Introduction
KU’s Information Technology department conducted a data security audit in 2019 which resulted in three recommendations: 1) for all KUSSW employees to complete the required annual security training; 2) development of a data inventory for the School; and 3) annual updating of said data inventory. In response, the Research Office at KUSSW has worked with KUSSW IT to initiate a data inventory with annual updates, established a location within Twente (Rm 12) for hard file data storage, and created this guide to disseminate information regarding data security to all of those who deal with research data within the School. We also recently moved all REDCap hosting to KUSSW to allow our researchers to continue to use this valuable service.
A big part of our continued data security success depends on you doing a few things annually:
1. Take the data security trainings through KU IT online (pg. 3)
2. Comply with updating your data inventory annually (pg. 5)
3. Report any and all issues to the IRB as soon as they happen
4. Everyone on a project should be aware of the data they have and have access to
Of special note: For data retention on funded grants, ALL documents must be retained for 5 YEARS after the final payment. This policy is only to be overruled if your grant requires documents be held for longer (pg. 6). The first place you should always check is your grant contract, which outlines the data security plan you created for your project, in addition to your IRB application with the University. Remember that a contract is legally binding and it’s extremely important to adhere to the data plan you originally created, or work with your sponsor to amend the plan, if needed.
We hope you find this guide helpful.
Please direct any questions about data security to:
Associate Dean for Research Amy Mendenhall: amendenhall@ku.edu
KUSSW IT Director Todd Isaac: toddi@ku.edu
KUSSW Research Office: kusswro@ku.edu
University of Kansas School of Social Welfare
Research Data Security: 2019
Table of Contents
Introduction ... 1
Security Awareness ... 3
  Step 1: Complete Your Annual KU IT Security Awareness Training ... 3
  Step 2: Conduct a Data Inventory with KUSSW IT ... 3
  Step 3: Understand How Data Security Works at KU ... 3
  Step 4: Easy & Obvious Ways to Protect Your Data ... 3
  Data Classifications @ KU ... 4
Data Inventory ... 5
  Conducting a Data Inventory ... 5
  HIPAA-Compliant Databases: REDCap & Qualtrics ... 5
  Encrypted Email at KUSSW ... 5
Data Retention ... 6
  Records Retention Schedule for Grant Data at KU ... 6
  Saving Grant Data Until It Can Be Destroyed ... 6
Data Security Contacts @ KU ... 7
Appendices ... 8
  Appendix A: Research Data Management @ KU ... 8
  Appendix B: Selections from KU Policy Library’s Data Classification & Handling Procedures Guide ... 9
  Appendix C: Selections from KU IT Security’s Protecting KU Data ... 13
  Appendix D: Research Security Basics from KU IT Security ... 14
Forms ... 15
atwoodj | S:\Research\Research Office\7. Data Secuity\Research Data Security FINAL.docx
PG 2
Security Awareness
Step 1: Complete Your Annual KU IT Security Awareness Training
All KU faculty and staff are required annually to complete the IT Security Awareness Training Course in KU's Talent Development System. Please note there are times when newer employees don’t have access to this right away. If you find you don’t have access, keep checking back. Take the course: IT Security Awareness Training Course
Step 2: Conduct a Data Inventory with KUSSW IT
More information on this step on page 5. The KUSSW IT director will check in with all PIs annually in the fall (with a check-in in the spring).
Step 3: Understand How Data Security Works at KU
To maintain privacy and data security at KU, you are required to handle data and information properly. This includes:
• Understanding what type of data is sensitive
• Following proper handling procedures to maintain privacy
• Keeping physical areas secure
• Protecting mobile devices that are easily lost or stolen
Step 4: Easy & Obvious Ways to Protect Your Data
• Don’t leave data sitting out on desks
• Lock filing cabinets and offices
• Ensure students are properly trained
• Don’t use the same passwords for everything or share your passwords
• Keep file cabinets with sensitive data locked
• Keep your computer locked when not in your office
Data Classifications @ KU
The KU Data Classification & Handling Policy details three levels of data and the security protections required for the handling of data at each level. All KU employees are responsible for classifying and handling data according to the policy. Below is an excerpt from the policy describing three data classification levels:
Level III – Public Information
Protection: Proceed with Awareness
Low requirement for confidentiality (information is public) and/or low or insignificant risk of financial loss, legal liability, public distrust or harm if this data is disclosed.
