In order to monitor the status of compliance with IRP security policies and procedures, IRP’s Data Security Officer conducts routine evaluations of how computing resources are being utilized and how information is being protected. As part of our strategy for ensuring that confidential data are not accidentally released to unauthorized users, IRP conducts periodic announced and unannounced reviews of security practices by individuals authorized to access confidential data.
Review of Files Removed from Silo
Only aggregate information may be removed from Silo. Information on files removed by researchers from Silo using the silosync process will be logged and retained for review, to ensure that no individual-level information is removed from Silo.
Expired User Accounts, Directories
SSCC annually renews user accounts. Upon an employee’s or graduate student’s departure from IRP, the Data Security Officer will review the individual’s accounts. If you are accessing project files owned by or stored under an SSCC account that may not be renewed in the future, consult with the IRP Data Security Officer so that you can take steps to have these files moved to an active account and transferred to a new owner.
IRP Confidentiality and Data Security Agreements are deemed to be active for one year. An e-mail is sent to the signee every six months detailing the main points of the Agreement to serve as a reminder to those with access to sensitive data of the terms of their Agreement and the importance of continued compliance with IRP Data Security policies.
Email notices will also be sent when policies or agreements are updated, as will reminders of the notification period for public release of research.
Terminating Access to Sensitive Data
An employee given access to restricted data is responsible for notifying the Data Security Officer and Principal Investigator when their work on a project listed in their signed Data Security and Access Checklist is completed.
It is the work on a specific IRP project that authorizes an employee to have access to sensitive data. Any continued access to the data after the work on a project has been completed is prohibited by the terms of the employee’s original Confidentiality Agreement. Use of data for a project not listed may result in termination of data access privileges. Research conducted without authorization cannot be disseminated in any form.
It is recommended that the employee meet with the Data Security Officer to review all of the terms of the employee’s original Confidentiality Agreement, and complete the Leaving IRP and Ending Access to Data Checklist. The Data Security Officer and the employee can confirm that the employee has adhered to IRP’s Data Security policies while authorized to access sensitive data.