Here is an accumulation of best practices for keeping research data secure. Please contact your IT department or Information Security Officer if you have any questions or needs.
Secure Storage Best Practices
- Do not expose research infrastructure to the Internet, including web servers, unless authorized.
- Use a “least privilege” philosophy and ensure that file system permissions prevent access to data by unauthorized users.
- Encrypt sensitive data transmitted over a network (e.g., use HTTPS, VPN, or encrypted files).
- Destroy data that is no longer needed, either by secure deletion or media shredding. This also includes backups and archives. Destroy sensitive data on systems or media that will be disposed of or sent in for repair.
- Data encryption transforms plain text files into a format that prevents unauthorized users from opening the files and reading the contents. There are two types of encryption that should be considered: data at rest, and data in transit. The former protects stored data while the latter protects data as they are being transmitted between parties over a public network. Unless otherwise specified, it is recommended that the highest level of data encryption be used, within the limits of availability and feasibility. Contact your IT representative for assistance.
- Use of centrally provided research computing systems is required unless otherwise excepted by University IT.
- The Secure4 Research Cluster is a secured computational research cluster that hosts data falling within the DCL4 classification per University guidelines. Requests to use the Secure4 Research Cluster must be emailed to firstname.lastname@example.org and should be sent by the primary PI. Projects must be IRB approved (although exceptions may be made on a per-project basis). All projects will be processed according to the specific requirements and processes of the data repository.
- Data classification requirements must be followed for all server administration.
- All servers must be housed in data centers managed by the University IT department. For servers that have been approved to be outside of central data centers, restrict physical access to all servers, network hardware, storage arrays, firewalls and backup media to only those people required for efficient operations. Simply follow least privilege rules.
Commercial Cloud Services
- Only use cloud services that have been approved for use by the University IT department.
- Cloud services approved by the University may be used to store all classifications of data according to the University’s Data Classification System; however, users must obtain permission from their information security officer before storing any data classified as DCL4.
- Use two-factor authentication when available. Also use passwords that meet password standards.
- Devices must require a password that meets or exceeds password policy.
- Users should avoid keeping research data on devices when possible.
- Encrypt sensitive data including data on laptops, smartphones, tablets, or other devices.
- Encrypt the drives themselves when practical.
- Ensure all software is patched and up to date. Also, make sure your anti-virus signatures are updated.
- Immediately report any lost/stolen devices to your IT Professionals.
Portable Media (USB Drives, DVDs, etc.)
- Consider using encryption to limit access to portable media.
- Confidential or restricted data should not be stored on portable media.
- Data that are in hard copy or reside on portable media should be treated as though they were cash, with appropriate controls in place. Such media must be encrypted and stored in a secured, locked facility, with access granted to the minimum number of individuals required to efficiently carry out the research.
Travel/Foreign Data Storage
- Set the device to require a passcode.
- Enable GPS tracking functionality so that a stolen device may be tracked.
- If your smartphone or tablet is configured to connect to the University email system, notify the central IT department's security team in the event of theft. The device may be able to be wiped remotely.
- Use a departmental loaner laptop containing no sensitive information in lieu of taking a personal or University-owned device that contains any type of sensitive or restricted data.
- Encryption is recommended in all cases. It is required for computers containing DCL4 data. U.S. laws and regulations may limit your ability to travel internationally with export controlled data, even when encrypted. In addition, it is illegal to take encrypted devices to certain countries, which may result in the confiscation of devices. Check with the UM Export Control Office (email@example.com) prior to travel.
- Avoid connecting to public Wi-Fi and use the University's VPN when possible to secure network data.
- Researchers should be aware of local laws regarding the legal status of confidential research information that could be confiscated by police, customs agents or other government officials. Confidential or proprietary research information may also be subject to export control regulations; check with the UM Export Control Office (firstname.lastname@example.org) prior to travel.
- Personally identifiable information (e.g., IP addresses, PHI) must be kept separate from the data.
Paper Records (e.g., consent forms, data files, medical records, etc.)
Paper files related to human subjects' participation in research must be securely stored on campus. Access to files should be restricted to key personnel and supervised by the principal investigator(s) of the study. Locked file cabinets ought to be used and preferably located in secured locations (i.e., a locked office or laboratory). In the event that research activities are not carried out on campus AND it is necessary to maintain the consent forms at the research site, copies of the signed consent forms should also be stored in a secure University location (either as a paper copy or in digital form).