Security Plans for Restricted-Use Data

The costs associated with collecting research data in the United States and internationally are substantial, and as a result many funding agencies, such as the National Institutes of Health (NIH), now require recipients to make the data they collect available to the broader research community. Dissemination of research data can present challenges for the project staff charged with securing the sensitive data, especially on machines over which they have no administrative control.

The following example security plans employ the defense-in-depth security model and may be used to assist you in securing your sensitive data. In addition to the example security plans, there are forms that serve as a checklist to aid in assuring the data provider that you have implemented a security plan. For data that contain identifying information (e.g., names, addresses), one of the first three scenarios should be used (Stand-Alone Computer, External Hard Drive, or Private Network). For data that do not contain specific identifying information, but that are still susceptible to deductive disclosure, the remaining security plans may be used. Please note that these plans contain the basic steps that must be implemented. For more detailed security steps, see the specific Step-by-Step guides referenced in the Security Links section.

Below are a number of different locations where you might choose to store sensitive data: Stand-Alone Computer, External Hard Drive, Private Network, Windows Network, Mac Network, Windows Server, NetWare Server, and Unix or Linux Server. Please select the location you plan to use, then read "How to secure ..." to see the essential components of a good security plan for that location. The "Form to describe your security plan" for that location can often be submitted with data access contracts to provide documentation of your security plan (e.g., for users of the Add Health data).

Data stored on a stand-alone computer

A stand-alone computer is one that is in no way connected to another computer or networked device such as a switch, hub, or router.

Security plan form and information on how to secure a stand-alone computer

Data stored on an external hard drive

The external hard drive is a modified version of the stand-alone computer, in effect keeping your sensitive data off the Internet or a local area network (LAN).

Security plan form and information on how to secure an external hard drive

Data stored on a computer connected to a private network

A private network is two or more computers and/or network devices (e.g., printer, switch, hub, router) that are not connected in any way to the Internet or a LAN.

Security plan form and information on how to secure a computer connected to a private network

Data stored on a Windows computer connected to a network

A network is two or more computers and/or network devices (e.g., printer, switch, hub, router) connected to the Internet or a LAN.

Security plan form and information on how to secure a Windows computer connected to a network

Data stored on a Macintosh computer connected to a network

A network is two or more computers and/or network devices (e.g., printer, switch, hub, router) that are connected to the Internet or a LAN.

Security plan form and information on how to secure a Macintosh computer connected to a network

Data stored on a Windows server

Because the Windows server is connected to the Internet or to a local or wide area network, the emphasis for securing the data on this server is placed on physical security of the server, controlling access to the data, and protecting the data from unauthorized access across the wire.

Security plan form and information on how to secure a Windows server

Data stored on a NetWare server

Because the NetWare server is connected to the Internet or to a local or wide area network, the emphasis for securing the data on this server is placed on physical security of the server, controlling access to the data, and protecting the data from unauthorized access across the wire.

Security plan form and information on how to secure a NetWare server

Data stored on a Unix or Linux server

Guidelines for securing a server that is running a version of the Unix or Linux operating system.

Security plan form and information on how to secure a Unix or Linux server