E.8.5 ICGC Security Best Practices for Controlled-Access Data

E.8.5 ICGC Security Best Practices for Controlled-Access Data 

Version 2.0 August 2021 

Download as pdf

1. Introduction

This document is intended for users and officials at academic institutions and scientific  organizations whose investigators have been granted access to the controlled tier of the  International Cancer Genome Consortium (ICGC), comprising both the ICGC-25K project (http://icgc.org) and the ICGC-ARGO project (https://platform.icgc-argo.org). It provides an outline of the  ICGC’s expectations for the management and protection of ICGC controlled access data transferred to and maintained by institutions whether in their own institutional data storage systems or in cloud computing systems. The principles governing access and use of such data are outlined in the ICGC ARGO Data Access and Use Policies and Guidelines web pages. The data handling guidelines described in these policies are intended to ensure that ICGC controlled access genomic and phenotypic data are kept secure and that access is limited to DACO approved researchers. Two distinct audiences are targeted by these guidelines: scientific and administrative professionals including institutional signing officials and investigators that will use the data, and information technology professionals, including Chief Information Officers (CIOs), Information Systems Security Officer (ISSOs) and operations staff working for both central IT organizations and embedded within research groups. Accordingly this document is split into separate sections focused on each group.

2. Information for Scientific and Administrative Staff  

General Consideration 

Under ICGC ARGO policies, the DACO-approved researcher’s institution is ultimately responsible for  maintaining the confidentiality, integrity and availability of the data to which it is entrusted by the ICGC. Failure to provide appropriate controls can subject investigators or institutions to sanctions defined by the DACO as well as erode public confidence in the ability of ICGC and its stakeholders to carry out research using sensitive information. It is therefore essential that all  recipients of controlled access data understand their responsibilities for ensuring appropriate  information security controls and that they work with their IT organizations to effectively  implement those responsibilities. While the ICGC provides this Best Practices document as a general guide to acceptable  security practices, this document is not a substitute for a formal security plan that is devised for  the specific local or cloud configuration chosen by the investigators and institution. The ICGC  strongly recommends that investigators consult with institutional IT leaders, including the Chief  Information Officer (CIO) and the institutional Information Systems Security Officer (ISSO) or  equivalents to develop the formal information security plan prior to receipt of controlled access  data from the ICGC; institutional signing officials should validate that an appropriate security plan is in place prior to accepting liability for data loss or breach on behalf of the institution.

This document provides an overview of security principles for data, access, and physical  security to ensure confidentiality, privacy, and accessibility of data. This is a minimum set of  recommendations; additional restrictions may be needed by your institution and should be guided by the knowledge of the user community at your institution as well as your institution’s IT requirements and policies. The single most important element (regardless of type of infrastructure) for maintaining the security of ICGC controlled access data is to design security into the chosen environment before the data is transferred rather than attempting to add security controls to an environment after the data has been transferred (protection by design). Security controls should be on by default; investigators and users should not have to perform any active action to turn them on.  To use an analogy, doors should be locked by default rather than need to be actively locked by someone. A corollary is that all users and support staff associated with the project need to have an information security mindset going into the project, and all must be aware that public support  for the collection and dissemination of these types of data are their individual responsibilities,  and it is essential that all staff members that will interact with the data or the systems that  maintain the data have appropriate information security training. This is particularly true for  groups that wish to use cloud computing, and in these cases, the ICGC recommends additional  training to inform staff of the special risks that the use of such infrastructure entails.  

Part of having an information security mindset is being aware of the multiple dimensions of  access control and accountability at all times. This means ensuring that passwords and/or  access devices (smart cards, soft or physical tokens, etc.) are physically safe, strong and not shared with anyone and that data are both physically and logically (i.e., electronically) secure.  Particular care must be taken with copies of data on portable electronic media and devices (i.e., laptops, tablets, USB thumb drives, tapes, etc.). Generally speaking, users should avoid putting  controlled access data on such devices wherever possible. If it is necessary, such devices must  be encrypted and should be treated as if they are cash, with appropriate physical and electronic  controls, including remote wipe capability wherever possible. In addition, please remember that  collaborators at different institutions must file a separate data access request even if they are  working on the same project.  

Finally, remember that data downloaded from ICGC-designated data repositories must be destroyed when they are no longer needed or used, or if the project data access period has expired or been terminated.  Investigators may retain only encrypted copies of the minimum data necessary at their  institution to comply with institutional scientific data retention policy and any data stored on temporary backup media as are required to maintain the integrity of the general institutional data  protection (i.e., backup) program.  