Examples include: university directory information, as defined by the Student Records Policy; blogs; web pages; course offerings; annual reports
Level II – Sensitive Information
Protection: Be Very Cautious
Moderate requirement for confidentiality and/or moderate or limited risk of financial loss, legal liability or public distrust or harm if this data is disclosed.
Examples include: audit reports; email addresses that are not a public record; other grants and contracts (not included above); competitive business information; system security information such as firewall rules and hardening procedures; security incident information
Level I – Confidential Information
Protection – Stop! Special care is required
High risk of significant financial loss, legal liability, public distrust or harm if this data is disclosed.
Examples include (not an all-inclusive list):
1. Data protected by HIPAA (health information)
2. Data protected by FERPA (student information including grades, exams, rosters, official correspondence, financial aid, scholarship records, etc.)
3. Data protected by GLB (financial information)
4. Data subject to PCI (credit or payment card industry) standards
5. Data subject to other Federal or state confidentiality laws
6. Donor or prospect information
7. Passwords and PINs
8. Personally Identifiable Information (“PII”)
9. Personnel data
10. Individually identifiable information created and collected by research projects
11. Certain research data with National Security implications
12. Data subject to protection pursuant to non-disclosure agreements
13. Audit working papers
14. Data protected by attorney/client privilege
15. Email covering topics listed above
**More on protecting research data can be found in Appendices A-D.
Data Inventory
Conducting a Data Inventory
After the Annual Internal Audit Risk Assessment, a couple of recommendations were made to the School. One was that the School should conduct a yearly data inventory and develop a process to comply with KU’s data retention policy. KUSSW has developed a data inventory template to be used. This template is far more involved than what has been done in the past, but it is designed to catch as much information as possible. The inventory is not just for electronic data but also for paper data to identify:
1. Where the data originates
2. Where it is stored
3. Where it’s transmitted to
4. What the retention policy is
5. What data might be contained within
• Moving forward, the IT director will send the Annual Data Inventory out to the data owners to edit and add additional information each fall. There will also be a “Spring Cleaning” data retention reminder to make it a quicker and easier process in the fall.
• KUSSW IT is currently creating a database for this information to feed into for on-going and historical purposes.
• The required New Project Kick-off Meetings will also ask about your data security plan so that this is addressed from the very beginning of a project.
HIPAA-Compliant Databases: REDCap & Qualtrics
Both of these databases are deemed HIPAA-compliant and can be used with highly sensitive data. Please contact KU’s IRB office for more information: irb@ku.edu. The shared drive (S: drive) is also considered HIPAA-compliant, as is some of the RFS (research file storage). Contact Todd Isaac for more information: toddi@ku.edu.
Encrypted Email at KUSSW
While KU has methods of encrypting email, it is primarily for internal mail. If you need to send encrypted email or transfer secure data to a party outside of KU, please contact Todd Isaac: toddi@ku.edu.
Data Retention
Records Retention Schedule for Grant Data at KU
Funded Grants: documents relating to applications for federal, state and other grants and to the implementation of those received must be retained for 5 YEARS after the final payment, then destroy financial records. Transfer remaining documents to the university archives. This policy is only to be overruled if your grant requires documents to be held for longer. Please refer to your grant contract for specifics on data retention.
Unfunded Grants: applications and supporting documentation relating to federal, state and other grants that were submitted but not funded should be retained in electronic copy until no longer useful, then archived. Hard copies of proposals should be returned to the PI so they can destroy or archive them.
