Re: Security of Research Data

[Brad Judy <Brad.Judy () COLORADO EDU>]

Since Jim (my auditor) seems to follow me around these lists, I'll take
this chance to follow him.  :-)
 
One thing we're doing on our campus is having a discussion with the
Human Research Committee (they oversee human subject research) on how
human subject research data should fit into our data classification
definitions and policies.  I expect that most research campuses have
something similar to our HRC, at least for human subject work.  When it
comes to human subject research data, I think it makes sense to see
where it fits into existing policies for PII on your campus.
 
I'm also putting the topic of research espionage/theft in the campus IT
threat model I'm developing.  I have yet to dive into this topic much,
but I expect it to be of concern to researchers in highly competitive
fields and/or research in particular topics.
 
Of course, this is the tip of the iceberg when it comes to the topic of
research data security, but I think those are the right places to start
(critical issue of research that might include personal information and
general threat modeling).  I'm sure we'll get into other aspects of
research security and I'm interested to see the responses from others.  
 
Don't forget to check on the security requirements included in the
grant(s) or agreements with funding sources.  Some grants may have very
specific security requirements to satisfy.  
 
Brad Judy
 
IT Security Office
Information Technology Services
University of Colorado at Boulder
 


  _____  

From: Jim Dillon [mailto:Jim.Dillon () CUSYS EDU] 
Sent: Friday, September 01, 2006 9:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security of Research Data


We are creating standards for Fiscal Responsibility much like one would
find in a SOX implementation and are requiring financial principals to
sign off throughout the university on their areas.  Similarly we are
creating new IT policies that make it clear that those implementing IT
systems will be held accountable for the protection and effectiveness of
those systems.  How this works out is yet to be seen, but rather than
hide this responsibility by simply assigning campus chancellors, we are
now carrying the message to the scores of principals that they can no
longer pretend the responsibility lies elsewhere.  Some services are
being deployed as well, but I expect there will continue to be a gap
between expectation and performance for some time, but by forcing
periodic assessments and signature affirmations we ought to at least be
creating a human cry around the gap areas that may lead to some new
funding priorities.
 
That's my interpretation of the process, not the way the U would
characterize it - Openness and Sox like Transparency would be the more
official motto.  If it is to work it will have to result in the
consequences I alluded to I think, but these are my opinions, not that
of the U.
 
There are a lot of uncomfortable financial principals I hear.  It will
be interesting to see how this works its way out and if there is the
institutional will to pursue openness and truthfulness in those
assertions of compliance and responsibility.
 
This of course includes grants and contract areas, aka research
principals/PIs and the like.
 
JD
 
 
*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************
 
 
 

  _____  

From: Crawford, Tim M. [mailto:tcrawford () GSB STANFORD EDU] 
Sent: Thursday, August 31, 2006 4:53 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security of Research Data


I'm curious to know what strategies others use to address research data.
Is this something that you're addressing today? If so, how do you
identify and protect accordingly?
 
Regards,
 
Tim
 
______________________________________
Tim M. Crawford
Associate Director, IT Operations
Stanford Graduate School of Business
650.724.2447
 <blocked::mailto:tcrawford () gsb stanford edu> tcrawford () gsb stanford edu