Skip to content

Other ways to search: Events Calendar | UTHSC News

Requirements

  1. Any researcher with access to data or information with a classification rating of 3 in any area will have a documented authorization for access to said data. This includes, but is not limited to, IRB approval and pertinent data governance boards.

  2. Any researcher with access to data or information with a classification rating of 3 in any area must be trained on security and privacy. This includes, but is not limited to both UTHSC privacy and security training, and specific training depending on the type of information being used in the research.

  3. Any researcher will not reuse or provide data or information with a classification rating of 3 in any area to any unauthorized person or entity.

  4. Researchers will only request the minimum necessary data to perform the research. This includes, but is not limited to, a review by IRB and pertinent data governance boards.

  5. Researchers will return, or destroy any data or information with a classification rating of 3 in any area no longer needed for the research project per IRB guidelines, or otherwise required under appropriate research agreements.

  6. Researchers will report (both suspected and confirmed) data breaches immediately per UTHSC policy, or otherwise required under the pertinent research agreements.

  7. Data or information with a classification rating of 3 in any area in either paper or any electronic and/or digital form stored on laptops, mobile devices, USB drives, portable storage devices, smart phones, etc. will never be left unattended in unsecure locations (e.g. cars, unlocked offices) and, when not is use, be stored in a secure location.

  8. Any server storing data or information with a classification rating of 3 in any area must be housed in a secure datacenter with controlled access procedures.

  9. All workstations, laptops, or any other device that store data or information with a classification rating of 3 in any area are part of a documented inventory.

  10. All workstations, laptops, or any other device that store data or information with a classification rating of 3 in any area will be scanned regularly for vulnerabilities.

  11. All workstations, laptops, or any other device that store data or information with a classification rating of 3 in any area will use the principle of least privilege to perform the research.

  12. All workstations, laptops, or any other device that store and/or process data or information with a classification rating of 3 in any area will have a modern, active, and supported anti-malware mechanisms installed.

  13. All workstations that store data or information with a classification rating of 3 in any area should have full disk encryption with FIPS compliant software.

  14. All laptops that store data or information with a classification rating of 3 in any area will have full disk encryption with FIPS compliant software.

  15. All mobile devices, USB drives, portable storage devices, smart phones, etc. that store data or information with a classification rating of 3 in any area will have FIPS compliant encryption to protect the data.

  16. All removeable media including backup media that store data or information with a classification rating of 3 in any area will use FIPS compliant encryption to protect the data.

  17. All workstations, laptops, or any other device that store and/or process data or information with a classification rating of 3 in any area will have a modern, current, patched, and supported operating systems (OS).

  18. All workstations, laptops, or any other device that store and/or process data or information with a classification rating of 3 in any area will have a modern, supported, and patched application software.

  19. All workstations, laptops, or any other device that store and/or process data or information with a classification rating of 3 in any area should apply security patches to all OS and application software per automated means.

  20. All workstations, laptops, or any other device that store and/or process data or information with a classification rating of 3 in any area will have a proper and valid software license.

  21. All workstations, laptops, or any other device that store and/or process data or information with a classification rating of 3 in any area will require authentication using a strong password that minimally meets UTHSC complexity requirements, and/or have multi-factor authentication in place.

  22. All workstations, laptops, or any other device that store and/or process data or information with a classification rating of 3 in any area will not be public facing and will not allow for direct access from the Internet.

  23. Any transfer of data or information with a classification rating of 3 in any area into or outside the secure UTHSC network will used FIPS compliant encryption.

  24. Any and all storage of data or information with a classification rating of 3 in any area on UTHSC owned portable storage devices will be limited to backup and data version control.

  25. The use of any and all personally owned workstations, laptops, or any other device that store and/or process data or information with a classification rating of 3 in any area is not allowed unless with documental approval by the IRB, data governance boards, or data owner.
May 26, 2022