Our next Research IT Reading Group topic will be: Approaches to Secure Research Computing: Working with Restricted or Sensitive Data, Th 3 December / noon / 200C Warren Hall.
When: Thursday, December 3rd from noon - 1pm
Where: 200C Warren Hall, 2195 Hearst St (see building access instructions on parent page).
Event format: The reading group is a brown bag lunch (bring your own) with a short <20 min talk followed by ~40 min group discussion.
Presenter: Jason Christopher, Research IT
Facilitator: Leon Wong, Information Security
Is my research data secure? Is securing my data for research a point-in-time event or a process? If it is a process, how should it be managed through the lifecycle of the research project? Jason Christopher (RIT) and Leon Wong (IS) will discuss conducting research with sensitive data. They will present frameworks and several approaches that are currently in use, and options for future development.
Please review the following prior to our 12/3 meeting:
The following are additional/optional reference materials:
Presenting: Jason Christopher, Research IT; Leon Wong, Information Security & Policy
Aron Roberts, Research IT
Ben Gross, IST-API/EIE
Bill Allison, Campus CTO
Camille Crittenden, CITRIS
Chris Hoffman, Research IT
Chris Paciorek, Statistics & BRC
Jon Hayes, bConnected
Ian Crew, bConnected
Jamie Wittenberg, Research IT
Jen Bollinger, bConnected
Kelly Rowland, Nuclear Engineering & BRC
Patrick Schmitz, Research IT
Perry Willet, CDL
Rick Jaffe, Research IT
Ronald Sprouse, Linguistics
Stephanie Simms, CDL
Steve Masover, Research IT
Steven Carrier, School of Education
Tanya Preston, Human Subjects
Adrienne Tanner, Office for the Protection of Human Subjects
Walter Stokes, IST-Database Services
See slide deck
Multidimensional problem. Many stakeholders. Lots of people and technologies. Costly. And security is a real issue: breaches at Stanford, Penn State.
FISMA: low/moderate/high risk to the operation, security, and reputation of an organization. Gaining popularity. External vendors (AWS, Google) are also getting into the business of certifying their environments as FISMA 'compliant'.
At Berkeley ... (see slides). Info Sec & Policy unit has a review and consultation role. Does not host sensitive research data, sign off on research contracts, implement compliant systems (e.g., HIPAA), or monitor systems implemented on cloud platforms.
350 person-hours to meet FISMA-moderate requirements in a use case in which Info Sec & Policy participated to help a campus research unit host a set of FISMA-moderate data (from the Center for Medicare/Medicaid). A major fraction of this work is documentation. (Patrick notes: for HIPAA environments at the lab, .5 to 1.0 FTE to set up; then .25 FTE ongoing to maintain the documentation/environment.)
Issue with locally-managed environments: when a researcher's admin (sometimes a grad student) moves on to other work, the security-related function they were performing is left unfilled.
Lots of campus options for storing data, but none conveniently "packaged" for researchers.
Jason: Research IT has a Secure Research Data Project. A high priority. Currently doing needs assessment (see slides for detail on areas being assessed).
Walter Stokes: MSSEI Level 2 protection on databases currently in production.
Ian Crew: A lot of compliance with something like MSSEI Level 2 is at the end-user end, not the service implementer: who has access, for example.
Rick: In assessing needs, include training for research group leads who are responsible.
Patrick: Research IT working groups across all UC campuses -- one of which is focused on secure computing needs. Recommendations may be made to UCOP on what's needed to support secure data effectively and efficiently across the system, including the possibility of services sharable across the campuses.
Steven Carrier: experience from the departments -- ask questions, get told "you can't do this" -- there's no technical reason for this response, the person I've contacted doesn't know what they're talking about ... that's a tension
Leon: To give an informed response requires more conversation than a researcher might expect to have, another source of tension.
Perry: How much research data actually requires secure handling of any kind?
Leon: We don't actually know.
Chris H: It's growing. And one issue is that what we're prepared to secure has to do with administrative data/use cases; there's work to do in understanding and supporting research data security use cases.
See "What have we learned so far" slide (conclusion/summary).