IES shall ensure that all individually identifiable information remain confidential, in accordance with the Privacy Act of 1974 and the Education Sciences Reform act of 2002.
Restricted-use data Licenses are used to make sensitive federal information sources available to qualified research organizations. Strict security procedures are required to protect the data on individuals who responded to these surveys; i.e., who provided individually identifiable information.
The licensees are governed by the terms of the License and these security procedures, which are the minimum requirements for protecting the individually identifiable information (referred to as "subject data" in the License) while in the custody of the licensee. The protection requirements for individually identifiable information are based on three statutes.
|Anyone who violates the confidentiality provisions of this Act shall be found guilty of a class E felony and imprisoned up to five years, and/or fined up to $250,000.|
Other statutes may apply under certain circumstances, such as the Computer Fraud and Abuse Act of 1986, which makes it a felony to gain unauthorized access to a computer system containing federal data, or to abuse the access one has, with the purpose of doing malicious destruction or damage.
Individually identifiable information is highly sensitive and requires high levels of confidentiality and integrity protection to prevent unauthorized disclosure or modification. The integrity of information produced from these data relies on the integrity of the source data. Licensees shall ensure that adequate security measures are continuously in place so that the subject data are secure from unauthorized disclosure, use, or modification.
The Summary of Minimum Security Requirements below provides an overview of the protection measures. Note: IES may inspect licensee facilities (see Chapter 4) and the questions that will be asked are based on these minimum security requirements. Appendix K contains a list of the questions.
|Summary of Minimum Security Requirements|
Physical Handling, Storing, & Transporting Data
Licensees (i.e., Principal Project Officers) shall assess the security of the environment in which the data will be accessed, handled, and stored to determine if the minimum security procedures, described herein, are adequate for their environment. Since facilities and computer capabilities vary considerably, there may be onsite conditions that necessitate additional protections. If so, licensees shall increase protections to make their environment secure.
Licensees must meet the spirit and intent of these protection requirements to ensure a secure environment 24 hours a day for the period of the License.
The Senior Official (SO), who signed the License document/contract, has overall responsibility for the security of the subject data.
The Principal Project Officer (PPO):
The SO or PPO shall assign a System Security Officer (SSO) (or assume the duties). The SSO shall be responsible for maintaining the day-to-day security of the licensed data.
The SSO's assigned duties shall include the implementation, maintenance, and periodic update of the security plan to protect the data in strict compliance with statutory and regulatory requirements.
Licensees shall complete the restricted-use data Security Plan Form before permitting any access to the subject data.
The SO, PPO, and SSO shall sign the implemented security plan and provide a copy with the original signatures to IES.
Federal agencies will submit a copy of the Certification and Accreditation (C&A) for their IT systems in lieu of a Security Plan Form. Federal agencies must adhere to the security requirements set forth in the MOU.
Access control is the process of determining WHO will have WHAT type of access to WHICH subject databases.
Licensee shall retain the original version of the subject data and all copies or extracts at a single location (i.e., the licensed site) and shall make no copy or extract of the subject data available to anyone except an authorized License user as necessary for the purpose of the statistical research for which the subject data were made available to the licensee.
Licensee shall not permit removal of any subject data from the licensed site (i.e., limited access space protected under the provisions of this License) without first notifying, and obtaining written approval from the IES Data Security Program. The data cannot be used at home or provided to a sub-contractor for use off-site.
Any researcher who requests access to subject data must sign an Affidavit of Nondisclosure under the procedures in Section IV of the License.
Licensee agrees to notify IES immediately when it receives any legal, investigatory, or other demand for disclosure of subject data, including any request or requirement to provide subject data to any state agency or state contractor under conditions that are inconsistent with any requirement of this License. Time is of the essence in notifying IES of any such request or requirement. Licensee must also immediately inform the requestor or enforcer of the request or requirement that subject data are protected under the law of the United States, as specified in Section 3.1. Licensee authorizes IES to revoke this License and, pending the outcome of the penalty procedures under Section VI of this License, to take possession of or secure the subject data, or take any other action necessary to protect the absolute confidentiality of the subject data.
Licensee shall return the original subject data to the IES Data Security Program by certified mail when the research or the subject of the agreement has been completed or the License terminates, whichever occurs first. All other individually identifiable information (e.g., the one backup copy, working notes) shall be destroyed using approved IES procedures.
Machine-readable media storage devices from IES will be CD-ROMs or DVD-ROMS.
Lock Up Media. Subject data on machine-readable media shall always be secured from unauthorized access (e.g., locked in a secure cabinet within secure project office when not in use, only one backup copy can be made).
Label/Catalog/Track Media. To ensure that License loan period is not exceeded, all portable media from IES has been labeled with the expiration date of the License. If the user changes the media, or develops subsets, new labels with the expiration date must be affixed. Additionally, use a simple, effective cataloging/ tracking system to know who has possession and responsibility for what media at all times. Anyone having access to the data must have an affidavit on file with IES, including computer personnel who load data on the system. Data shall not be in a computer facility library unless all who have access to the library media hold affidavits.
Lock Up Printed Material. Printed material containing individually identifiable information shall always be secured from unauthorized access (e.g., locked in a secure cabinet within the secure project office when not in use).
Edit for Disclosures. Licensee shall ensure that all printouts, tabulations, and reports are edited for any possible disclosures of subject data before such output is seen by non-licensed individuals. In planning and producing analyses and tabulations, the general rule is not to publish a cell in which there are fewer than three (3) respondents or where the cell information could be obtained by subtraction. In addition, care must be taken not to disclose information through subsequent use of the same data with variables from other databases.
