SSRI has updated its IT policies and procedures. Why?
To protect you.
To protect Duke.
To protect data.
Our goal is to guide SSRI faculty, staff and researchers in their use of technology and how to work securely with data. Many of you are engaged in activities that require access to protected data. Be sure to know the rules and help reduce any risks to Duke's data. These updated policies also match what our peer organizations on campus are implementing.
All SSRI staff, faculty, and affiliates must comply with SSRI IT policies, and with all applicable state and federal laws and regulations. Faculty, staff, and affiliates have a responsibility to use SSRI IT resources in an efficient, effective, ethical, and lawful manner. Violations of the policy may result in loss of usage privileges, administrative sanctions (including termination or expulsion) as outlined in applicable Duke University disciplinary procedures, as well as personal civil and/or criminal liability. These policies are subject to review and audit by Duke’s Office of Internal Audits.
SSRI is responsible for implementing the policies described in this document.
SSRI WORKSTATION AND LAPTOP POLICY
SSRI staff who access Sensitive data as part of their regular job duties will only do so from SSRI-managed machines that comply with the ITSO technical standards for workstations and laptops.
SSRI SECURITY OR PRIVACY INCIDENT POLICY
A security incident is:
If a security incident is suspected or confirmed, SSRI staff will gather as much of this information as possible:
SSRI faculty, staff, and end users will report suspected security incidents to SSRI Data staff. If an incident involving SSRI systems, users, or Sensitive data appears to be more than a simple malware infection, or involves the exposure of multiple systems or accounts, or the exposure of Sensitive data, SSRI staff will follow the University policy and report the incident to the University IT Security Office.
If a request is received (whether from internal or external requestors) for information that would identify a Duke user or provide access to a Duke user’s data, SSRI will report that request to the University IT Security Office and will not act on it without prior authorization by ITSO.
SSRI COMPUTING DEVICES AND PROTECTED DATA POLICY
Most of SSRI is engaged in activities that require faculty, staff, researchers and students to have access to protected data – data classified as Sensitive or Restricted according to the Duke Data Classification standard. These are categories of data that Duke is either required by law to protect, or which Duke protects to mitigate institutional risk. In these cases, personnel who access protected data must abide by strict safeguards regarding access to data, e-mail, departmental computers, personal laptops and other electronic devices.
For this reason, the following policies apply:
Computers: To prevent unauthorized access to information and resources, computers must be configured with appropriate technical controls. SSRI IT staff can assist with computer configurations.
Whole Disk Encryption: Duke-owned workstations and laptops that access or store Sensitive or Restricted Duke data must be encrypted. SSRI IT support staff can help coordinate this process and confirm that your machine has the appropriate encryption in place. (You should also encrypt the drives of any personal machines used to access or store your own private data. Personal machines should not be used to access or store Sensitive or Restricted Duke data – see the SSRI Workstation and Laptop policy above.) The currently recommended programs are FileVault 2 for Macintosh computers and BitLocker for Windows machines. Documentation for this configuration is available on the Duke IT Security Office web site.
Smartphones: Both Duke-owned and personal smartphones that access or store Sensitive or Restricted data must be secured. Departmental IT support staff can help coordinate this process. Information on how to secure your personal smartphone is also available on the Duke IT Security Office web site.
E-mail: Projects often rely on several communication channels, some of which carry protected information and some of which do not. Managing these channels is complicated, and it creates the risk of accidentally transferring sensitive material outside of protected Duke services.
For that reason, the following policies apply:
Portable Data Storage: Where protected storage environments are not easily accessible for work with protected data, the use of portable storage devices can be supported. Any portable storage device (thumb drives, attachable external hard drives) should be encrypted using methods identified by the Duke IT Security Office or SSRI IT support staff.
Rachel Franke, Associate Director of Research Data Security