[unisog] funding regulations

Daniel Feenberg feenberg at nber.org
Sat Jul 12 22:30:49 GMT 2003


We have had grants from:

   HICFA
   NIH
   SSA
   NCES
   NSF
   Census
   
and others with security requirements. If (and only if) they are supplying
confidential data they may send a "security plan" for us to sign and
follow. In most cases the plan presumes a stand-alone non-networked
computer in a locked room, and the specifications deal with the quality of
physical security and record keeping for who gets a key and when. Often
there is an option for network connected storage of data, but with many
agencies, and different rules for each one, it has usually not been
practical for us to take that option. In most cases remote access to the
data would not be allowed anyway, so the incentive is mild.

Institutions with large projects or personal medical records no doubt have
quite a different experience than ours.

If your intent is to implement a plan that would be broadly acceptable to
many agencies, I think that would be hard to do. For example, most
agencies require the door to the locked room be clearly labeled as
"Authorized persons only", but recently one agency changed its mind and
prohibited such labels. One agency may require data be stored on a
removable drive, which itself must be stored in a safe when not in use.
Another may require that the stand-alone computer not even have removable
drives. If I had one "secure data facility" I would have a problem
satisfying all the agencies. The rules also change through time, and new
rules don't (in our experience) apply to old grants.

On 11 Jul 2003, Mark Newman wrote:

> Does anyone know of any resources (links,etc.) that describe current
> federal regulations/requirements for research grants specifically
> related to information security?
> 
> Thanks,
> Mark Newman
> University of Tennessee