February 06, 2012


Questions -

Scope has been defined as an overall profile of the research/scholarship sensitivity (vs project or data set granularity.)

- Right now, we register most sensitive data types meaning Moderate and Low will not be registered for researchers with High Sensitivity data (i.e., they skip out of that portion of form.)

- Some Sensitive data types may catch too many people.

Classification Scheme
- It was suggested that H/M/L has too many connotations. To a researcher, all their data are High.

- Sensitive | Private/Confidential | Public
- High | Moderate | Low
- 3 | 2 | 1

High Sensitivity, Non-regulated Data Types
- What UM-endorsed resources are OK to use?

Is CSG up to the task of supporting units in securing data?

Posted by kkwaiser at 04:50 PM | Comments (0)

January 10, 2012

Sensitive Regulated Data: Permitted and Restricted Uses

Mostly a bookmark to new guidance coming out of ITS with regards to where and how sensitive data can be stored. Very timely.

Posted by kkwaiser at 10:36 AM | Comments (0) | TrackBack

November 28, 2011

Multiple Node Add forms on a single page

A few resources:

A forum post describing almost exactly the same challenge. Gives decent technical details.

A less helpful post on Drupal.org.

A fairly advanced tutorial for accomplishing this with D6.

The Multi Node Edit module seems helpful.

Another D6 How To post.

Multiform Module for Drupal 7 - probably the starting point.

Posted by kkwaiser at 10:39 AM | Comments (0) | TrackBack

November 22, 2011

Moderate Sensitivity Data

After placing an initial emphasis on delineating which research data fall under the High Sensitivity category I now wonder which fall under the Moderate Sensitivity category. Data Types such as Proprietary Data and Geolocations of Cultural Assets and Endangered Species* Data fall under High Sensitivity (AKA, Sensitive Data) per UM policy which leaves the cupboard bare at MS.

*Yes, great name and thank you.

What research data are Moderate Sensitivity?

Queue a rampaging google search and documentation session.

University of Iowa (Fight! Fight! Fight! for IOWA!!) - Indicates some research data are of Moderate Sensitivity. I thank you, Hawkeyes, in a highly non-specific manner.
- Update (Jan 16, 2012) - UI's data classification page uses three sensitivity categories. Great minds and all that...

DataONE - the ecological informatics guru's weigh in on this topic- serious adverse effect to an organization as a result of the loss of confidentiality with no examples. Although they do reference FIPS 199 [hint: foreshadowing]

University of Miami does not identify research data as falling under Moderate Sensitivity

Cancer Biomedical Informatics Grid (caBIG) is somewhat specific calling MS data that which is Coded/Limited Data. They also have a somewhat opaque flowsheet for determining Data Sensitivity.

A limited data set is protected health information that excludes certain identifiers but permits the use and disclosure of more identifiers than in a de-identified data set. In particular, the limited data set allows the inclusion of all dates, 5 digit ZIP codes, and city as indirect identifiers. A limited data set may be used only for the purposes of research, public health, or health care operations. - source and another source for good measure.

University of Maryland - overview of data classification from their Office of Information Technology. Despite a barrage of acronyms this is useful.**

- NIST's FIPS 199- Federal governments response to data classification needs brought upon by FISMA
- FISCAM - is the manual that is used by OLA to audit us
- GREAT University Policies - George Washington, Stanford*** and UT-Austin

** Although I wonder how many people this talk has put to sleep.
***Stanford's policies have changed since this presentation was assembled

NIH - Two obscure documents and a presentation that includes the caBIG item I link above define Moderate Sensitivity data, in part, as that which is unpublished.

What have I learned from this Rampaging Google Search and Documentation Session™?

A lot but not too much of immediate use. I'm beginning to think Moderate Sensitivity data include unpublished and unique research data. This creates space for Low Sensitivity data to become published data. The problem is, both categories seem to become catch-alls with a lack of specific examples (aka Data Types).

Posted by kkwaiser at 08:58 AM | Comments (0) | TrackBack

October 07, 2011

Data Security Resources

A list of what a proper resource solution should provide in terms of meeting data security recommendation practices. This is a proposed organization.

Data Classification

There are a host of documents available through IIA but I'm relatively familiar with them so will skip. The following are one-off documents that appear to be somewhat homeless but still may be useful.

A 2008 memo on sensitive data handling. To summarize, no sensitive data on desktop computers, removable storage or email.

Guidelines for the Contract for Obtaining Sensitive Data from the Toledo Adolescent Relationships Study - an example of a highly specific data handling agreement that covers collaborators, backups, replication, destruction, transmission and other facets of data storage.

Protecting Confidential Data on Personal Computers with Storage Capsules - A paper by UM researchers on a method for isolating sensitive data on a desktop computer from malware that may reside on the computer.

Criteria for sensitive data protection plans
- storage requirements for sensitive data, derived data is addressed, network solutions need not apply.

Research Data Strategy: Considerations of the Blue Ribbon Panel - Interesting snippet:

"Data is often not classified leading to data either being over protected because everything is treated like sensitive data or everything is under-protected by treating everything as public data"

Appropriate Data Storage Solution

Should cover:

Access Authentication
Access Authorization
Access/Activity Logging
Account Management
Password Management
Disaster Recovery/Business Continuity Plan

Available Resources:

East Hall's IT group has a pretty good list up. Sensitive data seem to be a deal breaker, however. Value Storage's FAQ states that "is not intended for data that is [sic] considered sensitive, private/confidential or critical to the operation of the university. Value Storage may be considered for such data when the customer environment is tightly managed according to the guidance provided below."

Mainstream Storage's Service Level Agreement recommends users "exercise caution when storing sensitive data in Mainstream Storage space."

Encryption Solution

Should cover:

Digital Media Protection

Available Resources:
SafeComputing on Mobile Device Security (MDS) appears to be the best, single, UM-derived resource. Includes webcasts walkthrough on protecting data in motion and at rest.

White Paper on MDS. See page 3 for practical recommendations.

A more exhaustive take on MDS targeting IT folks is also available from this site.

Backup Solution

Should Cover:
Backup Requirements
Disaster Recovery/Business Continuity Plan

Available Resources:
As I understand it, Tivoli Storage Manager (TSM) Backup Service, will be available for researchers within LSA soon.

This should assist in meeting Disaster Recovery needs because TSM "has full UPS redundancy, enhanced electrical systems, fire protection, security systems, and environmental alarms...[and] is replicated"

Physical Security Solution

Should cover:

Physical Security - Mandatory
Physical Security - Recommended

Not much right now. An likely outdated document with contact information identifying who to contact if, for example, you want to put in a key request at the LSA. I have a feeling this doesn't apply at the unit level in all instances.

Don't Require Solution

Should cover:
Third Party Data Handling
Audit/Review (of applicable procedures)

Training Opportunity Solution

Should Cover:
Training and Awareness of Data Handling and Applicable Regulations



Notes from LSA IT on secure server configuration available here.

Posted by kkwaiser at 10:06 AM | Comments (0) | TrackBack

October 06, 2011

Vague post is vague

Protection Category -> e.g. Backup requirements, access authorization
Sensitivity Level -> Vocabulary -> High, Medium, Low -> Indicates the sensitivity levels addressed prescribed action addressed
Protection Requirement -> Prescribed security actions given a Sensitivity Level and Protection Category

Protection Unit -> The University of Michigan unit responsible for administering the reference protection resource
Protection Resource -> The University of Michigan resource which can be used to meet protection requirements

Posted by kkwaiser at 04:42 PM | Comments (0) | TrackBack