Security Plans for Restricted-Use Data
The costs associated with collecting research data in the United States and internationally are substantial, resulting in many funding agencies, such as the National Institutes of Health (NIH), now requiring recipients to make the data they collect available to the broader research community. Dissemination of research data can present challenges for the project staff charged with securing the sensitive data, especially on machines over which they have no administrative control.
The following example security plans employ the defense-in-depth security model and may be used to help you secure your sensitive data. Each example plan is accompanied by a form that serves as a checklist, helping you assure the data provider that you have implemented a security plan. For data that contain identifying information (e.g., names, addresses), one of the following scenarios should be used: Stand-Alone Computer, External Hard Drive, Windows Terminal Server, or Linux Compute Server. For data that do not contain specific identifying information but that are still susceptible to deductive disclosure, the remaining security plans may be used. Please note that these plans contain only the basic steps that must be implemented; for more detailed security steps, see the specific Step-by-Step guides referenced in the Security Links section.
Below are the locations where you might choose to store sensitive data: Stand-Alone Computer, External Hard Drive, Windows or Macintosh Computer, Windows File Server, Windows Terminal Server, Linux SAMBA server, and Unix or Linux Compute Server. Select the location you plan to use, then read "How to secure ..." to see the essential components of a good security plan for that location. The "Form to describe your security plan" for that location can often be submitted with data access contracts as documentation of your security plan.
Data stored on a stand-alone computer
A stand-alone computer is one that is in no way connected to another computer or networked device such as a switch, hub, or router.
Data stored on an encrypted external hard drive
Data stored on a Windows or a Macintosh computer connected to a network
A network is two or more computers and/or network devices (e.g., printer, switch, hub, router) connected to the Internet or a LAN. This plan is typically used when you want to put your data on the computer you use for all of your other work throughout the day.
Data stored on a Server
A server can be used as a File Server (files reside on the server but are served to the user's computer over the network) or as a Compute Server (files are stored on the server and all processing of the data files is done on the server; data files are not served to the user's computer over the network).