Security & Compliance

Data Classifications

Data classifications are used to identify what security measures are necessary to adequately protect the University’s information assets. UT Dallas BP3096 outlines 3 levels of data classifications: Public, Controlled, and Confidential.
In addition to complying with UT Dallas BP3096, researchers must also comply with data security requirements outlined in a contract or agreement. Data should be classified at the level that most closely corresponds to the specified requirements in the contract/agreement.

DCL3: Confidential

The subset of University Data that is private or confidential by law or otherwise exempt from public disclosure.

Examples

  • Social Security Numbers
  • FERPA
  • PII
  • PHI
  • Export Controlled Data
  • CUI/CDI
  • Government issued identification numbers

DCL2: Controlled

The subset of University Data that is not created for or made available for public consumption but that is subject to release under the Texas Public Information Act or other laws.

Examples

  • Network diagrams
  • UT Dallas emails
  • UT Dallas-ID number
  • Budget and salary information

DCL1: Public

The subset of University Data intended for public consumption.

Examples

  • Marketing materials
  • Press releases
  • Public websites
  • Published papers
  • UT Dallas-issued email address
  • Fundamental research data


Data Types

Fundamental

Fundamental refers to research data that is created through the exploration of basic and applied research topics, the results of which are published and shared broadly within the scientific community.

Reference

Personally Identifiable Information (PII)

Personally Identifiable Information (PII) refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. Non-PII can become PII whenever additional information is made publicly available that, when combined with other available information, could be used to identify an individual. Note that this term is not related to HIPAA and, unlike PHI, is not regulated by any one entity or in any one industry.

Reference

Protected Health Information (PHI)

Protected Health Information (PHI) is any information that can potentially identify an individual, that was created, used, or disclosed in the course of providing healthcare services by a covered entity.

Reference

Controlled Unclassified Information (CUI)

Controlled Unclassified Information (CUI) is information that is sensitive or confidential, but not classified, that requires dissemination controls and must be safeguarded. CUI is organized into Categories and Subcategories.

Important Distinctions

Controlled Technical Information (CTI): CTI is technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. CTI would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents.

Covered Defense Information (CDI): CDI is used to describe information that requires protection under DFARS Clause 252.204-7012, which includes, but is not limited to, CUI and CTI.

Reference

Administrative & State Records

Administrative refers to non-research data associated with the operation of research at UT Dallas. It is any recorded information created or received by or on behalf of a state agency documenting activities in the conduct of state business or the use of public resources. So, almost everything we do at UT Dallas results in State Records.

UT Dallas Policy

Reference


Data Definitions

Anonymized Data

Previously identifiable data (indirectly or individually identifiable) that have been de-identified and for which a code or other link no longer exists. An investigator has NO means for linking anonymized data back to a specific subject.

Reference

Anonymous Data

Data that were collected without identifiers and that were never linked to an individual.

Reference

De-identified Data

Data that has had identifying information removed.

Reference

Coded Data

Data that are separated from personal identifiers through use of a code. As long as a link exists, data are considered indirectly identifiable and not anonymous, anonymized or de-identified.

Reference

Indirectly Identifiable

Data that do not include personal identifiers but link the identifying information to the data through the use of a code.

Reference

Directly Identifiable

Any information that includes personal identifiers.

Reference


Security Restrictions & Regulations

Family Educational Rights & Privacy Act (FERPA)

The Family Educational Rights and Privacy Act (FERPA) is a federal law enacted in 1974 to protect the privacy of student education records. While this restriction is typically limited to academic data created in the operation and delivery of instruction here at UT Dallas, it is possible that research data sets may require adherence to procedures defined in this regulation.

UT Dallas Policy

Reference

Health Insurance Portability & Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects the privacy and security of individual health information (see PHI) used, transmitted, and retained for the provision and payment of health care services. While data sets may contain health data, including diagnostic results, medical history, and demographic data, a large majority of these data sets are not subject to HIPAA regulations and controls. In general, HIPAA data is only generated, processed, and retained within the UT Dallas Callier Center for Communication Disorders.

UT Dallas Policy

Reference

National Institute for Standards & Technology 800-171 (NIST 800-171)

National Institute for Standards and Technology – Special Publication 800-171 (NIST 800-171) standards are implemented to protect CUI in nonfederal IT systems from unauthorized disclosure. The Office of Research provides an authorized environment in which to conduct research projects subject to these 110 controls.

Reference

Cybersecurity Maturity Model Certification (CMMC)

Cybersecurity Maturity Model Certification (CMMC) is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). CMMC is designed to provide increased assurance that an organization can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain. CMMC is intended to eventually replace NIST 800-171.

