Research and Intellectual Property Checklist

Summary

Here are some items that must be done to properly secure University research data and intellectual property.

Body

Overview

Here are some items that must be done to properly secure University research data and intellectual property.

 

Detail

  • Need to perform a risk assessment to insure that the data is protected commensurate with it value or sensitivity.  Not all data needs the strongest level of security.
  • The principle investigator is responsible for the security, confidentiality, and integrity of the data
  • All research and data must be on a University approved system
    • Must have a current contract with Pitt, not the individual, if cloud based
      • No ‘personal’ accounts such as Drop Box and Google
      • Pitt Box is approved (box.com)
        • Must use file structure approved by Information Security with access controls
    • Must use University laptops, computers, flash drives, USB drives, etc
      • Devices must be encrypted
      • Data at rest on servers must be encrypted
    • If research is on a system controlled by another entity or organization, i.e., another university or company, then the principle investigation must insure the security of the data
      • If it is Pitt data, must have security plan reviewed by Security
  • Must have access control (user name, password, Duo or second factor, …)
  • Must use the concept of ‘least privilege’
    • “concept in computer security, is the practice of limiting access rights for users to the bare minimum permissions they need to perform their work. Under POLP, users are granted permission to read, write or execute only the files or resources they need to do their jobs: In other words, the least amount of privilege necessary.”   https://searchsecurity.techtarget.com/definition/principle-of-least-privilege-POLP
    • Restrict access to research so that everyone cannot read/download all of the data, especially data that they are not associated with
  • Notify Information Security that you have high value data so it can be better monitored and protected
  • Basic security controls
    • Patch all computers
    • Use endpoint protection such as anti-virus
    • Train users on security requirements
    • Notify Information Security within 24 hours of any potential incidents
    • Protect mobile devices such as smart phones and tablets
      • Have a PIN on the device
      • Have an idle time out that requires a PIN to access the device
      • Limit games and other applications on device
        • Verify the permissions required by the app before installing
          • For example, why would a game need to know you location or access your phone records
    • NDA and non-compete agreement
    • Limit number of copies of data

The Information Security can provide assistance and consulting in securing the data.

 

Details

Details

Article ID: 90
Created
Tue 7/18/23 2:52 PM
Modified
Fri 3/29/24 10:07 AM

Related Services / Offerings

Related Services / Offerings (1)

SECURITY CONSULTING AND EDUCATION Pitt IT Security will recommend appropriate data-protection controls through security consultation and risk assessments.