Level 2 Data Security Overview
Last Updated: June 21, 2024 12:45 pm
OASIS IRB Support
Required Measures for Level II Data Security
- Access to study data must be protected by a username and password that meets the complexity and change management requirements of a UNC ONYEN.
- Study data that is accessible over a network connection must be accessed from within a secure network (i.e., from on campus or via a VPN connection).
- Computers storing or accessing study data must have a UNC approved AntiVirus/AntiSpyware such as Microsoft Security Center Endpoint Protection installed and updated regularly where technologically feasible. Alternates for Linux or Mac are available on shareware.unc.edu.
- Patch management and system administration best practices should be followed at all times on systems storing or accessing your data.
- Users should be granted the lowest necessary level of access to data (when technologically feasible).
These requirements do not replace or supersede any security plans or procedures required by granting agencies or sponsors. Questions or concerns about compliance with these requirements should be directed to your local IT support staff.
When conducting research, particularly when it involves sensitive or protected information, data security is paramount. Let’s delve into some data security practices that uphold the integrity and confidentiality of your study data.
Access to study data must be protected by a username and password that meets the complexity and change management requirements of a UNC ONYEN. This requirement underscores the importance of robust authentication measures to prevent unauthorized access. It’s not merely about creating barriers; it’s about ensuring that only those with explicit permission can view or manipulate the data. Such precautions protect against potential breaches that could compromise the research’s integrity and the privacy of its subjects.
When study data is accessible over a network connection, it must only be accessed from within a secure network environment. This means accessing data either directly on campus or through a virtual private network (VPN) connection when off-site. This practice shields the data from interception by unauthorized entities, ensuring that the transmission of sensitive information is protected. It’s a critical layer of defense against cyber threats that can jeopardize both the data’s confidentiality and the integrity of the research process.
For computers that store or access study data, the installation and regular update of a UNC-approved AntiVirus/AntiSpyware software, such as Microsoft Security Center Endpoint Protection, is mandatory where technologically feasible. For operating systems like Linux or Mac, alternative solutions are available and you should check with your IT contact to know what those are. This measure is not just about protecting the data from malicious software; it’s about creating a resilient environment where the data’s integrity can be maintained against a backdrop of ever-evolving cyber threats. Regular updates ensure that the protective measures stay ahead of new vulnerabilities, safeguarding your research data from potential compromise.
For Mac, update to the latest OS and install patches as they come out. For Windows, you have to be on AD. Updates are pushed out automatically, but users still have to install them and restart. Adherence to patch management and system administration best practices is a cornerstone of maintaining secure systems that store or access study data. This approach ensures that systems are not only up-to-date with the latest security patches but are also configured and managed in a way that minimizes potential vulnerabilities. It’s a proactive stance on security, aiming to mitigate risks before they can be exploited, thus preserving the integrity and availability of the data critical to the research.
Finally, the principle of least privilege should guide the allocation of access rights to study data. Users should be granted the lowest necessary level of access that allows them to perform their roles effectively. This minimizes the risk of accidental or intentional data exposure or alteration, aligning with the principle of safeguarding data integrity and confidentiality. It’s about ensuring that access is not just controlled but is also precisely tailored to meet the operational requirements without compromising the data’s security.
These practices form a comprehensive framework for securing IRB-protected research data. Each measure contributes to a layered defense strategy, safeguarding the data against a range of potential threats while ensuring its integrity and availability for the research process. For faculty and graduate students engaged in research, understanding and implementing these data security practices is not just about compliance; it’s about upholding the trust and ethical responsibilities inherent in the research endeavor.
As always, if you are unsure of or have any questions about any of these items, we encourage you to speak with your IT contact. (email instruct tect)