Collection and Use

No protection requirements

Granting Access or Sharing

No protection requirements

Disclosure, Public Posting, etc.

No protection requirements

Electronic Display

No protection requirements

Open Records Requests

Data can be readily provided upon request. However, individuals who receive a request must coordinate with University Relations Office before providing data.

Exchanging with Third Parties, Service Providers, Cloud Services, etc.

No protection requirements

Storing or Processing: Server Environment

Servers that connect to the UAB network must comply with IT Security Practices.

Storing or Processing: Endpoint Environment (e.g. laptop, phone, desktop, tablet, etc.)

Systems that connect to the UAB network must comply with IT Security Practices.

Storing on Removable Media (e.g. thumb drives, CDs, tape, etc.)

No protection requirements

Electronic Transmission

No protection requirements

Email and other electronic messaging

No protection requirements

Printing, mailing, fax, etc.

No protection requirements

Disposal

No protection requirements

Collection and Use

Limited to authorized uses only.

Units/Colleges that collect and/or use Sensitive Data should participate in the Information Security Program by reporting servers to the Enterprise Information Security Office.

In addition, any/all servers that process or store Sensitive Data must meet all requirements associated with applicable laws and/or standards.

Additionally, sensitive institutional data must be stored and managed in unit or higher systems.

Granting Access or Sharing

Access shall be limited to authorized University officials or agents with a legitimate academic or business interest and a need to know as outlined by UAB policies.

All access shall be approved by an appropriate data steward and tracked in a manner sufficient to be auditable.

Before granting access to external third parties, contractual agreements which outline responsibilities for security of the data shall be approved through the UAB contract process.

Disclosure, Public Posting, etc.

Sensitive Data shall not be disclosed without consent of the data steward.

Sensitive Data may not be posted publicly.

Directory information can be disclosed without consent. However, per FERPA, individual students can opt out of directory information disclosure.

Sensitivity Label

All documents (documents, spreadsheets, pdfs, etc.) that contain Sensitive data must be identified with a sensitivity label of Sensitive.

It is incumbent on the UAB community to apply appropriate sensitivity labels to data.

Electronic Display

Only to authorized and authenticated users of a system.

Open Records Requests

Sensitive Data is typically not subject to open records disclosure. However, some open records requests can be fulfilled by redacting sensitive portions of records. Individuals who receive a request must coordinate with the University Relations Office.

Exchanging with Third Parties, Service Providers, Cloud Services, etc.

A contractual agreement (or MOU if governmental agency) outlining security responsibilities shall be in place and approved through the UAB contract process before exchanging data with the third party / service provider.

UAB Box.com – no special requirements.

UAB M365 – no special requirements.

Storing or Processing: Server Environment

Servers that process and/or store sensitive institutional data must comply with IT Security Practices, as well as applicable laws and standards. Additionally, sensitive institutional data must be stored and managed in unit or higher systems.

Storing or Processing: Endpoint Environment (e.g. laptop, phone, desktop, tablet, etc.)

Systems that connect to the UAB network must comply with IT Security Practices, as well as applicable laws and standards.

In addition, any/all systems that process or store Sensitive Data must be on an encrypted volume and endpoint must require PIN and/or password for access to device.

Storing on Removable Media (e.g. thumb drives, CDs, tape, etc.)

Sensitive Data shall only be stored on removable media in an encrypted file format or within an encrypted volume.

Electronic Transmission

Sensitive Data shall be transmitted in either an encrypted file format or over a secure protocol or connection.

Email and other electronic messaging

Messages shall only be sent to authorized individuals with a legitimate need to know.

Messages with Sensitive Data shall be transmitted only to other uab.edu or uabmc.edu email recipients.

Sensitive Data may be shared through approved UAB services.

UAB email forwarding to personal email accounts is prohibited.

Printing, mailing, fax, etc.

Printed materials that include Sensitive Data shall only be distributed or available to authorized individuals or individuals with a legitimate need to know.

Access to any area where printed records with Sensitive Data are stored shall be limited by the use of controls (e.g. locks, doors, monitoring, etc.) sufficient to prevent unauthorized entry.

Do not leave printed materials that contain Sensitive Data visible and unattended.

Disposal

Follow the UAB Secure Media Destruction process for the secure disposal of discs, CDs, DVDs, tapes and hard drives.

Repurposed for University Use - Multiple pass overwrite. NOT Repurposed for University Use - Physically destroy.

Follow the Destruction of University Records Procedure for printed materials.

Refer to the UAB Records Retention Policy and Records Retention Schedule for specific guidance on records retention.

Collection and Use

Limited to authorized uses only.

Units/Colleges that collect and/or use Restricted data should participate in the Information Security Program by reporting servers to the Enterprise Information Security Office.

