This is the second in a short series of articles intended to introduce the recently-updated, UC-wide IS-3 security policy, which was signed into policy by President Napolitano in September 2018 and is now being implemented across all UC campuses. You can find the previous article here.
- Do you work with sensitive data from federal or state agencies, or from non-profit organizations or commercial entities?
- Do you share sensitive data that you collect with researchers at other institutions?
- Is your research funded by federal or state grants that require data management plans?
If you answered yes to any of those questions, please read on!
If you want the short version, here's a summary:
- Most federal and state agencies, many non-profit organizations, and many corporations now require sign-off by the UC Davis Chief Information Security Officer (CISO) and/or Privacy Officer before they will share sensitive data with UC Davis researchers.
- To obtain that sign-off, researchers must agree to implement the data security processes and controls required by the agency or corporate partner. Further, researchers must demonstrate compliance with those controls in an auditable way on an ongoing basis.
- The controls necessary to meet the agency's requirements (and basic cyber-security hygiene) are jointly developed by the CISO's office, local IT, and the research team and documented in a data security plan. That security plan must be agreed to by the PI, CISO, local IT, and the unit head (typically the dean) or a delegate.
- Assessing requirements, developing the security plan, and implementing the controls takes time. Based on some early examples, it can take a month or more to obtain the CISO sign-off. Please plan ahead and start the process as soon as possible!
IS-3 is not happening in a vacuum. With major data security breaches and record fines announced almost daily across government agencies, companies, healthcare, and educational institutions, cyber-security is top of mind for many organizations. And those organizations are creating similar IT security policies, with most using the same international IT security frameworks as IS-3, like ISO 27001, as their basis.
Consequently, most institutions that collect and share data for research or commercial purposes have policies governing that data that include requirements to which partners and customers who receive that data must adhere. Typically, such policies include requirements for how the data will be transferred, stored, re-shared, combined with other data, and destroyed at the end of the research.
Increasingly, agencies require that their data policies be reviewed and approved by the UC Davis Chief Information Security Officer (CISO) and/or Privacy Officer, meaning that those offices must formally review the agency's data policy, verify that the researcher can meet the requirements of the policy, and accept the risks associated with any possible data breach. Note that while the CISO is authorized to accept the risk, under IS-3 the financial risk for a breach devolves to the "unit head," which is usually the dean in the case of a college or school. Therefore, one or more representatives, called "unit information security leads," appointed by the unit head may also be required to sign off.
These engagements with the Information Security Office (ISO) typically take the following form:
- The PI reaches out to local IT or to the ISO with the initial request.
- The ISO provides the PI with a "context questionnaire" to collect some basic information about the nature of the data, the research that will be conducted with the data, the agency's requirements surrounding the data, and the IT environment in which the data will be stored and processed, etc.
- The PI completes the questionnaire--often in consultation with local IT--and returns it to the ISO for review.
- The ISO schedules a meeting with the PI, local IT, and a unit information security lead to talk through the context questionnaire, the use of the data, the agency requirements, and the research IT environment.
- The ISO prepares a report outlining recommended minimum controls required to get the CISO to sign off on the data agreement.
- The PI, local IT, and the unit information security lead then prepare a data security plan addressing each of the requirements from the ISO report, to which the PI agrees to adhere. In some cases, the agency providing the data must also review and agree to the controls in the plan.
- Once the security plan is agreed to by all parties, the CISO will provide an attestation back to the agency providing the data.
- The plan typically includes a periodic review to ensure that the agreed controls have been implemented and are operating effectively.
As you might guess from the number of steps involved, this process can take a month or more. Please plan ahead: engage with IT and the ISO as soon as you know you will be requesting sensitive data!
We are also working to streamline the process, for example by building a "library" of common controls that can meet most agency guidelines. We are also working to build the most commonly required controls, such as full disk encryption, into our standard practices.