UT Data Security Policy

UT uses three security classifications for its data:

1. Published: Data that is available to the general public.
2. Controlled: Data that is not published, but not confidential.
3. Confidential: Data that is protected by law or contract.

As grad student, you will come in contact with data at all three classifications. Here are examples you may encounter:

• Published: Published papers, Web pages
• Controlled: UT-internal e-mail, business forms, unpublished research papers
• Confidential: Student grades, class lists, submitted assignments

Note this last category: If you’re a Teaching Assistant or Assistant Instructor, you’ll have student data, and all of it is confidential.

Note: Student data must be handled very carefully. It is officially a crime (i.e. threat of fines, jail time, getting fired) in Texas to distribute, misuse, “permit inspection of”, or disclose any records, files, documents, or other materials which contain information directly related to a student. If you want details, see Tex. Gov't Code § 552.114, Tex. Gov't Code § 552.352, 20 U.S.C. § 1232g(a)(4)(A).

There are university rules you have to follow if you have UT data.

(The following is a summary. Details are in the Information Resources Use and Security Policy, Minimum Security Standards for Data Stewardship, Minimum Security Standards for Systems, and Data Classification Standard.)

• You must restrict file access using access control methods.
• You should store files in encrypted storage (full-disk or per-file).
• You should encrypt files when transmitting them.
• You must lock up devices (laptops, phones, etc.) and media (flash drives, disks, etc) when not in use.
• Do not send controlled data to a printer unless you are present at that printer.
• You must store printed/written controlled data out of sight when not in use.
• You must shred printed/written controlled data, do not throw in trash/recycling.
• Do not fax controlled data until you have confirmed that an authorized person is standing at the receiving fax machine.
• You must be running anti-virus software.
• You must install OS and app security updates “expediently”.
• If automatic notification of new security updates is available, you must enable it.
• If an OS or app is no longer supported by the vendor with security updates, you must uninstall it.
• Passwords must: be ≥ 6 chars; be a mix of at least letters and digits; not contain personal information (your name, birth date, etc.)

Confidential data CANNOT be stored on your personal device. It must stay on UT-owned computers.

• You must restrict file access using access control methods.
• You must store files in encrypted storage (full-disk or per-file).
• You must encrypt files when transmitting them.
• You must lock up devices (laptops, phones, etc.) and media (flash drives, disks, etc) when not in use.
• Do not send confidential data to a printer unless you are present at that printer.
• Mark confidential data as “Confidential”.
• You must lock up printed/written confidential data when not in use.
• You must shred printed/written confidential data using a “level 3” or higher shredder.
• If you physically mail confidential data, you must use a confirmed delivery service.
• Do not fax confidential data until you have confirmed that an authorized person is standing at the receiving fax machine.
• Do not leave confidential data in a voice mail.
• Regular backups must be running, and verified monthly. Backups must be locked up, and encrypted.
• You must be running anti-virus software.
• You must install OS and app security updates “expediently”.
• If automatic notification of new security updates is available, you must enable it.
• If an OS or app is no longer supported by the vendor with security updates, you must uninstall it.
• System must be behind a firewall.
• Communications encryption:
  • File transfers must be over sftp or scp.
  • E-mail must be encrypted.
  • Remote login sessions must be encrypted (ssh).
  • Web apps must communicate over HTTPS.
  • Printing must be over encrypted (“ipps”) connections.
  • Any other communication (database, app-to-app, etc.) must be over encrypted connections.
• Integrity checking of critical operating system files must be enabled. (Tripwire or something like that.)
• The required university login banner must be installed.
• Only use file systems that support access control.
• Passwords must: be ≥ 12 chars; be a mix of letters, digits, and special characters; not contain personal information (your name, birth date, etc.)
• System activity, including admin or root access, must be logged. The logs must be reviewed routinely.

(All of this is enough of a pain that you may want to keep all student data on department-managed servers only, with tight access controls in place.)

UT has approved these disk encryption products:

• WinMagic SecureDoc
• Microsoft Bitlocker
• Apple FileVault 2
• Linux Unified Key Setup (LUKS) Encryption

UT offers e-mail certificates for use with S/MIME-capable e-mail clients. You can have certificates issued for any of your utexas.edu addresses, including UTCS department e-mail and the university’s UTmail.

Instructions are here: https://wikis.utexas.edu/display/digitalcertificates/How+To+Request+a+Digital+Certificate

UT has approved these e-mail services for student data (FERPA):

• Office 365
• UTmail
• UT-hosted Exchange Server
• Presumably, the UTCS department mail service

UT has approved these cloud storage services for student data (FERPA):

1. UTBox – Strongly preferred. Also approved for HIPAA and PCI data.
2. Google Drive for Education – Part of UTmail
3. Microsoft OneDrive – Part of Office 365 (I think)

Notably, DropBox and iCloud are not approved for controlled or confidential data.

If you create a paper form or electronic form, put a Texas privacy notice on it. This is something like:

Under Texas Government Code chapters 552 and 559, you are entitled to be informed about the information that UT Austin collects about you. You also have the right to request a copy of that information, and to have the university correct any of that information that is wrong. You may request to receive and review any of that information, or request corrections to it, by contacting the university's Public Information Officer, Office of Financial Affairs, P.O. Box 8179, Austin, Texas, 78713.