The Data Analytic Core (DAC) Information Systems (IS) are designed to ensure the protection of confidentiality, integrity, and availability of the Information Resources (IR) it contains. The privacy and security policies are designed to meet compliance with NIST SP800-53, in accordance with requirements under Data Use Agreements with the Centers for Medicare and Medicaid Services.
A privacy incident is any event that has resulted in (or could result in) unauthorized use or disclosure of PHI or PII data.
Purpose
The purpose of the DAC Information System security policies and standards is to preserve the confidentiality, integrity, and availability of DAC information resources from the threat of unauthorized access or damage.
Scope
These policies apply to all DAC Information System users, including those who:
- Access data stored in the DAC Information System;
- Oversee or give direction to a user with access to data stored in the DAC Information System;
- Are listed on a Data Use Agreement as a Principal Investigator, Co-Principal Investigator, and/or Researcher with indicated access to data in the DAC Information System;
- Use any unpublished derivative data, including suppressed and de-identified data, from the DAC Information System.
Note: This policy encompasses all DAC Information Systems and any devices used to access the DAC Information Systems.
Data Classification
DAC Information Resources are classified as Level 3 by the Dartmouth College Data Security Level Definition.
Information Security Principles
- Confidentiality: The DAC Information System ensures that DAC Information Resources are not disclosed to unauthorized subjects.
- Integrity: The DAC Information System ensures that DAC Information Resources retain their accuracy and are only intentionally modified by authorized Users.
- Availability: The DAC Information System ensures that authorized Users may access the DAC Information Resources in a timely and uninterrupted manner.
Roles and Responsibilities
This individual is ultimately responsible for the security maintained across all Dartmouth College Information Systems and Resources.
This is a senior-level governance board that works to ensure Dartmouth departments and IT organizations employ security technology and processes to further Dartmouth’s key strategies and goals.
This individual is responsible for ensuring compliance with security and privacy of DAC Information Resources held in the DAC Information Systems.
System Administrators - These individuals are responsible for the implementation of the DAC Information System Security and Compliance policies, standards, and procedures to the DAC Information Systems (i.e. network, servers, storage, applications).
These individuals are responsible for applying DAC Information System Security and Compliance policies, standards, and procedures to DAC Information Resources and User interface.
Account Managers - Each of these individuals is a designated member of a research project team who serves as the point of contact for research-project-specific communications (i.e. User changes) between the Research Team and DAC, ensures proper use of covered data, and acts as the knowledge hub for their Research Project Team on DAC Information Security and Compliance requirements.
These individuals are responsible for applying DAC Security and Compliance Policies, Standards, and Procedures in any use of DAC Information Resources held in the DAC Information System, including access, transmission, and storage.
All partners, consultants, and vendors are required to abide by Dartmouth College Security Policies. Third-party affiliates that access DAC Information Resources held in the DAC Information System are bound by contract to abide by DAC Information Security Policies, Standards, and Procedures.
Privacy Controls
- Authority and Purpose
- Accountability, Audit, and Risk Management
- Data Quality and Integrity
- Data Minimization and Retention
- Individual Participation and Redress
- Security
- Transparency
- Use Limitation
Security Policies and Standards
All policies are specific to DAC Information Systems and do not represent compliance with these controls for any other Information System at Dartmouth College.
Note: Security Policies and Standards are currently being reviewed and updated.
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Security Assessment and Authorization (CA)
- Configuration Management (CM)
- Contingency Planning (CP)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Physical and Environmental Protection (PE)
- Planning (PL)
- Program Management (PM)
- Personnel Security (PS)
- Risk Assessment (RA)
- System and Services Acquisition (SA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)