Protected Data Service

OSC's Protected Data Service (PDS) is designed to address the most common security control requirements encountered by researchers while also reducing the workload on individual PIs and research teams to satisfy these requirements.

Protected Data at OSC

The OSC cybersecurity program is based upon the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 4 requirements for security, and reflects the additional requirements of established Information Technology (IT) security practices.

OSC currently supports the following protected data types.

Personal Health Information (PHI)
- data covered by Health Insurance Portability and Accountability Act (HIPAA)
Research Health Information (RHI)
Export Control data
- International Traffic in Arms Regulations (ITAR)
- Export Administration Regulations (EAR)
Personally Identifiable Information (PII)
NIH Controlled-Access Data
Proprietary Data

If you need support for a data type that is not listed, please contact OSC Help to discuss.

OSC only provides support for unclassified data processing, regardless of the specific category of that information. No support for data classified at secret or above is provided, and researchers should not, under any circumstance, transfer such data to OSC systems.

Getting started with the Protected Data Service at OSC

OSC's PDS was developed with the intent of meeting the security control requirements of your research agreements and to eliminate the burden placed on PIs who would otherwise be required to maintain their own compliance infrastructure with certification and reporting requirements.

In order to begin a project at OSC with data protection requirements, please follow these steps:

Contact OSC

Send an email to oschelp@osc.edu and describe the project's data requirements.

Consultation

You will hear back from OSC to set up an initial consultation to discuss your project and your data. Based on your project and the data being used, we may request the necessary documentation (data use agreements, BAA, MOU, etc).

Approval

Once OSC receives the necessary documentation, the request to store data on the PDS will be reviewed, and if appropriate, approved.

All PDS projects require multi-factor authentication (MFA). MFA will be set by OSC when the project is created.

Get started

OSC will help set up the project and the storage used to store the projected data. Here is a list of useful links:

Getting started documentation: the guidance on how to start research for all new users
PDS acceptable use and guidance document: Users are expected to comply with the guidelines in this document when working with PDS at OSC
Manage the protected data and its access: the guidance on how to manage the projected data in the location with right permissions, as well as the access to the data
Securely transferring files: the guidance on how to transfer protected data

Manage the protected data and its access

Keep protected data in proper locations

Protected data must be stored in predetermined locations. The only locations at OSC to store protected data are /fs/ess/PDEXXXX and /fs/scratch/PDEXXXX directories.
(Only with prior approval from OSC may a protected data service project not have a project prefix of PDE).

There are other storage locations at OSC, but none of the follwing locations can be used to store protected data because they do not have the proper controls and requirements to safely store it:

/users/<project-code>
/fs/ess/<non-PDS-project>
/fs/scratch/<non-PDS-project>

PDS is the acronym for Protected Data Service.

Project space access controls and permissions should not be altered

The directory permissions where protected data are stored are setup to prevent changing the permissions or access control entries on the top-level directories by regular users. Only members of the project are authorized to access the data; users are not permitted to attempt to share data with unauthroized users.

The protected data environment will be monitored for unauthorized changes to permissions and access control.

Grant and remove user access to protected data

Protected data directoires will be set with permissions to restrict access to only project users. Project users are determined by group membership. For example, project PDE1234 has a protected data location at /fs/ess/PDE1234 and only users in the group PDE1234 may access data in that directory.

Adding a user to a project in OSC client portal adds the group to their user account, likewise removing the user from the project, removes their group. See our page for invite, add, remove users.

A user's first project cannot be the secure data project. If a user's first project was the secure data project, then removing them from the project in client portal will not take away their group for that project.

Keep accounts secure

Do not share accounts/passwords, ever.

A user that logs in with another person's account is able to perform actions on behalf of that person, including unauthorized actions mentioned above.

Securely transferring files to protected data location

Securely transferring files at OSC

Files containing personal health information (PHI) must be encrypted when they are stored (at rest) and when they are transferred between networked systems (in transit).

Transferring files securely to OSC involves understanding which commands/applications to use and which directory to use.

Before transferring files, one should ensure that the proper permissions will be applied once transferred, such as verifying the permissions and acl of the destination directory for a transferred file.

In the notes below, substitute your project code, eg PDE0001 for {secure_dir}

FileZilla

Install filezilla client software and use the filezilla tutorial to transfer files.

Use the client sftp://sftp.osc.edu

Select login type as interactive, as multi-factor authentication will be required to login for protected data projects.

Make sure to use sftp option
It is connected to user's home directory by default.
Need to navigate to /fs/ess/{secure_dir} before starting the file transfer

Globus

Protected Data Service projects must use the OSC high assurance endpoint or transfers may fail. See Globus high assureance page for more information. Also, ensure protected data is being shared in accordance with its requirements.

There is guide for using globus on our globus page.

OnDemand

You can use the OnDemand file explorer for upload and download of protected data as well as the integrated Globus High Assurance application.

This is guide for using OnDemand file transfer.

Command-line transfers

Files and directories can also be transferred manually on the command line.

secure copy (scp)

scp src <username>@sftp.osc.edu:/fs/ess/{secure_dir}

sftp

sftp <username>@sftp.osc.edu ## then run sftp transfer commands (get, put, etc.)

rsync

rsync --progress -r local-dir <username>@sftp.osc.edu:/fs/ess/{secure_dir}