Information Security Reviews for Research Projects: A Primer
By: Natascha Shawver, Ray Phillips, and Amanda Winegarden, Security Risk Analysts for University Information Security
University Information Security (UIS) is no stranger to a multitude of consultation requests from the research community about data and system security. An ever-changing landscape of legal, regulatory, and contractual requirements regarding the security of research data makes it a daunting task for security and technology professionals and researchers alike to ensure sensitive research data is secured appropriately.
UIS professionals and partners across the University like the Sponsored Projects Administration (SPA), the Office of General Counsel (OGC), and compliance officers are here to help navigate these challenges. It is the responsibility of Principal Investigators and researchers to engage these parties early on and with as much information as can be provided to facilitate a comprehensive and timely security review. While only some projects necessitate a security review, it’s always important to:
- Know your data, who owns it and who will handle it: For any review, it is important to know what types of data you are going to handle (e.g. sensitive health information, export-controlled information, or information that if lost could cause damage to the institution), how much of it you will be handling, and who will have access to it.
- Know your obligations: What are the stipulations for data security and compute environments you intend to use, e.g. in your grant award? Specifics matter, e.g. requirements surrounding encryption.
- Know your use cases: Will the data only be stored on one device, or do you intend to exchange data with peers on a regular basis? Will you need a lot of storage, or a lot of compute power? Will you be using equipment purchased with grant money?
- Collect all information security related documentation for review: Be sure to include any requirements you are already aware of, and any procedures that you already have documented in your consultation request. Be prepared to describe the whole project at a high level, in particular how data is handled, stored, processed and transmitted.
- Familiarize yourself with the arcane language of security frameworks and compliance: Most of us know what HIPAA, FERPA, FISMA and other common legal requirements are by now. As federal agencies and private companies shore up their own security efforts, you may encounter terms you have not been familiar with thus far. For example, the Department of Defense may ask you to comply with NIST SP 800-171, an information security framework designed to protect CUI (Controlled Unclassified Information).
- Ask for help early: Security reviews can become lengthy depending on the scope of the project. Submit your request to the UIS Risk team at [email protected] for review.