Sharing, Transmission and Distribution of Restricted Data

Policy Volume: RD
Responsible Executive: CISER Secure Data Services Manager
Responsible Office: Cornell Institute for Social and Economic Research

Issued: 2020-10-01

NOTE: This policy replaces these previous policies:

  • Sharing, Transmission and Distribution of Restricted Data [issued 2015-05-11, revised 2016-09-30, 2017-11-09, 2019-04-18]
  • Secure Standalone Desktop – Sharing, Transmission and Distribution of RestrictedData [issued 2017-09-17]

POLICY STATEMENT

This policy is to establish secure standards for the sharing, transmission and distribution of restricted data.

POLICY REQUIREMENTS

For the purpose of this document, restricted data relates to any nonpublic data that is protected by regulation, law or policy and/or is subject to contractual access restrictions as defined by a Data Use Agreement (DUA). Cornell Restricted Access Data Center (CRADC), as the Data Custodian of these data, along with the authorized research team (Researcher), are obligated to adhere to the conditions set forth by the Data Provider in a signed DUA and this policy.

Sharing

The Researcher is authorized to access only the restricted data residing within the folders (and subfolders) on the CRADC computing system and Secure Standalone Desktop in accordance with their DUA to maintain the security and confidentiality of the encompassed data.

Providing anyone else with given credentials to access the restricted data or CRADC computing systems or the Secure Standalone Desktop is strictly forbidden.

The Researcher is not to attempt to circumvent, or disable any of the security controls in place on the CRADC computing systems or the Secure Standalone Desktop. If at any time the Researcher is aware of a potential security incident that may place the restricted data at risk of unauthorized access, it is the responsibility of the Researcher to contact CRADC’s Security Liaison and abide by Cornell University Policy 5.4.2, Reporting Electronic Security Incidents.

Restricted data on the CRADC system or the Secure Standalone Desktop may only be used for non‐proprietary scientific research.

Transmission

When required by the DUA, the CISER Secure Data Services staff will disclosure proof any files uploaded to, or downloaded from, the CRADC computing system or the Secure Standalone Desktop. Such files will be delivered by Cornell’s Secure Dropbox service, SFTP or HTTPS to authorized IP addresses, or other methods considered appropriate by CISER Secure Data Services staff to insure compliance with the DUA.

CRADC:

If permissible by the Data Provider, researchers may utilize either SFTP or HTTPS protocol to transmit restricted data.To secure access to use SFTP or HTTPS protocol, the Researcher must provide a pre‐designated static IP address that is specific to a campus or industry location (no personal residences allowed). SFTP and HTTPS access is limited to the Researcher’s personal project folder only.

Email or instant messaging should not be used to transmit restricted data. Nor should restricteddata be placed on portable devices or media such as mobile phones, PDAs, USB drives, and CDs/DVDs unless allowable according to the DUA.

Secure Standalone Desktop:

CISER Secure Data Services staff are the only individuals permitted to transfer data on and off the Secure Standalone Desktop, as permissible by the Data Provider. Researcher access to hardware auxiliary devices (e.g. CD-ROM, DVD, USB, etc.) is not permitted.

Distribution

Approved distribution methods for restricted data, as performed by the CISER Secure Data Services staff, are Cornell’s Secure Dropbox service, SFTP or HTTPS to an authorized IP address that is specific to a campus or industry location (no personal residences allowed), or methods vetted and considered appropriate by CISER Secure Data Services staff to insure compliance with the DUA.

Restricted data should only be distributed to known computing systems, with verified security measures in place prior to the transfer. Person(s) receiving the restricted data must have a current signed DUA that asserts an understanding of the required security protections, including the governed regulations, policies and laws, as appropriate.

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Contacts

If you have questions about specific issues regarding this Sharing, Transmission and Distribution of Restricted Data Policy, call the following offices:

NAMEEMAILTITLEPHONE
William BlockCISER Director607‐255‐4801
Elena GoloborodokoCISER Secure Data Services Manager607‐255‐4801
Jonathan BohanCRADC Secure Data Specialist607‐255‐4801
Resa ReynoldsCAC Assistant Director, Systems607‐254‐8686
Kim BurlingameSystem Administrator607‐254‐8686
Lucia WalleSystems Analyst/Programmer607‐254‐8686
Brenda LappTechnical Consultant607‐254‐8686
Cornell University
Security Office
607-255-6664