It is important to keep the CWRU research data secured and protected. Based on the nature of the research, sometimes it is also important to comply with the data protection guidelines outlined by the funding agencies and data owners in addition to university policies.
The National Science Foundation (NSF) and the National Institutes of Health (NIH) mandate that the projects they fund have data management and data sharing plans. As a service to the research community, UTech Research Computing provides guidelines on how to write individual plans, including examples. UTech will also review data management requirements, including specific requirements for NSF and NIH-funded research.
Please see the UTech Data Management page for more information.
University Policies related to using IT resources
Cookbook of useful how-to guides
CWRU uses a three-tier system to categorize information types and sensitivity. The requirements and expectations for securing and protecting research data vary with the category. Let's examine the different tiers, and what sorts of data may be classified in each. Expand each of the tiers listed below to see suggestions on where that type of data may be stored.
Expectations for all computers connected to the CWRU network (Acceptable Use Policy)
Basic hygiene - information and a checklist of features intended to protect your computer and others around you on the network.
This is the bare minimum needed to assure a computer or workstation will function well in our environment.
Data and information intended to be shared with the public. Host Security Checklist for Public Information
Examples include News and public announcements, course offerings, approved publications, directory information including names, CWRU NetID, work phone number, office or lab locations, email addresses .
In addition to local workstations, Public data may be stored on departmental file servers, Digital Case, the main Case website, any central CWRU storage system, or in Google, Box, or Amazon or Microsoft web services.
Mainly data or information for the internal workings of the University or your works in progress. Host Security Checklist for Internal Use Information
Examples include home phone numbers, student grades, and you might consider this for your prepublication data and reports of a less sensitive nature but still not ready to be made public.
Google Drive, Microsoft or Box cloud storage, Canvas, QuickBase, Departmental file storage, or any of the Research storage options are approved for Internal Use information. Do not place Internal Use information on any public web service, including a departmental web site. Almost anything protected with CWRU Single Sign On would be more appropriate.
Intellectual property, trade secrets, Protected Health Information, data covered by restrictive Data Use Agreements or regulations such as HIPAA, FISMA, CMMC, or others. Host Security Checklist for Restricted Information.
Examples include internal information such as tenure reviews and personnel information, along with research data containing Personally Identifying Information of research subjects, proprietary information covered under a nondisclosure agreement, or "HIPAA covered" data.
Only a few of our storage options are approved for storing Restricted Data. These include the Secure Research Environment and the Box cloud service. Under certain very limited circumstances you may keep Restricted Data on local workstations or your Departmental systems, but these must be very carefully set up and secured against unauthorized access or theft. For any questions, please consult with Information Security.
Under limited circumstances, limited data sets or other data that has been deidentified (having most or all of the 18 HIPAA identifiers removed or redacted) may be used with the High Performance Computing cluster. Fully-deidentified data is best, but your data use agreement may still require strict controls.
Often the terms and conditions found in a Data Use Agreement or Data Security Plan approach or exceed the controls we apply to Restricted Data generally.
Contact us for assistance with creating Data Security Plans or implementing a Data Use Agreement, or if you think you might have Restricted Data and want to be sure it's properly protected.
A word on cloud services, such as Google, Microsoft OneDrive, or Box...
We know that it is sometimes difficult to fully separate personal correspondence, email, and such, from University records, data, and documents.
Along with your individual accounts with GMail and Microsoft 365, you have personal storage in your Google Drive or Microsoft OneDrive you may use. Storing personal documents in such locations is fine, but this is not appropriate for Institutional Data.
Research data, along with other institutional documents, should be stored in a location that is shared with others; your collaborators, your Department, other appropriate individuals or groups at the University. This way, should you leave the University, the data is not erased when your account is removed.
Be mindful to use Microsoft SharePoint team storage, or Google Shared Folders, or assign co-owners in Box or any other service where you store institutional data, including any and all research data. This is not just good data stewardship, but your colleagues and collaborators will thank you!