Requirements
- Any researcher with access to data or information with a classification rating of
Restricted will have documented authorization for access to said data. This includes,
but is not limited to, IRB approval and approval from the pertinent data governance boards.
- Any researcher with access to data or information with a classification rating of
Restricted must be trained in security and privacy. This includes, but is not limited
to, both UTHSC privacy and security training and specific training depending on the
type of information being used in the research.
- Researchers will not reuse data or information with a classification rating of
Restricted, or provide it to any unauthorized person or entity.
- Researchers will request only the minimum data necessary to perform the research.
Whether a request meets this standard will be confirmed by review, including, but not
limited to, review by the IRB and pertinent data governance boards.
- Researchers will return or destroy any data or information with a classification
rating of Restricted that is no longer needed for the research project, per IRB guidelines
or as otherwise required under the applicable research agreements.
- Researchers will report data breaches (both suspected and confirmed) immediately, per
UTHSC policy or as otherwise required under the pertinent research agreements.
- Data or information with a classification rating of Restricted, whether in paper form or
in any electronic and/or digital form stored on laptops, mobile devices, USB drives,
portable storage devices, smartphones, etc., will never be left unattended in unsecured
locations (e.g., cars, unlocked offices) and, when not in use, will be stored in a secure
location.
- Any server storing data or information with a classification rating of Restricted
must be housed in a secure data center with controlled access procedures.
- All workstations, laptops, or any other devices that store data or information with
a classification rating of Restricted will be recorded in a documented inventory.
- All workstations, laptops, or any other devices that store data or information will
be scanned regularly for vulnerabilities.
- All workstations, laptops, or any other devices that store data or information will
be configured according to the principle of least privilege: user accounts and software
are granted only the access needed to perform the research.
- All workstations, laptops, or any other devices that store and/or process data or information
will have a modern, active, and supported anti-malware mechanism installed.
- All workstations that store data or information should have full disk encryption with
FIPS-compliant software.
- All laptops that store data or information will have full disk encryption with FIPS-compliant
software.
- All mobile devices, USB drives, portable storage devices, smartphones, etc. that store
data or information will have FIPS-compliant encryption to protect the data.
- All removable media, including backup media, that store data or information will use
FIPS-compliant encryption to protect the data.
- All workstations, laptops, or any other devices that store and/or process data or information
will run a modern, current, patched, and supported operating system (OS).
- All workstations, laptops, or any other devices that store and/or process data or information
will run modern, supported, and patched application software.
- All workstations, laptops, or any other devices that store and/or process data or information
should apply security patches to all OS and application software by automated means.
- All workstations, laptops, or any other devices that store and/or process data or information
will have proper and valid software licenses.
- All workstations, laptops, or any other devices that store and/or process data or information
will require authentication using a strong password that at minimum meets UTHSC complexity
requirements, and/or will have multi-factor authentication in place.
- All workstations, laptops, or any other devices that store and/or process data or information
with a classification rating of Restricted will not be public facing and will not
allow direct access from the Internet.
- Any transfer of data or information with a classification rating of Restricted into
or out of the secure UTHSC network will use FIPS-compliant encryption.
- Any and all storage of data or information with a classification rating of Restricted on
UTHSC-owned portable storage devices will be limited to backup and data version control.
- The use of any and all personally owned workstations, laptops, or any other devices to
store and/or process data or information with a classification rating of Restricted is
not allowed without documented approval by the IRB, data governance boards, or data owner.
