The purpose of this document is to provide guidance for protecting university research data from unauthorized access or disclosure.
This guideline is applicable to UNC Charlotte faculty and staff as well as other authorized users who obtain, access or generate research data. This guideline also applies to Data Security Officers working with researchers and research team members to ensure implementation of the applicable security controls for research data.
Direct any general questions about this guideline to your unit’s Information Security Liaison. If you have specific questions, please contact ITS Information Security Compliance at ISCompliancefirstname.lastname@example.org.
Anyone conducting research in the course and scope of his or her employment at the university should complete the Research Data Registration form. Information gathered includes:
- Research team members
- Data provider
- Research location
- Data description
- Data classification
- Data transmission/collection
The information submitted in the form will be maintained by the appointed Data Security Officer (DSO) for the college or unit. The DSO will work with the researcher to develop and implement appropriate data security protections either in the form of a Data Security Plan or general research-related data handling guidelines.
Data Security Plan
A Data Security Plan (DSP) is required for research involving the following:
- Data subject to contractual access restrictions
- Human subjects data if directed by IRB
- Data classified as highly restricted by data custodian or DSO
A DSP is a formal document developed by the DSO working with the primary researcher. The security controls in a DSP will vary depending upon the specific security obligations based on laws, regulations, policies, and binding commitments such as data use agreements and participant consent documents.
Researchers working with confidential or sensitive level two data that doesn’t require a Data Security Plan should work with their DSO to implement the following security measures to protect their research data:
- Encrypt and password-protect the hard drive and removable media used to store or transfer research data.
- Encrypt data transferred to/from external networks.
- Password-protect the firmware to prevent starting up from another drive.
- Do not use shared or generic accounts.
- Regularly audit account ownership and permissions to ensure appropriate access.
- Follow the Standard for Account Passwords for all accounts.
- Use university-approved anti-virus software on computers storing research data.
- Enable screensaver after 15 minutes of inactivity and prompt for login when the screensaver has been activated to access hard drive.
- Limit data access to researchers and IT administrators who have signed statements of confidentiality.
- Provide users with the lowest necessary level of access to data.
Researchers are responsible for following the prescribed data security controls throughout the duration of their research.
ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.
Initial Draft 2/28/17
Information Assurance Committee Approval 3/2/17