When it comes to cybersecurity, you know it is important to protect sensitive information, but what information is considered sensitive? And did you know there is a level beyond sensitive?
OIT maintains an Information Classification Policy for The University of Alabama where all UA data is classified into one of three categories.
Public Information: Information that may be disclosed to the general public without harm. Examples of public information include course catalogs, job postings, press releases, public directories and general benefits information.
Sensitive Information: Information that should be kept confidential. Access to this information requires authorization and legitimate need-to-know. Privacy may be required by law or contract. This includes student records, budgetary plans, proprietary business plans and patent pending information.
Restricted Information: Sensitive information that is highly confidential in nature and carries significant risk from unauthorized access or uninterrupted accessibility and is critical to UA operations. Privacy and security controls are typically required by law or contract. Examples of restricted information include financial data, Social Security numbers, government-issued identification and protected health information.
UA faculty and staff should understand the data classification chart to know protection requirements for data they access. Certain data requires significant protection methods. For example, sensitive information must be stored and managed in the Office of Information Technology or department data centers, and access should be limited and approved by appropriate data stewards.
No matter what type of data you access, all computers should be password-protected, use current antivirus software, and should run up-to-date operating systems. Sensitive and restricted information must be stored in secure and encrypted environments such as OneDrive, and mobile devices must be encrypted.
Visit the UA Policy website to view the Information Classification Policy in its entirety. OIT Security maintains an Information Classification Procedure to support the policy. For the protection of human subject research data, refer to the Research and Economic Development Institutional Review Board website.
October is National Cybersecurity Awareness Month. OIT is posting cyber safety tips throughout the month. For more information about UA cybersecurity practices, visit the OIT website.