In addition, any/all servers that process or store Restricted Data must meet all requirements associated with applicable laws and/or standards.

Additionally, restricted/PHI data must be stored on servers located in the UAB data center and managed by Central IT.

SSNs may not be used to identify members of the UAB community if there is a reasonable alternative.

SSNs shall not be used as a username or password.

SSNs shall not be collected on unauthenticated individuals.

All credit/debit card uses must be approved by the VP of Financial Affairs and Administration Office.

Granting Access or Sharing

Access shall be limited to authorized University officials or agents with a legitimate academic or business interest and a need to know as outlined by UAB policies.

All access shall be approved by an appropriate data steward and tracked in a manner sufficient to be auditable.

Before granting access to external third parties, contractual agreements which outline responsibilities for security of the data shall be approved through the UAB contract process.

Disclosure, Public Posting, etc.

Not permitted unless required by law.

Sensitivity Label

All documents (documents, spreadsheets, pdfs, etc.) that contain Restricted data must be identified with a sensitivity label of Restricted.

It is incumbent on the UAB community to apply appropriate sensitivity labels to data.

Electronic Display

Restricted data shall be displayed only to authorized and authenticated users of a system.

Identifying numbers or account number shall be, at least partially, masked or redacted.

Open Records Requests

Restricted data is typically not subject to open records disclosure. However, some open records requests can be fulfilled by redacting Restricted portions of records. Individuals who receive a request must coordinate with the University Relations Office.

Exchanging with Third Parties, Service Providers, Cloud Services, etc.

A contractual agreement (or MOU if governmental agency) and/or Business Associate Agreement (BAA) outlining security responsibilities shall be in place and approved through the UAB contract process before exchanging data with the third party / service provider.

UAB Box.com – Subject to any applicable laws.
** Transactional storage of ePHI/HIPAA data is subject to approval. For Health System covered entities, approval is granted by HSIS. For UAB covered entities, approval is granted by the Enterprise Information Security Office. ServiceNow request.

UAB M365 (OneDrive, SharePoint, Email, Teams) – Subject to any applicable laws.

Storing or Processing: Server Environment

Servers that process and/or store sensitive institutional data must comply with IT Security Practices, as well as applicable laws and standards.

Additionally, restricted/PHI data must be stored on servers located in the UAB data center and managed by UAB IT.

Storing Credit/Debit card PAN data is not permitted.

Storing or Processing: Endpoint Environment (e.g. laptop, phone, desktop, tablet, etc.)

Any/all systems that process or store Restricted Data must be encrypted volume and endpoint must require PIN and/or password for access to device.

Storing Credit/Debit card PAN data is not permitted.

Storing Restricted Data on personally-owned devices is not permitted.

Devices storing or processing restricted data must be physically secure at all times.

Avoid storing Restricted Data on portable devices.

Storing on Removable Media (e.g. thumb drives, CDs, tape, etc.)

Not permitted unless required by law.

If required by law, Restricted Data stored on removable media shall be encrypted and the media shall be stored in a physically secured environment. Storing restricted data on personally-owned media is not permitted.

Electronic Transmission

Secure, authenticated connections or secure protocols shall be used for transmission of Restricted Data.

Email and other electronic messaging

Messages with Restricted Data shall be transmitted in either an encrypted file format or only through secure, authenticated connections or secure protocols.

Restricted Data may be shared through approved UAB services.

UAB email forwarding to personal email accounts is prohibited.

Messages with Restricted Data shall be transmitted only to other uab.edu or uabmc.edu email recipients.

SSNs may not be shared through email or other electronic messaging.

Credit card data may not be shared through email or other electronic messaging.

Printing, mailing, fax, etc.

Printed materials that include Restricted Data shall only be distributed or available to authorized individuals or individuals with a legitimate need to know.

Access to any area where printed records with Restricted Data are stored shall be limited by the use of controls (e.g. locks, doors, monitoring, etc.) sufficient to prevent unauthorized entry.

Do not leave printed materials that contain Restricted Data visible and unattended.

Social Security Numbers shall not be printed on any card required to access services.

New processes requiring the printing of SSN on mailed materials shall not be established unless required by another state agency or a federal agency.

Disposal

Follow the UAB Secure Media Destruction process for the secure disposal of discs, CDs, DVDs, tapes and hard drives.

Repurposed for University Use - Multiple pass overwrite. NOT Repurposed for University Use - Physically destroy.

Follow the Destruction of University Records Procedure for printed materials.

Restricted Data that is no longer necessary for University business should be disposed to minimize risk of data breach.

Refer to the UAB Records Retention Policy and Records Retention Schedule for specific guidance on records retention.