ACCRE places a paramount focus on the security and privacy of sensitive data. Here are the key security measures and practices in place:
- Data Center Location: Sensitive data hosted by ACCRE is exclusively stored on file, database, or computational servers located within Vanderbilt's highly secure data centers in Davidson County, TN. These data centers are specifically approved for handling a range of sensitive data types, including FERPA, Export Controlled, PII, HIPAA, and Sensitive Human Subject Research data.
- Science DMZ Security Model: ACCRE follows the Science DMZ security model, which is designed to provide a secure and high-performance environment for scientific data sharing and analysis. This model ensures that data is protected while allowing for efficient research collaboration.
- Continuous Monitoring: All servers within ACCRE's environment are continuously monitored, 24/7, for network and physical intrusion attempts. This vigilant monitoring helps identify and respond to any potential security threats promptly.
- Patch Management: ACCRE's dedicated staff handles server patching based on risk assessments and availability requirements. Regular patching ensures that servers are protected against known vulnerabilities, reducing the risk of security breaches.
- Group-Based Access Controls: Access to sensitive data is controlled through group-based access controls. This means that users are granted access based on their roles and responsibilities, adhering to the principle of least privilege. This minimizes the risk of unauthorized access to sensitive data.
- Isolated Server Instances: ACCRE employs separate server instances to facilitate approved researchers in analyzing data without needing to remove it from the protected data centers. This approach maintains the security of the data while enabling valuable research activities.
- Remote Access Security: Remote access to the ACCRE environment is subject to stringent security measures. Users must utilize strong encryption methods, and active accounts in two distinct directories are required to gain access. These measures ensure that only authorized personnel can access the environment remotely.
- Data Disclosure Requirement: Prior to creating a research group and allocating resources in the ACCRE environment, all Principal Investigators (PIs) are required to complete a data disclosure. This disclosure is essential for understanding the nature of the data and its associated security needs. It is also shared with collaborating compliance and security groups at the university when necessary, as determined by the data's assigned classification level.
In summary, ACCRE's security practices encompass a comprehensive set of measures, from secure data center hosting to continuous monitoring, access controls, encryption, and data disclosures. These practices ensure that sensitive data remains protected, compliant with regulations, and accessible only to authorized users and researchers.