A substantial Schedule of Requirements was drawn up for the call for tenders and selection of a central Research Data Management system (RDM) for the University Library.
'In the near future, when storing your research data you'll no longer need to be concerned about matters such as the availability, integrity and confidentiality of the system and its environment,' explains UvA/AUAS information security manager Frank Haak enthusiastically.
'When storing data in the central RDM system, a researcher will meet all the security requirements. You'll no longer need to worry about matters such as retrieving your data for replication studies, data leakage, data breaches and the legal requirements for archiving. You could lose a USB stick containing research data and on top of that risk a hefty penalty plus reputational damage’.
‘Information carriers such as CD-ROMs can disintegrate, and given the rapid pace of ICT developments, often systems will soon no longer be able to read them. We ensure that research data are properly protected in the central RDM system. We create system updates, keep a close eye on everything - hacking comes to my mind! - and patch or close any gaps that could arise due, for instance, to programming errors, or unexpected, new techniques’.
UvA/AUAS policy and the Information Security Baseline (1) are based on the ISO27001/2 standards. We require our partners to deliver a comparable level of information security. A supplier must provide a Third-Party Notification (2) to demonstrate that it meets the UvA/AUAS information security requirements. Added to that the contract includes a provision stipulating that we also want to be able to verify this for ourselves’.
The ISO27001/2 standards impose requirements on physical and logical access control. This relates to aspects such as back-up and restore procedures and processes, and setting up a user structure and authorisations, i.e. who has access to what and what the user is allowed to do there. Moreover the staff of business partners and suppliers are required to sign a confidentiality agreement.
‘There are three different levels of security: standard, sensitive and critical,' Haak explains. 'The Information Security Baseline containing some 120 guidelines applies to standard data. These are security measures that may be relevant.
Where sensitive data are concerned, aspects such as privacy or confidentiality come into play. In that case we take additional security measures, such as two-factor authentication (3) or encryption. Where critical data are concerned, we carry out a comprehensive risk analysis.
The researcher is responsible for determining the required level of protection. Of course, he or she can seek advice from a UvA/AUAS lawyer and the ICTS information security managers’.
‘We keep a vigilant eye on the privacy of personal data. Due to the USA Freedom Act - which stipulates that the US government can obtain data from US cloud computing companies - we do not work with US companies, such as Amazon, at present. Awareness of what is needed to actually store data safely, and of data privacy, is vitally important. People have said that "the current method of managing personal data is rather like smoking in the Sixties”. Researchers are still insufficiently aware of the harmful impact it can have’.
(1) The Baseline Information Security document sets out the measures that apply as minimum security requirements at the UvA. The measures described are a combination of best practices, existing UvA practices and the experiences of the authors of this document.
(2) A Third-Party Notification (TPN) is a statement issued by an independent audit party on the quality of an outsourced ICT service. A TPN provides insight into the quality of the ICT management structure and services provided by the supplier.
(3) Two-factor authentication is an additional step during the login process. For example: you not only need your login code but also your bank card when using the e-identifier.