Educause Security Discussion mailing list archives
Re: research data security
From: "Bowden, Zeb" <zbowden () VT EDU>
Date: Thu, 18 Feb 2010 16:51:26 -0500
One way that we've [sort of] done this is to follow the NIST guidelines (NIST 800-18 w/ support from 800-53) in developing an IT Security Plan for our computing environment. We were actually driven to do this by NIH after being awarded a large contract; however, it was something that needed to be done anyway and had a lot of positive benefits/side-effects. One of those benefits, at least in our case, was clearly defining the controls that we have in place to protect data of all sorts - but primarily research data. Similar to what Doug said, we tried not to separate research from enterprise data.

Then if you wanted to take it to the next level to deal with really sensitive data (HIPAA protected data/ePHI for instance), you can just build out your controls/plan a little further. There's even a guide for that - NIST 800-66. Part of what that will entail, at least in my interpretation, is internal and external review of the controls/protocols. They wouldn't necessarily look at specific cases like an IRB might, but they would ensure that what you say you're doing to protect the data is sufficient.

I'm not sure if HIPAA is a concern to you or not, but if it is I think http://hipaa.yale.edu/security/ & http://rtinfo.indiana.edu/aitc/serv-tab.shtml are good examples of organizations that have done this well (there are probably plenty of other good ones as well). Even if you're not interested in HIPAA, I think a lot of the ideas are applicable to protecting data in general ... or even more generically, to protecting resources.

Zeb Bowden
Associate Director, Core Computational Facility
Virginia Bioinformatics Institute

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Doug Markiewicz
Sent: Thursday, February 18, 2010 1:55 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] research data security

We've made some inroads on this front. We were recently involved in a research project where export control was a concern. Through our relationships with the IT staff in that college and with our Office of Sponsored Programs, we were able to incorporate our data protection framework into the technology control plan for that project. It was a success story both from the standpoint that it was one of the first applications of our relatively new framework in a research area and from the standpoint that an IT group that has historically operated independently was interested in partnering with us. With that being said, we've not conducted an assessment to see how effectively they've implemented their controls, but it's a start. I think over the long haul, our relationship with the Office of Sponsored Programs will be important since they probably carry more weight than we do in the research arena.

Related to whether research should have a separate "protocol" for safeguarding data, our strategy is to build a single "protocol" that works for enterprise and research data. I think one of the bigger challenges we've seen is laying out roles and responsibilities so that they work effectively in both areas. The data steward/custodian roles and responsibilities we've developed work fine in business units but start to break down in colleges and amongst faculty. Over time, we will hopefully get that sorted out though.

Cheers!
Doug

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steve Brukbacher
Sent: Thursday, February 18, 2010 11:30 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] research data security

Hi,

I'm trying to get my arms around our research data security situation at our institution. I'm fairly convinced we need a separate "protocol" for research data security, just like we all have an IRB requirement, requirements for animal care, etc. I know some will reply that this should "happen" in the IRB process, but unfortunately, a lot of data security detail is beyond the scope of what an IRB is tasked with doing.

So my question is, does anyone feel like they have a success story to share in ensuring that researchers using data with high confidentiality requirements meet some sort of security standards?

--
Steve Brukbacher, CISSP
University of Wisconsin Milwaukee
Information Security Architect
UWM Computer Security Web Site
www.security.uwm.edu
Phone: 414.229.2224
Current thread:
- research data security Steve Brukbacher (Feb 18)
- <Possible follow-ups>
- Re: research data security Tracy Mitrano (Feb 18)
- Re: research data security Gary Dobbins (Feb 18)
- Re: research data security STEVE MAGRIBY (Feb 18)
- Re: research data security Doug Markiewicz (Feb 18)
- Re: research data security Bowden, Zeb (Feb 18)