3. Additional Information Related to the Use of Cloud Computing  

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to  a shared pool of configurable computing resources (e.g., networks, servers, storage,  applications and services) that can be rapidly provisioned and released with minimal  management effort or cloud service provider interaction. In contrast to traditional computing on  local servers and hardware, cloud computing often entails the transfer and storage of controlled access data on systems managed by a third party. Cloud computing offers a number of  advantages for authorized investigators but also requires additional  security considerations.  

Most of the recommendations described above apply to cloud computing; indeed, the primary difference is that while information security in cloud environments is still the responsibility of the institution, the implementation of that security is shared between the institution and the cloud  service provider. Thus, it is essential that institutions validate that they are partnering with a reputable cloud service provider. Institutions should ensure that they understand the security policies and practices utilized and recommended by their cloud service provider of choice, and may wish to obtain third party reviews or audits from the cloud service provider. Institutions should utilize these best practices, work with their cloud service provider to understand and implement the best practices associated with their specific environment and ensure that the cloud service provider can meet institutional information security requirements. Because misconfiguration of cloud resource access policies can potentially result in broad compromise of controlled-tier data, the ICGC strongly recommends that you consult with your institutional CIO,  ISSO and IT staff to ensure that an appropriate security plan is developed and that necessary  technical, training and policy controls are in place before data is migrated to cloud  environments. You and your institution are accountable for ensuring the security of  this data, not the cloud service provider. 

4. Information for IT Professionals  

Local Infrastructure Guidance  

General Information Security Guidelines  

• When using local infrastructure, make sure these files are never exposed to the Internet  with the exception of such connections as are required to download data from source  repositories. Infrastructure should be behind local and/or institutional firewalls that block access from outside of the institution. For cloud infrastructure, investigators must restrict  external access to instances and storage under the investigator’s control (see section on  cloud computing for more details);  
• Data must never be posted on servers in any fashion that will make them publicly accessible, such as an investigator’s (or institution’s) website, because the files can be  “discovered” by Internet search engines, e.g., Google, Bing etc; 
• Institutions must not set up web or other electronic services that host data publicly, or that provide access to other individuals that are not listed on the Data Use Request even if those individuals have access to the same ICGC data. 
• Utilize strong authentication technology for access control. Two factor authentication technologies (smart cards, hard or soft token, etc.) are preferred. When using single  factor passwords, set policies that mandate strong passwords. For example:  

○ Minimum length of 12 characters; 

○ Does not contain user names, real names or company names; 

○ Does not contain a complete dictionary word; 

○ Contains characters from each of the following groups: lowercase letters,  uppercase letters, numerals, and special characters; 

○ Passwords should expire every 120 days or at the rate required by institutional  policies, whichever is more frequent.  

• Avoid allowing users to place controlled access data on mobile devices (e.g., laptops,  smartphones, tablets, MP3 players) or removable media such as USB thumb drives  (except where such media are used as backups and follow appropriate physical security  controls). If data must be placed on mobile devices, it must be encrypted;  
• Keep all software patches up to date. 

Physical Security Guidelines  

• Data that are in hard copy or reside on portable media, e.g., on a USB stick, CD, flash  drive or laptop should be treated as though it were cash, with appropriate controls in  place. Such media must be encrypted and stored in a secured in a locked facility with  access granted to the minimum number of individuals required to efficiently carry out  research;  
• Restrict physical access to all servers, network hardware, storage arrays, firewalls and  backup media only to those that are required for efficient operations; 
• Log access to secure facilities, ideally with electronic authentication.  

Controls for Servers

• Keep servers from being accessible directly from the Internet, (i.e., must be behind a  firewall or not connected to a larger network) and disable unnecessary services. It is  better to begin with a server image that disables all non-essential services and restore  those that are needed than to start with a full-featured image and disable unnecessary  services;  
• Enforce principle of Least Privilege to ensure that individuals and/or processes grant only the rights and permissions to perform their assigned tasks and functions, but no more;  
• Secure controlled-access genomic and phenotypic data on the systems from other users (restrict directory permissions to only the owner and group) and if exported via file sharing, ensure limited access to remote systems; 
• If accessing systems remotely, use encrypted data access (such as Secure Shell (SSH)  or Virtual Private Network (VPN)). It is preferred to use a tool such as Remote Desktop  (RDP), X-windows or Virtual Network Computing (VNC) that does not permit copying of  data and provides “View only” support;  
• If data are used on multiple systems (such as a compute cluster), ensure that data  access policies are retained throughout the processing of the data on all the other  systems. If data are cached on local systems, directory protection must be kept, and  data must be removed when processing is complete. Requesting investigators must  meet the spirit and intent of these protection requirements to ensure a secure  environment 24 hours a day for the period of the agreement.  

