Information Classification Policy
Unit: Office of Information Technology
Purpose

The purpose of this policy is to assist the University of Alabama community in determining the classification of, and the protection requirements for, all University information. Based on the classification assigned to information, users are required to implement and follow the appropriate security control procedures. Classifying information consistently also enables automated handling in University systems that act on classification labels.

Policy

All University of Alabama (UA) information that is stored, processed, or transmitted must be classified in accordance with this policy. Based on that classification, users are required to implement appropriate security controls for the protection of the information and to follow the Information Protection Procedure. All University information must be classified into one of the three following categories:
Classification of Research Data

For the classification of human subject research information and/or export control information, refer to the Research and Economic Development Institutional Review Board (IRB) website.

Responsibilities

University divisions that own sensitive or restricted information must name a data steward for that information. The data steward must grant formal approval for the access and use of its sensitive and restricted information. Specific roles and responsibilities for protecting UA information
Incident Reporting and Management

Any suspected breach or compromise of sensitive or restricted information must be reported immediately to the Information Security Office in the Office of the Vice Provost and Chief Information Officer (CIO) for Information Technology, and to the dean or administrative unit head. Specific procedures for reporting a suspected or actual breach or compromise of information are located on the Information Security website and identify other offices that must also be notified immediately. Upon receiving the report, the Information Security Office is responsible for conducting or coordinating the investigation, making or assessing recommendations for corrective action, reporting the incident to the Executive Computer Incident Response Team (ECIRT) and other administrative units as needed, and maintaining documentation of the incident.

Protection Requirements Based on Classification

The University of Alabama Information Protection Procedure document defines the minimum protection requirements for each classification category of information when it is used or handled in a specific context (e.g., sensitive information sent in an email message). Note that these protections are minimums and are not intended to supersede any regulatory or contractual requirements for handling information; where a regulation or contract imposes a stricter requirement, the stricter requirement applies.

Definitions

Chief Information Security Officer (CISO): The designated individual responsible for the management of information security for the entire campus.

Classification (information classification): The process of sorting and categorizing information into distinct types, forms, or classes. Information classification separates information according to the requirements of each data set for various business or personal objectives. It is primarily an information management process, and it allows protection requirements to be assigned to information based on its classification.
Data Custodian: An employee of the University who has administrative and/or operational responsibility for UA information. In many cases there will be multiple data custodians for a single piece of data; an enterprise application, for example, may have teams of data custodians, each responsible for different functions.

Data Steward: A role within an organization responsible for applying some portion of the University's information governance processes to ensure the fitness of data elements, covering both the content and its metadata.

Export Controls: Export-controlled information or material is any information or material that cannot be released to foreign nationals or representatives of a foreign entity without first obtaining approval or a license from the Department of State, for items controlled by the International Traffic in Arms Regulations (ITAR), or from the Department of Commerce, for items controlled by the Export Administration Regulations (EAR). Export-controlled information must be handled as restricted information and marked accordingly.

Financial Information: Nonpublic information about an individual's assets, liabilities, or credit; financial account numbers (bank, savings, credit, or debit), with or without balances; transactional information; and social security numbers or other tax identification numbers.

Health Information Technology for Economic and Clinical Health Act (HITECH): Federal legislation enacted under Title XIII of the American Recovery and Reinvestment Act of 2009. The HITECH Act was created to promote and expand the adoption of health information technology, specifically the use of electronic health records (EHRs) by healthcare providers.

Health Insurance Portability and Accountability Act (HIPAA): Federal regulation that defines the management of protected health information held by covered entities and/or business associates of covered entities.
Medical Information: Any individually identifiable information, in electronic or physical form, in the possession of or derived from a provider of health care, a health care service plan, a pharmaceutical company, or a contractor, regarding a patient's medical history, mental or physical condition, or treatment or diagnosis by a health care professional. This includes any information containing an individual's health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer.

Risk Analysis: An accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of information at each defined classification level.

Risk: The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact on the confidentiality, integrity, and availability of confidential information.

System of Record (SOR): The authoritative source for a particular type of data (e.g., CWID, SSN, student discipline records, payroll information, academic transcripts). To ensure information integrity, there must be one, and only one, system of record for a given type of data. System of record is a data management term for an information storage system, commonly implemented on a computer system running a database management system.

Scope

This policy applies to all faculty, staff, students, approved volunteers, and contractors who have access to University information.
Office of the Provost
Approved by Dr. Lesley Reid, Associate Provost, 03/11/2022