Research Data Security Guidelines
Good data security practices minimize risk to subjects and financial or regulatory/compliance risks to researchers. Privacy and the protection of confidential information are a continued priority for the IRB and the University. Please use the tools and tips below to maximize the protection of research data.
- File storage and sharing - To know where to store your data, you first need to classify the sensitivity level of your data. Please use Fordham's Data Classification Guidelines to determine that level, of which there are three: Protected Data, Sensitive Data, and Public Data. Also, please read why it is important to store sensitive data properly to protect research participants and the University community.
- Virtual Private Network - The Virtual Private Network (VPN) provides secure access to many of the University's network resources when you are off-campus or using the public wireless network, Fordhamwifi. Essentially, a VPN "fools" the network into thinking the user is at Fordham, even though the computer connection is taking place offsite.
- Password selection and management - Choose strong passwords or passphrases to make sure no one gets access to your private information.
- Multi-Factor Authentication - Multi-factor authentication (MFA) provides your password-protected, online accounts at Fordham with an additional layer of security by using your device (mobile phone, landline, tablet, hardware token) to verify your identity.
- Operating System, Software Application, and Anti-Virus Updates - It is very important to keep your device's operating system and software applications updated.
Avoiding Accidental or Coercive Exposure of Sensitive Information
Whether at home, work, or traveling, you should secure your digital environment and restrict access to sensitive information.
- When possible, encrypt laptops, desktops, and mobile devices that will store sensitive information. Encryption reduces the risk that confidential data will be exposed if the data, or a device containing it, is obtained by unauthorized persons. Fordham IT is currently building a centrally managed encryption solution. In the interim, IT supports the use of VeraCrypt as a standalone solution. When using VeraCrypt, please note that IT cannot help restore a forgotten password. Please contact IT Service Desk at 718-817-3999 or via email: [email protected] for more information.
- For smartphones, tablets, and other mobile devices, set a passcode to access your device, set a passcode lock that requires the PIN to be re-entered after 5 minutes of inactivity, and set up auto-wipe so that the device wipes (erases) all of the data it contains after 10 successive passcode failures.
- Use an encrypted, password-protected flash drive to move sensitive data to other devices or to share data with others when Google Drive is not used. Encrypted USB drives are available at local retailers.
- Never ask for or supply more sensitive information than necessary.
- Anyone who can access sensitive information should be made aware of its importance and be trained in handling it, including transcribers and data coders.
Keeping Your Research Data Safe When Traveling
- Do not leave your devices unattended. Keep mobile devices on your person or in a locked safe whenever possible. Ensure that they are encrypted and have a PIN as described above.
- Do not expect privacy. Certain countries have policies or legal environments that allow them to record everything and anything, from cellular calls to internet traffic. When traveling abroad, be prepared for the possibility that you may be compelled to share any research data you bring with you. Certain countries restrict encrypted devices.
- Make sure that VPN is set up on your computer before you travel.
- Install a privacy screen on your laptop to discourage "shoulder surfing."
- Back up your data and media to a device that will remain in the United States or to Google Drive.
- Only download iOS or Android mobile apps from the Apple or Google App Store.
- Less is best - bring the least amount of information/data and the fewest devices possible. Utilize travel-only devices that are stripped down to only necessary documents, services, and applications.
- If possible, do not insert USB ("thumb") drives or other portable media given to you when traveling. If it is necessary, before plugging them in make sure that your virus definitions are up-to-date and that your anti-malware program is configured to automatically examine USB devices for malware before enabling access to them.
- Turn off your device, or at least the Wi-Fi and Bluetooth capabilities, when not in use. Do not allow devices to remain in "sleep" or "hibernation" mode when they are not in active use.
- Limit use of public terminals, and avoid using accounts that require usernames and passwords on public machines. It is easy for someone to set up a fake Wi-Fi network in a hotel or other public area and encourage people to connect to it to capture sensitive information.
- If for some reason you can't use a VPN, at least protect your web browsing. Try typing https instead of http into the address bar - to access Gmail, for example, you'd type https://gmail.com. If a padlock appears beside the address, the data you send and receive from that site is encrypted. If you're using Chrome, Firefox, or Opera, it's even easier: install the HTTPS Everywhere plugin and it'll do this for you automatically.
- If you are doing something sensitive online, use VPN, in addition to any other measures such as HTTPS, to protect the connection against eavesdropping. Also, it's harder to intercept cellular networks than Wi-Fi ones, so if you have access to reasonably priced cell data on your phone or tablet, use it.
- Software such as Find My iPhone and Android Device Manager offers various features for tracking down stolen gear. These tools can report a device's location, take photos and video, sound alarms, display messages on the screen, and more, and can help reunite you with your technology. Make sure they're set up and working correctly before your gear goes missing!
- Upon your return to the United States, run anti-virus software to scan your device for malware and follow the instructions to correct any issues. If you used your Fordham ID and password while traveling abroad, it's a good idea to change your password when you return.
For further information on IT security awareness:
Information Security Training
Information Security and Assurance, together with Proofpoint, a leading provider of security awareness training, has created an immersive Information Security Awareness Program. It includes online security awareness training to help you better protect the University and yourself from increasingly sophisticated threats by malicious computer users.
To access the course, log in to the Proofpoint app from the MyApps tab in the portal, my.fordham.edu.
For more information and guidance, contact the IRB Director, Michele Kuchera, at [email protected] or IT Service Desk Tech Help Tab at [email protected].