$ProjectName $ProjectDescription
Data Security Plan
Data Security Plan Summary
RTI has developed this data security plan and will seek review, comment, and approval for it from the $Client ($ProjectName). It provides information to RTI International’s IRB and serves as guideline material for the $ProjectName $ProjectDescription ($ProjectName MMP) managers. This plan describes the security procedures, guidelines, and other safeguards protecting sensitive data collected and used in the $ProjectName MMP. This is the first version of the plan.
The plan covers topics such as the management of the plan, nature of the sensitive data, and the systems we will have in place to manage the data. Please see the outline of the data security plan below:
I. RTI Staff Contact Information
II. Plan Governance
III. Information Collection Request
IV. Information Sensitivity Fundamentals
V. General Description of $ProjectName $ProjectDescription
VI. General Description of Program Systems
VII. Program Data Flow Summary
VIII. Data Exchange
IX. Internal Data Handling
X. IT Systems that Promote Data Security
XI. Physical Plant Protections
I. RTI Staff Contact Information
Authorizing Official
Other Designated Contacts
II. Plan Governance
$ProjectIT, who will serve as RTI’s Systems Task Leader, will oversee and maintain the Data Security Plan. Any updates to the plan will be made by him, with the full knowledge and consent of $ProjectDirector.
Due to the collection, storage and delivery of confidential data, and as required by the Confidential Data Plan at RTI, project staff will submit this data security plan to the Director of Information Technology two weeks in advance of data collection or the receipt of confidential data about potential program participants.
III. Information Collection Request
RTI promises to secure data and protect the confidentiality of all participants. This is a fundamental underpinning of our Institutional Review Board (IRB).
Through several means, including the lead letter and appointment reminder letter, RTI will provide the phone number for our Office of Research Protection. This will provide a way for sample members to voice their concerns and have their questions answered. Further, we will provide in-depth training to our telephone interviewers so that they can answer data security questions.
IV. Information Sensitivity Fundamentals
- RTI will have access to highly confidential information that, alone or combined with publicly available data, could be used to identify individual persons. Such information includes, but is not limited to: names of potential participants, addresses, telephone numbers, dates of birth, social security numbers, e-mail addresses, other contact information, and other confidential information (“Confidential Information”). The Confidential Information will not be copied or disclosed to any other source by any means. Confidential Information in electronic folders, on media, in documents, databases, spreadsheets, electronic mail, and any other format, and/or received remotely through any data transmission services, will be considered within the scope of this Agreement, as well as any written documents, mailings, reports and any other documentation associated with the $ProjectName $ProjectDescription.
Staff members will not be allowed to interview subjects whom they know personally.
- Sample members will also be informed that their contact information will not be shared with anyone outside the program team. Each respondent who participates in the telephone health interview will also be informed that the answers he/she provides will not be associated with him/her. The answers will be compiled with those of other respondents for group analysis.
- RTI acknowledges that all records, information, or data to which it may have access to examine, prepare, maintain, or have custody of and deliver hereunder, are confidential.
- All information and data stored on RTI systems used to support the project and/or on associated computer storage media are the exclusive and confidential property of $ProjectName. Data stored in an offsite facility will continue to be the sole confidential property of $ProjectName and will be subject to the same requirements. We understand that RTI will have no right to privacy on the specific systems directly supporting $ProjectName data, and all information and activity on the systems will be made available to $ProjectName for real-time viewing and monitoring purposes. RTI will not at any time make any disclosure or statements or release to any third party any confidential information.
RTI will take several additional measures to ensure data security. Among them is that all RTI staff members who work on the $ProjectName MMP will have been trained on all Standard Operating Procedures (SOPs) and Technical Operating Procedures (TOPs) which apply directly to confidentiality and security of data. Additional measures to protect data security will be pointed to throughout the remainder of the document.
V. General Description of the Program
VI. General Description of Program Systems
Several systems will be employed to maximize respondent participation, including:
- Data Capture System (DCS) –
- Control System (CS) –
- Information Management System (IMS) –
VII. Program Data Flow Summary
VIII. Data Exchange
Information Management System
RTI will develop an integrated web-based Information Management System (IMS) that will provide on-demand, up-to-date information on project status and progress to both $ProjectName and RTI staff working on the program. The website hosting the IMS will be encrypted with 128-bit encryption through Secure Sockets Layer (SSL) and verified by VeriSign®, the leading SSL certificate authority. When project team members, including the client and interviewers, come to the IMS, they will log in with their unique security credentials. Users will have been assigned to one or more security roles that dictate which features and content they are allowed to see. There will be password-protected network drives. RTI will provide an account setup form for each employee provided access to the IMS. RTI will maintain an account setup form showing the action taken for each addition, deletion or change in account status. RTI will maintain a log of all transactions made to the IMS database to include but not be limited to the IP address for each login, login and password of each login attempt; all database transactions; all procedures run; database backups; database copies; and associated activities.
Data File Exchange
During the course of the project, $ProjectName and RTI will exchange data files. The data will include, but will not be limited to: new additions to the Cohort database, contact data information, subject member status, reports, metrics and all other related data for which secure transfer is necessary. To this end, RTI will provide the IMS (Information Management System) containing a tool implementing File Transfer Protocol (FTP). Both the IMS and the FTP tool take advantage of 128-bit encryption through Secure Sockets Layer (SSL). RTI will verify the integrity of a file prior to delivering the file electronically to $ProjectName.
Data files delivered to $ProjectName will have a separate delivery ID (not the same as the internal RTI case ID number used for tracing, contacting respondents, scheduling medical screenings, etc.).
Data files containing sensitive data that are delivered to $ProjectName will be encrypted, whether the data are sent electronically or on physical media. Electronic data that is shipped will be placed on password protected storage media and shipped via an overnight shipping service.
Data sent to and from external tracing sources for the purposes of sample member location will be encrypted whenever possible. Any data physically shipped will travel by a secure carrier. Case identifiers used on data files sent to external batch tracing services will be different from case identifiers used on final data files destined for release.
Data will not be released to any individual or organization outside the research team.
Further, RTI will not ask any subject to release contact information or any other information to a third party.
Receiving Sensitive Data
Once data are received at RTI, they will be handled with the same high-level security as other data in our possession. Data will be stored in a secure database utilizing a relational table structure, facilitating expedient access to data. The server, located at RTI, will be accessible only to the project team assigned to this project. Other individuals not associated with the project will not be able to access the data without permission from the Project Director.
End of Project Data Handling
At the close of the program, RTI will return to $ProjectName any and all confidential information in its possession. RTI staff will not retain any confidential information in any form at the close of the program.
IX. Internal Data Handling
Project Share
Staff members will not use local hard drives to maintain project data.
The Systems Task Leader will administer the organization of and security for a project share. The share will be organized with folders corresponding to common areas of work. This project share on the secure ITS Windows NT server has been established to accommodate project electronic data file storage by project personnel. The Systems Task Leader will work with ITS to create and maintain appropriate NT login user identification (userid) groups for administration of project share security. At a minimum, a group consisting of all sworn project technical staff will exist, and the Systems Task Leader may create other subgroups as appropriate for controlling permissions to resources that not all project staff need to access.
Only sworn project staff will be granted the privileges necessary to make a network connection to the project share. By default, the primary technical staff group will have read access to all folders on the share. All folders on the project share containing sensitive project data will be restricted via explicit permissions such that only project staff with a specific need to access the data have read access. Project staff will be granted write access to folders and subfolders individually or through specific subgroup membership.
A “users” folder will also be created, containing a subfolder for each staff member’s NT login userid. Each staff member will have write access to his/her own folder, and may grant or deny permissions on objects in that folder to other sworn project staff members as desired. At no time will any project staff member set permissions on any resource stored on the project share to allow access by persons who are not sworn.
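The folder and permission model described above (share-wide read for the sworn staff group, explicitly restricted folders for sensitive data, and per-user folders writable only by their owner) can be applied with NTFS ACLs. The following PowerShell script is an added example and not part of the plan; it assumes a share root of E:\ProjectShare, a domain named CORP, a group ProjectTechStaff holding all sworn technical staff, a subgroup ProjectTracing for staff involved in batch tracing, and the ActiveDirectory module for group membership lookups.

```powershell
# Added example (not from the plan): build the project share layout and apply the
# permission model with NTFS ACLs. Assumed names: E:\ProjectShare, domain CORP,
# groups ProjectTechStaff (all sworn staff) and ProjectTracing (sensitive-data subgroup).
# Requires the ActiveDirectory module; run as a member of the server's Administrators group.
Import-Module ActiveDirectory

$Root        = 'E:\ProjectShare'
$Domain      = 'CORP'
$AllStaff    = "$Domain\ProjectTechStaff"   # every sworn project technical staff member
$TracingTeam = "$Domain\ProjectTracing"     # subgroup with a specific need to see tracing data
$Admins      = 'BUILTIN\Administrators'
$SystemAcct  = 'NT AUTHORITY\SYSTEM'        # needed so the nightly backup can read every folder

$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$ReadExec    = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$Modify      = [System.Security.AccessControl.FileSystemRights]::Modify
$Inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$NoProp      = [System.Security.AccessControl.PropagationFlags]::None
$Allow       = [System.Security.AccessControl.AccessControlType]::Allow

function New-Ace([string]$Identity, $Rights) {
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $NoProp, $Allow
}

# Replace a folder's ACL with exactly the given ACEs. Inheritance from the parent is
# cut (SetAccessRuleProtection $true,$false drops inherited ACEs), so a restricted
# folder cannot be reached through the broad read grant on the share root.
function Set-FolderAcl([string]$Path, [object[]]$Aces) {
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in $Aces) { $acl.AddAccessRule($ace) }
    Set-Acl -Path $Path -AclObject $acl
}

# ACEs every folder carries: administrators and SYSTEM (for backup and restore).
$BaseAces = @((New-Ace $Admins $FullControl), (New-Ace $SystemAcct $FullControl))

# 1. Share root and common work areas: the whole sworn staff group gets read access only.
Set-FolderAcl $Root ($BaseAces + (New-Ace $AllStaff $ReadExec))
foreach ($area in 'Mailouts', 'Reports', 'Programs') {
    Set-FolderAcl (Join-Path $Root $area) ($BaseAces + (New-Ace $AllStaff $ReadExec))
}

# 2. Restricted folder for sensitive tracing data: explicit grant to the subgroup only;
#    the broad staff group is deliberately absent from this ACL.
Set-FolderAcl (Join-Path $Root 'Restricted') ($BaseAces + (New-Ace $TracingTeam $Modify))

# 3. "users" folder: one subfolder per NT login userid, writable only by its owner.
$UsersRoot = Join-Path $Root 'users'
Set-FolderAcl $UsersRoot ($BaseAces + (New-Ace $AllStaff $ReadExec))
$Members = Get-ADGroupMember -Identity 'ProjectTechStaff' -Recursive
foreach ($member in $Members) {
    $userId = $member.SamAccountName
    Set-FolderAcl (Join-Path $UsersRoot $userId) ($BaseAces + (New-Ace "$Domain\$userId" $Modify))
}

# 4. Verification: warn about any folder whose ACL grants access to an identity that is
#    not a sworn staff member, the tracing subgroup, administrators or SYSTEM.
$Allowed = @($AllStaff, $TracingTeam, $Admins, $SystemAcct) +
           ($Members | ForEach-Object { "$Domain\$($_.SamAccountName)" })
Get-ChildItem -Path $Root -Recurse -Directory | ForEach-Object {
    foreach ($rule in (Get-Acl -Path $_.FullName).Access) {
        if ($Allowed -notcontains $rule.IdentityReference.Value) {
            Write-Warning "$($_.FullName): unexpected grant to $($rule.IdentityReference)"
        }
    }
}
```

Step 4 can be run on its own as the monthly review, since a staff member who grants a non-sworn account access to an object in his or her own folder will show up as an unexpected grant.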
The project share will allow for the sharing of data needed by multiple project staff members for collaboration, and provide for automatic backup of project data. Project staff will review the folders on the project share for which they have responsibility and delete temporary and working folders as appropriate.
Any sensitive data produced through DCS, web, scanning, tracing, or other means will be stored in restricted folders on the project share.
Personal e-mail folder files for project-related messages will be stored in a restricted directory on the project share. If multiple staff members need to access a shared mail folder, that folder will be created with access restricted to only that set of staff members.
Communications and sharing of sensitive project data among sworn project staff members will be accomplished by referring to the data location on the project share drive on the RTI secure network. No sensitive project data will be sent via email.
Electronic Data
Electronic files containing sensitive data created in the process of preparing printed materials for mailouts and other purposes (e.g., mail-merge data files, print files) will be saved to a secure location as soon as possible after the associated mailings have been completed or printed materials have been produced and delivered to project staff.
Electronic case identifiers will be different from case identifiers on final data files.
When possible, intermediate files containing sensitive data will be deleted as soon as they are no longer needed (programs will be written and maintained such that endpoint data files can be reproduced from original data if needed without requiring permanent storage of intermediate files). Project staff will review the project share folders for which they have responsibility on a monthly basis to identify intermediate files that can be deleted.
Physical Data
Any printed sensitive materials not being used, such as batches of materials with printing problems, or call scheduling lists, will be shredded immediately. While needed, such printed material will be kept securely locked when not in direct use.
If sensitive printed materials need to be sent between sworn project staff, they will be hand-delivered when on campus, and shipped via a secure carrier when going to or from staff off campus. Printed sensitive materials will not be left in departmental mailboxes.
Case identifiers printed on any communications to sample members will be different from case identifiers on final data files produced for release.
Tracing
TOPS computer systems will be configured to allow only assigned sworn staff to access project cases. TOPS data transfer folders will be protected with specific permissions giving read and write access only to sworn TOPS staff and the sworn project staff directly involved in batch tracing activities.
Data sent to and from external tracing sources for the purposes of sample member location will be encrypted whenever possible and if not transmitted electronically will be shipped by a secure carrier. Case identifiers used on data files sent to external batch tracing services will be different from case identifiers used on final data files destined for release.
All services used for external batch tracing shall have adequate written data security procedures and written policies stating that they will not release project case information to any third parties for any reason.
Testing
Any database created for the purposes of testing the application shall be created with test data only and shall not use data provided by $ProjectName and/or data created from any $ProjectName Cohort member data.
X. IT Systems that Promote Data Security
Firewall
RTI’s network is connected to the Internet by an Internet firewall. All traffic between the RTI network and the Internet passes through this single connection point, providing the same level of protection and monitoring to all systems connected to the RTI network.
The firewall is programmed to allow or prevent access to the RTI network by using a set of rules to determine whether attempted network access is in compliance with RTI’s network security policy. The firewall logs all incoming traffic from the Internet to the RTI network. This information is essential in detecting and analyzing any problems.
The firewall is used to create two RTI networks with different levels of access from the Internet. These networks are called the “private network” and the “public network.” The private network is the main RTI network, and most systems are located on it. Access to this network from the Internet is very limited, using a limited set of protocols into specific systems. For example, incoming electronic mail is only permitted to specific mail servers. The public network is more accessible from the Internet and is where World Wide Web servers, anonymous file-transfer protocol (FTP) servers, and other publicly available systems are located.
RTI staff can connect remotely to resources within the RTI firewall using either dial-up networking or
Server Security
Servers on the public network must be registered with our information technology services group and specify which services they offer that should be accessible from the Internet. Services not specifically required are not allowed. By not allowing unnecessary services, a server’s exposure to potential threats is minimized, and the overall security of RTI’s public network is improved.
Web servers are placed behind load balancing devices that provide high availability and serve as an additional layer of protection between the Internet, the web servers, and RTI’s public network. The load balancing devices are configured to only allow traffic based on the website-specific configuration. Only approved file types are allowed on the web servers. Computer-based tools are used to detect and identify vulnerabilities on RTI systems and network. This ensures that vulnerabilities, if detected, can be corrected before unauthorized persons exploit them.
Multiple layers of automated network and server monitoring quickly identify failures or unusual activity, which may be an indication of an attempted security breach. Alerts can be sent to on-call staff 24 hours a day, 7 days a week via e-mail and cell phones for evaluation and appropriate response. A multilayered anti-virus program is in place.
E-mail is scanned multiple times and by multiple anti-virus programs. Anti-spam filtering is in place. RTI system and network administrators are automatically subscribed to multiple mailing lists to ensure they are quickly informed of security advisories, new threats, and the appropriate corrective measures. This includes CERT, Microsoft, Network Associates, Trend Micro, and SANS. RTI is an active member in InfraGard, a cooperative security program between the FBI and commercial enterprises. To avoid unknowingly providing unauthorized access to RTI information, all RTI staff must be aware of information technology security threats that are increasingly common. This includes attacks that try to exploit human behavior such as “phishing” and “social engineering.” Security awareness articles are posted on the internal RTI website, and staff are notified by e-mail when new articles are posted. The information technology security staff maintains several professional certifications including Certified Information Systems Security Professional (CISSP) and firewall vendor certifications.
Windows NT Built-in Security Measures
Microsoft’s Windows NT-based network operating system supports several security features to control access to network directories, folders, and files. These features include:
NTFS permissions allow users and administrators to control access to Windows NT resources on a per-user or per-user-group basis. NTFS has many levels of access control, including no access, read only, change, and full control.
Passwords
Every username (i.e., account) on all ITS systems has an associated password. No written or electronic record of passwords is generated. Automated controls are in place to ensure password quality (requiring a minimum length and a mix of uppercase letters, lowercase letters, numerals, and punctuation). Passwords expire and must be changed every 90 days. Project staff will not share their passwords with any other person.
All project staff will configure their desktop workstations with a password-protected screensaver that will lock the station after 10 minutes of inactivity. All project staff will manually lock their stations upon leaving their work space.
Backups
Under normal operating conditions, complete backups of all files on every network drive, and all e-mail message stores, are written to tape on a weekly basis. Every business day, a differential backup of all files created or modified since the last complete backup is performed. In the event of a hardware or software failure, files can be restored to their status as of the time of the last differential backup, usually the evening of the previous business day. Tapes from complete backups are kept for approximately 3 months. Tapes, Compact Disks (CD-R and CD-RW), or Digital Versatile Disks (DVD-R and DVD-RW) are used for long-term data archiving.
The tapes from the current complete backup are stored in the secure ITS computer room to enable rapid restoration in the event of a data loss. The tapes from the previous backup set are stored at an offsite location. The offsite location has a media vault that meets the American National Standards Institute (ANSI) standards for safe, climate-controlled storage of tapes.
XI. Physical Plant Protections
Access to all work space is secured at all times through the combination of electronic access cards and security guards. RTI has a keyless card-controlled access system on all buildings at all locations. The system monitors and limits access to the buildings and the Information Technology Services (ITS) computer room. Access is granted on an individual basis and reports can be generated to review access patterns. Buildings staffed by security guards are automatically locked at 5:00 p.m. every business day and automatically unlocked at 8:05 a.m. the next business day. Buildings without security guards are locked 24 hours a day. During non-business hours, RTI security officers patrol the campus, confirm that the exterior doors to the buildings are locked, and walk through the buildings. Additionally, security officers inspect the ITS computer room for signs of unauthorized entry or access. Internal building checks are verified independently using a system that collects data from bar codes that security guards scan using micro-wands. The data are loaded into a PC for review, analysis, and storage.
RTI’s Research Triangle Park (RTP) facility has a radio/telephone system that allows all staff to have immediate communication with RTI Security in emergencies. All full-time security staff are cleared by the Department of Defense and cleared for access to confidential business information (CBI).
Separately coded keyless card-controlled locks are also installed on special rooms within each building at the RTP facility; these rooms also contain file cabinets equipped with combination locks for storage of sensitive offline data. Access to these locked rooms and combinations to the secured file cabinets are limited by specially programmed card access to a very small number of staff tasked with sensitive data library tasks. All staff at all facilities have private access to locking drawers and cabinets near their work spaces.
Computer Rooms
RTI’s Information Technology Services maintains two data centers on RTI’s
Continuous electrical service for the computer room is ensured by an uninterruptible power supply (UPS) and a diesel generator. The UPS ensures continuous service during brief electrical power disruptions and conditions the electrical supply, minimizing hardware failures. The generator will begin function within seconds of a loss of utility company power. It provides continuous operations during more extended power failures. A 7-day supply of diesel fuel is maintained. The generator is inspected weekly, monthly, or semi-annually for different items through the preventive maintenance program.
Computer Room Two is located on RTI’s main campus and is secured by an automatically locking steel door that is locked at all times. Fire protection is provided by an H2O fire suppression system. If a problem is detected, automatic telephone dialers notify RTI Security and Maintenance. The H2O fire suppression system is inspected semi-annually through the preventive maintenance program. Air conditioning and ventilation are provided in the computer room by two Liebert air conditioning systems, each sufficient to independently maintain an appropriate operating environment. Each Liebert system has built-in redundant compressors. The systems are separate from the heating, ventilation, and air conditioning systems in the parent building. Both temperature and humidity are monitored and alarmed. There are alarms to detect water under the raised floor of the computer room. Alarms can be automatically transmitted to RTI Security and RTI Facilities and Maintenance staff 24 hours a day, 7 days a week via radio or pager. The Liebert units are inspected semi-annually according to a preventive maintenance program. Continuous electrical service for the back-up computer room is ensured by a UPS and a diesel generator.
Unauthorized personnel must be logged in and escorted to a computer room. Visitors and maintenance personnel needing access to a computer room are required to have preplanned appointments so that an appropriate escort can be provided.