Office of Information Technology

Institutional Review Board Security & Privacy Checklist

Storing data on a Non-AU website?

Do you plan on storing your documents outside of the American University network, for example:

  • Using a Third Party E-mail Provider (i.e., Google, Hotmail, Yahoo, etc.)
  • Using a Third Party Web Hosting Provider
  • Using Drop Box
  • Posting information via Social Networking sites (i.e., Facebook, Twitter, etc.)

If you answered yes to any of the above, then please take the time to answer the following questions: 

Privacy and Confidentiality

  1. How will the company storing your data protect the privacy and confidentiality of your data?
    • Ask them what encryption they use for "data at rest," "data in motion," and "data in transit."
    • Carefully review all terms and conditions and privacy policies before posting potentially sensitive data or risky data to third party sites. Look for key things such as:
      • Who do they share information with?
      • What protections are in place for your stored data?
      • What happens to your data if they go out of business or a merger takes place?
      • Who do you contact for technical assistance? What are the hours of their help desk?

Integrity

  1. How will the company storing your data protect the Integrity of your data?
  2. How can unauthorized modification be detected?
  3. The answer should be along the lines of "we have security staff that regularly monitor to detect unauthorized access or unauthorized changes." Ask for a reference to their policy or internal guidelines that state that this is what they do.
  4. How will the company partner with AU in the event of a cyber breach?
  5. Does the company follow University Policy – see www.american.edu/policies?

Availability

  1. What are the "end of life" and/or "record retention" policies for backed-up data?
  2. What assurance is given regarding the company's destruction of the investigator's data if the contract for services ends, the company goes out of business, or there is a merger?

    Consideration: Create your own backup copies that are encrypted and physically secured.
  3. Does the research data stored on the third party service comply with American University policy and applicable regulatory requirements?
  4. What happens to data if the company dissolves?
  5. What if data is exposed (breached)?
    • What would the effect on the subjects be? On the Investigator? On American University?
    • Who would need to be notified?
    • Who is responsible for notification?

General Considerations

  1. Where possible, obfuscate or avoid using any personally identifiable information.
  2. Password protect any document related to your research as an added defense layer. Please see the online Microsoft Word password protection instructions.
  3. Use caution if connecting to the Internet via a public wireless service, such as an "Internet Café" or "Hotel" service, to upload documents to your "private e-mail." Cyber criminals often monitor and intercept unprotected wireless traffic.

    How do you protect yourself?
    • Ensure that the web page you are typing your login credentials (username and password) into uses SSL (Secure Sockets Layer). You can tell by looking at the web page address: it should begin with https://, and several browsers, for example Internet Explorer, indicate that a web page uses SSL by adding a padlock icon at the end of the web page address field.

    • Consider changing your password more frequently than you normally would, to protect your e-mail access should a cyber criminal discover your credentials. By the time you learn that your credentials have been exposed (if you ever do), it will be too late.

    • Remember to create strong passwords. Combine mixed case and a symbol or two, and make the password as long as possible, at least 8 characters. Avoid words found in a dictionary of any language.
  4. Consider using encryption to protect your data on your system from prying eyes.

    What is encryption? Read this FAQ.
    • Personal computer? One encryption product that is free and used by many security professionals is a product called TrueCrypt available for download at http://www.truecrypt.org/downloads.
    • University issued computer? It should already be encrypted using the University's licensed product, PGP. If your University-owned laptop is not encrypted, please call the Help Desk at 202-885-2550 to schedule an appointment.
    • Portable USB devices with built-in encryption and password protection are sold by many retail stores, such as Best Buy. If research data is recorded and transcribed directly to such a device, the data is protected from the time it is received until it is transferred to another storage location.

Note: Some countries prohibit the use of encryption; please refer to the University's Export Control Policy.

If you are concerned about "seizure of your field notes," and can't use encryption, consider USB thumb drives, as they are small and easier to conceal.