Purpose: This document is intended to determine infrastructure set-up, security, policies, and staffing for restricted-access room. This room is for researchers to handle controlled unclassified data (sensitive data) for research projects.
You can find more information about the space and also apply to use it.
Table of Contents
Terminology
Data Use Agreement/ Data security plan: the agreement made between the researcher and the data owner regarding how the researcher is allowed to use the data, for how long, and where
Data Project Application: an application a researcher must fill out per project they want to use the Secure Data Room for. They will need to include details of their finalized Data Use Agreement. If approved, they will be granted access to the room.
Room Access Spreadsheet: a log that the room manager (the Research Data Librarian) keeps to track who has submitted Data Project Applications, and how long their project(s) are approved for access into Secure Data Room. This spreadsheet will be helpful for sending reminders to researchers to complete Extension Request Forms.
LibCal Reservation: to book a reservation for a computer space within the Secure Data Room. There are currently two (2) bookable computer spaces. These spaces will be visible for booking via a private URL by researchers who have had their Data Project Application approved. Though bookable, these spaces cannot be entered if the researcher does not have access to the room (see Extension Request Form).
Extension Request Form: an email that must be answered before each additional year by researchers who have had Data Project Applications approved for their project. The contents of the form certifies continued agreement to the Room Usage Policy. Room access is automatically cut off for everyone at the end of each year, so this email response grants renewed access for the researcher. The Room Access Spreadsheet will need to be updated.
Antechamber to Secure Data Room: 2050A, where lockers are kept. External items must be stored here, away from the computer spaces.
Data destruction: a method for the data to be securely destroyed, as agreed upon in the Data Use Agreement/Data Security Plan
Secure Data Room’s Specifications
Source of Authority: 07.300.03 Physical and Environmental Security
Related Links:
- 07.400.01 Information Technology Vendor Risk Management Policy
- 07.300.02 Operational Security
- 07.300.04 Cryptographic Security
- 07.200.03 Network Infrastructure Management and Standards
Computing Platform
Network Configurations
The workstations in the Secure Data Room belong to a private, isolated research network built with specific Group Policy (GPO) controls. This network is segmented with limited access to other network resources, such as servers and storage in UNCW’s datacenter. The workstations can access the internet, and the network is protected and monitored by UNCW IT personnel.
Network connectivity is approached with a default deny-all, permit-by-exception methodology, for inbound, outbound, internal, and external traffic. All connections are explicitly vetted for use case and security.
Network connections are audited on an annual basis to determine if connections need to remain in place or if they can be removed.
Any network changes impacting the secure data room infrastructure will be reviewed for compliance with desired security standards, laws, regulaations. Additionally, these changes will be vetted via Change Advisory Board.
Network communications associated with protected, sensitive, or any data subjected to restrictions will be transmitted in accordance with those restrictions.
Backup data storage
All files located locally on the Secure Data Room workstations will be deleted upon computer restart due to the computer’s DeepFreeze settings; therefore there will be no backups created for the restricted data on the computer. Files must be saved manually by the researcher onto OneDrive or approved external media rather than automatically synced to OneDrive.
System and Third-Party Application Updates and Patches on workstations
The relevant computers are configured for Windows operating system updates at least once per month. Updates for third-party applications will occur at will during the next designated nightly maintenance window that is aligned with DeepFreeze’s thaw.
The relevant computers are protected with antivirus software (Crowdstrike and Microsoft Defender) and configured for antivirus updates at will during the next designated nightly maintenance window that is aligned with DeepFreeze’s thaw.
Any and all applications utilized on the relevant computers will undergo a thorough vetting process, ensuring an appropriate use case is presented, security concerns are addressed, the vendor risk management process is satisfied, and approval is explicitly granted.
Security
The Secure Data Room meets ISO-27002:2022 digital and physical data security compliance standards. Workstation infrastructure is subjected to risk assessments, system inventory, data requests, and permitted users. For approval to use the Secure Data Room, the researcher accepts that they will follow the Access Standard and Computer Usage Standard. These policies include agreeing to not access the data files outside of the room even if the files themselves are stored in cloud storage, agreeing to not use external materials such as cell phones while handling data files, and agreeing to not let unauthorized users into the Secure Data Room.
The workstations will be reset upon every reboot using DeepFreeze. Workstation monitors will be oriented to prevent eavesdropping. The computer screen will be set to auto-lock after 12 minutes of inactivity and all users agree to manually lock the screen or log off from the desktop when stepping away. The workstations will prevent unauthorized data access by utilizing password-protected user accounts.
All users included in the Data Use Agreement for a project associated with restricted data are given control access to their data stored on the PI’s OneDrive folder for the project and are given physical access to the Secure Data Room to work with the data. Authorization to the Secure Data Room is reviewed annually, and video and digital logs are kept to show who used the Room for what project at what time.
