
Data Management Plan Template

STEP 1: PHYSICAL POSSESSION AND STORAGE OF DATA FILES

GOAL

In this step, you should describe the data privacy protections you have in place for conducting this research. Your description should include discussion about how you will maintain an inventory of ______ data files and manage physical access to them for the duration of your DUA.

Explain your organizational safeguards. Examples are:

•How you manage/maintain an inventory of the data files and keep it up to date

•Data sharing agreements among organizations (both internal and external to your organization) to ensure protections are being applied throughout the DUA lifecycle

Explain your personnel/staffing safeguards. Examples are:

•Confidentiality agreements that you have in place with individuals you have identified as being assigned to this study. Include, for example, agreements between the Principal Investigator (PI)/Data Custodian and others, including research team members, computer/information technology (IT) support staff, secretarial/administrative staff and volunteers. (Note: all volunteers assisting with the project must have a direct reporting relationship with a lead researcher)

•How you will keep _____ informed of project staffing changes as related to data custodianship

•Staff training programs you have in place to ensure data protections and stewardship responsibilities are communicated to the research team.

•Procedures you use to track the active status and roles of each member of the research team throughout the DUA period

Explain your technical and physical safeguards. Examples are:

•Actions you have taken to physically secure storage of data files, such as site and office access controls, secured file cabinets and locked offices.

•Safeguards you have put in place to limit access to personally identifiable information (PII) among the research team, such as analytical data extracts

•Provide a brief summary about the network where _____ data will reside.

•Written policies and procedures for ensuring that data are protected when contained on:

–Servers and local workstations

–Hard media devices (CDs, DVDs, hard drives, etc.) or your organization’s standards for the physical removal, transfer or disclosure of data

STEP 2: DATA SHARING, ELECTRONIC TRANSMISSION, AND DISTRIBUTION

GOAL

Your organization must ensure privacy and security safeguards are in place for data sharing, electronic transmission, and distribution of data among members and organizations of your research team.

Explain your organizational safeguards. Examples are:

•Policies and procedures on how you secure PII shared among the research team.

•Policies and procedures to ensure your organization follows ______’ cell suppression policy, such as in creating analytical extracts for research members

•Methods you use to track access and use of _____ data

Explain your personnel/staffing safeguards. Examples are:

•Policies and procedures you have that define data access privileges for specific staff members of a research team, such as a Principal Investigator, Data Custodian, other research analysts, administrative support, IT/computer support and volunteers (Note: all volunteers assisting with a project must have a direct reporting relationship with a lead researcher)

Explain your technical and physical safeguards. Examples are:

•Your approach to managing or limiting access to specific workstations, servers, data directories, or data files.

•Your password management programs.

•Your staff authentication protocols.

•Your log-on/log-off protocols

•Your intrusion prevention protocols (measures to prevent access following specified number of failed access attempts)

•Your use of encryption standards, practices, and policies if permitted on hard media devices or your organization’s standards for the physical removal, transfer or disclosure of data.

STEP 3: DATA REPORTING AND PUBLICATION

GOAL

Your organization must ensure that all analysis, findings, presentations, reports, and publications using _____ research data files adhere to specific requirements of the DUA.

GUIDANCE

Explain how your organization ensures compliance with the publication requirements of the DUA. Note that for research involving Medicare Part D data, prior approval of the publication is required.

STEP 4: COMPLETION OF RESEARCH TASKS AND DATA DESTRUCTION

GOAL

Your organization must ensure that it has policies and procedures in place to destroy the data files upon completion of the research and that you have safeguards to ensure the data are protected when researchers terminate their participation in research projects.

Explain your organizational safeguards. Examples are:

•The methods you have put in place for ensuring changes to the research team are being managed, such as communicating project staffing changes to _____

•Your policies and procedures for conducting staff exit meetings, including those with organizations you collaborate with for this particular project

•Your approach to notifying information technology support staff about blocking access by research staff or organizations to all permitted data resources used for this project study and DUA

Explain your personnel/staffing safeguards. Examples are:

•Meetings you have with organizational and project-level privacy managers to ensure exiting staff are debriefed on privacy and security protection protocols.

•The procedures you have in place to ensure the return of passkeys, swipe cards, and other media that permit access to data storage and research facilities.

Explain your technical and physical safeguards. Examples are:

•The methods that you have put in place to ensure staff no longer have access to the data files upon completion of the research.

•Policies and procedures that your organization has developed to complete the Certificate of Sanitization Form (available on Page 50 of )

•Policies and procedures that your organization has developed to ensure original data files or derivatives thereof will not be used following completion of the research project

Reference: IT Security Control Objectives to Meet in a Data Management Plan

  1. Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.
  2. Awareness and Training (AT): Organizations must: (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems; and (ii) ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
  3. Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
  4. Certification, Accreditation, and Security Assessments (CA): Organizations must: (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
  5. Configuration Management (CM): Organizations must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems.
  6. Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.
  7. Identification and Authentication (IA): Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
  8. Incident Response (IR): Organizations must: (i) establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to appropriate organizational officials and/or authorities.
  9. Maintenance (MA): Organizations must: (i) perform periodic and timely maintenance on organizational information systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
  10. Media Protection (MP): Organizations must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse.
  11. Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.
  12. Planning (PL): Organizations must develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems.
  13. Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures.
  14. Risk Assessment (RA): Organizations must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.
  15. System and Services Acquisition (SA): Organizations must: (i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization.
  16. System and Communications Protection (SC): Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and (ii) employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.

  17. System and Information Integrity (SI): Organizations must: (i) identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational information systems; and (iii) monitor information system security alerts and advisories and take appropriate actions in response.
