UT uses three security classifications for its data:

1. Published: Data that is available to the general public.
2. Controlled: Data that is not published, but not confidential.
3. Confidential: Data that is protected by law or contract.

As grad student, you will come in contact with data at all three classifications. Here are examples you may encounter:

• Published: Published papers, Web pages
• Controlled: UT-internal e-mail, business forms, unpublished research papers
• Confidential: Student grades, class lists, submitted assignments

Note this last category: If you’re a Teaching Assistant or Assistant Instructor, you’ll have student data, and all of it is confidential.

There are university rules you have to follow if you have UT data.

(The following is a summary. Details are in the Information Resources Use and Security Policy, Minimum Security Standards for Data Stewardship, Minimum Security Standards for Systems, and Data Classification Standard.)

• You must restrict file access using access control methods.
• You should store files in encrypted storage (full-disk or per-file).
• You should encrypt files when transmitting them.
• You must lock up devices (laptops, phones, etc.) and media (flash drives, disks, etc) when not in use.
• Do not send controlled data to a printer unless you are present at that printer.
• You must store printed/written controlled data out of sight when not in use.
• You must shred printed/written controlled data, do not throw in trash/recycling.
• Do not fax controlled data until you have confirmed that an authorized person is standing at the receiving fax machine.
• You must be running anti-virus software.
• You must install OS and app security updates “expediently”.
• If automatic notification of new security updates is available, you must enable it.
• If an OS or app is no longer supported by the vendor with security updates, you must uninstall it.
• Passwords must: be ≥ 6 chars; be a mix of at least letters and digits; not contain personal information (your name, birth date, etc.)

Confidential data CANNOT be stored on your personal device. It must stay on UT-owned computers.

• You must restrict file access using access control methods.
• You must store files in encrypted storage (full-disk or per-file).
• You must encrypt files when transmitting them.
• You must lock up devices (laptops, phones, etc.) and media (flash drives, disks, etc) when not in use.
• Do not send confidential data to a printer unless you are present at that printer.
• Mark confidential data as “Confidential”.
• You must lock up printed/written confidential data when not in use.
• You must shred printed/written confidential data using a “level 3” or higher shredder.
• If you physically mail confidential data, you must use a confirmed delivery service.
• Do not fax confidential data until you have confirmed that an authorized person is standing at the receiving fax machine.
• Do not leave confidential data in a voice mail.
• Regular backups must be running, and verified monthly. Backups must be locked up, and encrypted.
• You must be running anti-virus software.
• You must install OS and app security updates “expediently”.
• If automatic notification of new security updates is available, you must enable it.
• If an OS or app is no longer supported by the vendor with security updates, you must uninstall it.
• System must be behind a firewall.
• Communications encryption:
  • File transfers must be over sftp or scp.
  • E-mail must be encrypted.
  • Remote login sessions must be encrypted (ssh).
  • Web apps must communicate over HTTPS.
  • Printing must be over encrypted (“ipps”) connections.
  • Any other communication (database, app-to-app, etc.) must be over encrypted connections.
• Integrity checking of critical operating system files must be enabled. (Tripwire or something like that.)
• The required university login banner must be installed.
• Only use file systems that support access control.
• Passwords must: be ≥ 12 chars; be a mix of letters, digits, and special characters; not contain personal information (your name, birth date, etc.)
• System activity, including admin or root access, must be logged. The logs must be reviewed routinely.

(All of this is enough of a pain that you may want to keep all student data on department-managed servers only, with tight access controls in place.)