Version: 10/15/2014

UT Health Medical School Research Questionnaire

General Information (required for all requests)

Submitted by / Click here to enter text. / Department / Click here to enter text. / Date / Click here to enter a date.
Principal Investigator / Click here to enter text. / DMO Approval / ☐ Yes ☐ No / Grant Funds / ☐ Yes ☐ No
Data Classification (see Appendix I) / ☐ Confidential ☐ De-Identified
Request Type: Please select and fill all applicable sections
☐ I. Research PC (computer only) / ☐ II. Research Software (software only)
☐ III. Scientific Equipment with computing device (may include a scientific instrument with embedded or standalone computing device) / ☐ IV. Research System (may include software application, server, database, instrument, external interfaces, external vendors etc.)
Section I—Research PC Only

Research PC

Question / Answer
What is the purpose of this computer? / Click here to enter text.
Will this computer process/store/transmit confidential information? / ☐Yes ☐No If yes, please provide details, such as how many records will be stored and processed daily. Click here to enter text.
Does the PC come with a 3 year warranty? (MSIT recommends at least a 3 year warranty) / ☐ Yes ☐No Comments: Click here to enter text.
Will additional research software be installed on this PC? / ☐Yes ☐No (If yes is selected please also fill research software section)
Will this computer connect to any scientific instrument? If yes, how? / Click here to enter text.
Can this PC be encrypted (full disk encryption)? / ☐Yes ☐No (If no, an exception request will need to be filed with IT Security)
Will this PC connect to the UT Network? / ☐Yes ☐No (If no, an exception request will need to be filed with IT Security)
Operating System / Click here to enter text.
Can this PC connect to Active Directory? / ☐Yes ☐No (If no is selected, describe how this computer will be managed, i.e. patches etc.) Click here to enter text.
Can regular security updates be applied? / ☐Yes ☐No If no, a research exemption needs to be filed with details on patching intervals
Can Forefront antivirus be installed on the machine? / ☐Yes ☐No (If no, an exception request will need to be filed with IT Security)
Who in the department will be responsible for this PC? / Click here to enter text.
What is the typical data file size output? / Click here to enter text.
Where will this data be saved and backed up? / Click here to enter text.
Any interfaces to other systems (i.e. Allscripts, external to UT)? / Click here to enter text.
Any environmental concerns (i.e. extra cooling need, located in a restricted area)? / Click here to enter text.
Any other comments? / Click here to enter text.
Section II—Research Software

Research Software

For New Software Requests (see below for license renewals)
Software Name / Click here to enter text.
Vendor Name / Click here to enter text.
Does the vendor provide support for the software? If yes please provide details / Click here to enter text.
Vendor Contact / Click here to enter text.
Business need for this software? / Click here to enter text.
Software functionality? (How does this software work?) / Click here to enter text.
How many licenses are needed? / Click here to enter text.
Is there an annual license renewal? / ☐ Yes ☐ No
What are the hardware requirements? / Click here to enter text.
On what hardware will the software be installed? / Click here to enter text.
Is the hardware running this software encrypted? / ☐Yes ☐No
Does the software create, process or store confidential data? / ☐Yes ☐No
If confidential data is involved, how many confidential records are processed/stored daily? / Click here to enter text.
What is the format and size of data created by this software? / Click here to enter text.
Where will data generated by this software be saved and backed up? (MSIT recommends NAS) / Click here to enter text.
Who in the department will manage this software (i.e. upgrades)? / Click here to enter text.
How will access be granted to the software? / Click here to enter text.
How many users will have a userid to access this software?
Does the software support LDAP/AD integration for access control? / ☐Yes ☐ No If no please provide details on where user accounts will be created Click here to enter text.
Who will have admin rights to this software? / Click here to enter text.
Does this software track changes made by users? / Click here to enter text.
Will this software be used to provide high availability patient care? / ☐ Yes ☐ No
Does this software communicate to the internet? / ☐Yes ☐ No If yes please provide details Click here to enter text.
For License Renewals only
Brief description of the software / Click here to enter text.
Where is this software installed? / Click here to enter text.
Does the software create, process or store confidential data? / ☐Yes ☐ No
Who is responsible for managing this software (i.e. upgrades)? / Click here to enter text.
Any changes to vendor contact Information?
Section III—Scientific Equipment with Embedded and/or Standalone PC

