Title: Protecting the Confidentiality and Integrity of Digital Research Data UT System Policy UTS165
1Protecting the Confidentiality and
Integrity of Digital Research DataUT System
Policy (UTS165)
2Background
- In June of 2004, the State Auditor Office (SAO)
issued the following findings on the protection
of research data - Higher education institutions should do more to
protect research data - Security of research data was inconsistent and
sometimes inadequate. - Institutions rely on decentralized departments
and individual researchers to protect research
data. - Findings are tracked by the Chancellor and Audit
Committee of the Board of Regents.
3Lurking Threats
- Tampering or theft
- Alteration, damage, or loss of sensitive research
data - Unauthorized access or use of sensitive research
data - Improper disposal of digital media containing
sensitive research data - Sharing passwords and/or system access codes
- Unauthorized release of sensitive research data
or product information, on or off the campus
4Adverse Impact of Poor Research Data Security
- Increased legal liability
- Loss of revenue, grants, gifts, and donations
- Loss of data, information resources related
assets, and productivity - Injury to Researcher and UT Institution
reputation, bad publicity - Loss of public trust
- Default on project(s)
- Increased regulation, sanctions and/or
legislation
5Our challenge is to safeguard Research Data while
meeting the requirements of
- Federal research grants,
- Regulations related to the Responsible Conduct of
Research - Scientific journals.
6Policy Objectives
- Protect the confidentiality and integrity of
research data without creating unjustified
obstacles to the conduct of research activities - Establish accountability
- Identify sensitive research data based on Risk
- Protect confidentiality and integrity of research
data in accordance with each UT institutions
Security Plan and with UTS165
7Guiding Tenets
- Research is all about collaboration,
collaborative evaluation, peer reviews, and
exchange of data Sharing!! - But
- Is all research data equal? Or equally important?
8Guiding Tenets
- Certain research data should not be disclosed
(shared), - Research data should be correct, and
- Research data should be available when needed.
9Vocabulary
- Sensitive Digital Research Data Digital Research
Data for which there is demonstrated need for the
Researcher and UT Institution to - Document the integrity of that Digital Research
data (i.e., that the data had not been altered by
either intent or accident), - Restrict and document individuals with access to
that Digital Research Data, - Insure appropriate backup and retention of that
Digital Research Data, and - If applicable, comply with Federal or State law.
10Vocabulary
- Digital Research Data The subset of Research
Data that is transmitted by or maintained in,
electronic media.
11Vocabulary
- Research Data Recorded information, regardless
of form or media in which it may be recorded,
which constitute the original observations and
methods of a study and the analyses of such
original data that are necessary to support
Research activities and validate Research
findings. Research Data may include but is not
limited to printed records, observations and
notes electronic data video and audio records,
photographs and negatives, etc
12Vocabulary
- Research Systematic investigation designed to
develop and contribute to knowledge and may
include all stages of development, testing and
evaluation. - Researcher Lead Researchers, faculty, staff,
students, postdoctoral fellows, residents and
visiting/affiliated scientists who are engaged in
or responsible for Research activities.
13Policy Components
14Available Resources
UTHSCH Policies and Procedures
- UT System Policy (UTS165)
- Handbook of Operating Procedures (HOOP) Chapter
17 - Information Security Procedures
151. Accountability
16Roles and Responsibilities
- Each Lead Researcher is responsible for
implementing this UTS165 for all Digital Research
Data that is under that Lead Researchers
control. - Researchers and all others that assist in the
Research performed at a UT Institution will
comply with this UTS165 and protect Sensitive
Digital Research Data with security safeguards - Internal Audit, or a similar function, will
monitor the implementation of and compliance with
the provisions of this UTS Policy at UT
Institutions - Information Security, or a similar function,
shall provide support, guidance and problem
resolution to the UT Institutions Lead
Researchers and Researchers with respect to this
UTS165 and the Institutions applicable policies
and procedures.
172. Data Classification
- Understand the importance of Digital Research
Data and protect it accordingly!
18Identify and Classify Sensitive Digital Research
Data
- Identify and classify Digital Research Data into
sensitive and non-sensitive based on risk - Do decisions based on risk Risk Assessments?
- Not necessarily..
- Lead researchers should work with their
Institutions Information Security staff, or
similar function, to ensure the use of applicable
data classification standards as outlined in
institutional polices and/or in the federal
guidelines for the responsible conduct of
Research.