Source Data and Control of Copies of Data  

Approved users must retain the original version of the encrypted data, track all copies or extracts and ensure that the information is not divulged to anyone except authorized staff members at the institution. ICGC therefore recommends ensuring careful control of physical copies of data and providing appropriate logging on machines where such data are resident.  Restrict and monitor outbound access from devices that host controlled access data.  

Destruction of Data  

• Data downloaded from ICGC-designated data repositories must be destroyed when they  are no longer needed or used, and in any event after DACO approval for the project  expires. Delete all data for the project from storage, virtual and physical machines,  databases, and random access archives (i.e., archival technology that allows for deletion  of specified records within the context of media containing multiple records);  
• Investigators and Institutions may retain only encrypted copies of the minimum data  necessary at their institution to comply with institutional scientific data retention policy and any data stored on temporary backup media as are required to maintain the integrity of the institution’s data protection program. Ideally, the data will exist on backup media  that is not used by other projects and can therefore be destroyed or erased without impacting other users/tenants. If retaining the data on separate backup media is not possible, as will be the case with many users, the media may be retained for the  standard media retention period but may not be recovered for any purpose without a  new DACO Access request approved by the DACO office. Retained data should be  deleted at the appropriate time, according to institutional policies;  
• Shred hard copies and other non-reusable physical media;  
• Delete electronic files securely. For personal computers, the minimum would involve deleting files and emptying the recycle bin or equivalent with equivalent procedures for  servers. Optimally, use a secure method that performs a delete and overwrite of the  physical media that was used to store the files. Ensure that backups are reused (data  deleted) and any archive copies are also destroyed. Destroy media according to  suggested NIST Guidelines for Information Media Sanitization (http://csrc.nist.gov/publications/PubsSPs.html). 

5. Additional Guidance for Cloud Computing  

Due to the inherent Internet-connected nature of cloud computing as well as the potential issues  introduced by multi-tenant computing, institutions that wish to use cloud computing must work with their cloud service provider to devise an appropriate security plan that meets the additional Best Practices described below: 

General Cloud Computing Guidelines  

• Whenever possible, use end-to-end encryption for network traffic. For example, use the  Secure Shell (SSH) protocol to encrypt traffic between you and your instance. Ensure  that your service uses only valid and up-to-date keys and/or certificates;  
• Encrypt data at rest with a user's own keys, with a one-time autogenerated key (e.g., for  block-level encryption of temporary volumes), or with keys generated by a cloud  vendor’s key management service;  
• Use security groups and firewalls to control inbound traffic access to your instance.  Ensure that your security profile is configured to allow access only to the minimum set of  ports required to provide necessary functionality for your services and limit access to  specific networks or hosts. In addition, allow administrative access only to the minimum  set of ports and source IP address ranges necessary;  
• Be aware of the top 10 vulnerabilities for web applications and build your applications  accordingly. To learn more, visit Open Web Application Security Project (OWASP) - Top  10 Web Application Security Risks. When new Internet vulnerabilities are discovered, promptly update any web applications included in your Virtual Machine (VM) images; 
• Review the Access Control Lists (ACLs), permissions, and security perimeter to ensure  consistent definition.  

Audit and Accountability

• Ensure that data is accessible only to those approved for access, and controls for  changing that access are retained by the investigator who submitted the DAR and the  appropriate IT staff. A mechanism for monitoring and notification needs to be in place to  monitor changes in permission changes;  
• Ensure that account access is logged along with access controls and file access and this  information is reviewed by the investigator on a regular basis to ensure continued secure  access.  

Image Specific Security  

• Ensure images do not contain any known vulnerabilities, malware, or viruses. A number  of tools are available for scanning the software, such as Chkrootkit, rkhunter, OpenVAS  and Nessus;  
• Ensure that Linux-based Images lock/disable root login and allow only sudo access.  Additionally, root password must not be null or blank;  
• Ensure that images allow end-users with OS-level administration capabilities to allow for  compliance requirements, vulnerability updates, and log file access. For Linux-based  Images, this is normally through SSH, and for Windows-based virtual machine images,  this is normally through RDP. 

Best Practices for Specific Cloud Service Providers:  

Examples of cloud service provider best practices are provided in the links below, links to the  best practices of additional cloud service providers will be periodically appended to this  document when they become available. Please be aware that these are provided for  convenience only, and do not imply endorsement by the ICGC for any of these services. The  ICGC recommends that investigators consult with their cloud service provider to ensure that  they are using the most up-to-date best practice documents.  

