Security

Encrypted services; best practice for password protection; secure data transfer; physical security; secure destruction advice; special services for clinical data requiring extra security.

Monash systems
Non-Monash systems
Secure data transfer
Password management
Controlling access to data in physical formats
Special services for highly sensitive data (ISO 27000)
Destruction

Monash systems

For most research data generated by Monash researchers, the security provided by default to Monash systems is sufficient.

Monash-hosted solutions such as those offered by eSolutions and the Monash e-Research Centre are part of the Monash network and have the benefit of the Monash firewall and other network-related security measures. Most of these applications use SSL encryption to protect usernames and passwords in transit, and are Authcate-enabled, that is, they require a Monash userid and password for access.

Non-Monash systems

When using systems outside of Monash, for example those provided by another institution or by a commercial provider, it is your responsibility as the researcher to ensure the security of your data. You should read the Terms and Conditions of Use of any external service carefully, and assess the risk associated with storing or transferring your data using that service. In particular, you should ask yourself the following questions:

  • Who actually has my data?

  • Where is it located? If the service is provided by an organisation in a different jurisdiction, are there any legal implications?

  • Who has access to my data and what controls are in place to ensure that they will not misuse my data?

  • What happens if my data is lost or becomes corrupted?

  • What happens to my data if I stop using the service?

Secure data transfer

If you have to transfer large files, you may be considering using a web-based service like Dropbox. While these types of services provide very attractive functionality, asking yourself the questions about non-Monash systems listed above will help you work out whether you can manage the risks associated with their use.

As a Monash researcher, you have access to more secure alternatives. Cloudstor is a service run by AARNet (Australia's Academic and Research Network) that enables you to easily and securely send and receive data containing sensitive or personal information to/from other AARNet users as well as to/from "external" users. Your data is encrypted before submission, and you access the service using your Monash Authcate credentials. Cloudstor does not support long-term shared storage of files: see the Storage and Backup guideline for more information about collaborative storage solutions on Monash's Large Research Data Store.

Because of its convenience, you may also be thinking of using email as a means of data transfer. In the long term you should consider adopting other methods of data transfer. Some of the limitations of email include:

  • size restrictions - most institutions have strict limits on the size of emails and attachments

  • security risks - particularly if you are working with data that is personally or commercially sensitive and/or utilising personal accounts on non-Monash mail providers that may not meet legal and ethical requirements around privacy and confidentiality

  • version control issues.

Password management

Where password protection is the major form of security, the biggest risk is that usernames and passwords are compromised. All members of your research team should regularly review the latest eSolutions advice about password security, and new team members should have security information passed on as part of their induction.

You should choose strong passwords and change your passwords often. Strong passwords should contain 8-12 characters that are a mixture of upper and lower case letters, numbers and symbols, and should not be dictionary words or anything easy to guess. You should never share your password, even with trusted members of the same team. If members of your team need access to data that is stored in a secure service on which they do not have an account, you should arrange for them to get their own account on that service.

Controlling access to data in physical formats

Controlling access to data in physical formats can be done through physical means such as:

  • Storing research data in safes and lockable filing cabinets

  • Securing offices and workspaces

  • Physically securing laptops and other hardware (e.g. portable hard drives)

  • Instituting check-in / check-out procedures when research data is transferred between researchers or between institutions.

Special services for highly sensitive data (ISO 27000)

Projects with a need for managing highly sensitive data, particularly in the context of clinical trials or medical registries, can apply through the Monash eResearch Centre to access specialised infrastructure and services that have been independently assessed and accredited to the ISO 27000 standards.

Projects accessing this infrastructure must have controls in place that ensure that all researchers will comply with the Information Security Management System Framework, which has been developed by eSolutions security specialists.

Destruction

You may need to destroy data to meet ethical requirements or because you have determined that the data no longer has any long-term value. The destruction process must be irreversible, meaning that there is no reasonable risk that any information may be recovered later. Extra care must be taken when dealing with records that contain sensitive information.

If you need to destroy data, you should follow the Monash Records and Archives guide, How to Destroy Records Securely, and seek advice from Records and Archives staff if needed.