The NIH provides this best practice document so that institutions can obtain an understanding of the
types of information security practices that they should be enacting. However, this best practice
document is not a substitute for a more formal security plan that is devised for the specific local or cloud
configuration chosen by the investigators and institution.
The NIH strongly recommends that investigators consult with institutional IT leaders, including the Chief
Information Officer (CIO) and the institutional Information Systems Security Officer (ISSO) or equivalents
to develop the formal information security plan prior to receipt of controlled access data from the NIH,
and institutional signing officials should validate that an appropriate security plan is in place prior to
accepting liability for data loss or breach on behalf of the institution. This document provides an
overview of security principles for data, access, and physical security to ensure confidentiality, privacy,
and accessibility of data. This is a minimum set of requirements; additional restrictions may be needed
by your institution and should be guided by the knowledge of the user community at your institution as
well as your institution’s IT requirements and policies.
The single most important element (regardless of type of infrastructure) for maintaining the security of
NIH controlled access data is to design security into the chosen environment before the data is
transferred, rather than attempting to add security controls to an environment after the data has been
downloaded. Security controls should be on by default; investigators and users should not have to
perform any active action to turn them on. To use an analogy, doors should be locked by default rather
than need to be actively locked by someone. A corollary is that all users and support staff associated
with the project need to have an information security mindset going into the project. All must be
aware that public support for the collection and dissemination of these types of data is their individual
responsibility, and it is essential that all staff members who will interact with the data or the systems
that maintain the data have appropriate information security training. This is particularly true for groups
that wish to use cloud computing; in these cases, NIH recommends additional training to inform
staff of the special risks that the use of such infrastructure entails.
Part of having an information security mindset is being aware of the multiple dimensions of access
control and accountability at all times. This means ensuring that passwords and/or access devices
(smart cards, soft or physical tokens, etc.) are physically safe, strong, and not shared with anyone, and
that data is both physically and logically (i.e. electronically) secure. Particular care must be taken with
copies of data on portable electronic media and devices (e.g. laptops, tablets, USB thumb drives, tapes,
etc.). Generally speaking, users should avoid putting controlled access data on such devices wherever
possible. If it is necessary, such devices must be encrypted and should be treated as if they are cash,
with appropriate physical and electronic controls, including remote wipe capability wherever possible. In
addition, please remember that collaborators at different institutions must file a separate data access
request even if they are working on the same project.
Finally, remember that data downloaded from NIH-designated data repositories must be destroyed if
they are no longer needed or used, or if the project is to be terminated and closed out in the dbGaP
Authorized Access System. Investigators may retain only encrypted copies of the minimum data
necessary at their institution to comply with institutional scientific data retention policy, and any data
stored on temporary backup media as is required to maintain the integrity of the general institutional
data protection (i.e. backup) program.