Protected Data Storage

Resource Icon: OSC Protected Data Storage

OSC's Protected Data Storage (PDS) is designed to address the most common security control requirements encountered by researchers while also reducing the workload on individual PIs and research teams to satisfy these requirements.

Protected Data at OSC

The OSC cybersecurity program is based upon the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 4 requirements for security, and reflects the additional requirements of established Information Technology (IT) security practices.

OSC currently supports the following protected data types.

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Export Control data
    • International Traffic in Arms Regulations (ITAR)
    • Export Administration Regulations (EAR)
  • Personally Identifiable Information (PII)
  • Proprietary Data

If you need support for a data type that is not listed, please describe it in the form below.

OSC only provides support for unclassified data processing, regardless of the specific category of that information. No support for data classified at secret or above is provided, and researchers should not, under any circumstance, transfer such data to OSC systems.

Getting started with the Protected Data Service at OSC

OSC's PDS was developed with the intent of meeting the security control requirements of your research agreements and to eliminate the burden placed on PIs who would otherwise be required to maintain their own compliance infrastructure with certification and reporting requirements.

In order to begin a project at OSC with data protection requirements, please follow these steps:

Fill out online form

Complete the form below to submit a consultation request. Describe the project's data.

Consultation

Once submitted, you will hear back from OSC to set up an intial consultation to dicsuss your project and your data. Based on your project and that data being used, we will request the necessary documentation (data use agreements, BAA, MOU, etc).

Approval

Once OSC receives the necessary documentation, the request to store data on the PDS will be reviewed, and if appropriate, approved.

Get started

Once OSC receives the necessary documentation, the request to store data on the PDS will be reviewed, and if appropriate, approved.

Please visit the 'getting started' documentation for starting research at OSC. Please review the links below in the Navigation section to find useful best practices for successfully using OSC's Protected Data Service.

Please note it will take, on average, between 4-12 weeks to ensure all relevant documents have been signed by both parties.
CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.

Important protected data notes

Keep protected data in proper locations

Do not move or copy data outside the project space /fs/ess/<project-code> without PI approval. Protected data must be stored in predetermined locations. Moving protected data to locations outside of the original /fs/ess/<project-code> path is not permitted because other locations may not have the proper controls and requirements to safely store it. To reiterate, there are many other storage locations at OSC:

  • /users/<project-code>
  • /fs/project/<project-code>
  • /fs/scratch/<project-code>
  • /fs/ess/scratch/<project-code>
none of the above locations can be used to store protected data, only /fs/ess/<project-code> dir can be used.

Project space access controls and permissions should not be altered

Do not adjust permissions of project space without PI approval.

The project space permissions where protected data will be stored was setup to prevent unauthorized access to the data. Altering these permissions without approval could lead to the data being exposed and a violation.

Keep accounts secure

Do not share passwords, ever. Sharing passwords is not authorized.

A user that logs in with another person's account is able to perform actions on behalf of that person, including unauthorized actions mentioned above.

Securely transferring files to protected data location

Securely transferring files at OSC

Files containing personal health information (PHI) must be encrypted when they are stored (at rest) and when they are transferred between networked systems (in transit).

Transferring files securely to OSC involves understanding which commands/applications to use and which directory to use.

Before transferring files, one should ensure that the proper permissions will be applied once transferred, such as verifying the permissions and acl of the dest dir for a transferred file.

FileZilla

Install filezilla client software and use the https://wiki.filezilla-project.org/FileZilla_Client_Tutorial_(en) page to transfer files.

Use the client sftp://sftp.osc.edu

Select login type as interactive, as multi-factor authentication will be required to login for protected data projects.

Make sure to use sftp option
It is connected to user's home directory by default.
Need to navigate to /fs/ess/secure_dir before starting the file transfer

Globus

There is guide for using globus on our globus page.

Command-line transfers

Files and directories can also be transferred manually on the command line.

secure copy (scp)

scp src <username>@sftp.osc.edu:/fs/ess/secure_dir

sftp

sftp <username>@sftp.osc.edu ## then run sftp transfer commands (get, put, etc.)

rsync

rsync --progress local-dir <username>@sftp.osc.edu:/fs/ess/secure_dir

providing access to protected data locations

Providing access to protected data locations

PHI data transferred to OSC will be set with permissions to restrict access to only project users. Project users are determined by group membership. For example, project PEX1234 has a protected data location at /fs/ess/PEX1234 and only users in the group PEX1234 may access data in that dir.

Grant and remove user access to protected data

See our page for invite, add, remove users.

Adding a user to a project in OSC client portal adds the group to their user account, likewise removing the user from the project, removes their group.

A user's first project cannot be the secure data project. If a user's first project was the secure data project, then removing them from the project in client portal will not take away their group for that project.