Amazon Web Services:  

• http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html  
• http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-best-practices.html  
• http://aws.amazon.com/documentation/ec2/  

Google Cloud Platforms:  

• https://cloud.google.com/developers/articles/best-practices-for-configuring permissionson-gcp  

Others Sources of Information for Cloud Best Practices:  

Examples of cloud best practices from organizations that leverage the cloud are provided in the  link below. Links to additional documentation will be periodically appended to this document  when they become available. Please be aware that these are provided for convenience only,  and do not imply endorsement by the ICGC for any of these services. The ICGC recommends  that investigators consult with these organizations to ensure that they are using the most up-to date best practice documents.  

• DNAnexus: https://dnanexus.com/papers/Compliance_White_Paper.pdf  
• Seven Bridges: https://www.sbgenomics.com/media/uploads/seven_bridges_compliance_white_paper.pdf

6. Information Technology (IT) Security Assessment and Access Checklist

As part of the ICGC ARGO Data Access Agreement you are expected to observe basic information security practices as described therein. At a minimum, You MUST agree to the following:

• Physical security– ICGC Controlled Data will be maintained in secure physical environments on physically and secure computer systems, such as in a locked office. ICGC Controlled data must be encrypted when:
  • Stored on a laptop
  • Stored on a memory stick or portable hard drive
  • Stored or exchanged on other portable media such as CDs, DVDs
  • Exchanged with external organizations or individuals

Controlled data should not be stored or accessed on mobile phones or tablets unless  appropriate security measures are in place.

• Access security – Only individuals who are listed on an Approved and active DACO Application will have access to ICGC Controlled Data. If copies of the ICGC Controlled Data are stored locally on a shared computer system or a file server, then they must be strong password and/or encryption protected so that only the individual’s named in the application have access to it. If the computer that holds ICGC Controlled Data is backed up, the backup media must be encrypted and/or stored in a physically secure location.
• Network security – If ICGC Controlled Data are stored on a network-accessible computer, there must be controls in place to prevent access by computer “hackers”, or contamination by viruses, malware and spyware. Network security is usually implemented by Your institution's IT department and will consist of some combination of network firewalls, network intrusion monitoring, and virus scanning software.
• End of project – After finishing the Research Project for which you are requesting access or if Your access approval is terminated, You must securely destroy all local copies of the ICGC Controlled Data, including any backup copies. However, if necessary, you may still keep the ICGC Controlled Data for archival purposes in conformity with national audits or other legal requirements.
• Training – Everyone who will access and/or use ICGC Controlled Data must be trained in confidential data handling the responsible use of personal health information, familiarized with the terms and conditions of the Data Access Agreement, and briefed on Your security plans. Training should include GDPR and Cyber Awareness Training and all Users must take steps against unauthorized data disclosure in accordance with The University of Glasgow confidential data handling guidance.   
• Compute Cloud Use  – You may place copies of ICGC Controlled Data on a private or commercial compute cloud for analytical purposes. If You do so, You acknowledge that You maintain responsibility for the data and You agree that: You must take care to apply strong encryption to the data while in motion and at rest; restrict access to stored copies of the data to Yourself, authorized personnel, students and authorized collaborators; use firewall rules to restrict ingress and egress from virtual machines to trusted network address(es) keep virtual machines that host controlled data up to date with security patches; and destroy all copies of the data, including snapshots and backups, at the end of the Research Project or if Your application is not renewed; and ensure there is an agreement in place with Your cloud provider that ensures You can meet these requirements. Any use of a private or commercial cloud is between You and the cloud provider. To the extent permitted by law ICGC accepts no responsibility for any interaction between You and the cloud provider and is released from any liability arising out of or in any way connected with such interaction.

Access to ICGC Controlled Data is a procedure that entails legal and ethical obligations. You and Your institution must have a modern, up to date, information technology (IT) policies in place that must minimally include the following items:

• Logging and auditing of access to data and to computer network
• Password protection to computer network
• Virus and malware protection to computers on computer network
• Auditable data destruction procedure, when necessary
• Secure data backup procedure, when necessary
• Strong encryption on any portable device which may store or provide access to ICGC controlled access data
• Privacy breach notification

References 

¹ Portions of this document have been adapted from the NIH’s “NIH Security Best Practices for Controlled Access Data Subject to the NIH Genomic Data Sharing (GDS) Policy”; 

http://www.ncbi.nlm.nih.gov/projects/gap/pdf/dbgap_2b_security_procedures.pdf