Saving Grant Data Until It Can Be Destroyed
For funded projects, if the sponsor allows, it is fine to transfer all hard copy data into electronic form and destroy hard copy files.
REDCap & Qualtrics: If the project is completed but the data still should be maintained, the data should be exported off of REDCap or Qualtrics and stored on the Shared drive or other media.
Other Electronic Data: It is recommended that you create a special directory for archived data. Include a document that explains what is contained in the directory and when it should be destroyed. Also, minimize the rights on the directory to the PI.
Hard Copies of Files: If there are files that must be saved, KUSSW has space dedicated in Rm 12 of Twente Hall. All items must be in boxes that are labeled with:
1. Grant number from KUCR
2. PI’s Name
3. Date data can be destroyed
There are also storage options inside of the Kenneth Spencer Research Library. To find out more, check out their University Archives. They offer Research Data Management: Data Services and Repositories for managing and preserving research data. Contact Jamene Brooks-Kieffer, jamenebk@ku.edu for more information.
Data Security Contacts @ KU
What to Do if You See an Unknown Individual in a Secure or Private Area
Politely ask for identification. If you observe activity that poses a direct threat to the life or safety of any individual, immediately contact the KU Public Safety Office at 911 or call 785-864-5900.
KU Research Security
The first point of contact should be Todd Isaac: toddi@ku.edu. If he is unavailable, then use the contact info below.
KU IT Research Support Team
itrs@ku.edu | 785-864-7171
KU IT Security Office
itsec@ku.edu | 785-864-9003
You can contact the IT Research Support Team to discuss the information security requirements of your research and how we can best assist you. See KU IT Research Support Team to learn more about the team and services.
Who to Contact if you find Improperly Stored Data
The first point of contact should be Todd Isaac: toddi@ku.edu. If he is unavailable, then use the contact info below. Also, contact Amy Mendenhall: amendenhall@ku.edu.
For Electronic Records: Immediately contact the KU IT Security Office at itsec@ku.edu or 785-864-9003.
For Paper Records: Immediately contact the KU Office of Institutional Compliance at 785-864-6204 or email jchasen@ku.edu.
KU Library Resources
KU Libraries
Jamene Brooks-Kieffer, Data Services Librarian
jamenebk@ku.edu | 785-864-5238
KU Libraries offers Research Data Management: Data Services and Repositories for managing and preserving research data.
Kenneth Spencer Research Library
Rebecca Schulte, University Archivist
bschulte@ku.edu | 785-864-2024
Kenneth Spencer Research Library offers research storage and archiving for KU researchers.
KU IRB
Human Research Protection Program
irb@ku.edu | 785-864-7385
Alyssa Haase, Administrator
ahaase@ku.edu | 785-864-5248
Appendices
Appendix A: Research Data Management @ KU
KU Libraries:
Offers Research Data Management: Data Services and Repositories for managing and preserving research data. Contact Jamene Brooks-Kieffer, jamenebk@ku.edu for more information.
Data Management Plan Creation @ KU:
DMPTool is a web-based tool containing data management plan requirements and templates for many US funding agencies. Draft and share draft with collaborators; export completed plans to multiple formats. Sign in using Option 1 and search for University of Kansas. Log in with your KU Online ID and password.
Federal NIH Rules:
NIH Data Sharing Policy and Implementation Guidance
Appendix B: Selections from KU Policy Library’s Data Classification & Handling Procedures Guide
Step 1: Determine How Much Protection your Information Needs
• Is it Confidential? Is there a high need for Integrity? Is there a high need for Availability?
  Level I Protection: STOP! SPECIAL CARE IS REQUIRED
• Is it Sensitive? Is there a medium need for Integrity? Is there a medium need for Availability?
  Level II Protection: BE VERY CAUTIOUS
• Is it Public? Is there a low need for Integrity? Is there a low need for Availability?
