Data Security Policy

Policy Volume: RD
Responsible Executive: CISER Secure Data Services Manager
Responsible Office: Cornell Institute for Social and Economic Research

Issued: 2020-10-01

NOTE: This policy replaces these previous policies:

  • CRADC Data Security Policy [issued 2015-07-13, revised 2016-09-30]
  • Secure Standalone Desktop Data Security Policy [issued 2017-10-17]

POLICY STATEMENT

The fundamental obligation of the Cornell Restricted Access Data Center (CRADC) is to protect restricted‐access research data that are confidential under applicable laws and regulations, under contracts or agreements, and under University policies.

This policy applies to all research data housed under the auspices of the Cornell Institute for Social and Economic Research (CISER), regardless of storage medium (e.g., disk drive, electronic tape, CD, DVD, external drive, paper, fiche, etc.) and regardless of form (e.g., text, graphic, video, audio, etc.).

POLICY REQUIREMENTS

To protect restricted‐access research data appropriately and effectively, researchers and staff using CRADC or the secure standalone desktop must understand and carry out their responsibilities related to data security, as set forth by the Data Provider Agreement(s) (including referenced laws and regulations), the Cornell University Institutional Review Board for Human Subjects, the Cornell University Office of Sponsored Programs, and Cornell University Policy. This policy applies regardless of the source of funding for the research.

Process to Identify and Assess Security Risks
  1. Review Data Provider’s Data Use Agreement, or Cornell University agreement for internal data, to determine if CISER Secure Data Services is an appropriate location for the research project
  2. Evaluate applicable laws and regulations, by means of Data Provider’s Data Use Agreement, or Cornell University agreement for internal data
  3. Ensure appropriate university units are involved:
    • Institutional Review Board (IRB): Unless determined otherwise by the Cornell Institutional Review Board for Human Participants (IRB), all researchers allowed on the CRADC servers and the secure standalone desktop are required to satisfactorily complete the CITI training course on Social & Behavioral Research Basic, Stage 1. CRADC relies on confirmation from the Office of Sponsored Programs (OSP) that approved researchers have passed this course and have submitted their Conflict of Interest (COI) statement. Where Cornell’s IRB states that an IRB review is not necessary for a project (for example, proprietary business data containing no human identifying characteristics), researchers are not expected to complete the CITI course. CRADC relies on confirmation from OSP that these data remain exempt from IRB review for Cornell’s processing approval.
    • Office of Sponsored Programs (OSP): CRADC accepts projects and provisions unique user accounts for faculty, staff, and students once OSP, on behalf of Cornell University, has obtained final approval from the Data Provider. Data internal to Cornell University are exempt from OSP approval before being housed on the CRADC servers and/or the secure standalone desktop.
  4. Confirm that the CRADC User Agreement has been signed
    • In addition to the final approval from the OSP, which includes the IRB review as necessary, each researcher is required to complete a user agreement with CRADC covering the usage of the CRADC servers and/or the secure standalone desktop. CRADC User Agreements and Secure Standalone Desktop User Agreements are only sent to a researcher for signature once CRADC has final approval from OSP, or internal agreement from Cornell University for Cornell data.

Process to Provision Access and Security on a Project by Project Basis
  1. Account Creation: Upon receiving a signed CRADC User Agreement, the Secure Data Specialist may proceed with unique account creation.
    • CRADC: All temporary passwords, by Active Directory Group Policy, must be changed upon initial login to any CRADC server.
    • Secure Standalone Desktop: All temporary passwords, by group policy, must be changed upon initial login to the secure standalone desktop.
  2. Account Expiration: User account access remains dependent on the existing project requirements, as stipulated within the Data Provider’s Data Use Agreement and approved by OSP, the IRB, and the CRADC User Agreement / Secure Standalone Desktop Agreement. A project with an internal agreement from Cornell University for Cornell data is exempt from OSP approval but must retain IRB approval and the CRADC User Agreement / Secure Standalone Desktop Agreement.
  3. Password Requirements: The CRADC server environment and the secure standalone desktop require researchers to change their passwords every 90 days. A strict password complexity policy is enforced.
  4. Dual‐Factor Authentication: The CRADC researcher must activate DUO prior to logging on to a CRADC server for the first time. Subsequent logins require DUO authentication after entering the researcher’s unique user account password.
  5. Idle Sessions: Idle sessions are suspended after a set time of non‐activity. If the Data Provider agreement establishes criteria requiring idle sessions be suspended after less than the set time of non‐activity, special requests will be accommodated.
    • CRADC: set time of non-activity = 15 minutes
    • Secure Standalone Desktop: set time of non-activity = 5 minutes
  6. Authorization: Authenticated users have read and execute access to the restricted data provided under the Data Provider Data Use Agreement.
    • CRADC: The user account has project‐based transitory storage space to store application program files and interim datasets.
    • Secure Standalone Desktop: each user account has personal storage space and access to project-based storage space to store application program files and interim datasets.
    Authorization is based upon Microsoft Windows NTFS permissions.
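The provisioning controls above (first-login password change, 90-day expiry with complexity, idle-session suspension, read-and-execute-only NTFS access) can be audited on a Windows host. The script below is an added example, not CISER's own tooling; it assumes the ActiveDirectory module is installed, that idle sessions are Remote Desktop sessions governed by the MaxIdleTime policy value, and that $ProjectPath and $ResearchGroup are placeholder names.

```powershell
# Added example (not part of the CISER policy): audit a host against the
# provisioning controls. $ProjectPath / $ResearchGroup are placeholders.
param(
    [string]$ProjectPath   = 'D:\Projects\EXAMPLE_PROJECT',   # placeholder
    [string]$ResearchGroup = 'EXAMPLE_PROJECT_Researchers',   # placeholder
    [int]$IdleMinutes      = 15   # 15 for CRADC servers, 5 for the standalone desktop
)
$findings = @()

# Item 3: passwords expire every 90 days and complexity is enforced.
Import-Module ActiveDirectory -ErrorAction Stop
$pw = Get-ADDefaultDomainPasswordPolicy
if ($pw.MaxPasswordAge.Days -gt 90) {
    $findings += "MaxPasswordAge is $($pw.MaxPasswordAge.Days) days (expected 90 or fewer)"
}
if (-not $pw.ComplexityEnabled) { $findings += 'Password complexity is not enabled' }

# Item 1: temporary passwords must be changed at first login, so no enabled
# project account may be exempt from password expiry.
Get-ADGroupMember -Identity $ResearchGroup |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties PasswordNeverExpires |
    Where-Object { $_.Enabled -and $_.PasswordNeverExpires } |
    ForEach-Object { $findings += "$($_.SamAccountName): PasswordNeverExpires is set" }

# Item 5: idle sessions are suspended after the set time. Assumption: sessions
# are RDP sessions, whose policy limit is MaxIdleTime in milliseconds; a
# missing or zero value means sessions never time out.
$rdpKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$maxIdle = (Get-ItemProperty -Path $rdpKey -Name MaxIdleTime -ErrorAction SilentlyContinue).MaxIdleTime
$limitMs = $IdleMinutes * 60000
if (-not $maxIdle -or $maxIdle -gt $limitMs) {
    $findings += "RDP MaxIdleTime is '$maxIdle' ms (expected $limitMs or less)"
}

# Item 6: researchers hold read and execute access only, so an Allow ACE on the
# data folder that also grants Write or Delete to the project group is a finding.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Delete
foreach ($ace in (Get-Acl -Path $ProjectPath).Access) {
    if ($ace.AccessControlType -eq 'Allow' -and
        $ace.IdentityReference.Value -like "*\$ResearchGroup" -and
        (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
        $findings += "$ProjectPath grants $($ace.FileSystemRights) to $ResearchGroup (expected ReadAndExecute)"
    }
}

if ($findings.Count -eq 0) { Write-Output 'All provisioning checks passed' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it under an account that can read the domain password policy and the project folder ACL; each deviation from the policy values is reported as a warning.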

Restricted‐access Research Data Storage
  1. Storage of Original Media:
    1. The physical media on which the data were received from Data Providers (e.g., CDs, DVDs, USB drives) are stored in a locked fire‐protected safe in CRADC office Room 201A, CISER building, 391 Pine Tree Road. Only the CISER Secure Data Services Manager and CISER Secure Data Support Specialist have keys to access the Sentry Media Safe.
    2. Original electronic data may be copied to physical media as a backup when permitted by the Data Provider’s Data Use Agreement, and stored in the Sentry Media Safe.
    3. Storage of Included Documents: No documents are produced or stored by CISER Secure Data Services, unless provided with the original media. Documents provided with original media are stored in the safe in the project folder, alongside the physical media.
  2. Data for Analysis:
    1. Authenticated users have read and execute access to the restricted data provided under the Data Provider Data Use Agreement.
      • CRADC: Restricted data are copied to secure CRADC network attached storage. The user account has project‐based transitory storage space to store application program files and interim datasets.
      • Secure Standalone Desktop: Restricted data are copied to the specific project folder on the hard drive of the secure standalone desktop. The user account has personal and project-based storage space to store application program files and interim datasets.
      Authorization is based upon Microsoft Windows NTFS permissions.
  3. Researcher Responsibility:
    1. Data Security of Researcher Copies: The Principal Investigator and others authorized by the Data Provider to hold an external copy of their non‐restricted, user‐created working files are responsible for creating and storing such documents in strict accordance with the Data Use Agreement they have signed with the Data Provider. It is the responsibility of the researcher to properly manage and destroy user‐created working files as required by the Data Use Agreement.
    2. Researcher Publication of Data: It is the responsibility of the researcher to request approval from the Data Provider prior to publishing study findings that include statistics, beneficiary, or facility level data. Any questions the researcher may have pertaining to publication and Data Provider publication policies must be directed to the Office of Sponsored Programs.
    3. Researcher Modification of Temporary Analysis Files: When specified within a Data Provider’s Data Use Agreement, it is the responsibility of the Principal Investigator to ensure that all stipulated temporary analysis files for the project, within all project user accounts, are deleted at the specified Agreement dates each year.

Restricted‐access Research Data Backup
  1. Original Media Backups:
    1. Data Security of Original Media Backups: The original physical media stored in the Room 201A safe serves as the only backup of the restricted data stored at CRADC or the Secure Standalone Desktop. The disk array (CRADC) and local disk (Secure Standalone Desktop) containing original restricted‐use data files are not included in the routine backup.
    2. Backups of Original Electronic Data Copies: Electronic data copies of the restricted data reside on the CRADC network attached storage and are excluded from backup routines. When permitted by the Data Provider’s Data Use Agreement, original electronic data may be copied to physical media as a backup and stored in the safe as noted above.
  2. Backups of User Created Files (Unless Prohibited by Data Use Agreement): The user created transitory files (programs, output, log files and working datasets) housed on the…
    • CRADC network attached storage are backed up via disk‐to‐disk and are never commingled with any other backups.
    • Secure Standalone Desktop are not included in a routine back up.

De‐provisioning of Accounts
  1. Researcher Account De‐provisioning: De‐provisioning of an account is initiated by communication from OSP. CISER Secure Services staff will contact the Principal Investigator (PI) and offer the PI the option of having the researcher’s personal project subfolder files copied to the project’s transitory / shared storage space. After 30 days, or sooner if the PI notifies CISER Secure Services staff to destroy the files, the researcher’s personal project files will be destroyed using the electronic file disposal method described under Data Destruction and Certification.
  2. CISER Secure Data Services Staff De‐provisioning: Changes in the CISER Secure Data Services staff will be communicated via email to the Data Provider through OSP. The staff account will be disabled on the last day of employment within CISER Secure Data Services and terminated shortly thereafter.

Data Destruction and Certification
  1. Destruction of Physical Media: The Secure Data Services Manager or Data Support Specialist is responsible for the return and destruction of all associated materials as determined by the Data Use Agreement. All physical media, whether originally supplied by the Data Provider or a backup copy of the electronic original data created by Secure Data Services, will be destroyed and the Data Provider sent a certificate of data destruction, unless the Data Use Agreement requires the media to be returned. As stipulated by the Data Use Agreement, requested physical media will be returned to the Data Provider by a traceable method via FedEx, with a signature required from the recipient.
  2. Destruction of Original Data Files on CRADC Servers and Secure Standalone Desktop: The Secure Data Services Manager or Data Support Specialist will be the person responsible for the destruction of all original data on CRADC servers and the Secure Standalone Desktop as determined by the Data Use Agreement. All original data will be destroyed and the Data Provider sent a certificate of data destruction.
  3. Destruction of User‐Created Electronic Files: The Secure Data Services Manager or Data Support Specialist will be the person responsible for the destruction of user‐created electronic files as determined by the Data Use Agreement. Electronic files on the CRADC servers and Secure Standalone Desktop are disposed of utilizing the Department of Defense shredding algorithm.
  4. Destruction of Paper Materials: No paper materials or copies are produced or stored by CISER Secure Data Services, unless provided with the original media. The Secure Data Services Manager or Data Support Specialist will be the person responsible for the destruction of all paper materials. If the Data Provider requests the return of any paper materials provided with the original media, the paper materials will be returned to the Data Provider using a traceable method via FedEx, with requirement for a signature by the recipient.
  5. Certificate of Destruction: Upon completion of the disposal of all project‐related data, the Secure Data Services Manager or Data Support Specialist will certify that the secure data and user‐created project‐based transitory files (and transitory files) have been securely destroyed via a CRADC / Secure Standalone Desktop Certificate of Destruction. The completed Certificate of Destruction will be sent to the Data Provider either as a paper copy through FedEx or electronically via email, with a copy supplied to the Office of Sponsored Programs.

Data Center Specifications
  1. Managed Environment: The CRADC servers and the secure standalone desktop are managed environments with deliberately limited functionality, with security taking precedence over functionality. System integrity of hardware and software is verified daily on the CRADC servers. The system administrator receives notifications from Microsoft of any patches or service packs that need to be applied to the operating system. All CRADC servers have Symantec Endpoint Protection software installed. The secure standalone desktop has System Center Endpoint Protection (SCEP) software installed. Data files are scanned for viruses prior to being added to the environment. Real‐time (automatic) file scanning is enabled and will quarantine or delete an infected file immediately.
    • Security on the CRADC servers is monitored by the collection and review of system log files generated on all the systems and the Cisco ASA within the secure environment through a Security Information and Event Management (SIEM) application.
    • Security on the Secure Standalone Desktop is monitored by the collection and review of security and system log files generated within the secure environment.
  2. Maintenance: Periodic maintenance is based on hardware, operating system and applications requiring updates (i.e. BIOS, firmware, Microsoft security patches, service packs, and application revisions).
    • CRADC maintenance is on the second Thursday of each month.
    • Secure Standalone Desktop maintenance is done quarterly.
  3. Physical Location:
    • CRADC
      1. The CRADC servers and network attached storage (NAS) will be located in an environmentally controlled secure Data Center at Cornell University, Ithaca, NY.
      2. Access to the Data Center will be granted by an authorized proximity card (Cornell University ID card) issued only to Cornell staff with the required credentials according to Cornell University Policy 8.4, Management of Keys and Other Access Control Systems. Entrances and exits to the Data Center will be logged and monitored. The CRADC servers will be housed in racks with locked doors within the Data Center, to which only authorized administrators have keys.
    • Secure Standalone Desktop
      1. The secure standalone desktop will be located in Room 201H, 391 Pine Tree Road, at Cornell University, Ithaca, NY.
      2. Access to Room 201H is granted by an authorized proximity card (Cornell University ID card) issued only to Cornell staff with the required credentials according to Cornell University Policy 8.4, Management of Keys and Other Access Control Systems. Entrances are logged and monitored. A sign‐in and sign‐out sheet is also used for scheduling the secure standalone desktop.
  4. Networking and Firewall: The CRADC servers will be installed behind a firewall with default deny applied and FIPS 140‐2 security levels implemented. The Secure Standalone Desktop will have a Microsoft Windows Defender firewall with default deny applied.

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Contacts

If you have questions about specific issues regarding this policy, call the following offices:

NAME                                 TITLE                                    PHONE
William Block                        CISER Director                           607‐255‐4801
Elena Goloborodoko                   CISER Secure Data Services Manager       607‐255‐4801
Jonathan Bohan                       CRADC Secure Data Specialist             607‐255‐4801
Resa Reynolds                        CAC Assistant Director, Systems          607‐254‐8686
Kim Burlingame                       System Administrator                     607‐254‐8686
Lucia Walle                          Systems Analyst/Programmer               607‐254‐8686
Brenda Lapp                          Technical Consultant                     607‐254‐8686
Cornell University Security Office                                            607-255-6664