Educause Security Discussion mailing list archives

Re: research data security


From: "Bowden, Zeb" <zbowden () VT EDU>
Date: Thu, 18 Feb 2010 16:51:26 -0500

One way that we've [sort of] done this is to follow the NIST guidelines (NIST 800-18 w/ support from 800-53) in 
developing an IT Security Plan for our computing environment. We were actually driven to do this by NIH after being 
awarded a large contract, however it was something that needed to be done anyway and had a lot of positive 
benefits/side-effects. One of those benefits, at least in our case, was clearly defining the controls that we have in 
place to protect data of all sorts - but primarily research data. Similar to what Doug said, we tried not to separate 
research from enterprise data.

Then, if you wanted to take it to the next level to deal with really sensitive data (HIPAA protected data/ePHI for 
instance), you can just build out your controls/plan a little further. There's even a guide for that - NIST 800-66. 
Part of what that will entail, at least in my interpretation, is internal and external review of the 
controls/protocols. They wouldn't necessarily look at specific cases like an IRB might, but they would ensure that what 
you say you're doing to protect the data is sufficient. 

I'm not sure if HIPAA is a concern to you or not, but if it is I think http://hipaa.yale.edu/security/ & 
http://rtinfo.indiana.edu/aitc/serv-tab.shtml are good examples of organizations that have done this well (there are 
probably plenty of other good ones as well). Even if you're not interested in HIPAA I think a lot of the ideas are 
applicable to protecting data in general ... or even more generically, to protecting resources.

Zeb Bowden 
Associate Director, Core Computational Facility 
Virginia Bioinformatics Institute

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Doug 
Markiewicz
Sent: Thursday, February 18, 2010 1:55 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] research data security

We've made some inroads on this front.  We were recently involved in a research project where export control was a 
concern.  Through our relationships with the IT staff in that college and with our Office of Sponsored Programs, we 
were able to incorporate our data protection framework into the technology control plan for that project.  It was a 
success story both from the standpoint that it was one of the first applications of our relatively new framework in a 
research area and from the standpoint that an IT group that has historically operated independently was interested in 
partnering with us.  With that being said, we've not conducted an assessment to see how effectively they've implemented 
their controls, but it's a start.  I think over the long haul, our relationship with the Office of Sponsored Programs 
will be important since they probably carry more weight than we do in the research arena.

Related to whether research should have a separate "protocol" for safeguarding data, our strategy is to build a single 
"protocol" that works for enterprise and research data.  I think one of the bigger challenges we've seen is laying out 
roles and responsibilities so that they work effectively in both areas.  The data steward/custodian roles and 
responsibilities we've developed work fine in business units but start to break down in colleges and amongst faculty.  
Over time, we will hopefully get that sorted out though.

Cheers!

Doug


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv 
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steve Brukbacher
Sent: Thursday, February 18, 2010 11:30 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] research data security

Hi,
I'm trying to get my arms around our research data security situation 
at our institution.  I'm fairly convinced we need a separate "protocol" for 
research data security, just like we all have an IRB requirement, 
requirements for animal care, etc.

I know some will reply that this should "happen" in the IRB process, 
but unfortunately, a lot of data security detail is beyond the scope 
of what an IRB is tasked with doing.

So my question is, does anyone feel like they have a success story to 
share in ensuring that researchers using data with high 
confidentiality requirements meet some sort of security standards?


--
Steve Brukbacher, CISSP
University of Wisconsin Milwaukee
Information Security Architect
UWM Computer Security Web Site
www.security.uwm.edu
Phone: 414.229.2224