  Level III Protection: PROCEED WITH AWARENESS
Step 2: Collect Only What is Necessary
Step 3: Provide Minimum Necessary Access
Step 4: Disclose Only the Minimum Necessary Information
Step 5: Safeguard Information in Transit
A. Use secure methods of transmission when sending data. Secure methods include, but are not limited to:
• Encryption (i.e., at least Triple DES or AES; use AES-256 when possible),
• Virtual private network (VPN),
• Secure Shell (HTTPS),
• Secure FTP (SFTP),
• Encrypted and password protected CDs separated from passwords (phoned in) and/or the decryption keys (hand carried)
Level I: Required | Level II: Required | Level III: Recommended
B. Encrypt email even to other authorized users. The encryption method and key storage method must be approved by IT Security. Examples of information that should not be sent by email (unless encrypted) include, but are not limited to:
• Student lists,
• Data subject to the Health Insurance Portability and Accountability Act (HIPAA),
• Data subject to the Gramm-Leach Bliley Act (GLBA), or
• Use a confidentiality statement at the beginning or end of e-mails to notify the recipient of confidential content.
Level I: Required | Level II: Required | Level III: Recommended
D. Ensure information (including device(s) containing information) is physically secure at all times when carrying or hand-delivering it to a new location.
Level I: Required | Level II: Required | Level III: Recommended
E. Remove information from secure locations only with prior approval.
Level I: Required | Level II: Required | Level III: Recommended
F. Access information remotely using only secure methods approved by the KU IT Security Office.
Level I: Required | Level II: Required | Level III: Recommended
G. Accessing or transferring Private Information (Confidential or Sensitive information) using on-campus wireless connections is NEVER appropriate, unless the wireless network is encrypted and it has been approved by the KU IT Security Office. For example, KU Anywhere is a virtual private network that can be used to access private information remotely.
Level I: Required | Level II: Required | Level III: Not Applicable
H. Accessing and transporting Social Security Numbers via a portable device is NOT appropriate.
Level I: Required | Level II: Not Applicable | Level III: Not Applicable
Step 6: Secure Physical Equipment and Resources
A. Actively “lock” your workstation when you are away from your desk; do not just wait for the screen saver feature to self-activate.
Level I: Required | Level II: Strongly Recommended | Level III: Strongly Recommended
B. Use “strong” passwords that are not easily guessed. Ensure that computer monitors are situated in a manner that login screens cannot be observed by passersby. Any passwords written down should be securely stored. Detailed requirements in regards to password strength and password changes can be found in the KU Password Policy.
Level I: Required | Level II: Required | Level III: Required
C. Place devices that can be used to print information in secure locations.
Level I: Required | Level II: Required | Level III: Recommended
D. Use a variety of methods to help prevent information compromise.
• Use a properly configured and currently patched firewall.
• Actively monitor systems using Anti-virus software that is updated daily.
• Actively monitor systems using Anti-spyware that is updated daily.
• Obtain automatic security updates, and implement them expediently.
• Click “No” if your web browser offers to save passwords. Alternatively, turn off the password saving feature in the browser.
• Be aware of the risks to privacy of information when using desktop search features like Google Desktop Search.
Level I: Required | Level II: Required | Level III: Required
E. Physical protection from theft, loss, or damage must be utilized for mobile devices that can be easily moved such as a PDA, thumb drive, or laptop. Select portable device models that provide security options to protect information stored on the drive.
• For example, Personal Data Assistants (PDAs) may be set to require a password when turned on or are inactive for a few minutes.
• Enable pass-codes and inactivity timers on mobile devices that support them.
• Employ whole disk encryption on mobile computers (where the encryption method and key strength level are approved by IT Security).
Level I: Required | Level II: Required | Level III: Recommended
F. When evaluating new software or appliances, request a security review of the proposed items by the IT Security Office BEFORE purchasing or installing. The request to ITSO should be in writing, signed by the purchasing authority, prior to final selection of vendors or products.
