Encrypted services; best practice for password protection; secure data transfer; physical security; secure destruction advice; special services for clinical data requiring extra security.
- Monash systems
- Non-Monash systems
- Secure data transfer
- Password management
- Controlling access to data in physical formats
- Special services for highly sensitive data (ISO 27000)
For most research data generated by Monash researchers, the security provided by default to Monash systems is sufficient.
Monash-hosted solutions such as those offered by eSolutions and the Monash e-Research Centre are part of the Monash network and have the benefit of the Monash firewall and other network-related security measures. Most of these applications use SSL encryption to protect usernames and passwords in-transit, and require a Monash username and password for access.
When using systems outside of Monash, for example provided by another institution or by a commercial provider, it is your responsibility to ensure the security of your data. You should ensure that you read the Terms and Conditions of Use of any external service carefully, and assess the risk associated with storing or transferring your data using that service. In particular you should ask yourself the following questions:
- Who actually has my data?
- Where is it located? If the service provided by an organisation in a different jurisdiction, are there any legal implications to that?
- What happens if my data is lost or becomes corrupted?
- What happens to my data if I stop using the service?
Monash policy does not allow "SENSITIVE DATA", “HIGHLY SENSITIVE DATA” or critical information to be hosted outside of non-Monash supported data storage. This includes administration or staff related data such as credit card numbers, tax file numbers and health information, and research data that are classified by Human and Animal Ethics Committees. A public cloud-based service is not suitable for research data that are critical, confidential, or otherwise sensitive in nature, such as clinical data.
An appropriate exemption must be obtained before this data can be hosted externally. Refer to Electronic Information Security: Responsibilities, Classifications and Standards Procedures for further information.
Importantly, if using a commercial cloud-based service, service level agreements should be read carefully before committing any research data, as there are risks:
- Who owns the IP in your data when held in the Cloud? Can the cloud service provider claim copyright ownership or a broad licence to use your stored material? Does data held outside Australia need to comply with trans-border copyright laws?
- What level of access does the service provider have to your cloud?
- What data protection practices are in place? Assessing a public cloud service provider's data management practices can be difficult. To mitigate this risk, seek out reputable service providers.
- What protocols are used in the transfer of large amounts of data between a remote system and cloud infrastructure? Is there a virtual private network (VPN) or similarly secure connection to ensure data security, whilst simultaneously safeguarding the network from cyber-attacks?
- Can data be comprehensively deleted, when required? The design of some cloud storage means that additional copies may be stored across virtual servers, where data cannot be deleted as the disk to be formatted also stores other data.
- Viability of the service provider - if a service provider shuts down unexpectedly, can your research data be retrieved?
If you do store data on the cloud, we suggest you use a public cloud service with multi-factor authentication and encryption. In addition, follow these best practices to help keep your data on the cloud secure:
- Use strong passwords: Long and randomised passwords should be used for data stored on the cloud. Don’t use the same password twice.
- Where possible regularly back up files in Monash supported storage: Don’t put all your important data in one place.
- Practice smart browsing: If you’re accessing the cloud on a public computer, remember to logout and never save password info.
When you need advice on the most appropriate cloud storage solutions for your research needs, contact the eSolutions Service Desk.
If you have to transfer large files, you may be considering using a web-based service like DropBox. While these types of services provide functionality that is very attractive, asking yourself the questions about non-Monash systems listed above will help you work out whether you can manage the risks associated with their use.
As a Monash researcher, you have access to more secure alternatives. CloudStor+ is a service run by AARNet (Australia's Academic and Research Network) that enables you to easily and securely send and receive data to/from other AARNet users as well as to/from "external" users. Your data is encrypted before submission, and access to the service is using your Monash username and password.
- CloudStor+ should not be used to transfer health data or other forms of identifiable or critical data as it does not meet security standards. Contact Monash eSolutions for advice on transfer solutions, see the Storage and Backup guideline for more information about managed storage of critical data.
- CloudStor+ does not support long-term shared storage of files: see the Storage and Backup guideline for more information about Monash managed storage.
Because of its convenience, you may also be thinking of using email as a means of data transfer. In the long-term you should consider adopting other methods of data transfer. Some of the limitations of email include:
- size restrictions - most institutions have strict limits on the size of emails and attachments
- security risks - particularly if you are working with data that is personally or commercially sensitive and/or utilising personal accounts on non-Monash mail providers that may not meet legal and ethical requirements around privacy and confidentiality
- version control issues.
The biggest risk to password protection as the major form of security is if usernames and passwords are compromised. All members of your research team should regularly review the latest eSolutions advice about password security, and new team members should have security information passed on as part of their induction.
You should choose strong passwords and change your passwords often. Strong passwords should contain 8-12 characters that are a mixture of upper and lower case letter, numbers and symbols, are not dictionary words or something easy to guess. You should never share your password, even with trusted members of the same team. If members of your team need access to data that is stored in a secure service that they do not have an account to, you should arrange for them to get their own account on that service.
Controlling access to data in physical formats can be done through physical means such as:
- Storing research data in safes and lockable filing cabinets
- Securing offices and workspaces
- Physically securing laptops and other hardware (e.g. portable hard drives)
- Instituting check-in / check-out procedures when research data is transferred between researchers or between institutions.
Projects with a need for managing highly sensitive data, particularly in the context of clinical trials or medical registries, can apply through the Monash eResearch Centre to access specialised infrastructure and services that have been independently assessed and accredited to the ISO 27000 standards.
Projects accessing this infrastructure must have controls in place that ensure that all researchers will comply with the Information Security Management System Framework, which has been developed by eSolutions security specialists.
You may need to destroy data to meet ethical requirements or because you have determined that the data no longer has any long-term value. The destruction process must be irreversible, meaning that there is no reasonable risk that any information may be recovered later. Extra care must be taken when dealing with records that contain sensitive information.
If you need to destroy data, you should follow the Recordkeeping: Retention and Disposal of University Records Procedures (Australia only), and seek advice from Records and Archives staff if needed.