19Identify and Classify Sensitive Digital Research
Data
- A good Rule of Thumb is to identify
Digital Research Data for which one or more of
the following are REQUIRED - Need for Confidentiality
- Need for Integrity
- Need for Availability
20Identify and Classify Sensitive Digital Research
Data
- In other words..
- Digital Research Data for which there is
demonstrated need for the Researcher and
Institution to - Document the integrity of that Digital Research
data (i.e., that the data had not been altered by
either intent or accident), - Restrict and document individuals with access to
that Digital Research Data, - Insure appropriate backup and retention of that
Digital Research Data, and - If applicable, comply with Federal or State law.
213. Access Control
Protect Sensitive Digital Research Data from
casual viewing by others.
22Who Can See What
- Lead Researchers should manage and monitor
access to Sensitive Digital Research Data under
their control based on sensitivity and risk and
should secure it appropriately - For example
- Provide access to Sensitive Digital Research Data
on a need to know basis. - When possible, use the UT Institutions issued
identity credentials and Access Management
procedures to provide access to computer systems,
databases, web applications, etc. - Review security logs at least weekly
- Use Virtual Private Network (VPN) or Terminal
Services for secure remote access to the UT
institutions computer systems when access is
required from off-campus.
23Providing Access to Third Parties
- When..
- Third parties act as an agent of or otherwise on
behalf of UT Institutions (e.g., an application
service provider) - And If
- Based on risk, Lead Researchers can determine
that providing access to Sensitive Digital
Research Data to a third party will or can result
in a significant risk to the confidentiality and
integrity of such data - Then
- The UT Institution must enter into a written
agreement with the third party that includes
terms and conditions that protect the
confidentiality and integrity of the Sensitive
Digital Research Data as required by this UTS
Policy. - The agreement must require the third party to use
appropriate administrative, physical, and
technical safeguards to protect the
confidentiality and integrity of the Sensitive
Digital Research Data that it obtains from the UT
Institution.
244. Security Safeguards
Keep people away from your equipment and
Sensitive Digital Research Data.
25Protect Sensitive Digital Research Data
- Sensitive Digital Research Data shall be
secured in accordance with the UT Institutions
security plan and with UTS165. - The following is a representative checklist
- Use Anti-Virus and Firewall software,
- Regularly or automatically upgrade and patch
Operating Systems, - Back up Sensitive Research Data regularly and
ensure that it can be reliably restored, and..
26Protect Sensitive Digital Research Data
- Sensitive Digital Research Data should only be
stored on institutional or personal computers or
other electronic devices (e.g., laptop, hand-held
device, Flash drives, or other portable devices)
that - Are secured against unauthorized access in
accordance with UTS165, and - Would not compromise Research efforts if lost or
destroyed Unless otherwise required by
federal or state law or regulation (such as
HIPAA)
27When to Use Encryption?
- To protect the security of Sensitive Digital
Research Data during electronic communications or
transmissions - Use Secure File Transfer Protocol (SFTP)
- Use encrypted email
- Do not use non-UT email accounts (ex Yahoo,
Hotmail) - As required by the UT Institutions Encryption
Guidelines - If data is encrypted, ensure that Information
- Security assists with the secure escrow of
- encryption keys to ensure data can be
- recovered in the event that assistance is
- required.
28Smart Media Discard
- Discard electronic media (e.g., disks,
tapes, hard drives, etc) containing Sensitive
Digital Research Data - In a manner that renders it unrecoverable
- reformatting, erasing, or modifying the
electronic media to make it unreadable or
indecipherable or - otherwise physically destroying the electronic
media and - In accordance with the applicable UT
Institution's records retention schedule.
29Dont Forget to Lock the Doors
- Consult with the UT Institution Police
- Department on ways to physically protect
- access to research labs and offices.
- Lock workstations or use password
- protected screen savers when systems
- are left unattended.
- Physically secure portable computers, devices and
media containing Sensitive Digital Research Data
if left unattended. - Consult with the UT Institution Environmental
Health and Safety groups to prevent environmental
hazards.
305. Training and Awareness
- Encourage and nurture the growth of information
resources security.
31- Heighten the awareness of those you deal with in
the work place - Encourage the adherence to this UTS165 and
related policies and procedures - Ways to apply training
- Comply with policy and procedures
- Be a model that encourages others
- Provide feedback
- On security improvements in your work place
- On this training session
32Parting Thoughts
- Remember
- Certain research data should not be disclosed
(shared) - Classify Digital Research Data into sensitive and
non-sensitive based on risk - Secure Sensitive Digital Research Data in
accordance with the UT Institutions security
plan and with UTS165. - Your reputation and career may depend on it..
33Thank You