All members of the JSU community and the JSU research community share the responsibility to safeguard the university's resources and data, and to ensure that, when collecting, storing, sharing or disseminating research data, they comply with university data and device security policies and with data protection laws and regulations.
To ensure their research data is appropriately protected, all members of the JSU community and research community must consider data security early in a research project, so that they can properly prepare and budget for any additional security controls that the University does not already provide or that are needed to meet the security requirements of a research grant, project or opportunity.
Classifying Research Data
Sensitive JSU data must be protected to prevent theft, unauthorized access, compromise, or inappropriate use. JSU has established data classification levels driven by legal, regulatory, academic, financial, and operational requirements.
It is important for researchers to understand the classification of their research data in order to determine security requirements for protecting the data.
Protecting Research Data
It is the responsibility of all JSU faculty, staff, and students to use appropriate tools and technologies to secure sensitive data collected and shared during and/or after conducting university research.
Below are guidelines and suggested tools and services that can help you protect research data:
- Security Requirements: Determine the classification level of your research data using the JSU Data Classification Standards Policy (https://www.jsums.edu/jsu-cyber-awareness/jsu-information-technology-policies/) as a guide. It defines whether data is Confidential (highly sensitive), Restricted (moderate sensitivity), Public (low sensitivity) or Controlled Unclassified Information, and that classification determines the appropriate data protection mechanisms.
- Sensitive Data Protection Guide: All university research data collected, stored, and shared from students and employees shall be handled using the following security controls and measures, so that university data is handled in compliance with the data protection and privacy requirements specified by federal and state laws, regulations, and industry standards:
- Sensitive Research Data Collected, Processed and Shared Electronically. Examples: data collected and stored online via web surveys or electronic web forms.
- Data Transmission: Survey responses must be encrypted in transit to the survey platform. Ensure that the web survey tool and platform offer SSL/TLS (Secure Sockets Layer / Transport Layer Security) encryption, i.e., that survey links are served over HTTPS.
- Data Access & Control: Ensure data is accessible only to individuals on the research team who have been designated with approved access and have signed the appropriate nondisclosure agreements, typically on a business "need to know" basis. Use a complex password of at least 15 characters including letters, numbers and symbols, and turn on multifactor authentication for the associated survey account where possible.
- Data Storage: Ensure the web survey host or platform encrypts collected and stored data. If it does not, immediately extract the collected survey data to an authorized, secure university device for storage, and delete the data held on the survey or electronic platform as soon as possible.
- Data Sharing: Transmitting sensitive confidential data over any non-JSU network (e.g., the public Internet) or over the JSU guest network is prohibited. Transmission through any electronic messaging system (e-mail, instant messaging, text messaging) is also prohibited.
- Sensitive Data Collected, Processed, and Shared on Portable and Non-portable Devices. Examples: cell phones, laptops, Android tablets, iPads, USB drives, external hard drives, desktop computers and paper surveys.
- Data Access & Control: Ensure data stored on portable devices and computers is accessible only to individuals on the research team who have been designated with approved access and have signed the appropriate nondisclosure agreements, typically on a business "need to know" basis. Use a complex password of at least 15 characters including letters, numbers and symbols, and use multifactor authentication for the account on the portable device or computer where sensitive research data is stored. Also ensure the screen-saver lock (automatic screen lock requiring the password on resume) is enabled on the machine used to collect and store data.
- Data Storage: All sensitive research information and files extracted or collected and stored on portable devices and computers must be encrypted using approved university processes and tools (for example, Windows desktops may use BitLocker). Portable devices may use the encryption tools that come with the device unless the researcher determines they do not meet the specific security requirements of the research.
- Data Sharing: Use secure file transfer methods to transmit confidential data files between users or between institutions. Encrypt the associated research files and use tools such as SharePoint, 7-Zip or Virtru.
- Data Disposal: If the research plan calls for destruction of documents or electronic files after the project has been completed, all paper files or CDs containing PII should be shredded, and any electronic files on memory drives, PCs, laptops, hard drives and file servers should be permanently deleted. If the research plan includes long-term retention of PII (in paper or electronic form), all data files should be stored securely in a safe or locked file cabinet.
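The two device controls above for Windows machines (BitLocker full-disk encryption under Data Storage, and a password-protected screen lock under Data Access & Control) can be verified before sensitive research data is placed on a workstation. The following read-only check is an added example, not a JSU-provided script or tool: it reports each fixed volume's BitLocker protection state and the current user's screen-saver lock settings. The 15-minute lock timeout it compares against is an assumed value, not one the policy specifies; it requires Windows 10/11 with the BitLocker PowerShell module and an elevated session.

```powershell
# Added example (not part of the JSU policy): read-only compliance check for a
# Windows research workstation covering two controls named in the guidance:
#   - full-disk encryption with BitLocker (Data Storage)
#   - an active, password-protected screen lock (Data Access & Control)
# Run in an elevated PowerShell on Windows 10/11.

$MaxLockTimeoutSeconds = 900   # assumption: 15 minutes; JSU does not state a value

function Test-BitLockerProtection {
    # One object per volume: protection must be On and encryption complete.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Volume           = $_.MountPoint
            ProtectionOn     = ($_.ProtectionStatus -eq 'On')
            EncryptedPercent = $_.EncryptionPercentage
            Method           = $_.EncryptionMethod
            Compliant        = ($_.ProtectionStatus -eq 'On') -and ($_.EncryptionPercentage -eq 100)
        }
    }
}

function Test-ScreenLock {
    # Per-user screen-saver settings live under HKCU:\Control Panel\Desktop.
    # ScreenSaveActive=1 turns the saver on, ScreenSaverIsSecure=1 requires the
    # password on resume, ScreenSaveTimeOut is the idle time in seconds.
    $desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
    $active  = $desktop.ScreenSaveActive -eq '1'
    $secure  = $desktop.ScreenSaverIsSecure -eq '1'
    $timeout = if ($desktop.ScreenSaveTimeOut) { [int]$desktop.ScreenSaveTimeOut } else { 0 }
    [pscustomobject]@{
        ScreenSaverActive = $active
        PasswordOnResume  = $secure
        TimeoutSeconds    = $timeout
        Compliant         = $active -and $secure -and ($timeout -gt 0) -and ($timeout -le $MaxLockTimeoutSeconds)
    }
}

# Report both checks; any row with Compliant = False needs remediation before
# sensitive research data is stored on this machine.
"== BitLocker volumes =="
Test-BitLockerProtection | Format-Table -AutoSize
"== Screen lock (current user) =="
Test-ScreenLock | Format-List
```

When screen-lock settings are enforced centrally by Group Policy, Windows stores the effective values under HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop rather than the per-user key read above, so a machine managed that way should have that key checked as well. The script only reads state; enabling BitLocker or changing lock settings should go through the approved university process referenced under Data Storage.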