CCSS-RS

Institutional Review Board (IRB) Authorization: Unless determined otherwise by Cornell Institutional Review Board for Human Participants (IRB), all researchers allowed on the CRADC servers are required to complete the CITI training course on Social & Behavioral Research Basic, Stage 1 satisfactorily. CRADC relies on the confirmation from the Office of Sponsored Programs (OSP) that approved researchers have satisfactorily passed the CITI training course on Social & Behavioral Research Basic, Stage 1, in addition to their Conflict of Interest (COI) statement.

In instances where Cornell’s IRB states that an IRB review is not necessary for a project, such as business data which contain no human identifying characteristics, researchers will not be expected to complete the CITI training course on Social & Behavioral Research Basic, Stage 1. CRADC relies on confirmation from the Office of Sponsored Programs that these data do not require IRB review for Cornell’s processing approval.

Office of Sponsored Programs (OSP) Data Use Agreement (DUA): CRADC accepts projects and provisions unique user accounts for faculty/staff/students once the Data Use Agreement between Cornell University’s Office of Sponsored Programs and the Data Provider has been executed. Any project with an internal agreement from Cornell University for Cornell data is exempt from approval by OSP, but must retain approval of IRB and the CRADC User Agreement.

CRADC User Agreement: Each researcher is required to complete a user agreement with CRADC covering the usage of the CRADC servers. CRADC User Agreements are only sent to a researcher for signature once CRADC has final approval from OSP or internal agreement from Cornell University for Cornell data.

Access to CRADC infrastructure systems may only be granted by the CRADC staff after all appropriate processes and paperwork have been filed. In all cases, access must comply with applicable legal requirements.

No independent authorization is required for information technology personnel to conduct routine system protection, maintenance, or management purposes in accord with internal protocols and processes. Likewise, requests for access in connection with litigation, legal processes, or law enforcement investigations, or to preserve user electronic information for possible subsequent access in accordance with this policy, need no independent authorization if made by Cornell University’s Office of the General Counsel.

Account Provisioning: Upon receiving a signed CRADC User Agreement, the CRADC staff proceeds with account creation. Once the account has been created, the researcher is notified via an email of their unique account user name and provided a secure link to their temporary password. All temporary passwords, by Active Directory Group Policy, must be changed upon initial login to any CRADC server. [Noted exception: Specific projects require a 24‐hour delay after initial login in order to create new password.]

Account De‐provisioning: Account de‐provisioning is based upon notification via an OSP communication. De‐provisioning occurs within three business days.

CCSS Secure Data Services Staff De‐provisioning: Any change in the CCSS Secure Data Services staff will be communicated via email to the Data Provider through OSP. The staff account will be disabled on the last day of employment within CCSS Secure Data Services and the account terminated shortly thereafter.

It is the responsibility of the Principal Investigator to inform the CRADC staff within ten business days of any changes in project staffing such that a researcher is no longer permitted to access the restricted data. CRADC staff will disable the researcher’s access to the project files within two business days and notify the Office of Sponsored Programs. The Office of Sponsored Programs will then notify the Data Provider of said project staff changes. CRADC will re‐enable or de‐provision the user account based on the final decision as communicated by OSP on behalf of Cornell University and the Data Provider.

Unsuccessful Logon Attempts: A policy is defined on the Domain Controller that locks all accounts after three unsuccessful logon attempts. A lockout period is enforced before the researcher can attempt to logon again.

Session Lockouts: Dependent upon the Data Provider’s Data Use Agreement, a screensaver session lockout will occur after 10‐minutes of non‐activity. If the Data Provider agreement establishes criteria requiring idle sessions be suspended after less than 10‐minutes of non‐activity, special requests can be accommodated.

User account access remains dependent on the existing project requirements, as stipulated within the Data Provider’s Data Use Agreement and approved by OSP, IRB, and the CRADC User Agreement. At the expiration of any existing project requirement, the user account will be disabled. When the requirement has been approved and all existing project requirements are complete, the user account will be re‐enabled.

The CRADC staff oversees the management of CRADC projects and user accounts through a contract management system, and implements the unique project and user accounts within Active Directory Users and Computers on the CRADC domain controller. User accounts are created by the CRADC staff upon notification of completion of all required University and Data Provider signatures (i.e. Data Use Agreement, internal Cornell data, and/or Institutional Review Board). During any status update, the CRADC staff ensures that both the management system and the CRADC domain controller are synchronized on researcher status and forthcoming expiration dates.