Classification System

UAB IT worked closely with information security officials from UAB Health System to develop the three-level data classification system for all data. This system establishes roles and responsibilities for those individuals and groups who will safeguard and use UAB data. Many of the policies and guidelines established to support this classification system are required by federal law, and UAB must remain compliant.

What’s your data?

Public Data

Public data is data that can be disclosed to the general public without harm.
Examples of public data include phone directory information, course catalogs, public research findings, enrollment figures, public web sites, general benefits data, press releases, newsletters and other similar information.

Sensitive Data

Sensitive data is data that should be kept confidential, with access requiring authorization or legitimate need-to-know involvement.
Examples of sensitive data include FERPA information, budgetary plans, proprietary business plans, patent pending information, export controls information and data protected by law.

Restricted/PHI data

Restricted/PHI data is sensitive data that is highly confidential in nature, and carries significant risk from unauthorized access. Privacy and security controls are typically required by law or contract for this data.
Examples include Social Security numbers, credit card numbers (PCI), personally identified information, protected health information, GLBA data, export controlled data, FISMA regulated data, login credentials, and information protected by non-disclosure agreements.

Can you store or share data?

See the table below for guidance on how you can store and transmit data. Electronic storage and emailing of credit card numbers is never allowed.

| | Public | Sensitive | Restricted/PHI |
|---|---|---|---|
| UAB File Share | | | |
| Desktop C Drive | | password required; encryption optional. | |
| Laptop C Drive | | password required; encryption optional. | password/pin and encryption required. |
| UAB Box | | | Risk assessment required. |
| Personal accounts | | | |
| Thumb Drive | | encryption required. | |
| Mobile Device | | device password/pin and encryption required. | device password/pin and encryption required. |
| UAB Email | | only to uab.edu or uabmc.edu email addresses. | |
| UABMC Email | | only to uab.edu or uabmc.edu email addresses. | requires third-party encryption tool to send externally. |

What’s your role & responsibility?

Data stewards

Data stewards have administrative control and are officially accountable for a specific information set.

Data custodians

Data custodians safeguard the data on behalf of the data steward. While data stewards are ultimately responsible for the security of data, data custodians ensure the security controls are in place.

UAB Information Security

Members of the UAB IT and UAB Health System information security teams are responsible for developing and implementing the information security program, as well as the supporting data security and protection policies and procedures.

Departmental security administrators

Each unit or department senior manager will choose one DSA to act as a liaison with the UAB Information Security team. DSAs oversee information security responsibilities for the departments, including security awareness and security incident response.

System administrators

System administrators in UAB IT, HSIS and school/department units who are responsible for day-to-day maintenance of information systems are responsible for following data security protection procedures and practices.

Data users

Data users are individuals authorized to access UAB data who are responsible for protecting information assets on a daily basis through adherence to UAB policies.