Licensees are required to round all unweighted sample size numbers to the nearest ten (nearest 50 for ECLS-B) in all information products (i.e.: proposals, presentations, papers or other documents that are based on or use restricted-use data). Licensees are required to provide a draft copy of each information product that is based on or uses restricted-use data to the IES Data Security Office for a disclosure review. The licensee must not release the information product to any person not authorized to access the subject data until formally notified by IES that no potential disclosures were found.
Only One Backup Copy. The licensee is permitted to make only one backup copy of the entire database at the beginning of the loan period. Protect this backup copy under the same security procedures as the original database.
If the licensee plans to make a backup copy of the restricted-use data, the licensee must state in their security plan: (1) that a backup copy of the entire database will be made, and (2) what security procedures will protect the restricted-use data from disclosure.
Restricted-use data are licensed for one site only (see Section 3.3), and only the following methods shall be used for transporting the data within that site, to a new License site as approved by IES, or to and from IES:
If prospective licensees cannot meet the security requirements, then they will not be granted a License.
A standalone desktop computer is any single-user PC (e.g., running a Windows operating system). Laptop computers are strictly prohibited. See "No Connections to Another Computer" below for further information.
Limit room/area access. The data must always be secured from unauthorized access. Computer rooms/areas that process individually identifiable data must be secure during business hours and locked after close of business. Only users listed on the License may have key access to the secure project office.
|Standalone Computer Security Model|
Minimum Security Requirements -
Passwords. When passwords are used, they shall be unique, 6-8 characters in length, contain at least one non-alphanumeric character (e.g., ?, &, +), and be changed at least every three months. See subparagraphs "Lock Computer and/or Room" and "Automatic 'Shutdown' of Inactive Computer" for other password requirements. (For additional details on passwords, see FIPSPUB 112, Password Usage, Section 4.3, "Password System for High Protection Requirements.")
In the absence of an automated password generator, user-selected passwords should be unique, memorizable, and NOT dictionary words. One good way to select a password is to make up an easy to remember phrase-My Favorite Lake Is Superior-and use the first letter in each word plus a non-alphanumeric character (e.g., ?, +, *) as your password. The result is MFL?IS.
Notification (warning screen). During the log-in or boot-up process, a warning statement should appear on the screen before access is permitted. This statement should stay on the screen for at least ten seconds to ensure that it is readable. The statement should be worded to ensure that the intent of the following is conveyed.
Unauthorized Access to Licensed Individually Identifiable Information is a Violation of Federal Law and Will Result in Prosecution.
If it is not feasible to have this statement appear on the screen of the computer, it should be typed and attached to the monitor in a prominent location. The following is an example of the warning screen:
FEDERAL RESTRICTED-USE DATA
UNAUTHORIZED ACCESS TO LICENSED INDIVIDUALLY IDENTIFIABLE INFORMATION IS A VIOLATION OF FEDERAL LAW AND WILL RESULT IN PROSECUTION.
DO YOU WISH TO CONTINUE? (Y)es ___ or (N)o ___
Read-only Access. User access authorization to the original data shall be read-only. Restricted-use survey databases are not to be modified or changed in any way. Only extrapolations and reading of the original data are permitted.
No Connections to Another Computer. Prior to placing any subject data (individually identifiable information) on a standalone desktop computer, shut down any connections to another computer (e.g., via modem, LAN, cable, wireless). For modems, use one of the following methods to prevent unauthorized dial-in access:
The standalone desktop computer cannot be connected to the LAN while subject data are being used in the system or stored on the hard drive.
Lock Computer and/or Room. When the authorized user is away from the computer, protect the subject data by locking the computer and/or the room. For example, physically lock the computer with its exterior keylock, shut down the computer and enable its power-on password, or lock the room to prevent an unauthorized individual from gaining access to the computer.
Automatic "Shutdown" of Inactive Computer. Some computers can automatically shutdown, logout, or lockup (e.g., password-protected screen-savers) when a period of defined inactivity is detected. If available, this feature may be used in place of or in addition to locking the computer and/or room. When used, the defined period of inactivity shall be three to five minutes.
Do Not Backup Restricted-Use Data. Licensees shall not make routine or system backups (e.g., daily, weekly, incremental, partial, full) of restricted-use data except for the one backup copy of the entire restricted-use database. (Also see Section 3.4.) This restriction does not apply to backing up statistical computer syntax code used to analyze the restricted-use data.
Overwrite Hard Disk Data. Even after files are deleted from computer systems, the information remains in a form that can be recovered by various techniques. Active steps must be taken to prevent this possibility. Overwriting new data in the file storage location makes the previous data unreadable. For example, various utilities such as WIPEINFO (Norton Utilities' Wipe Information) have an option that overwrites the selected files or disk areas with 0s. Overwriting is necessary when a computer containing restricted-use data is no longer used (e.g., reallocated to other projects), the computer needs to be repaired (e.g., hard disk crashes), or when the computer is to be reconnected to a network or LAN.
Note: The "delete" and "erase" commands remove the data's address, but not the data. The data remains on the hard disk until the computer needs the space for new data. When hard disks are reformatted, old data are not overwritten--the disk appears to be empty but the data are usually recoverable.
Each user listed on the License, including the PPO and SSO, is required to complete a short online training course that covers the data security procedures and disclosure prevention measures required under the terms of the License. Users may log into the training through the NCES website, using the following web address:
Compliance with this training requirement is tracked through the online licensing database. Certificates of completion will be produced upon passing the knowledge check at the end of the training program. These certificates should be printed and included in the License file for each user. Each person listed on the License (with the sole exception of the Senior Official) must complete this training once per calendar year.