
This is an old revision of the document!


UT Data Security Policy

UT uses three security classifications for its data:

  1. Published: Data that is available to the general public.
  2. Controlled: Data that is not published, but not confidential.
  3. Confidential: Data that is protected by law or contract.

As a grad student, you will come in contact with data at all three classifications. Here are examples you may encounter:

  • Published: Published papers, Web pages
  • Controlled: UT-internal e-mail, business forms, unpublished research papers
  • Confidential: Student grades, class lists, submitted assignments

Note this last category: If you’re a Teaching Assistant or Assistant Instructor, you’ll have student data, and all of it is confidential.

Note: Student data must be handled very carefully. It is officially a crime (i.e. threat of fines, jail time, getting fired) in Texas to “distribute” records, files, documents, or other materials which contain information directly related to a student. If you want details, see Tex. Gov't Code § 552.114, Tex. Gov't Code § 552.352, 20 U.S.C. § 1232g(a)(4)(A).

There are university rules you have to follow if you have UT data.

(The following is a summary. Details are in the Information Resources Use and Security Policy, Minimum Security Standards for Data Stewardship, Minimum Security Standards for Systems, and Data Classification Standard.)

Requirements for Controlled Data

  • You must restrict file access using access control methods.
  • You should store files in encrypted storage (full-disk or per-file).
  • You should encrypt files when transmitting them.
  • You must lock up devices (laptops, phones, etc.) and media (flash drives, disks, etc.) when not in use.
  • Do not send controlled data to a printer unless you are present at that printer.
  • You must store printed/written controlled data out of sight when not in use.
  • You must shred printed/written controlled data; do not throw it in the trash or recycling.
  • Do not fax controlled data until you have confirmed that an authorized person is standing at the receiving fax machine.
  • You must be running anti-virus software.
  • You must install OS and app security updates “expediently”.
  • If automatic notification of new security updates is available, you must enable it.
  • If an OS or app is no longer supported by the vendor with security updates, you must uninstall it.
  • Passwords must: be ≥ 6 chars; be a mix of at least letters and digits; not contain personal information (your name, birth date, etc.)

Requirements for Confidential Data

Confidential data CANNOT be stored on your personal device. It must stay on UT-owned computers.

  • You must restrict file access using access control methods.
  • You must store files in encrypted storage (full-disk or per-file).
  • You must encrypt files when transmitting them.
  • You must lock up devices (laptops, phones, etc.) and media (flash drives, disks, etc.) when not in use.
  • Do not send confidential data to a printer unless you are present at that printer.
  • Mark confidential data as “Confidential”.
  • You must lock up printed/written confidential data when not in use.
  • You must shred printed/written confidential data using a “level 3” or higher shredder.
  • If you physically mail confidential data, you must use a confirmed delivery service.
  • Do not fax confidential data until you have confirmed that an authorized person is standing at the receiving fax machine.
  • Do not leave confidential data in a voice mail.
  • Regular backups must be running and verified monthly. Backups must be locked up and encrypted.
  • You must be running anti-virus software.
  • You must install OS and app security updates “expediently”.
  • If automatic notification of new security updates is available, you must enable it.
  • If an OS or app is no longer supported by the vendor with security updates, you must uninstall it.
  • System must be behind a firewall.
  • Communications encryption:
    • File transfers must be over sftp or scp.
    • E-mail must be encrypted.
    • Remote login sessions must be encrypted (ssh).
    • Web apps must communicate over HTTPS.
    • Printing must be over encrypted (“ipps”) connections.
    • Any other communication (database, app-to-app, etc.) must be over encrypted connections.
  • Integrity checking of critical operating system files must be enabled. (Tripwire or something like that.)
  • The required university login banner must be installed.
  • Only use file systems that support access control.
  • Passwords must: be ≥ 12 chars; be a mix of letters, digits, and special characters; not contain personal information (your name, birth date, etc.)
  • System activity, including admin or root access, must be logged. The logs must be reviewed routinely.

(All of this is enough of a pain that you may want to keep all student data on department-managed servers only, with tight access controls in place.)

Disk Encryption

UT has approved these disk encryption products:

  • WinMagic SecureDoc
  • Microsoft BitLocker
  • Apple FileVault 2
  • Linux Unified Key Setup (LUKS) Encryption

E-Mail Encryption

UT offers e-mail certificates for use with S/MIME-capable e-mail clients. You can have certificates issued for any of your utexas.edu addresses, including UTCS department e-mail and the university’s UTmail.

Instructions are here: https://wikis.utexas.edu/display/digitalcertificates/How+To+Request+a+Digital+Certificate

E-mail Services

UT has approved these e-mail services for student data (FERPA):

  • UT-hosted Exchange Server
  • Presumably, the UTCS department mail service

Cloud Storage/File Sharing Services

UT has approved these cloud storage services for student data (FERPA):

  1. UTBox – Strongly preferred. Also approved for HIPAA and PCI data.
  2. Google Drive for Education – Part of UTmail
  3. Microsoft OneDrive – Part of Office 365 (I think)

Notably, Dropbox and iCloud are not approved for controlled or confidential data.

ut_data_security_policy.1487274181.txt.gz · Last modified: 2017/02/16 13:43 by jthywiss