Skip Navigation
small header image
U.S. Department of Education
Institute of Education Sciences
NCES Kids' Zone
  
Statistical Standards Program
Publications & Products|Staff

Appendix J: Restricted-use Data Security Plan Form


Security Plan Form


Institute of Education Sciences (IES)

Restricted-use Data Security Plan

Name of Institution / Organization:

_____________________________________________________________________

PPO Name: ___________________________

PPO Address:

(no P.O. Box numbers; specify building names and room numbers) (Provide street address, city, state, zip code, department and building name, and office/room number.)

_____________________________________________

_____________________________________________

_____________________________________________

_____________________________________________

PPO Phone Number: ___________________________

Type of Security Plan:

 New Renewal Modification

License Number: ___________________________

Physical Location of Data

Project Office Address:
(no P.O. Box numbers; specify building name, department, and room number)		 (Provide street address, city, state, zip code, department and building name, and office/room number.)

_____________________________________________

_____________________________________________

_____________________________________________

_____________________________________________

Project Office Phone Number: _____________________________

Note: The restricted-use data and computer must be used only at this location. When the data are not being used, the data must be stored under lock and key at this location. Only authorized users of the data, as listed on the License, may have access to this secure project office/room.

Physical Security of Data

Describe Building Security:
(Describe building security arrangements where project office is located)

___________________________________________

___________________________________________

___________________________________________

___________________________________________

Describe Project Office Security:
(Describe the office security arrangements for the room where the computer and data will be located)

___________________________________________

___________________________________________

___________________________________________

___________________________________________

Computer Security Requirements

Description of Computer System:
(Please read the Note below. Computer security must follow the requirements listed below.)

___________________________________________

___________________________________________

___________________________________________

___________________________________________

Computer Operating System: ___________________________

Anti-Virus Software Installed on Computer: ___________________________

Note: The restricted-use data must be copied to and run on a standalone, desktop computer. Use of a laptop computer, external hard drive, or USB memory stick is strictly prohibited. Absolutely no restricted-used data may be copied onto a server or computer that is attached to a modem or network (LAN) connection. Prior to attaching the computer to a modem or LAN connection, the restricted-use data must be purged and overwritten on the computer.

The following physical location and computer security procedures must be implemented when in possession of restricted-use data. By checking the box next to each security procedure, you signify that these procedures will be implemented for the duration of the project and License period:

  • Only authorized users listed on the License will have access to the secure room. Access will be limited to the secure room/project office by locking office when away from the office.
  • Data will only be secured, accessed and used within the secure project room/office (as specified on page 1 of this plan).
  • A password will be required as part of the computer login process.
  • The password for computer access will be unique and contain 6 to 8 characters with at least one non-alphanumeric character.
  • The computer password will change at least every 3 months or when project staff leave.
  • Read-only access will be initiated for the original data.
  • An automatic password protected screensaver will enable after 5 minutes of inactivity.
  • No routine backups of the restricted-use data will be made.
  • Project office room keys will be returned and computer login will be disabled within 24 hours for any user who leaves the project. The PPO will notify IES of staff changes.
  • Restricted-use data will not be placed on a server (network), laptop computer, USB memory stick, or external hard drive.
  • The data will be removed from the project computer and overwritten, whether at the end of the project or when reattaching a modem or LAN connection.
  • Post Warning notification: During the computer log-in process, a warning statement (shown below) will appear on the computer screen before access is granted. If it is not possible to have the warning appear on the screen, it must typed and attached to the computer monitor in a prominent location.

W A R N I N G

U.S. Government Restricted-use Data

Unauthorized Access to Data (Individually identifiable Information) on this Computer is a Violation of Federal Law and Will Result in Prosecution.

Do you wish to continue? (Y)es or (N)o

 

Notice

Proposed Publications Using Restricted-use Data

Licensees are required to round all unweighted sample size numbers to the nearest ten (nearest 50 for ECLS-B) in all information products (i.e.: proposals, presentations, papers or other documents that are based on or use restricted-use data). Licensees are required to provide a draft copy of each information product that is based on or uses restricted-use data to the IES Data Security Office for a disclosure review. The Licensee must not release the information product to any person not authorized to access the data you are using until formally notified by IES that no potential disclosures were found. This review process usually takes 3 to 5 business days.

The PPO shall also forward a final, approved copy of each publication containing information based on restricted-use data to the IES Data Security Office.

 

Signature Page – Management Review and Approval

I have reviewed the requirements of the License agreement and the security procedures in this plan that describe the required protection procedures for securing, accessing and using the restricted-use data.

I hereby certify that the computer system, physical location security procedures, and access procedures meet all of the License requirements and will be implemented for the duration of the project and License period.

 

___________________________________   _______________________
Senior Official Signature   Date
     
___________________________________   _______________________
Senior Official Name (print)   Phone Number
     
     
     
___________________________________   _______________________
Principal Project Officer Signature   Date
     
___________________________________   _______________________
Principal Project Officer Name (print)   Phone Number
     
     
     
___________________________________   _______________________
System Security Officer Signature   Date
     
___________________________________   _______________________
System Security Officer Name (print)   Phone Number
     


Note: The National Center for Education Statistics (NCES) processes licenses and disseminates restricted-use data for all centers in the Institute of Education Sciences (IES) including the National Center for Education Research (NCER), the National Center for Education Statistics (NCES), the National Center for Education Evaluation (NCEE), and the National Center for Special Education Research (NCSER).


Pubs/Products|Surveys/Programs|DataTools|Tables/Figures|FastFacts|School/LibrarySearch|Annuals|What's New|Kids Zone
|Institute of Education Sciences|NCER|NCEE|NCSER
  
1990 K Street, NW
Washington, DC 20006, USA
Phone: (202) 502-7300 (map)
Statistical Standards|FedStats.gov