Encrypted services; best practice for password protection; secure data transfer; physical security; secure destruction advice; special services for clinical data requiring extra security.
For most research data generated by Monash researchers, the security provided by default to Monash systems is sufficient.
Monash-hosted solutions such as those offered by eSolutions and the Monash e-Research Centre are part of the Monash network and have the benefit of the Monash firewall and other network-related security measures. Most of these applications use SSL encryption to protect usernames and passwords in-transit, and are Authcate-enabled, that is, they require a Monash userid and password for access.
When using systems outside of Monash, for example provided by another institution or by a commercial provider, it is your responsibility as the researcher to ensure the security of your data. You should ensure that you read the Terms and Conditions of Use of any external service carefully, and assess the risk associated with storing or transferring your data using that service. In particular you should ask yourself the following questions:
If you have to transfer large files, you may be considering using a web-based service like DropBox. While these types of services provide functionality that is very attractive, asking yourself the questions about non-Monash systems listed above will help you work out whether you can manage the risks associated with their use.
As a Monash researcher, you have access to more secure alternatives. Cloudstor is a service run by AARNET (Australia's Academic and Research Network) that enables you to easily and securely send and receive data containing sensitive or personal information to/from other AARNet users as well as to/from "external" users. Your data is encrypted before submission, and access to the service is using your Monash Authcate credentials. Cloudstor does not support long-term shared storage of files: see the Storage and Backup guideline for more information about collaborative storage solutions on Monash's Large Research Data Store.
Because of its convenience, you may also be thinking of using email as a means of data transfer. In the long-term you should consider adopting other methods of data transfer. Some of the limitations of email include:
The biggest risk to password protection as the major form of security is if usernames and passwords are compromised. All members of your research team should regularly review the latest eSolutions advice about password security, and new team members should have security information passed on as part of their induction.
You should choose strong passwords and change your passwords often. Strong passwords should contain 8-12 characters that are a mixture of upper and lower case letter, numbers and symbols, are not dictionary words or something easy to guess. You should never share your password, even with trusted members of the same team. If members of your team need access to data that is stored in a secure service that they do not have an account to, you should arrange for them to get their own account on that service.
Controlling access to data in physical formats can be done through physical means such as:
Projects with a need for managing highly sensitive data, particularly in the context of clinical trials or medical registries, can apply through the Monash eResearch Centre to access specialised infrastructure and services that have been independently assessed and accredited to the ISO 27000 standards.
Projects accessing this infrastructure must have controls in place that ensure that all researchers will comply with the Information Security Management System Framework, which has been developed by eSolutions security specialists.
You may need to destroy data to meet ethical requirements or because you have determined that the data no longer has any long-term value. The destruction process must be irreversible, meaning that there is no reasonable risk that any information may be recovered later. Extra care must be taken when dealing with records that contain sensitive information.
If you need to destroy data, you should follow the Monash Records and Archives guide, How to Destroy Records Securely, and seek advice from Records and Archives staff if needed.