Level I: Required | Level II: Strongly Recommended | Level III: Strongly Recommended
G. When making a change to a service, system, or business process, consider whether any currently functioning security measures will be disrupted. All changes or modifications to the standard architecture shall be documented along with any justifications.
Level I: Required | Level II: Required | Level III: Recommended
H. Conduct regular system backups. Backups help ensure the availability of data necessary to fulfill University responsibilities in the case of device failure, disaster or theft.
• Restoration from backup should be regularly verified.
• Security logs in addition to primary data should be backed up.
• Backup files should be stored at a secure location sufficiently apart from the primary data source/storage so as not to be impacted by an event that might render the original data unusable.
Level I: Required | Level II: Strongly Recommended | Level III: Strongly Recommended
I. Immediately contact the local area public safety department if there is a theft of any computer, electronic storage media, portable or personal device containing or that has been used to process University information.
• Also alert the department responsible for the device.
• If you suspect any Private Information was on the stolen device, contact the Information Technology Customer Service Center (785-864-8080). The Information Technology Customer Service Center will notify the KU Privacy Officer and/or the KU IT Security Officer as required by the particular incident.
Level I: Required | Level II: Required | Level III: Required
Step 7: Safeguard Information in Storage
A. Employ physical protection for all devices (electronic and non-electronic) used to store data.
• Limit physical access, including the ability of the public to inadvertently view the data (i.e., as passersby).
• Filing cabinets & drawers, offices, labs, and suite doors containing data must be locked. Do not leave data on unattended desk tops or leave file drawers unattended and unlocked.
• When not in use, all easily transportable devices should be secured (e.g., in locked cabinets or drawers).
• Users of lap-top and other mobile computing devices need to be particularly vigilant and take appropriate steps to ensure the physical security of mobile devices at all times, but particularly when traveling or working away from the University.
• Electronic media used to store Confidential Information must be secured by password-protected encryption. The encryption method and key strength level must be approved by IT Security.
• Encrypt Confidential Information stored on any portable device (laptop, PDA, smartphone, etc.) or other portable media device (CD’s, DVD’s, floppy disks, USB/Flash/Thumb drives, etc.) and utilize available security features on the device. The encryption method and key strength level must be approved by IT Security.
Level I: Required | Level II: Required | Level III: Recommended
B. Store Confidential or Sensitive Information in a separate location when possible.
Level I: Required | Level II: Required | Level III: Not Applicable
C. Always encrypt Confidential and Sensitive Information prior to storage. Encrypting data helps ensure that if an access control is bypassed, the information is still not readily available. A standard and published encryption standard should be used. The encryption method and key strength level must be approved by IT Security. Encrypt media stored off-site or have a documented process to prevent unauthorized access.
Level I: Required | Level II: Required | Level III: Recommended
D. Securely store information. Limit custody/access to as few people as possible to enhance accountability. Document transfers of custody.
Level I: Required | Level II: Required | Level III: Recommended
E. Store data on systems that support access control (as described in Section 3 of this policy).
Level I: Required | Level II: Required | Level III: Recommended
Step 8: Dispose of Information Securely When No Longer Needed
A. When retention requirements have been met, records must be either immediately destroyed or placed in secure locations as described in this section for controlled destruction. No records that are currently involved in, or have open investigations or audits, or records for which a litigation “hold” has been issued, shall be destroyed or otherwise discarded.
Level I: Required | Level II: Required | Level III: Required
B. Review, purge and shred printed documents regularly (in accordance with published destruction schedules).
• Shred documents prior to disposal/recycling.
• Adequately secure any documents that must be stored temporarily prior to shredding so they are not accessible to anyone without authorization.
Level I: Required | Level II: Required | Level III: Not Applicable
C. Ensure complete destruction of information on electronic storage media, computers, and portable devices prior to disposal/recycling. Refer to the Electronic Data Disposal Policy and Procedure and the Data Removal from KU-Owned Computers procedure from the KU IT Security Office.
• Securely erase media prior to transfer to another individual or department.
