Q. How do I shred a secure or marked document?
- For paper documents, destroy them using crosscut shredders which produce particles that are 1 mm x 5 mm (0.04 in. x 0.2 in.) in size (or smaller), or pulverize/disintegrate paper materials using disintegrator devices equipped with a 3/32 in. (2.4 mm) security screen. For other types of media, section 5.3 of the Digital Media Sanitization Data Deletion and Destruction Procedure provides guidelines for media destruction.
Q. Where do I shred a secure or marked document?
- Currently, users may shred documents in departmental or unit offices as long as they meet the requirements in section 5.3 of the Digital Media Sanitization Data Deletion and Destruction Procedure. Print and mail services also offers a shredding service that may meet the requirements.
Q. How do I get a removable hard drive or flash drive encrypted? What do I do with the removable drive when the project is complete?
- The steps for encryption depend on what operating system (OS) you have.
  - If you have a Windows OS, follow this guide: Enabling BitLocker to Go (RRC)
  - If you have an Apple OS, follow this guide: Encrypting External Media
Please get in touch with your IT Support Team for additional information or assistance.
What do I do with the removable drive when the project is complete?
- The Digital Media Sanitization Data Deletion and Destruction Procedure provides guidelines for securely sanitizing and deleting data, based on the risk classification of the data involved (see Section 3). Contact support@nebraska.edu for assistance or to arrange media degaussing or destruction.
- Although written for departing PIs, the R&I offboarding process includes direction on handling different data requirements during a transition.
Q. How do I encrypt an email?
- Email encryption is done through the Proofpoint portal. When the encrypted email is sent using the Proofpoint portal, the email and the keys are retained within Proofpoint. The receiver must set up an account to read the message. Please use the following link to encrypt your email using Proofpoint: https://securedmail.nebraska.edu/encrypt
Q. I have/need a System Security Plan (SSP) for security purposes – what does that mean? Who do I contact with questions?
- An SSP is typically required to meet regulations that apply to specific projects. It is a formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements. These plans have to be updated when systems change, risks increase, or every three years. Typically, Research Compliance or the Office of Sponsored Programs will communicate the need for an SSP based on funder/contractual requirements and will notify ITS to start the process. As part of this process, you will be required to fill out an inventory and describe the planned operations.
Q. I have/need a Data Management Plan (DMP) – what does that mean? Who do I contact with questions?
- Every project would benefit from having a DMP, but some projects are required to have one by their funder or specific compliance area. A DMP describes how the data will be acquired or collected, stored, secured, accessed, and transmitted. UNL Libraries provides access to a DMPTool, as well as workshops and information sessions to help understand and create DMPs. The Office of Research Compliance has additional information about DMPs on their website. If your data is subject to IRB oversight or Export Control, Research Compliance has the specialized knowledge to help you. In other cases, the Research Data team in the Libraries can answer questions.
Q. I need to send some HIPAA/FERPA information to a colleague. What is the best way to do that? Should I email it?
- HIPAA/FERPA data should not be shared via email. HIPAA/FERPA data can be shared with authorized users via a secure SharePoint site. You can request a Secure SharePoint site by clicking on the ‘Request a secure SharePoint site’ button in the right pane on the link below: https://services.unl.edu/service/shared-cloud-storage-ms365-sharepoint
Q. What types of data can I access using my personal cell phone or other personal devices?
- Accessing data from a cell phone or personal device may be allowed depending on the requirements from the sponsor and/or applicable oversight bodies. This access may be dependent on the risk level of the data; please refer to EM 41 and EM 42 for more information.
- Detailed information about using personal devices, with examples, can be found in section 4.0 of ITS-19: Security of Personally Owned Devices Standard.
Q. I have created an app/software that I’d like to use in my research. Should any security review occur prior to using it? If so, who do I contact?
- Yes, a security review should be completed prior to using the application/software. Reach out to the ITS Security team by emailing support@nebraska.edu.
Q. I have been using my work computer for access/work involving High Risk data. The High Risk project has been completed, and I will be working only in Low/Medium Risk data areas. Do I need to do anything differently?
- Once the High risk data has been appropriately removed, you have options. High risk endpoints can access Low and Medium risk data – the question is whether you are fine working with the restrictions of a system classified as High risk (such as limitations on some applications, printing, and remote access). If you want to remove those restrictions, the computer needs to be securely erased and reimaged before accessing lower risk data. Please work with your Distributed IT or NU ITS support to request the reimage and update your classification.
Q. Should I use a laptop or a desktop for controlled/secure information? Does one work better than another if I need to purchase one?
- You should choose the device that best fits your needs – both can be set up for High risk data. The only difference is the physical security of the device itself. With a laptop, there may be different expectations for device control with controlled/secure data, including where the device is used. The U.S. Cybersecurity & Infrastructure Security Agency provides guidance on physical device security.
Hardware purchasing: All information system hardware (desktops, laptops, workstations, servers, IoT) should be purchased from e-shop utilizing our CDWG contract. Please work with your departmental IT representative when purchasing IT hardware.
Software & cloud resource purchasing: Please work with your departmental IT representative when purchasing all software, subscriptions, and cloud resources.
Q. If I have Medium or High risk information on a server, can I use any computer to access the information on the server? Or how should I access this information?
- Your computer needs to be set up for the highest risk data that will be used on it. Network access to a server classified as Medium or High Risk will require a computer with the equivalent (Medium/High) or greater endpoint security settings and minimum security controls. Please get in touch with your IT Support Team if you need assistance determining the current risk classification of a university-owned endpoint or need assistance elevating the endpoint to a higher classification.