NYU is committed to protecting and securing its research data. This flow chart is designed to assist faculty in identifying the level of security required for their research data and the resources to assure its confidentiality.
In order to safeguard NYU's information assets (i.e. systems and data), research data is classified as low, moderate, or high risk data. The protection of research data may be guided by federal regulation or sponsor requirements. More stringent measures of security are required as the level of risk increases.
Determine the risk classification level of your research data
Low Risk
With research data, faculty should follow moderate or high risk guidelines.
An example of low risk data may be data sets that are widely available on the internet without any access restrictions.
Moderate Risk
An example of moderate risk is unpublished research data that is not classified high risk.
High Risk
Examples of high risk data include:
Unpublished research data that is subject to sponsor, federal, or foreign government protected data requirements, including human subjects’ data or data which are proprietary, confidential, sensitive or designated as controlled unclassified information (CUI).
Review your existing research processes which request or process data in order to assess the state of data security. Consider:
How is the data being used?
Who needs access to these data?
How long do we need to keep these data?
The Data Use Agreement Checklist (PDF) (requires NYU login) is designed to help identify the type(s) of data being exchanged, and should be completed when NYU is receiving and/or sharing data.
Review
Review your data storage and collection processes. Consider:
What kinds of sensitive data do we need to store?
How many records will we be using?
On what systems will the data be stored?
Who needs access to systems that contain sensitive data?
How do we collect sensitive data (web forms, email, paper forms, etc.)?
How do we transport/transmit the data?
Secure
Implement data security standards which will assist you and your department in securing sensitive data from unauthorized access or breaches. Consider:
Authentication: Users should need to log in with a username and password to see data, and that access should be logged.
Permissions/Access Controls: Verify that controls are in place to allow system users to only see the data they need to see.
Encryption where appropriate: Where possible, encrypt restricted data.
In transit: Both in transit over a network and during physical transportation of media containing sensitive data, such as hard drives.
In storage: Encrypt data using tools such as PGP, etc. (This may not be possible in all cases. Contact the Office of Information Security with any questions you may have.)
Select a secure storage location: Select a location appropriate for storing the data.
Plan for Storage, Management, and Publication of Your Data
NYU provides a variety of storage solutions. Compare the qualities and security levels available with NYU Drive, NYU Box, NYU Stream, Research Workspace and Windows File Sharing. Contact Secure Research Data Environment (SRDE) for assistance.
Research at NYU frequently involves international collaborations and international travel. In turn, travel related to international collaborations often involves traveling with research data, equipment such as laptops, and software. Review NYU’s guidelines on traveling internationally with technology and research data.
Before traveling internationally consider the following four questions:
Which export control regulations may apply?
Various U.S. Government agencies impose restrictions on taking research data or items overseas and on travel to particular international destinations.
Where are you going?
An export license and/or import permit might be required to travel internationally with research data or items. Some destinations are sanctioned by the U.S. Government; special travel guidelines apply.
What are you taking with you?
Export control restrictions may apply to taking research data or items abroad depending on whether the technology is military/defense related or dual-use and the destination of travel.
What will you be doing and with whom will you be interacting?
It is important to ensure that you do not accidentally export controlled information or provide any type of assistance to an entity/person on a restricted party list maintained by the U.S. Government.