• Securely erase data used for testing once testing is complete.
Level I: Required | Level II: Required | Level III: Not Applicable
Step 9: Stay Informed About Information Risks
Ensure attendance at information awareness training provided by the University.
• Course 1, Module 1 for any new employee BEFORE granting access to Confidential or Sensitive data.
• Refresher courses every year thereafter.
• Certain categories of staff may have additional training requirements.
• For more information, including upcoming scheduled courses, reference the Information Management Program.
Appendix C: Selections from KU IT Security’s Protecting KU Data
Proper Handling of Sensitive Data
Help maintain privacy by doing the following:
• Adopt a clean desk and clear screen policy
• Lock your screen when you step away from your desk
• Set the timeout for your screen at 10 minutes or less
• Don't retain un-needed data (electronic or paper)
• Destroy sensitive data in the proper way:
  o Old computers, hard drives, mobile devices, etc. should be sent to KU IT eWaste Recycling
  o Paper documents should be securely shredded. Contact KU Procurement Services for more information about secure shred bins.
Maintaining Physical Security
To maintain the privacy and security of KU information, it is important to maintain security in the physical spaces where data, information and computer equipment are stored. Remember to always:
• Lock exterior and inter-office doors during non-work hours.
• Close and lock windows during non-work hours.
• Do not let unknown individuals into secure or private areas.
• Be aware of people attempting to follow you into secure or private areas, known as "tailgating."
• Avoid using secondary exits unless necessary, and make sure the door locks behind you.
• Keep paper documents containing sensitive information in locked cabinets and keep accurate records of who has keys.
What to Do if You See an Unknown Individual in a Secure or Private Area
Politely ask for identification. If you observe activity that poses a direct threat to the life or safety of any individual, immediately contact the KU Public Safety Office at 911 or call 785-864-5900.
Best Practices for the Security of Mobile Devices
Mobile devices include laptops, tablets, smartphones and removable storage devices (e.g., thumb drives, external hard drives). Smartphones and tablets are incredibly powerful computers that are just as susceptible to security issues and malicious attacks as desktop and laptop computers. Mobile devices create an even greater danger because they are easily lost or stolen. See Mobile Security tips and best practices to help improve mobile device security.
What Constitutes a Security Breach?
"Security breach" is the unauthorized access to a system, device, application or data by circumventing security policies, practices, procedures or mechanisms.
State of Kansas Statute: Article 7a - PROTECTION OF CONSUMER INFORMATION
Appendix D: Research Security Basics from KU IT Security
Principal Investigator (PI) Responsibility
It is the responsibility of the Principal Investigator (PI) to comply with information security. Each PI is encouraged to carefully examine their use agreements, grants and other contracts to see what data handling requirements are included. KU researchers must, at a minimum, comply with the requirements included with their grants and contracts, as well as comply with the KU Data Classification and Handling Policy. PIs are encouraged to meet with KU IT to discuss what is required of their research.
Sensitive Research Data
KU research may deal with sensitive information that does not directly relate to personally identifiable information. Proprietary information subject to confidentiality requirements, information with national security implications and other types of information may require extra security precautions. Researchers are encouraged to consult with KU IT to determine the proper security measures needed for these types of data.
Data Classification and Handling Policy
Classification is necessary to understand which security practices should be used to protect different types of information. The more protected the information needs to be, the more practices are required. Please read and comply with the KU Data Classification and Handling Policy.
Breach Notification Requirements
Each research project should have a well-defined document detailing what to do in the case of a security breach. Obtaining, creating and retaining the breach notification requirements is the responsibility of the researcher.
Forms
Data Retention for Grant Kick-off Meetings
Please fill out this form in its entirety and bring it with you to your Grant Kick-off Meeting.
1. Name of Project
2. Sponsor
3. Type of Data (Electronic, Paper or Other)
4. Where will data be stored?
5. Who has/will have access to this data?
6. Where is the data coming from?
7. What is the data retention policy on your grant contract?