Guidelines for Technology in Faculty Research
NYU is committed to protecting and securing its research data. This flow chart is designed to help faculty identify the level of security required for their research data and the resources to assure its confidentiality.
In order to safeguard NYU's information assets (i.e. systems and data), research data is classified as low, moderate, or high risk data. The protection of research data may be guided by federal regulation or sponsor requirements. More stringent measures of security are required as the level of risk increases.
Determine the risk classification level of your research data
With research data, faculty should follow moderate or high risk guidelines.
An example of low risk data may be data sets that are widely available on the internet without any access restrictions.
An example of moderate risk is unpublished research data that is not classified high risk.
Examples of high risk data include:
- Unpublished research data that is subject to sponsor, federal, or foreign government protected data requirements, including human subjects’ data or data which are proprietary, confidential, sensitive or designated as controlled unclassified information (CUI).
- Contact NYU’s firstname.lastname@example.org for more information or assistance.
- Export controlled information.
After reviewing the Electronic Data and System Risk Classification Policy, follow NYU's three-step process for classifying your data.
Assess, Review, and Secure Your Data
Review your existing research processes which request or process data in order to assess the state of data security. Consider:
- How is the data being used?
- Who needs access to these data?
- How long do we need to keep these data?
Review your data storage and collection processes. Consider:
- What kinds of sensitive data do we need to store?
- How many records will we be using?
- On what systems will the data be stored?
- Who needs access to systems that contain sensitive data?
- How do we collect sensitive data (web forms, email, paper forms, etc.)?
- How do we transport/transmit the data?
Implement data security standards which will assist you and your department in securing sensitive data from unauthorized access or breaches. Consider:
- Authentication: Users should be required to log in with a username and password to see data, and that access should be logged.
- Permissions/Access Controls: Verify that controls are in place to allow system users to only see the data they need to see.
- Encryption where appropriate: Where possible, encrypt restricted data.
  - In transit: This covers both transmission over a network and physical transportation of media containing sensitive data, such as hard drives.
  - In storage: Encrypt data using tools such as PGP, etc. (This may not be possible in all cases. Contact the Office of Information Security with any questions you may have.)
- Select a secure storage location: Select a location appropriate to store the data.
- Proceed to Step 3
Plan for Storage, Management, and Publication of Your Data
NYU provides a variety of storage solutions. Compare the qualities and security levels available with NYU Drive, NYU Box, NYU Stream, Research Workspace and Windows File Sharing. Contact Secure Research Data Environment (SRDE) for assistance.
Research at NYU frequently involves international collaborations and international travel. In turn, travel related to international collaborations often involves traveling with research data, equipment such as laptops, and software. Review NYU’s guidelines on traveling internationally with technology and research data.
Traveling with Technology and Technical Data
Before traveling internationally consider the following four questions:
Which export control regulations may apply?
Various U.S. Government agencies impose restrictions on taking research data or items overseas and on travel to particular international destinations.
Where are you going?
An export license and/or import permit might be required to travel internationally with research data or items. Some destinations are sanctioned by the U.S. Government; special travel guidelines apply.
What are you taking with you?
Export control restrictions may apply to taking research data or items abroad depending on whether the technology is military/defense related or dual-use and the destination of travel.
What will you be doing and with whom will you be interacting?
It is important to ensure that you do not accidentally export controlled information or provide any type of assistance to an entity/person on a restricted party list maintained by the U.S. Government.