Coping with research data access and security challenges

Universities and colleges harbour a great deal of sensitive data which should be protected. But they are also encouraged to be open and make maximum use of the data they hold through personalisation and open access to research data. Here, UCISA’s Executive Director Peter Tinson looks at the issues for institutions in balancing the need to be open and yet secure.

 

 

 

BALANCING AGILITY, OPENNESS AND SECURITY

The challenges of providing effective services for the research community while supporting open access are many and varied. Researchers need access to both short-term storage and computational resources but the requirements of research funders are moving toward long-term preservation and archiving.
There is resistance to openness – researchers see the data as ‘theirs’ and there is a reluctance to place data in institutional repositories until all the research opportunities have been realised and the results published. Open access to research data requires that data to be tagged with appropriate metadata in order to be discoverable. However, few researchers possess the skills to tag their data and there are few incentives for them to do so.
The demand is for easy-to-access services provided free of charge at the point of use. While a number of institutions are starting to provide high volumes of storage for their researchers, there are few, if any, effective costing models for long-term storage and preservation. The absence of a cost-effective model provides the opportunity for a shared service; it is hoped that Jisc’s embryonic Research Data Shared Service will provide an effective solution for the sector.
Where there are no centrally provided services, or where researchers find those services too difficult or too costly to use, researchers have sought alternative solutions. These have included free or low-cost cloud services to store and share data, cloud services for computational resource, and the use of ‘personal’ devices such as removable hard disks or memory sticks. Information security rarely features in decisions to use easily accessible cloud services – this is due in part to the ease with which such services can be purchased but is also indicative of a lack of awareness amongst researchers. This challenge has been recognised by many institutional IT services, which are now providing supported access to cloud storage solutions and computation.
Data management is relatively immature within institutions. There is growing recognition that the data and information that an institution holds are assets and that poor management of those assets represents an institutional risk. However, a one-size-fits-all approach is not appropriate – information and data need to be classified to determine the level of security that needs to be applied to them. The HESA Data Futures project, and HEDIIP before it, has surfaced the lack of maturity in this area. Although there has been some improvement, we are still some way from data management being an established discipline.
Effective support of research and research data management requires a cross-institutional approach, yet this is not readily understood by senior university management. This is all the more frustrating given that a briefing paper jointly produced by UCISA, SCONUL, RLUK, RUGIT, ARMA and Jisc highlighted the need for an institutional approach over three years ago.
A lack of understanding is sometimes reflected in diktats being issued and a resultant poor take-up of services. Meeting the demands of both researchers and research funders requires resourcing, both in terms of staffing and services, and an understanding of how cloud services can be used effectively to meet the storage and computational demands securely. The planning process needs to be responsive to long-term trends but also to changes in policy, legislation and technological developments that may require a quicker response.
The threat of cyber attack is a major concern; there is growing evidence that state-sponsored attacks primarily aimed at accessing research outputs and institutions’ intellectual property are on the rise. Yet the threat often comes from within as a result of a lack of awareness and poorly maintained systems within the institutional perimeter.
It is important that all staff in the institution realise and accept that information security is their responsibility. The institution’s management needs to recognise that information security is an institutional issue and requires a coordinated and risk-based approach. Where there are policies established to mandate information security awareness training for all staff, it may be necessary for senior institutional management to oversee the enforcement of that mandate, although such enforcement may be detrimental to building understanding and acceptance of individual responsibility.
In conclusion, managing the conundrum of being open in a secure environment requires effective governance, and a central coordinated approach that supports both research and information security. There is likely to be no one solution applicable to every research discipline but shared services such as Jisc’s RDSS should have a strong role to play.

Strategic questions to consider:

  • How mature is your institution’s information management capability? Does your institution have a business classification scheme? Are records management processes embedded in normal operations?

  • How influential is your internal audit function in determining or supporting information security policy and implementation?

  • What mechanisms do you have to learn from information security incidents, whether internal to your organisation or external?

  • Do you have an institutional approach to research data management?

 


 

The views expressed on UCISA blogs are the authors’ and do not necessarily reflect those of UCISA
