Versions Compared

Version Old Version 3 New Version 4
Changes made by

Eric Zematis

Eric Zematis

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Description

Research involving sensitive data and/or systems needs to be physically secured and monitored in accordance with its sensitivity.

Scope

This policy applies to everyone who manages or uses a Secure Research Facility at Lehigh.

Security Requirements

NIST 800-171 references the following security requirements within the XXXX family:

...

  • HIPAA Security Rule - Physical Safeguards

    The HIPAA Security Rule establishes safeguards to protect electronic protected health information (ePHI). Within that, the Physical Safeguards specifically address physical access to ePHI and the facilities where it's stored.  

  • 28 CFR Part 22 - Confidentiality of Identifiable Research and Statistical Information
    The Electronic Code of Federal Regulations (eCFR) Title 28, Part 22, pertains to the confidentiality and proper use of identifiable research and statistical information.

Implementation

  1. Secure Research Facilities (SRF) need to be secured with an electronic lock and access restricted to only the individuals who need to have access to the facility including:

    1. Approved researchers

    2. Lehigh University Police

    3. Other individuals who need access including cleaning staff will need to provided access and monitored by those with approved access.

  2. Secure Research Facilities are intended to limit access to authorized individuals and should not to be shared. If the physical space must be shared it should only be for other research requiring a similar level of security and there must be other physical and/or logical controls in place to restrict access. For example, using separate computers inside of a SRF for each research project.

  3. Audit logs of all access need to be logged.

    1. Electronic Access Control (Preferred) - SRF should be secured with electronic access and logs will be sent to Information Security office for audit purposes monthly.

    2. Physical Key - Physical keys should only be used for emergency access to a SRF. If a physical key is used then access needs to manually recorded in access log upon entry and exit. The log needs to be immediately available upon entry and copies of the logs need to be sent to Information Security for audit purposes monthly.

  4. Information Security will maintain a list of authorized users and audit access logs.

  5. Maintenance Access - If maintenance or housekeeping access is required it must be conducted in the presence of personnel with authorized access to the space.

Definitions

 Secure Research Facilities - Physical space where research involving sensitive data (e.g. CUI, PHI/ePHI) that requires additional protection must be conducted.

Revision History

Date

Version

Description

Approval

1.0

Original Document

Draft

1.01

Revisions

Draft

1.1

CISO Approved

Approved

...