Research Sponsors often ask specific questions on how you and BU are securing research data.

Please start with these examples, but reach out to bumcinfosec@bu.edu if you have any questions.

Description of Security Controls for BU network drive (aka RU-NAS1, BUMC Y Drive):

The data resides on a BU Restricted Use (HIPAA compliant) network drive that is protected by a plethora of security controls, including Palo Alto firewalls and IPS, network-based IDS, hardware-based encryption at rest, and activity logging. Encryption and integrity controls in transit are provided by Microsoft network drive protocol (SMB3). Off-campus access requires use of the BU two-factor VPN, providing an extra layer of encryption. The network drive system and backup system are located in on-campus BU data centers, in compliance with our BU Data Center Policy.

Data is backed up by a daily, weekly, and monthly snapshot process. Ultimately, data backups are retained for three months before automatic deletion by the write-over process. Therefore, any Sponsor requirements to confirm deletion need to take this three-months of data retention into account before confirming the deletion of data.

Description of security controls for BU Shared Computing Cluster:

Data on the Shared Computing Cluster is protected by Palo Alto firewalls and IPS, two-factor authentication, and vulnerability management. Within the Shared Computing Cluster, data resides on either the restricted partition called SCC4 that is cleared for Confidential data* or SCC1, SCC2, or SCC3 that are cleared for data classified as Public or Internal.

Data stored on the SCC’s backed-up filesystem is copied off-site each night, and snapshots maintain a record of daily changes for up to six months.  Data stored on the not-backed-up filesystem have daily snapshots for 21 days for convenience and to protect against accidental deletion.

Description of security controls for BU IS&T and BUMC IT managed devices used to access or analyze the data:

BU-managed Windows and Apple laptops and desktops are protected by several security controls, including KACE inventory and patching, Crowdstrike advanced threat protection, encryption, and a 15-minute automatic screen lock.

Describe the BU Policies that must be followed by the research team:

All BU departments, including researchers, must follow the BU Data Protection Standards

These policies are reviewed annually and often revised annually (unless not necessary or advisable). All human subject researchers must also complete HIPAA and Data Security Training, initially and every three years thereafter.

What access controls are in place?

Access to BU-managed devices and services, including the BU network drive system, requires a strong BU password (minimum 16 characters, 2 upper case, 2 lower case, at least 1 special character or number). Off-campus access to the BU Restricted Use network drives requires use of the BU two-factor VPN.

Does BU have an incident response plan?

Yes, BU maintains an extensive Data Breach Management Plan, outlining roles and responsibilities. Generally, the BU community has an obligation to report potential security incidents or breaches to the BU Incident Response Team. Following a report, a Data Breach Coordinator is appointed, who will work with the Principle Investigator, to ensure we meet any reporting deadlines. The BU Data Breach Management Plan is for internal use only, but we provide overview information here.