Educause Security Discussion mailing list archives

Re: research data security


From: Steve Brukbacher <sab2 () UWM EDU>
Date: Wed, 4 Nov 2009 15:19:51 -0600

Thanks for the reply.  I recently had an RFI out for a GRC product.
Didn't get anything from Archer unfortunately.

Our vision is to purchase a HIPAA module for a GRC product, similar to
what you are talking about.

So what do you get for your subscription to HI Trust?

Conceptually, my goal has been to do what you are talking about.
Funding it is turning out to be another matter entirely, but it is very
comforting to hear that this is working for someone else.

--
Steve Brukbacher, CISSP
University of Wisconsin Milwaukee
Information Security Architect
UWM Computer Security Web Site
www.security.uwm.edu
Phone: 414.229.2224
Chris Kidd wrote:
Steve,

We are embarking on a similar effort with the IRB, but are also pulling in the Office of Sponsored Projects. We're using the HI Trust Alliance Common Security Framework (anyone else using that?) with Archer. Our initial thoughts are that the inherent/residual risk questionnaires would become a part of the research and grant application processes.

Let me know what you come up with.

Chris

Chris Kidd
Chief Information Security and Privacy Officer
The University of Utah
650 Komas Drive, Suite 102
Salt Lake City, UT 84108
Office: 801.587.9241
Cell: 801.747.9028
chris.kidd () utah edu

http://www.secureit.utah.edu


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steve Brukbacher
Sent: Wednesday, November 04, 2009 1:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] research data security

Hi,
I'm working on my strategy for working with our researchers.  We are
beginning to work more formally with researchers as part of the IRB
process.

The variety of their work is great. Everything from one-on-one
interviews going into an Access database all the way to much larger
web-based survey instruments that will need to handle PHI.

What I'm wondering is how are other institutions handling these
situations?  Do you do a risk assessment/security planning engagement
with each of them?  Is it left up to departmental IT staff?

Any tips for managing the workload on these?

Anyone have checklists that have been useful in getting the basics taken
care of?
