Statistical Standards Program

Chapter 3: Security Procedures

IES shall ensure that all individually identifiable information remain confidential, in accordance with the Privacy Act of 1974 and the Education Sciences Reform act of 2002.

3.1 Introduction

Restricted-use data Licenses are used to make sensitive federal information sources available to qualified research organizations. Strict security procedures are required to protect the data on individuals who responded to these surveys; i.e., who provided individually identifiable information.

The licensees are governed by the terms of the License and these security procedures, which are the minimum requirements for protecting the individually identifiable information (referred to as "subject data" in the License) while in the custody of the licensee. The protection requirements for individually identifiable information are based on three statutes.

Basic Statutes

  • Privacy Act of 1974: Defines, and provides for the security and privacy of, personal data maintained by the federal government.
  • Computer Security Act of 1987: Increases the protection requirements for Privacy Act data and other sensitive federal information; requires a security plan for each computer system that contains sensitive federal information.
  • E-Government Act of 2002, Title V, Subtitle A (Confidential Information Protection): Mandates the protection of individually identifiable information that is collected by any federal agency for statistical purposes. Unauthorized disclosure of these data is a class E felony.

IES Statutes

  • Education Sciences Reform Act of 2002: Mandates the protection of individually identifiable information about students, their families, and schools that is collected and disseminated by IES. Unauthorized disclosure of these data is a class E felony.
Warning: Anyone who violates the confidentiality provisions of this Act shall be found guilty of a class E felony and imprisoned up to five years, and/or fined up to $250,000.

Other Statutes

Other statutes may apply under certain circumstances, such as the Computer Fraud and Abuse Act of 1986, which makes it a felony to gain unauthorized access to a computer system containing federal data, or to abuse the access one has, with the purpose of doing malicious destruction or damage.


3.2 Risk Management

Individually identifiable information is highly sensitive and requires high levels of confidentiality and integrity protection to prevent unauthorized disclosure or modification. The integrity of information produced from these data relies on the integrity of the source data. Licensees shall ensure that adequate security measures are continuously in place so that the subject data are secure from unauthorized disclosure, use, or modification.

The Summary of Minimum Security Requirements below provides an overview of the protection measures. Note: IES may inspect licensee facilities (see Chapter 4) and the questions that will be asked are based on these minimum security requirements. Appendix K contains a list of the questions.

Summary of Minimum Security Requirements

General Security (Section 3.3)

  • Assign security responsibilities
  • Complete the Security Plan Form
  • Restrict key access to the secure project office to License users only
  • Use data at the licensed project office site only
  • Limit data access to users with an affidavit on file with IES
  • Permit read-only access to data
  • Permit users to access only the data listed on their own affidavit
  • Return original data to IES using a tracking number on the shipment

Physical Handling, Storing, & Transporting Data (Section 3.4)

  • Protect machine-readable media/printed material
    • Store securely
    • Label/catalog/track
  • Use data only on a non-networked desktop computer
  • Avoid disclosure from printed material
  • Restrict copying of data
  • Limit backups to one copy of data
  • Limit transporting of data to:
    • Sworn employees
    • Bonded couriers
    • Certified mail

Licensees (i.e., Principal Project Officers) shall assess the security of the environment in which the data will be accessed, handled, and stored to determine if the minimum security procedures, described herein, are adequate for their environment. Since facilities and computer capabilities vary considerably, there may be onsite conditions that necessitate additional protections. If so, licensees shall increase protections to make their environment secure.

Licensees must meet the spirit and intent of these protection requirements to ensure a secure environment 24 hours a day for the period of the License.


3.3 General Security Requirements

Assign Security Responsibilities

The Senior Official (SO), who signed the License document/contract, has overall responsibility for the security of the subject data.

The Principal Project Officer (PPO):

  • is the most senior officer in charge of the day-to-day operations involving the use of subject data, and
  • has full and final responsibility for the security of the subject data, shall oversee the preparation and implementation of the NCES restricted-use data security plan, and shall monitor and update the security requirements, as needed.

The SO or PPO shall assign a System Security Officer (SSO) (or assume the duties). The SSO shall be responsible for maintaining the day-to-day security of the licensed data.

The SSO's assigned duties shall include the implementation, maintenance, and periodic update of the security plan to protect the data in strict compliance with statutory and regulatory requirements.

Complete the Security Plan Form

Licensees shall complete the restricted-use data Security Plan Form before permitting any access to the subject data.

The SO, PPO, and SSO shall sign the implemented security plan and provide a copy with the original signatures to IES.

Federal agencies will submit a copy of the Certification and Accreditation (C&A) for their IT systems in lieu of a Security Plan Form. Federal agencies must adhere to the security requirements set forth in the MOU.

Restrict Access to Data

Access control is the process of determining WHO will have WHAT type of access to WHICH subject databases.

  • WHO? Only professional/technical and support staff (P/TS) who have signed an Affidavit of Nondisclosure (which requires reading and understanding the Security Procedures) and who are listed as users on the License may have access to the data, as stated in Section 2.4.
  • WHAT type of access? User access to the original version of the subject data shall be read-only. Restricted-use survey data are not to be modified or changed in any way. Only extrapolations and reading of the data are permitted.
  • WHICH data? Each individual's Affidavit of Nondisclosure lists the restricted-use data that can be accessed.

Use Data at Licensed Site Only

Licensee shall retain the original version of the subject data and all copies or extracts at a single location (i.e., the licensed site) and shall make no copy or extract of the subject data available to anyone except an authorized License user as necessary for the purpose of the statistical research for which the subject data were made available to the licensee.

Licensee shall not permit removal of any subject data from the licensed site (i.e., limited access space protected under the provisions of this License) without first notifying, and obtaining written approval from the IES Data Security Program. The data cannot be used at home or provided to a sub-contractor for use off-site.

Response to Outside Request for Subject Data

Any researcher who requests access to subject data must sign an Affidavit of Nondisclosure under the procedures in Section IV of the License.

Licensee agrees to notify IES immediately when it receives any legal, investigatory, or other demand for disclosure of subject data, including any request or requirement to provide subject data to any state agency or state contractor under conditions that are inconsistent with any requirement of this License. Time is of the essence in notifying IES of any such request or requirement. Licensee must also immediately inform the requestor or enforcer of the request or requirement that subject data are protected under the law of the United States, as specified in Section 3.1. Licensee authorizes IES to revoke this License and, pending the outcome of the penalty procedures under Section VI of this License, to take possession of or secure the subject data, or take any other action necessary to protect the absolute confidentiality of the subject data.

Return Original Data to IES

Licensee shall return the original subject data to the IES Data Security Program by certified mail when the research or the subject of the agreement has been completed or the License terminates, whichever occurs first. All other individually identifiable information (e.g., the one backup copy, working notes) shall be destroyed using approved IES procedures.


3.4 Physical Handling, Storage, and Transportation


Protect Machine-Readable Media and Printed Material

Machine-readable media storage devices from IES will be CD-ROMs or DVD-ROMs.

Note: Data stored on fixed hard disks are addressed in Section 3.5 in Standalone Desktop Computer Security Model.

Lock Up Media. Subject data on machine-readable media shall always be secured from unauthorized access (e.g., locked in a secure cabinet within the secure project office when not in use; only one backup copy can be made).

Label/Catalog/Track Media. To ensure that the License loan period is not exceeded, all portable media from IES have been labeled with the expiration date of the License. If the user changes the media or develops subsets, new labels with the expiration date must be affixed. Additionally, use a simple, effective cataloging/tracking system to know who has possession of and responsibility for which media at all times. Anyone having access to the data must have an affidavit on file with IES, including computer personnel who load data on the system. Data shall not be kept in a computer facility library unless all who have access to the library media hold affidavits.

Avoid Disclosure from Printed Material

Lock Up Printed Material. Printed material containing individually identifiable information shall always be secured from unauthorized access (e.g., locked in a secure cabinet within the secure project office when not in use).

Edit for Disclosures. Licensee shall ensure that all printouts, tabulations, and reports are edited for any possible disclosures of subject data before such output is seen by non-licensed individuals. In planning and producing analyses and tabulations, the general rule is not to publish a cell in which there are fewer than three (3) respondents or where the cell information could be obtained by subtraction. In addition, care must be taken not to disclose information through subsequent use of the same data with variables from other databases.

Licensees are required to round all unweighted sample size numbers to the nearest ten (nearest 50 for ECLS-B) in all information products (i.e., proposals, presentations, papers, or other documents that are based on or use restricted-use data). Licensees are required to provide a draft copy of each information product that is based on or uses restricted-use data to the IES Data Security Office for a disclosure review. The licensee must not release the information product to any person not authorized to access the subject data until formally notified by IES that no potential disclosures were found.
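The disclosure-edit rules above (no cell with fewer than three respondents, no cell recoverable by subtraction from published totals, unweighted n rounded to the nearest ten or to the nearest 50 for ECLS-B) can be checked mechanically before a tabulation leaves the project office. The following is an added example, not NCES's own tooling; the table, the assumption that row and column totals are published, and the greedy choice of the smallest visible cell for complementary suppression are the example's own.

```python
# Added example: disclosure-edit check for a count tabulation drawn from
# restricted-use data. Not part of the NCES procedures or their software.
from typing import List, Set, Tuple

MIN_CELL = 3  # page rule: do not publish a cell with fewer than three respondents
Cell = Tuple[int, int]


def primary_suppressions(table: List[List[int]]) -> Set[Cell]:
    """Cells that fail the three-respondent rule on their own (zeros included,
    following the page's wording literally)."""
    return {(r, c) for r, row in enumerate(table)
            for c, n in enumerate(row) if n < MIN_CELL}


def complementary_suppressions(table: List[List[int]],
                               suppressed: Set[Cell]) -> Set[Cell]:
    """Extend a suppression pattern so no hidden cell is recoverable by subtraction.

    Assumes row and column totals are published. A line (row or column) with
    exactly one hidden cell leaks it as total minus the visible cells, so the
    smallest visible cell on that line is hidden as well; repeat to a fixpoint.
    """
    hidden = set(suppressed)
    n_rows, n_cols = len(table), len(table[0])
    lines = [[(r, c) for c in range(n_cols)] for r in range(n_rows)] + \
            [[(r, c) for r in range(n_rows)] for c in range(n_cols)]
    changed = True
    while changed:
        changed = False
        for line in lines:
            if sum(cell in hidden for cell in line) != 1:
                continue  # zero hidden cells: nothing to protect; two or more: safe
            visible = [cell for cell in line if cell not in hidden]
            if not visible:
                continue
            hidden.add(min(visible, key=lambda rc: table[rc[0]][rc[1]]))
            changed = True
    return hidden


def round_sample_size(n: int, base: int = 10) -> int:
    """Round an unweighted n to the nearest `base` (10 by default, 50 for ECLS-B);
    exact halves round up."""
    return (n + base // 2) // base * base


def disclosure_edit(table: List[List[int]]):
    """Return (masked table with None in suppressed cells, set of hidden cells)."""
    hidden = complementary_suppressions(table, primary_suppressions(table))
    masked = [[None if (r, c) in hidden else n for c, n in enumerate(row)]
              for r, row in enumerate(table)]
    return masked, hidden


# Constructed sample tabulation (rows: three groups, columns: three outcomes).
SAMPLE = [
    [12, 2, 30],
    [8, 15, 20],
    [5, 9, 11],
]
```

Running `disclosure_edit(SAMPLE)` hides the single small cell and three complementary cells, since hiding only the 2 would let its row total and column total reveal it.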

Only One Backup Copy. The licensee is permitted to make only one backup copy of the entire database at the beginning of the loan period. Protect this backup copy under the same security procedures as the original database.

If the licensee plans to make a backup copy of the restricted-use data, the licensee must state in their security plan: (1) that a backup copy of the entire database will be made, and (2) what security procedures will protect the restricted-use data from disclosure.

Limit Transporting of Data

Restricted-use data are licensed for one site only (see Section 3.3), and only the following methods shall be used for transporting the data within that site, to a new License site as approved by IES, or to and from IES:

  • An individual with a signed Affidavit of Nondisclosure (that is on file at IES);
  • A "bonded courier," who must sign for the sealed package, and who is responsible for the data during transport; or
  • By certified mail (normal for transporting data between the IES and the licensee).


3.5 Computer Security Requirements

If prospective licensees cannot meet the security requirements, then they will not be granted a License.

Standalone Desktop Computer Security Model

A standalone desktop computer is any single-user PC (e.g., running a Windows operating system). Laptop computers are strictly prohibited. See "No Connections to Another Computer" below for further information.

Limit room/area access. The data must always be secured from unauthorized access. Computer rooms/areas that process individually identifiable data must be secure during business hours and locked after close of business. Only users listed on the License may have key access to the secure project office.

Standalone Computer Security Model (figure): implement these security measures on the standalone computer.

Minimum Security Requirements

  • Laptop computers cannot be used
  • Limit access to room/area to License users only
  • Passwords: unique, 6-8 characters with one non-alphanumeric character
  • Change password at least every 3 months
  • Notification (warning statement)
  • Read-only access to original data
  • Shut down any connections to other computers prior to loading data on the system
  • Lock computer and/or room when away from the computer, or enable automatic "shutdown" after 3-5 minutes of inactivity
  • No routine backups of restricted-use data
  • Change staff passwords accordingly when staff changes
  • Remove data by overwriting at the end of the project or prior to the computer needing repair

Passwords. When passwords are used, they shall be unique, 6-8 characters in length, contain at least one non-alphanumeric character (e.g., ?, &, +), and be changed at least every three months. See subparagraphs "Lock Computer and/or Room" and "Automatic 'Shutdown' of Inactive Computer" for other password requirements. (For additional details on passwords, see FIPS PUB 112, Password Usage, Section 4.3, "Password System for High Protection Requirements.")

In the absence of an automated password generator, user-selected passwords should be unique, memorizable, and NOT dictionary words. One good way to select a password is to make up an easy-to-remember phrase, such as "My Favorite Lake Is Superior," and use the first letter of each word plus a non-alphanumeric character (e.g., ?, +, *) as your password. The result is MFL?IS.

Notification (warning screen). During the log-in or boot-up process, a warning statement should appear on the screen before access is permitted. This statement should stay on the screen for at least ten seconds to ensure that it is readable. The statement should be worded to ensure that the intent of the following is conveyed.

Unauthorized Access to Licensed Individually Identifiable Information is a Violation of Federal Law and Will Result in Prosecution.

If it is not feasible to have this statement appear on the screen of the computer, it should be typed and attached to the monitor in a prominent location. The following is an example of the warning screen:

WARNING

FEDERAL RESTRICTED-USE DATA

UNAUTHORIZED ACCESS TO LICENSED INDIVIDUALLY IDENTIFIABLE INFORMATION IS A VIOLATION OF FEDERAL LAW AND WILL RESULT IN PROSECUTION.

DO YOU WISH TO CONTINUE? (Y)es ___ or (N)o ___

Read-only Access. User access authorization to the original data shall be read-only. Restricted-use survey databases are not to be modified or changed in any way. Only extrapolations and reading of the original data are permitted.

No Connections to Another Computer. Prior to placing any subject data (individually identifiable information) on a standalone desktop computer, shut down any connections to another computer (e.g., via modem, LAN, cable, wireless). For modems, use one of the following methods to prevent unauthorized dial-in access:

  • unplug the phone line connected to the modem, or
  • turn off the power to an external modem, or
  • disable the "answer mode" software on the computer.

The standalone desktop computer cannot be connected to the LAN while subject data are being used in the system or stored on the hard drive.

Lock Computer and/or Room. When the authorized user is away from the computer, protect the subject data by locking the computer and/or the room. For example, physically lock the computer with its exterior keylock, shut down the computer and enable its power-on password, or lock the room to prevent an unauthorized individual from gaining access to the computer.

Automatic "Shutdown" of Inactive Computer. Some computers can automatically shut down, log out, or lock (e.g., via password-protected screen savers) when a defined period of inactivity is detected. If available, this feature may be used in place of or in addition to locking the computer and/or room. When used, the defined period of inactivity shall be three to five minutes.

Do Not Back Up Restricted-Use Data. Licensees shall not make routine or system backups (e.g., daily, weekly, incremental, partial, full) of restricted-use data except for the one backup copy of the entire restricted-use database. (Also see Section 3.4.) This restriction does not apply to backing up statistical computer syntax code used to analyze the restricted-use data.

Staff Changes. Change passwords accordingly when staff changes are made. Inform the IES Data Security Office of any staff changes via “Add User” or “Delete User” amendments (see Section 2.6).

Overwrite Hard Disk Data. Even after files are deleted from computer systems, the information remains in a form that can be recovered by various techniques. Active steps must be taken to prevent this possibility. Overwriting new data in the file storage location makes the previous data unreadable. For example, various utilities such as WIPEINFO (Norton Utilities' Wipe Information) have an option that overwrites the selected files or disk areas with 0s. Overwriting is necessary when a computer containing restricted-use data is no longer used (e.g., reallocated to other projects), the computer needs to be repaired (e.g., hard disk crashes), or when the computer is to be reconnected to a network or LAN.

Note: The "delete" and "erase" commands remove the data's address, but not the data. The data remain on the hard disk until the computer needs the space for new data. When hard disks are reformatted, old data are not overwritten: the disk appears to be empty, but the data are usually recoverable.
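The file-level counterpart of the overwrite behaviour described above, as an added example rather than a utility referenced by the page: the file is opened without truncation so its existing blocks are rewritten with zeros, the write is synced to the device, the result is verified, and only then is the directory entry removed. The sample file, and its contents, are constructed for the example.

```python
# Added example: overwrite a file with zeros before deleting it. Not NCES's tool.
# Caveat (defender's note): journaling file systems, SSD wear levelling, and copies
# in swap or temporary files can keep remnants that a file-level overwrite never
# touches, which is why the page requires overwriting the computer's storage
# before repair, reallocation, or reconnection to a network.
import os
import tempfile

CHUNK = 1 << 20  # write zeros one MiB at a time


def overwrite_with_zeros(path: str) -> int:
    """Overwrite every byte of the file at `path` with 0x00; return bytes written.

    O_WRONLY without O_TRUNC keeps the file's current blocks allocated so the
    same locations are rewritten rather than released; fsync pushes the zeros
    past the page cache to the device.
    """
    fd = os.open(path, os.O_WRONLY)
    try:
        size = os.fstat(fd).st_size
        zeros = b"\x00" * CHUNK
        written = 0
        while written < size:
            written += os.write(fd, zeros[: size - written])  # handles short writes
        os.fsync(fd)
    finally:
        os.close(fd)
    return written


def all_zero(path: str) -> bool:
    """Verification step: True if no non-zero byte remains in the file."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk.strip(b"\x00"):
                return False
    return True


def demo() -> tuple:
    """Constructed sample: a throwaway CSV standing in for a restricted-use extract.

    Returns (original size, zeroed before?, bytes written, zeroed after?, still exists?).
    """
    fd, path = tempfile.mkstemp(suffix=".dat")
    with os.fdopen(fd, "wb") as f:
        f.write(b"id,score\n1001,87\n1002,91\n" * 1000)  # 25 bytes x 1000
    size = os.path.getsize(path)
    before = all_zero(path)
    written = overwrite_with_zeros(path)
    after = all_zero(path)
    os.remove(path)  # unlink only after the overwrite has been verified
    return size, before, written, after, os.path.exists(path)
```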


3.6 License User Training

Each user listed on the License, including the PPO and SSO, is required to complete a short online training course that covers the data security procedures and disclosure prevention measures required under the terms of the License. Users may log into the training through the NCES website, using the following web address:

https://nces.ed.gov/statprog/licenseapp/CertificationLogin.asp

Compliance with this training requirement is tracked through the online licensing database. Certificates of completion will be produced upon passing the knowledge check at the end of the training program. These certificates should be printed and included in the License file for each user. Each person listed on the License (with the sole exception of the Senior Official) must complete this training once per calendar year.
