Secure Research Data Strategy

SRDS Certified Environments

Last modified: 10/17/2019

Under the University’s Research Data Protection Policy the CISO is responsible for “approving information security measures implemented to protect the security of Restricted Data and aiding Principal Investigators and Information Technology personnel in implementing such measures”. One means by which this is done is a process of certifying computing environments provided to researchers in which to store and/or process their sensitive research data. This page records environments that have been so certified.

Information for those who may wish to have a computing environment certified is further below.

Certified Environments

Each environment is certified to meet a given Protection Level of Moderate or High, as defined in the Sensitive Research Data Usage Guide. The Service Scope column indicates the range of PIs or projects that the service is operated to support.

 

Name | Protection Level | Service Scope
Secure Data Enclave | High, High – offline | University PIs
UL 2.0 | High | Urban Labs
Data Room, Social Science Research Center | High – Offline | SSD PIs needing a physically secured room with no network access
Center for Research Informatics | High | BSD PIs, especially those working with UCMC patient data
An end user device that meets all of the criteria in the Baseline Protection of End User Devices Policy and the Information System and Managed End User Device Standards. | Low | User of the end user device

Certification Process

The CISO’s Office offers certifications at two Protection Levels, Moderate and High. These meet the security standards defined in the University Edition Cyber Security and Data Privacy Policies Templates at its “Core” and “Low” levels, respectively. Environments can also be reviewed and certified to meet some other identified security standard as may be required for a specific research activity. The Protection Level your environment should meet will depend on the types of sensitive data you want to be able to store and process as well as terms in associated contracts or approved protocols.

Contact CISO@uchicago.edu to inquire about certification.

The certification process itself happens by having a member of the CISO’s Office work alongside your team while you’re developing your technology and procedures to provide the desired level of security. The engagement begins with a discussion of what you want to accomplish, discerns key capabilities and risks associated with that, and then proceeds through an overall review of ~100 security controls (for High Protection Level) to see what choices may need to be made in order to arrive at a compliant security plan for that environment. A technical description of the Protected Environment, which defines the set of stuff to which the security plan pertains, is developed in parallel with that review, and whatever procedural or other documentation needs to be developed in addition to the security plan itself is noted. The CISO representative develops the security plan as this process unfolds – its degree of completion is how we keep track of where we are in the process.

After the initial gap analysis, regular, usually weekly, meetings let us dive into and resolve the myriad details, choices, and trade-offs that come up along the way. After we get all the way through the first time, we’ll review and revise the security plan and all of the supporting documentation we’ll have produced to ensure it reflects reality (rather than some earlier supposition, for example). Then we’ll create a POAM (Plan Of Action and Milestones – federal information security jargon) of whatever remains to be done to achieve perfection, and if that’s not terribly large, the CISO representative certifies your Protected Environment. URA, Office of Legal Counsel, and the IRBs are notified that you’ve met that standard from the University Edition policies, and your service will be added to the table above.

Note that perfection is almost never achieved in the real world! Things are always changing for a variety of good reasons. Our aim is to ensure that your team learns how to keep their eye on the ball in a variety of ways. Good people who’ve learned how to do so are the best way to manage risk. We’ll keep track of the POAM items and review the environment against its security plan at least annually, and sometimes in between as may make sense, to be diligent about addressing any gaps between the actual environment and its designed security plan.

For planning purposes, the length of time it takes from initial contact to initial certification is about 18 months for High Protection Level and about 6 months for Moderate Protection Level. This allows for the possibility that some new equipment may need to be purchased, that processes may need to be developed and documented, or that governance or management responsibility may need to be clarified or established.