All, Our next Reading Group meeting will take place on WEDNESDAY of next week -- May 7th -- from noon to 1pm in 200C Warren Hall.
We'll be discussing management of sensitive or restricted research data, with a particular focus on federal guidelines and rules: issues that are critically important to researchers across a wide range of domains because those guidelines and rules ground the model for auditing research grants that manage or use sensitive data. University practice in this area is largely driven by institutions that include medical schools, and that therefore have a broad and deep need to manage personal health information in a secure way in alignment with HIPAA guidelines (see optional reading). That said, more and more sensitive data outside med school domains needs the same kind of management. This was a topic of special discussion at the April CASC meeting in Arlington, VA, attended by Patrick Schmitz, who will facilitate next week's discussion.

Please read the following to prepare for our discussion next Wednesday (note specific page or section callouts for the large NIST document):

==> Overview of Federal Information Security Management Act (FISMA):
    http://csrc.nist.gov/groups/SMA/fisma/ and
    http://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002

==> FISMA generally points at NIST for the details:
    http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
    [Page references below are PDF pages, not the numbering of pages in the document sections themselves...]
    o PDF pages 8-12
    o Chapter 1, Introduction (PDF pages 23-27)
    o Chapter 2 through the end of Section 2.1 (PDF pages 29-31)
    o Glance at Appendix D for the way they think about the guidelines (PDF pages 107-149)

Federal Risk and Authorization Management Program (FedRAMP) is another model. See http://www.datacenterknowledge.com/archives/2013/11/26/government-clouds-what-is-a-fedramp/ for a discussion of FedRAMP certification. Browse http://www.gsa.gov/portal/category/102375 and http://cloud.cio.gov/fedramp if you want.
Optional:
=========
HIPAA: Read the intro to http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act, but ignore all the bits about insurance, etc. Scan http://www.businesswire.com/news/home/20110707006289/en/University-California-Settles-HIPAA-Privacy-Security-Case#.U2A7M_ldV8E for impact on Med Centers.

A commercial approach: HITRUST: http://hitrustalliance.net/common-security-framework/understanding-leveraging-csf/

We're looking forward to seeing you on Weds 7 May at noon, 200C Warren Hall.

~Steve

--
Steve Masover
IST Research Information Technologies
maso...@berkeley.edu
510-642-8488