Benchmarks Online


Safeguarding Research Data

By Dr. Philip Baczewski, Associate Director of Academic Computing

A June 2004 report from the Texas State Auditor's Office (SAO) concluded that higher education institutions should do more to protect research data. The findings of their report included the following observation:

Security of research data at the institutions we audited was inconsistent and sometimes inadequate. Although we identified instances in which research data was very well protected, we identified inconsistent security measures at each of the three institutions we audited that expose other research data to the risk of loss or misuse. This could significantly impede researchers' progress or, ultimately, result in the loss of research funding.

The report goes on to detail data losses due to inadequate backup and disaster recovery, as well as productivity losses resulting from the introduction of a computer worm via a laptop computer attached to the campus network.

Hazards to research data

Hazards to research data fall into three categories:

Loss of data because of inadequate backup can impede completion of a research project and possibly result in the loss of intellectual property which could be patented and licensed for commercial development.

Unauthorized access to research data can result in the violation of research participants' privacy or in the theft of intellectual property.

Operational interference with computer systems (virus or worm outbreaks, or inadequate disaster recovery) can delay or prevent completion of funded projects or impede delivery of research-related services.

The SAO audit report offers the following recommendations to safeguard research data.

Institutions should:

Establish and enforce a policy regarding sharing data stored on individual workstation hard drives. If users are permitted to share data on their hard drives, institutions should instruct them on how to share this data securely. Institutions should also consider conducting regular scans to identify instances in which users are sharing their hard drives to monitor compliance with established policies.

Ensure that users are made aware of the importance of securing their workstations and servers by changing default accounts and ensuring that all accounts have passwords.

Where possible, ensure that password policies for research departments are strengthened to follow the Department of Information Resources' guidelines for length, complexity, reuse, and aging.

Ensure that server administrators review security logs.

Where possible and appropriate, ensure that workstations use password-protected screen savers when users are away from their workstations.

UNT has a number of policies which support the achievement of the standards recommended above. The "University of North Texas Computer Use Policy" defines standards for password management and system access security. The "UNT Information Resources Security Policy" provides guidelines for controlling access to information resources and preserving data integrity.

Policies on their own, however, will not secure systems or data, so it is necessary for both the central technical departments and the researcher to take actions to protect research data. Research systems managed by ACS are backed up for purposes of disaster recovery, with a three-week retention period on backed-up files. Backups happen once per day and are not intended as an archive. Data archiving remains the responsibility of the individual researcher (for more about backups, see "Writing in Water" in this issue of Benchmarks Online).

What is being done?

The Computing and Information Technology Center (CITC) Security Team runs regular scans of the campus network to identify vulnerable systems which could compromise the security or operation of the campus network. It is particularly important that users of MS Windows workstations protect not only their UNT-owned systems but their personally owned systems as well, since data is often shared between the two. The CITC provides access to current versions of virus protection software for campus as well as personal systems. More information can be found at the UNT Virus Webpage.

Practices are being developed to enforce use of more secure password strings and password aging for central systems, especially those which use an EUID and enterprise password for login. Those practices will be phased in during the Fall 2004 semester, but in the meantime, it is important for researchers to use secure passwords which are not names or dictionary words. In addition, the College of Arts and Sciences has begun using password-protected screen savers on its College-supported Windows systems.

If you are managing your own workstation, it is important to keep up with application of security updates. Windows, Mac OS, and most Linux distributions have methods for downloading and applying the latest updates. Unpatched systems have historically been most vulnerable to the compromise or loss of data.

While the CITC provides support and guidelines for safeguarding data, it is ultimately the responsibility of the individual researcher to safeguard their data. Research data should be backed up and archived at its primary storage location, which is usually the faculty research workstation. But backup of data is not the only responsibility of researchers. Being mindful of password and operational security issues will promote a computing environment which safeguards data and ensures continuity of the research process.