Security Requirements for Researchers Dealing with Data Classification that is Ranked a C-3, I-3 or A-3

Aligning with the UTHSC mission and goals, researchers conduct various types of research. The data is often collected from human subjects and requires strict levels of protection. The UTHSC recognizes its obligation to effectively secure and safeguard this information in terms of confidentiality, integrity, and availability while allowing authorized individuals to access and appropriately share information as needed. To assist with the security of this data, UTHSC has a security program and published Cybersecurity Standards and Practices. UTHSC has defined a number of data classifications, documented in GP-002-Data & System Classification. For our research community dealing with human subject data, Controlled Unclassified Information (CUI), HIPAA data or Classified federal data, the important steps are:

1. 1. 1. Systems/Data need to be classified in each of the areas of Confidentiality (C), Integrity (I), and Availability (A).
      2. The process of data and system classification is accomplished by assigning a classification score of 0-3 in the areas of Confidentiality, Integrity, and Availability, with higher scores representing a higher level of sensitivity or criticality. It is acceptable if these are mixed, i.e. Confidentiality 1 (C-1), Integrity 3 (I-3), and Availability 2 (A-2). Each system/dataset will have different levels of security needs and controls based on risk and this classification process allows for the appropriate application of controls for each area. This process and examples are explained in GP-002-Data & System Classification.
      3.  While selecting classification levels, System/Data Owners should also assign an impact level in the areas of Confidentiality, Integrity, and Availability to quantify the potential impact of an adverse event in each of these areas. This process, along with examples and definitions, is explained in GP-002-Data & System Classification. 
      4. Data types should be identified and documented for each type of data that is transmitted, processed, or stored by the system or data set. These data types may have additional statutory requirements that must be assessed regarding security control implementation in addition to the baseline controls outlined in this standard. Data types that may need to be identified and associated with a system or data set are listed in Appendix B of the GP-002-Data & System Classification. 
      5. The classification of data is independent of its format. For example, if personal health information is revealed in a video recording of a lecture, then that video file should be classified as C-3. If paper credit card receipts are stored, then they should be classified as C-3.

Systems containing data categorized by the federal goverenment as Classified require special attention and are not allowed to be connected to the UTHSC network. Contact the UTHSC Cybersecurity team for more information.

Most of the data UTHSC's research community handles is ranked as a C-3. To ensure that these data or information are adequately protected, specific administrative, physical, and technical protections need to be implemented. If a researcher is unable to comply with any of these requirements, a request for exception may be submitted, GP-001.02-Security Exceptions and Exemptions to ITS Standards and Practices. However, adequate alternative measures must be in place and properly documented before an exception will be granted.