Reference

Export Controls

The export of certain technologies, software, and hardware is regulated and controlled by the International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR), and the Office of Foreign Assets Control (OFAC) for reasons of national security, foreign policy, prevention of the spread of weapons of mass destruction, and for competitive trade reasons.

Reference


Research Data Security Checklist

Best Practices
  1. Create a DMP. Create a data management plan to outline how data will be organized, stored, preserved, and disseminated as part of a research project. It should detail how data will be managed during the research lifecycle and describe how a researcher and lab will adhere to data security requirements.
  2. Control digital access. Keep a list and periodically review who has access to data and information in storage locations such as Box, lab file shares, departmental storage, etc. Remove users who should no longer have access. Apply granular permissions.
  3. Be up to date. Ensure your devices and software contain the latest updates and patches. Remove applications that are not frequently used.
  4. Scrutinize links and attachments. If it looks suspicious, and you know the source, it’s best to delete it or mark it as spam. If you believe an email is legitimate, hover your cursor over embedded links to verify where they will lead before clicking. If you’re still unsure, contact infosecurity@utdallas.edu.
  5. Encrypt data. PII and confidential information should always be encrypted, especially before transfer.
  6. Share securely. Share and transfer files using methods that support the sensitivity level of the data. Use sharing methods such as VPN and SSH to ensure encryption stays with the data as it travels through the network, web servers, application servers, and database servers. Use UT Dallas approved applications for sharing.
  7. Back up data. Protect your work by keeping recoverable backups in a safe storage location. Use the new Data Storage Finder to identify approved storage options.
  8. Effectively destroy data. If data destruction is required, use destruction methods that support the sensitivity level of the data. Review UT Dallas Retention & Destruction policies.
  9. Secure physical access. Don’t keep doors propped open. Store physical data, materials, and information under lock and key when not in use. Turn off workstations, lock your screen, or log off when away.
  10. Use UT Dallas devices. Avoid using non-UT Dallas devices for collecting, analyzing, and storing research data. Personal devices are not covered by the UT Dallas Information Security and Acceptable Use policy, BP3096.

Immediately report suspected security incidents to infosecurity@utdallas.edu.

Data Backup & Recovery

Backing up your research data is an essential practice as part of managing data effectively. Data backups protect against human error, hardware failure, file corruption, virus attacks, and natural disasters. Your data is the basis of your research so it’s important that you have a strong backup strategy in the event of an emergency. Data backups must be performed according to a schedule consistent with data retention and destruction requirements appropriate for the data type and classification. Note that all backup media stored outside UT Dallas data centers must be encrypted to reduce the risk of interception by unauthorized parties and should be stored at a distance sufficiently far from the primary data location to ensure that a regional disaster will not disrupt access to both the primary and backup data simultaneously.

Best Practices
  • In general, it’s good practice to use the 3-2-1 Backup Rule:
    • 3 copies of your data
    • 2 saved locally on two different devices
    • 1 off-site backup on the cloud
  • Learn how to recover data from backups before an emergency.
  • Note that synchronization with a cloud storage service is not the same as creating a backup.
    • Some cloud storage services, like AWS and Box, provide both storage and backup services. Learn more about your options by navigating to the Storage & Compute page or consulting with the Data Management Team.
  • For cost effectiveness, consider creating backups of just your most valuable data.


Data Retention & Destruction

Retention

After the completion of a research project, data must often be retained to comply with regulations, agreements, or policies. Typically, when there are multiple retention requirements, you must keep records for the longest applicable period. Keep in mind that regulations do not necessarily specify when you must destroy data, but rather state the minimum amount of time that you must retain data. If research data is kept secure and complies with applicable data security requirements and restrictions, then data can generally be kept indefinitely. Please do note that this guidance does not apply to administrative data governed by State of Texas data destruction policies. Retention periods for research data may be influenced by factors such as:

  • Funding agency requirements (generally a minimum of 5 years after last citation)
  • University policies
  • Agreements or contracts with research and industry partners

Destruction

After the completion of research, or the termination of a contract, some agreements require that data be destroyed. At a minimum, data must be destroyed according to UT Dallas Information Security Standards.

  • When data is destroyed, the destruction must be irreversible, with no chance of recovery.
  • Not all destruction methods are created equal. Make sure that storage media (e.g. hard drives, flash memory, magnetic data tapes, and floppy disks) are securely overwritten before reuse and physically destroyed at the end of the useful life of the device.
  • Paper and CD/DVD optical media must be securely shredded in a manner sufficient to prevent reassembly.
  • UT Dallas-issued mobile computing devices are subject to electronic erase or factory reset procedures before the device is issued to another user or retired from service.
  • Vendors who host data remotely must provide UT Dallas with a certificate of data destruction upon termination of the contract.

If you have questions about how you can comply with retention policies and data destruction requirements, consult with the Data Management Team.