Scientific Equipment with Embedded and/or Standalone PC

Business need for this equipment? / Click here to enter text.
Will the equipment process and/or store confidential information? / ☐ Yes ☐No
Is the PC embedded in the instrument? / ☐ Yes ☐No
If PC is not embedded, how is it connected to the instrument? / Click here to enter text.
Does the vendor provide support for the PC? / Click here to enter text.
Can the PC be encrypted? / ☐ Yes ☐No If no, an exemption needs to be filed with IT Security
Do the instrument and/or PC need to connect to the network? / Click here to enter text.
Are there any external interfaces? (i.e. remote support) / Click here to enter text.
What operating system is installed on the PC? / Click here to enter text.
Can the PC component connect to Active Directory? / ☐Yes ☐No If no is selected, describe how this computer will be managed, i.e. patches etc. Click here to enter text.
Can regular security updates be applied? / ☐ Yes ☐No If no, a research exemption needs to be filed with details on patching intervals
Can Forefront antivirus be installed on the machine? / ☐Yes ☐No If no, an exception request will need to be filed with IT Security
What is the typical data file size output from the instrument? / Click here to enter text.
Where will this data be saved? / Click here to enter text.
Any special needs (i.e. extra cooling, power etc.) / Click here to enter text.
Section IV—Research System

Research System (may include software application, server, database, instrument, external interfaces, external vendors etc.)

