Information Security and Research Data
王大為, 中研院資訊所 (Institute of Information Science, Academia Sinica)

Important messages
• Information security is worth the effort in the long run
• Data classification is important
• "Sensitive" data should be handled with caution
• It is a process, from data creation to deletion
• Trust is the key word
• Use your common sense to deal with information security problems

• Why do you need information security
• What are the valuables
• How to do it

Daily security decisions
• Don't talk to strangers
• Don't walk alone in a dark alley
• Don't hand your ATM card to anyone
• Do lock your door
• Put valuables in a safe deposit box
• Buy insurance
• Don't put all your eggs in one basket

Why and what
• Information security goals: to maintain data
  – Availability
  – Integrity
  – Confidentiality
• What are the valuable information assets?
• What are the threats?
• How much will security incidents cost you?
• What are the odds that an incident occurs?

• High cost, very low probability: insurance
  – Earthquake insurance
• High cost, high probability: do something to reduce the cost and/or the probability
• Low cost, high probability: do a cost-benefit analysis
• Low cost, low probability: what's the problem?

How
• How do you secure your home or office?
• How do you construct a building?
• How do you know your lift is safe?
• How do you fight against bacteria/viruses?
• …
• Work with the experts

Technical jargon
• If there is no common-sense explanation, then either the person does not know it well enough or the technology is not mature.
• Get second opinions

Important clichés
• Information security is a process, not a product
• 70% of incidents are caused by insiders, if not 80%
• You won't get a medal for a good security job, and you don't want to be famous
• Security is about balance, not optimization
  – Cost vs. benefit, risk vs. convenience …

Research data
• What are the valuable information assets?
• What are the threats?
  – Data lost, deleted by accident, or leaked
• How much will security incidents cost you?
  – 3 months? A Ph.D.? Trust?
• What are the odds that an incident occurs?
  – Depends on how you deal with it

Availability, confidentiality
• Hard disk crashed!
  – Solution: make a lot of copies.
• New problem: confidentiality?
• Confidentiality of what?
  – Personally identifiable information
• De-identification (explained in the afternoon)
• Store PID information in a secure place
  – Locked
  – Encrypted
  – No internet connection
  – Restricted access
  – …
• De-identified data
  – Document how it is de-identified and make the document available

Why make documents public?
• It is about trust
• Why do people give their time, tissue and information for research?
  – For the public good?
  – For the money?
  – Social norm theory
  – Trust is the key
• Without trust!?!

The destruction of data
• Why keep it if it is no longer needed?
• Especially when there is a risk in keeping it
• You made a promise in the informed consent form to destroy the data
• Document the process
• Document the destruction details

People
• Not many evil people, but careless people everywhere!
• A designated data custodian for PID
  – Make it a profession with authority
  – Institutions should consider creating such a position
• Educate data users
• Password rules

Conclusion
• Research is propelled by the general public devoting their time, information, tissues …
• Trust is abstract yet valuable
• You make promises in the informed consent form
• People, process, technology
• Use your common sense and work with professionals