Policies

SSRI IT POLICIES

SCOPE
SSRI has updated its IT policies and procedures. Why?

To protect you.
To protect Duke.
To protect data.

Our goal is to guide SSRI faculty, staff and researchers in their use of technology and how to work securely with data. Many of you are engaged in activities that require access to protected data. Be sure to know the rules and help reduce any risks to Duke's data. These updated policies also match what our peer organizations on campus are implementing.

COMPLIANCE
All SSRI staff, faculty, and affiliates must comply with SSRI IT policies, and with all applicable state and federal laws and regulations. Faculty, staff, and affiliates have a responsibility to use SSRI IT resources in an efficient, effective, ethical, and lawful manner. Violations of the policy may result in loss of usage privileges, administrative sanctions (including termination or expulsion) as outlined in applicable Duke University disciplinary procedures, as well as personal civil and/or criminal liability. These policies are subject to review and audit by Duke’s Office of Internal Audits.

RESPONSIBILITY
SSRI is responsible for implementing the policies described in this document.

SSRI WORKSTATION AND LAPTOP POLICY
SSRI staff who access Sensitive data as part of their regular job duties will only do so from SSRI-managed machines that comply with the ITSO technical standards for workstations and laptops.

SSRI SECURITY OR PRIVACY INCIDENT POLICY
A security incident is:

  • an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information
  • interference with the operation of an information system

If a security incident is suspected or confirmed, SSRI staff will gather as much of the following information as possible:

  • all user IDs and systems involved in the incident;
  • all business processes or applications affected;
  • whether the system or application involved stores or processes Sensitive or Restricted data;
  • whether the user involved has access to Sensitive or Restricted Duke data as part of their job duties.

SSRI faculty, staff, and end users will report suspected security incidents to SSRI Data staff. If an incident involving SSRI systems, users, or Sensitive data appears to be more than a simple malware infection, or involves exposure of multiple systems, accounts, or exposure of Sensitive data, SSRI staff will follow the University policy and report the incident to the University IT Security Office.

If a request is received (whether from internal or external requestors) for information that would identify a Duke user or provide access to a Duke user’s data, SSRI will report that request to the University IT Security Office and will not act on it without prior authorization by ITSO.

SSRI COMPUTING DEVICES AND PROTECTED DATA POLICY
Most of SSRI is engaged in activities that require faculty, staff, researchers and students to have access to protected data – data classified as Sensitive or Restricted according to the Duke Data Classification standard. These are categories of data that Duke is either required by law to protect, or which Duke protects to mitigate institutional risk. In these cases, personnel who access protected data must abide by strict safeguards regarding access to data, e-mail, departmental computers, personal laptops and other electronic devices.

For this reason, the following policies apply:

Computers: To prevent unauthorized access to information and resources, computers must be configured with appropriate technical controls. SSRI IT staff can assist with computer configurations.

  • Duke owned computers accessing Sensitive data must be enrolled in SSRI’s IT device management programs. This ensures that the computers receive regular patches, have the managed antivirus client installed to receive up-to-date antivirus protection, and have their hard drives encrypted. Assistance can be provided by SSRI IT support staff.
  • Personal laptops should have an up-to-date antivirus client installed and be patched regularly. Duke currently provides the Symantec antivirus client free on the Duke Software download site. You are encouraged to use Windows Update, Apple Software Update, or an application like Secunia PSI to identify programs on your computer in need of security updates.
  • Both Duke owned and personal computers must have security policies in place requiring the user to enter a valid user ID and password. User accounts will be configured to lock after 10 unsuccessful login attempts.
  • Both Duke owned and personal computers must have security policies in place that limit the time that an unattended, logged-in system is vulnerable to unauthorized use. Systems should be configured to launch a password-protected screen lock after a maximum of 15 minutes of inactivity.

Whole Disk Encryption: Duke owned workstations and laptops which access or store Sensitive or Restricted Duke data must be encrypted. Assistance for this process can be coordinated with SSRI IT support staff, to make sure that your machine has the appropriate encryption. (You should encrypt the drives of any personal machines that are used to access or store your personal private data. Personal machines should not be used to access or store Sensitive or Restricted Duke data – see the SSRI Workstation and Laptop policy above.) Currently the recommended programs are FileVault2 for Macintosh computers, and Bitlocker for Windows machines. Documentation related to this configuration is available at the Duke IT Security Office web site.
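The workstation requirements above (accounts locking after 10 failed logins, a password-protected screen lock after at most 15 minutes of inactivity, and whole-disk encryption on the system drive) can be checked on a Windows machine with a short audit script. The script below is an added example for illustration, not SSRI's or Duke's own tooling; it assumes an elevated PowerShell session on Windows 8 or later with the BitLocker module available, reads the local lockout policy from `net accounts`, the screen-saver settings from the current user's registry hive, and BitLocker status from `Get-BitLockerVolume`, and compares them against the policy's thresholds.

```powershell
# Added example (not SSRI's own code): audit a Windows workstation against the
# SSRI computer configuration requirements. Assumes an elevated session on
# Windows 8+ with the BitLocker module; thresholds come from the policy text.

$MaxFailedLogons = 10   # policy: lock the account after 10 unsuccessful logins
$MaxIdleMinutes  = 15   # policy: screen lock after at most 15 minutes idle

function Get-LockoutThreshold {
    # 'net accounts' prints the effective local lockout policy; parse the threshold.
    $line = (net accounts) | Where-Object { $_ -match '^Lockout threshold' }
    if ($line -match ':\s*(\S+)\s*$') {
        if ($Matches[1] -eq 'Never') { return 0 }   # 0 means accounts never lock
        return [int]$Matches[1]
    }
    return $null
}

function Get-ScreenLockSettings {
    # Screen-saver timeout is stored in seconds; ScreenSaverIsSecure=1 means the
    # screen saver requires the password to dismiss, i.e. it acts as a lock.
    $desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Active         = ($desktop.ScreenSaveActive -eq '1')
        TimeoutMinutes = [math]::Floor(([int]$desktop.ScreenSaveTimeOut) / 60)
        RequiresLogon  = ($desktop.ScreenSaverIsSecure -eq '1')
    }
}

function Get-SystemDriveEncryption {
    # ProtectionStatus is 'On' only when BitLocker is enabled and key protectors are active.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if (-not $vol) { return 'Unknown' }
    return $vol.ProtectionStatus.ToString()
}

function Test-WorkstationCompliance {
    $lockout   = Get-LockoutThreshold
    $screen    = Get-ScreenLockSettings
    $bitlocker = Get-SystemDriveEncryption
    @(
        [pscustomobject]@{
            Check = "Account lockout threshold between 1 and $MaxFailedLogons"
            Value = $lockout
            Pass  = ($null -ne $lockout -and $lockout -gt 0 -and $lockout -le $MaxFailedLogons)
        }
        [pscustomobject]@{
            Check = "Password-protected screen lock within $MaxIdleMinutes minutes"
            Value = "active=$($screen.Active) timeout=$($screen.TimeoutMinutes)m secure=$($screen.RequiresLogon)"
            Pass  = ($screen.Active -and $screen.RequiresLogon -and
                     $screen.TimeoutMinutes -gt 0 -and $screen.TimeoutMinutes -le $MaxIdleMinutes)
        }
        [pscustomobject]@{
            Check = "System drive BitLocker protection on"
            Value = $bitlocker
            Pass  = ($bitlocker -eq 'On')
        }
    )
}

$report = Test-WorkstationCompliance
$report | Format-Table -AutoSize
# Non-zero exit code if any check failed, so the script can feed an inventory job.
if ($report | Where-Object { -not $_.Pass }) { exit 1 }
```

On a domain-joined machine the lockout threshold shown by `net accounts` reflects the policy applied to the local SAM, so a machine managed by Group Policy should be audited against the domain policy as well. Macintosh machines under the same policy would need the equivalent checks against FileVault 2 and the macOS screen-saver settings, which this script does not cover.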

Smartphones: Both Duke owned and personal smartphones which access or store Sensitive or Restricted data must be secured. Assistance for this process can be coordinated by departmental IT support staff. Information on how to secure your personal smartphone is also available on the Duke IT Security Office web site.

E-mail: Managing several communication channels for projects that may or may not involve protected information is complicated, and creates the potential to accidentally transfer sensitive material outside of protected Duke services.

For that reason, the following policies apply:

  • All Duke related communication, regardless of whether it contains protected information or not, must be conducted within the Duke managed e-mail system. SSRI IT support staff can work with users to help configure or make recommendations for configuring IMAP clients to provide access to Duke e-mail services.
  • Forwarding Duke e-mail to non-Duke managed e-mail services (Gmail and others) is prohibited. Use of these services should be reserved for personal correspondence only.

Portable Data Storage: If protected storage environments are not easily accessible for activity related to working with protected data, then use of portable storage devices can be supported. Any portable storage devices (thumb drives, attachable external hard drives) should be encrypted using methods identified by the Duke IT Security Office or SSRI IT support staff.

For more information, contact:

Rachel Franke, Associate Director of Research Data Security

Duke SSRI

Durham, NC 27708 | 919.681.6019

SSRI

Gross Hall, 2nd Floor
140 Science Drive
Durham, NC 27708

SSRI

Erwin Mill Building
2024 W. Main St.
Durham, NC 27705