Requirements for data governance at various sensitivity levels are classified by in accordance with UNCW’s Data Classification Standard and checked with the researcher upon the creation of their Data Security Plan. To accommodate data owner stipulations for controlled unclassified research data, necessary security procedures will be negotiated for data accessed within the Secure Data Room.
Campus ITS Security team reviews software vulnerabilities and hardware vulnerabilities. Campus ITS will manage patching for systems present within the secure data room. Campus ITS and the Library IT teams will have authority to scan the necessary systems through the IP addresses of the Secure Data Room workstations. Vulnerabilities are remediated in accordance with their criticality, all exceptions are reviewed, vetted, and documented.
Campus and Library IT are obligated to follow appropriate procedures if a security incident is suspected. All incident response procedures are handled in accordance with UNCW’s Incident Response Plan.
Security audit process
Reservations for use of the workstations (using the Library’s LibCal booking software) can be reviewed by the Library IT team. A card scan list will be created quarterly by Library Building Operations and provided to the Research Data Librarian to audit against a list of approved users. A security camera will record all entry and exit through the door to the Secure Data Room and can be checked upon need. Approved projects will be tracked by the Research Data Librarian to ensure authorization to the Secure Data Room should still be enabled.
Campus IT Security monitors for anomalous traffic on the Secure Data Room’s isolated network, scans and remediates vulnerabilities, monitors end-user's actions, responds to cybersecurity related alerts, and assists with periodic review of compliancy requirements
Physical room access
UNCW Employees
Specific Library and Campus ITS employee are given card access to the Secure Data Room in order to make any necessary hardware, security, or facility updates. Employee access to the room must be approved by the Library’s Associate Director of IT & Digital Strategies and UNCW’s Director of Information Security.
A current list of UNCW employees granted to the Secure Data Room is maintained by Library IT.
Researchers
After a Data Project Application is accepted, researchers are granted no more than one-year long card access to the Secure Data Room. All university employees annually renew their agreement to protect confidential data securely.
Passwords
Users log in to the Secure Data Room computers using their UNCW passwords, which are required to meet University standards. Access to the data files themselves are also password protected through the user’s OneDrive login. There may be additional collaborator permission restrictions or password protections at the folder or file level if required for the research project’s IRB approval.
The relevant computers are configured such that a screensaver lock will activate after a short period of time and the user will need to re-enter their password to unlock the screen. Administrative access to change security and other configurations on the workstations is limited to specific Campus and Library IT employees.
Researchers found in violation of security protocol
Researchers are expected to follow the procedures outlined in this document and abide by the terms of their Data Use Agreement and Data Security Plan. UNCW Library reserves the right to rescind or bar access to the Secure Data Room for individual researchers if they are found in violation of security protocols.
Data Storage
Storage Location
Data will be stored on the researcher’s Microsoft OneDrive folder for the approved research project only and will only be accessed within the Secure Data Room. In no case should data be downloaded or accessed from the cloud storage outside of the Secure Data Room or otherwise be copied onto media or devices not approved in the researcher’s approved Data Security Plan for the project.
Only analysis results including output tables and figures will be removed from the cloud storage; no original data will be removed.
Alternate methods of storage are subject to review, ensuring compliance with any applicable laws, standards, or regulations. All alternate methods of storage require approval from the Library IT team and campus ITS.
Data Encryption
The researcher will transfer source data from the data owner through the data owner’s designated encrypted channel.
In accordance with the specifications of the researcher’s approved Data Security Plan with the data owner, as well as IRB approval, the researcher will digitally password protect files on cloud storage or utilize an external hard drive with hardware encryption or software encryption such as BitLocker.
Data Destruction
Data destruction protocols are governed by the relevant Data Use Agreement and the IRB data security designation. Information designated category type “Highly Sensitive” (such as Controlled Unclassified Information) must be properly disposed of by securely overwriting the information or physically destroying the media when no longer needed. Data stored on the PI’s OneDrive that is deleted will not be able to be accessed by the user after 30 days and will not be able to be accessed by IT after 90 days, in accordance with Microsoft’s recovery period policy.
Physical Location
Authorized Usage Purposes
Data will be accessed and analyzed on a secure computer at the University of North Carolina Wilmington campus Secure Data Room (Address: Secure Data Room, 2nd floor, UNCW Library, 5162 Randall Dr, Wilmington, NC 28403)
Authorized Personnel
UNCW researchers who have received approval for use of this restricted-access room have access through a card scan, which must receive yearly access renewal approval.
Only approved researchers, designated IT administrators, and designated building facilities personnel will have physical access to the Secure Data Room.
Policy Adopted: 10/14/2024