UFIT Research Computing, as the operator of the HiPerGator services, is responsible for the vast majority of the security and compliance controls. However, compliance and security are a shared responsibility, and some responsibilities, with accountability, fall on the Principal Investigator (PI) or the designated data manager of the approved project involving restricted data, and on the authorized members of the project team.
The users and their project supervisors/mentors are responsible for ensuring that the endpoints used to access HiPerGator follow UF standards:
- All persistent storage within mobile computing devices will be encrypted (https://policy.ufl.edu/policy/mobile-computing-and-storage-devices-policy/)
- Screen lock after 15 minutes of inactivity
- Use devices in locations where shoulder surfing is not possible
- If transferring files via Globus, it is the responsibility of the user/project manager to enforce the use of encrypted communication options available in Globus for the incoming or outgoing data transfers.
The PI is responsible for providing instructions to authorized users when they telework from approved locations to ensure that these procedures are followed. Users will also be instructed to not access the HiPerGator system and their restricted data projects from their endpoints while in public locations like airports, libraries, and other public venues such as coffee shops.
Each approved restricted data project will designate a data manager, whose responsibilities are listed below:
- Record and maintain the Rules of Behavior form (paper or electronic) signed by each user after training. Provide a copy of this list as a report to UFIT Research Computing quarterly.
- The list of authorized participants is maintained in the IRB record for projects involving PHI research, the UFHealth risk assessment record for projects involving operational work with PHI, the technology control plan (TCP) for ITAR/EAR project work, and the UFIT risk assessment system for FERPA projects. This requirement can be satisfied by pulling that information from the IRB, TCP, or relevant risk assessment database.
- Keep a record of when users complete training and ensure that training is renewed annually. Provide a report of this list to UFIT Research Computing quarterly. Training examples include:
  - HIPAA training (PHI)
  - FERPA training (FERPA)
  - Export control training (Export controlled data)
  - Protecting UF: Information Security Training
- Verify and review authorized accounts regularly, at least once per month, and notify UFIT Research Computing staff immediately when users leave the project or change roles in the project (e.g. when they take on a new job in the university or leave the university) so that access to the restricted data project can be removed.
- If the restricted data project involves transaction-based systems, the project manager and team are responsible for ensuring transactions can be recovered in the case of failures. This can be implemented in collaboration with UFIT Research Computing staff.