Protecting the Confidentiality and Integrity of Digital Research Data: UT System Policy UTS165 (PowerPoint presentation transcript)

Provided by: bbout

Transcript and Presenter's Notes

1
Protecting the Confidentiality and
Integrity of Digital Research Data
UT System Policy (UTS165)
2
Background
  • In June of 2004, the State Auditor's Office (SAO)
    issued the following findings on the protection
    of research data:
  • Higher education institutions should do more to
    protect research data
  • Security of research data was inconsistent and
    sometimes inadequate.
  • Institutions rely on decentralized departments
    and individual researchers to protect research
    data.
  • Findings are tracked by the Chancellor and Audit
    Committee of the Board of Regents.

3
Lurking Threats
  • Tampering or theft
  • Alteration, damage, or loss of sensitive research
    data
  • Unauthorized access or use of sensitive research
    data
  • Improper disposal of digital media containing
    sensitive research data
  • Sharing passwords and/or system access codes
  • Unauthorized release of sensitive research data
    or product information, on or off the campus

4
Adverse Impact of Poor Research Data Security
  • Increased legal liability
  • Loss of revenue, grants, gifts, and donations
  • Loss of data, information resources related
    assets, and productivity
  • Injury to Researcher and UT Institution
    reputation, bad publicity
  • Loss of public trust
  • Default on project(s)
  • Increased regulation, sanctions and/or
    legislation

5
Our challenge is to safeguard Research Data while
meeting the requirements of
  • Federal research grants,
  • Regulations related to the Responsible Conduct of
    Research
  • Scientific journals.

6
Policy Objectives
  • Protect the confidentiality and integrity of
    research data without creating unjustified
    obstacles to the conduct of research activities
  • Establish accountability
  • Identify sensitive research data based on Risk
  • Protect confidentiality and integrity of research
    data in accordance with each UT institution's
    Security Plan and with UTS165

7
Guiding Tenets
  • Research is all about collaboration,
    collaborative evaluation, peer review, and
    exchange of data: sharing!!
  • But
  • Is all research data equal? Or equally important?

8
Guiding Tenets
  • Certain research data should not be disclosed
    (shared),
  • Research data should be correct, and
  • Research data should be available when needed.

9
Vocabulary
  • Sensitive Digital Research Data: Digital Research
    Data for which there is a demonstrated need for the
    Researcher and UT Institution to
  • Document the integrity of that Digital Research
    Data (i.e., that the data has not been altered by
    either intent or accident),
  • Restrict and document individuals with access to
    that Digital Research Data,
  • Ensure appropriate backup and retention of that
    Digital Research Data, and
  • If applicable, comply with Federal or State law.

10
Vocabulary
  • Digital Research Data: The subset of Research
    Data that is transmitted by, or maintained in,
    electronic media.

11
Vocabulary
  • Research Data: Recorded information, regardless
    of the form or media in which it may be recorded,
    which constitutes the original observations and
    methods of a study and the analyses of such
    original data that are necessary to support
    Research activities and validate Research
    findings. Research Data may include, but is not
    limited to, printed records, observations and
    notes, electronic data, video and audio records,
    photographs and negatives, etc.

12
Vocabulary
  • Research: Systematic investigation designed to
    develop and contribute to knowledge; may
    include all stages of development, testing and
    evaluation.
  • Researcher: Lead Researchers, faculty, staff,
    students, postdoctoral fellows, residents and
    visiting/affiliated scientists who are engaged in
    or responsible for Research activities.

13
Policy Components
14
Available Resources
UTHSCH Policies and Procedures
  • UT System Policy (UTS165)
  • Handbook of Operating Procedures (HOOP) Chapter
    17
  • Information Security Procedures

15
1. Accountability
16
Roles and Responsibilities
  • Each Lead Researcher is responsible for
    implementing UTS165 for all Digital Research
    Data that is under that Lead Researcher's
    control.
  • Researchers and all others who assist in the
    Research performed at a UT Institution will
    comply with UTS165 and protect Sensitive
    Digital Research Data with security safeguards.
  • Internal Audit, or a similar function, will
    monitor the implementation of and compliance with
    the provisions of this UTS Policy at UT
    Institutions.
  • Information Security, or a similar function,
    shall provide support, guidance and problem
    resolution to the UT Institution's Lead
    Researchers and Researchers with respect to
    UTS165 and the Institution's applicable policies
    and procedures.

17
2. Data Classification
  • Understand the importance of Digital Research
    Data and protect it accordingly!

18
Identify and Classify Sensitive Digital Research
Data
  • Identify and classify Digital Research Data into
    sensitive and non-sensitive based on risk
  • Do decisions based on risk require formal Risk
    Assessments?
  • Not necessarily.
  • Lead researchers should work with their
    Institution's Information Security staff, or
    similar function, to ensure the use of applicable
    data classification standards as outlined in
    institutional policies and/or in the federal
    guidelines for the responsible conduct of
    Research.

19
Identify and Classify Sensitive Digital Research
Data
  • A good Rule of Thumb is to identify
    Digital Research Data for which one or more of
    the following are REQUIRED
  • Need for Confidentiality
  • Need for Integrity
  • Need for Availability

20
Identify and Classify Sensitive Digital Research
Data
  • In other words:
  • Digital Research Data for which there is a
    demonstrated need for the Researcher and
    Institution to
  • Document the integrity of that Digital Research
    Data (i.e., that the data has not been altered by
    either intent or accident),
  • Restrict and document individuals with access to
    that Digital Research Data,
  • Ensure appropriate backup and retention of that
    Digital Research Data, and
  • If applicable, comply with Federal or State law.
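The bullets "document the integrity" and "restrict and document individuals with access" (here and in the Vocabulary definition on slide 9) describe a practice the deck does not show how to carry out. The following is an added example, not part of the UTS165 presentation or of any UT System tooling: it builds a SHA-256 manifest over a dataset directory, seals the manifest with an HMAC under a key that is kept off the data system, and later re-verifies the directory, reporting files that were modified, are missing, or were added. The directory layout, file names and key are constructed for the walkthrough; the escrow key would in practice be held by Information Security, as slide 27 suggests for encryption keys.

```python
"""Hash manifest for documenting the integrity of a research dataset.

Added example, not from the UTS165 deck. Standard library only.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

HASH_ALG = "sha256"
CHUNK = 1 << 20          # hash in 1 MiB chunks so large files are not read into memory
MANIFEST_NAME = "MANIFEST.json"


def file_digest(path: Path) -> str:
    h = hashlib.new(HASH_ALG)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its digest."""
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            files[p.relative_to(root).as_posix()] = file_digest(p)
    return {"algorithm": HASH_ALG, "files": files}


def manifest_tag(manifest: dict, key: bytes) -> str:
    """HMAC over the canonical manifest. Whoever alters the data can also
    rewrite a manifest that sits next to it, so the tag (or a copy of the
    manifest) is kept with Information Security, not on the data system."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, HASH_ALG).hexdigest()


def verify_manifest(root: Path, manifest: dict, tag: str, key: bytes) -> dict:
    """Check the manifest's seal first, then diff the directory against it."""
    if not hmac.compare_digest(manifest_tag(manifest, key), tag):
        return {"manifest_tampered": True, "modified": [], "missing": [], "added": []}
    expected = manifest["files"]
    current = build_manifest(root)["files"]
    return {
        "manifest_tampered": False,
        "modified": sorted(f for f in expected if f in current and current[f] != expected[f]),
        "missing": sorted(f for f in expected if f not in current),
        "added": sorted(f for f in current if f not in expected),
    }


def demo() -> dict:
    """Constructed walkthrough: seal a dataset, tamper with it, verify."""
    key = b"escrowed-with-information-security"   # hypothetical; a real key is random
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "raw").mkdir()
        (root / "raw" / "subject01.csv").write_text("id,value\n1,42\n")
        (root / "notes.txt").write_text("baseline observations\n")
        manifest = build_manifest(root)
        tag = manifest_tag(manifest, key)
        (root / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
        # Later: one value edited, one file deleted, one file dropped in.
        (root / "raw" / "subject01.csv").write_text("id,value\n1,43\n")
        (root / "notes.txt").unlink()
        (root / "extra.bin").write_bytes(b"\x00" * 16)
        stored = json.loads((root / MANIFEST_NAME).read_text())
        return verify_manifest(root, stored, tag, key)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Re-run `build_manifest` and `verify_manifest` at each milestone (data collection closed, analysis frozen, manuscript submitted) and keep the tag with the lab's access register; together they give an auditor the "who could change it, and did anything change" record the definition asks for.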

21
3. Access Control
Protect Sensitive Digital Research Data from
casual viewing by others.
22
Who Can See What
  • Lead Researchers should manage and monitor
    access to Sensitive Digital Research Data under
    their control based on sensitivity and risk and
    should secure it appropriately
  • For example
  • Provide access to Sensitive Digital Research Data
    on a need to know basis.
  • When possible, use the identity credentials
    issued by the UT Institution and its Access
    Management procedures to provide access to computer
    systems, databases, web applications, etc.
  • Review security logs at least weekly.
  • Use a Virtual Private Network (VPN) or Terminal
    Services for secure remote access to the UT
    institution's computer systems when access is
    required from off-campus.
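"Review security logs at least weekly" is easier to honour when a script turns the week's access records into a short findings list that the Lead Researcher can actually read. The following is an added example, not part of the UTS165 presentation or of any UT institution's tooling. The log line format, the dataset name "study-42", the access register and the campus and VPN address ranges are all constructed for illustration; point the regular expression and the ranges at what your file server, database or web application really logs. It checks the three things this slide asks for: access by someone not on the need-to-know register, off-campus access that did not come through the VPN, and repeated denials that suggest someone probing.

```python
"""Weekly access-log review for a Sensitive Digital Research Data share.

Added example, not from the UTS165 deck. Standard library only.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Documented need-to-know register for each dataset (constructed).
ACCESS_REGISTER = {"study-42": {"jsmith", "rpatel"}}
# Campus and VPN address ranges (constructed; substitute your institution's).
CAMPUS_NETS = [ipaddress.ip_network("10.0.0.0/8")]
VPN_NETS = [ipaddress.ip_network("172.16.0.0/12")]

# Hypothetical log format; adapt to the real source.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>ALLOW|DENY) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dataset=(?P<dataset>\S+) op=(?P<op>\S+)$"
)

# Constructed sample log lines for one week.
SAMPLE_LOG = """\
2024-03-04T09:12:01 ALLOW user=jsmith src=10.20.1.15 dataset=study-42 op=read
2024-03-04T22:40:13 ALLOW user=tgarcia src=10.20.1.90 dataset=study-42 op=read
2024-03-05T03:15:44 ALLOW user=rpatel src=203.0.113.8 dataset=study-42 op=read
2024-03-05T03:16:02 ALLOW user=rpatel src=172.16.4.2 dataset=study-42 op=write
2024-03-06T11:00:00 DENY user=guest src=198.51.100.7 dataset=study-42 op=read
2024-03-06T11:00:05 DENY user=guest src=198.51.100.7 dataset=study-42 op=read
2024-03-06T11:00:09 DENY user=guest src=198.51.100.7 dataset=study-42 op=read
2024-03-06T11:00:14 DENY user=guest src=198.51.100.7 dataset=study-42 op=read
"""


def parse(line: str):
    """One log line -> dict with typed timestamp and address, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["src"] = ipaddress.ip_address(e["src"])
    return e


def in_nets(addr, nets) -> bool:
    return any(addr in n for n in nets)


def review(log_text: str, deny_threshold: int = 3,
           window: timedelta = timedelta(minutes=5)) -> list:
    """Return findings as (rule, user, detail) tuples for the week's log."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    findings = []
    denials = {}                       # (user, src) -> timestamps
    for e in events:
        if e["result"] == "ALLOW":
            if e["user"] not in ACCESS_REGISTER.get(e["dataset"], set()):
                findings.append(("not-on-access-register", e["user"],
                                 f"{e['op']} on {e['dataset']} at {e['ts']}"))
            if not (in_nets(e["src"], CAMPUS_NETS) or in_nets(e["src"], VPN_NETS)):
                findings.append(("off-campus-without-vpn", e["user"],
                                 f"from {e['src']} at {e['ts']}"))
        else:
            denials.setdefault((e["user"], e["src"]), []).append(e["ts"])
    for (user, src), stamps in denials.items():
        stamps.sort()
        # Sliding window: deny_threshold denials inside `window` is a probing pattern.
        for i in range(len(stamps) - deny_threshold + 1):
            if stamps[i + deny_threshold - 1] - stamps[i] <= window:
                findings.append(("repeated-denials", user,
                                 f"{len(stamps)} denials from {src}"))
                break
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(SAMPLE_LOG):
        print(f"{rule:24} {user:10} {detail}")
```

Each finding maps back to a slide 22 control: the register check is "need to know", the network check is "VPN or Terminal Services when off-campus", and the denial burst is the reason the logs are reviewed at all. A user who legitimately joined the project shows up as "not-on-access-register" until the register is updated, which is the point: the review forces the documented access list to match reality.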

23
Providing Access to Third Parties
  • When
  • third parties act as an agent of, or otherwise on
    behalf of, UT Institutions (e.g., an application
    service provider),
  • and if
  • based on risk, the Lead Researcher determines
    that providing a third party with access to
    Sensitive Digital Research Data will or can result
    in a significant risk to the confidentiality and
    integrity of such data,
  • Then
  • The UT Institution must enter into a written
    agreement with the third party that includes
    terms and conditions that protect the
    confidentiality and integrity of the Sensitive
    Digital Research Data as required by this UTS
    Policy.
  • The agreement must require the third party to use
    appropriate administrative, physical, and
    technical safeguards to protect the
    confidentiality and integrity of the Sensitive
    Digital Research Data that it obtains from the UT
    Institution.

24
4. Security Safeguards
Keep people away from your equipment and
Sensitive Digital Research Data.
25
Protect Sensitive Digital Research Data
  • Sensitive Digital Research Data shall be
    secured in accordance with the UT Institution's
    security plan and with UTS165.
  • The following is a representative checklist:
  • Use anti-virus and firewall software,
  • Regularly or automatically upgrade and patch
    operating systems (and the applications on them),
  • Back up Sensitive Research Data regularly and
    test that it can be reliably restored, and...

26
Protect Sensitive Digital Research Data
  • Sensitive Digital Research Data should only be
    stored on institutional or personal computers or
    other electronic devices (e.g., laptop, hand-held
    device, flash drives, or other portable devices)
    that
  • are secured against unauthorized access in
    accordance with UTS165, and
  • would not compromise Research efforts if lost or
    destroyed,
  • unless otherwise required by federal or state law
    or regulation (such as HIPAA).

27
When to Use Encryption?
  • To protect the security of Sensitive Digital
    Research Data during electronic communications or
    transmissions
  • Use SFTP (the SSH File Transfer Protocol) rather
    than plain FTP,
  • Use encrypted email,
  • Do not use non-UT email accounts (e.g. Yahoo,
    Hotmail),
  • As required by the UT Institution's Encryption
    Guidelines.
  • If data is encrypted, ensure that Information
    Security assists with the secure escrow of the
    encryption keys, so that the data can still be
    recovered when the key holder is unavailable or
    assistance is otherwise required.

28
Smart Media Discard
  • Discard electronic media (e.g., disks, tapes,
    hard drives, etc.) containing Sensitive Digital
    Research Data
  • in a manner that renders it unrecoverable, by
  • overwriting or securely erasing the electronic
    media so that it is unreadable or indecipherable
    (a quick reformat or ordinary file deletion only
    rewrites the filesystem metadata and leaves the
    contents recoverable), or
  • otherwise physically destroying the electronic
    media, and
  • in accordance with the applicable UT
    Institution's records retention schedule.
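The slide's first option is the one most often done wrong: a quick format rewrites the filesystem's metadata and leaves the file contents where they were for any carving tool. The following is an added example, not from the UTS165 deck or any UT tooling, that models this with an image file standing in for a drive: a record is written at an offset, "quick format" zeroes only the first 4 KiB, and "overwrite" rewrites every byte. The marker string, sizes and offsets are constructed; the raw-byte scan is the part that corresponds to what a recovery tool does.

```python
"""Why a quick reformat does not make Sensitive Digital Research Data unrecoverable.

Added example, not from the UTS165 deck. A plain file models the media.
"""
import os
import tempfile

MARKER = b"SENSITIVE-RESEARCH-RECORD-7f3a"   # constructed stand-in for a real record
MEDIA_SIZE = 1 << 20                        # 1 MiB "drive"
RECORD_OFFSET = 64 * 1024                   # where the filesystem happened to place the file
METADATA_REGION = 4096                      # the part a quick format rewrites
CHUNK = 64 * 1024


def make_media(path: str) -> None:
    """Blank media with one sensitive record stored partway through."""
    with open(path, "wb") as f:
        f.truncate(MEDIA_SIZE)
        f.seek(RECORD_OFFSET)
        f.write(MARKER)


def recoverable(path: str) -> int:
    """Scan the raw bytes for the record, as a carving tool would; the
    filesystem is irrelevant. The model is small enough to read at once."""
    with open(path, "rb") as f:
        return f.read().count(MARKER)


def quick_format(path: str) -> None:
    """Model of a quick format: only the metadata region at the start is rewritten."""
    with open(path, "r+b") as f:
        f.write(b"\0" * METADATA_REGION)


def overwrite_all(path: str) -> None:
    """Single-pass overwrite of every byte, then fsync so it reaches the media."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for off in range(0, size, CHUNK):
            f.write(b"\0" * min(CHUNK, size - off))
        f.flush()
        os.fsync(f.fileno())


def demo() -> tuple:
    """Returns (records recoverable after quick format, after full overwrite)."""
    with tempfile.TemporaryDirectory() as d:
        media = os.path.join(d, "media.img")
        make_media(media)
        quick_format(media)
        after_quick = recoverable(media)
        overwrite_all(media)
        after_full = recoverable(media)
    return after_quick, after_full


if __name__ == "__main__":
    q, f = demo()
    print(f"recoverable after quick format: {q}; after full overwrite: {f}")
```

For a real magnetic drive, a host-side overwrite of every sector is the NIST SP 800-88 "Clear" method; SSDs and flash media remap blocks the host cannot address, so overwriting from the host is not sufficient there, and the device's own sanitize or secure-erase command, cryptographic erase, or physical destruction (the slide's second option) is what makes the data unrecoverable.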

29
Don't Forget to Lock the Doors
  • Consult with the UT Institution Police
    Department on ways to physically protect
    access to research labs and offices.
  • Lock workstations or use password-protected
    screen savers when systems are left unattended.
  • Physically secure portable computers, devices and
    media containing Sensitive Digital Research Data
    if left unattended.
  • Consult with the UT Institution Environmental
    Health and Safety groups to prevent environmental
    hazards.

30
5. Training and Awareness
  • Encourage and nurture the growth of information
    resources security.

31
  • Heighten the awareness of those you deal with in
    the workplace
  • Encourage adherence to UTS165 and related
    policies and procedures
  • Ways to apply training
  • Comply with policy and procedures
  • Be a model that encourages others
  • Provide feedback
  • On security improvements in your workplace
  • On this training session

32
Parting Thoughts
  • Remember
  • Certain research data should not be disclosed
    (shared)
  • Classify Digital Research Data into sensitive and
    non-sensitive based on risk
  • Secure Sensitive Digital Research Data in
    accordance with the UT Institution's security
    plan and with UTS165.
  • Your reputation and career may depend on it.

33
Thank You