General Info

What is the business need for this system? / Click here to enter text.
How does this system work? (Functionality). / Click here to enter text.
Does this system provide patient care? / ☐Yes ☐ No
Does the system process, store and transmit confidential data? / ☐Yes ☐ No
Please provide a list of hardware that comprises this system. / Click here to enter text.
Hardware location / ☐ UT Data Center ☐ Cloud ☐ Other Please provide details: Click here to enter text.
Please provide a list of software that comprises this system (including databases)? / Click here to enter text.
Is there a need to create a test/dev environment? (recommended for high availability systems) / ☐Yes ☐ No If yes, increased hardware costs
Does the system involve a desktop software component? / ☐Yes ☐ No If yes, please provide details. Click here to enter text.
Does the system involve use of mobile devices (i.e. iPad, USB drive, External Storage)? / Click here to enter text.
Is there a need for an SLA (Service Level Agreement) with the vendor? / ☐Yes ☐ No
Is there a need for a BAA (Business Associate Agreement)? / ☐Yes ☐ No BAA is needed if vendor will have access to UT confidential data
Roles and Responsibilities
Who is the system/data owner (usually a PI)? / Click here to enter text.
Who will be the application custodian (responsible for maintaining/supporting the application)? / Click here to enter text.
Who will be the server custodian (responsible for maintaining/supporting server hardware)? / Click here to enter text.
Will the vendor provide support? / ☐Yes ☐ No ☐NA If yes, how long will the vendor provide support Click here to enter text.
Who will have admin rights to the system? / Click here to enter text.
Is a guest account needed for the vendor? / ☐Yes ☐ No
Data Flow
Risk Classification / ☐ High ☐ Medium ☐Low Please see Appendix II
How is data collected and entered into the system? / Click here to enter text.
What type of data is it? / Click here to enter text.
How is this data backed up? / Click here to enter text.
What is the data retention period? / Click here to enter text.
What type and size of data will be created by the system? / Click here to enter text.
Are there any special network bandwidth considerations? / Click here to enter text.
Access Control
How is this system accessed by end users? (i.e. via client, website etc.)? / Click here to enter text.
Are these users internal, external or both? / Click here to enter text.
How many users will have userid access to this system? / Click here to enter text.
How many desktop computers will have access to this system? / Click here to enter text.
Where are these desktop computers located? / Click here to enter text.
Will the system utilize SAML/LDAP for access control? (MSIT does not recommend local user accounts) / ☐Yes ☐ No Comments: Click here to enter text.
How will userids be managed? (Skip if UT accounts are being used.) / Click here to enter text.
What is the process a new user would follow to request a user ID for the application/system? / Click here to enter text.
Is communication during the authentication process encrypted? / Click here to enter text.
Who will review system access list on a regular basis? / Click here to enter text.
How will access be terminated? / Click here to enter text.
Is there a need to provide different levels of access (i.e. elevated for doctors, restricted for administrative staff)? / Click here to enter text.
Login Management
Is there an application lockout feature available after X number of failed attempts? / Click here to enter text.
Does the application logout after X minutes of inactivity? / Click here to enter text.
Audit/Logs
Does the application/system have an audit trail feature? / Click here to enter text.
Does the application/system record all changes made by users? / Click here to enter text.
How long are the audits kept? / Click here to enter text.
Database
Does the application/system require a specific database solution (Oracle, DB2, SQL, etc.)? Please include database version. / Click here to enter text.
Does the application/system need a dedicated database server? / ☐Yes ☐No
What will be the initial database size in MB? / Click here to enter text.
What will be the anticipated yearly growth in MB? / Click here to enter text.
If SQL is used, can the database reside on the UT SQL cluster? / ☐ Yes: ☐ SQL 2008 Cluster ☐ SQL 2012 Cluster ☐ No
What type of environment is this database intended for? / ☐ Development ☐ Testing ☐ Production
How is the database being developed? / ☐ Vendor ☐ In-house (database provided) ☐ In-house (blank database) ☐ Other. Please explain: Click here to enter text.
Describe in detail the front end interface making a connection to this database. / Click here to enter text.
What are the requirements for the interface connectivity with the database (i.e. firewall ports)? / Click here to enter text.
Interfaces
Will the system be interfacing with other UT applications? / Click here to enter text.
Will the system be interfacing with external entities on the internet? / Click here to enter text.
Will data be transferred to other systems? Please provide details. / Click here to enter text.
Business Continuity Disaster Recovery
Please specify how long your users/managers could be without the system if there was an unplanned downtime or a system outage. (Recovery Time Objective) / Click here to enter text.
Please specify what amount of data loss would be either acceptable or re-creatable (manual entry, etc.) if your application were to encounter an unplanned downtime or service interruption during the backup intervals. (Recovery Point Objective) / Click here to enter text.
Is there a need for a specific backup solution? UT backups are kept for 14 days. / Click here to enter text.
Application Development
(Please answer the following questions if application/web development is involved)
How will the application be developed? / ☐ In-house ☐ Custom developed by the vendor ☐ Off the shelf ☐ Off the shelf with customization
Where will the application be hosted? / ☐ Internally ☐ Externally
Who in the department will manage this application? / Click here to enter text.
Storage Needs
Are there any storage needs? / Click here to enter text.
Location of storage / ☐ Internal ☐ External Please provide details: Click here to enter text.
Size in GB / Click here to enter text.
Any special needs (i.e. high speed, data replication, archiving)? / Click here to enter text.
Is confidential data involved? / Click here to enter text.
Is there a need to replicate data? / Click here to enter text.
Is there a need to archive data?
Mobile Devices (iPad, USB drive) (please provide this information if mobile devices are involved)
How will mobile devices be secured? (i.e. Airwatch, Lok IT) / Click here to enter text.
Will the mobile device process or store confidential data? / Click here to enter text.
If yes, how long will confidential data reside on the mobile devices? / Click here to enter text.
How many records of patient data will be stored at any given day and time? / Click here to enter text.
Will the device have an automated mechanism to regularly purge patient data? / Click here to enter text.
Will the department maintain a check-in/check-out sheet? / Click here to enter text.
Appendixes

Appendix I—Data Classification