Skip to main content

Computing & Data Services

Offering a full continuum of computing and data-related services to assist the social science research and education community with focused and multidisciplinary research and learning endeavors.

“CCSS aims to provide Cornell researchers with the most comprehensive and advanced research support in the social sciences. Let us know what else we can do to support your research needs.” – Peter K. Enns, Robert S. Harrison Director

What We Offer

CCSS provides services supporting computing, secure data, research methods, and more through consultations, workshops, training, and the CCSS HelpDesk. Mouse over the options below and click on any to learn more!

CCSS Policies

All CCSS researchers are held to a strict standard of compliance based on CCSS and Cornell University policies. Please read the associated documents to ensure that you comply.  If you have any questions regarding these policies, please contact us.

Universal Policies

POLICY STATEMENT

The CCSS Research Support Resources Terms of Use policy outlines the expectations for the use of CCSS resources, including but not limited to CCSS Research Support computing resources (servers, software applications, file storage, secure access rooms, etc.), computing accounts (Research, Class and all levels of restricted access accounts), and the CISER Data & Reproduction Archive.

The appropriate use and protection of all systems and associated resources is expected from all clients including faculty, students, employees, and visitors throughout the institution. In addition, each CCSS Research Support service has distinctive policies specific to usage obligations.

A majority of the CCSS Research Support services do not require any form of registration, allowing you to visit our web site and Data Archive without telling us who you are. However, some services may require you to provide us with Personal Data. In these situations, if you choose to withhold any Personal Data requested by us, it may not be possible for you to gain access to certain services and for us to respond to your query. 

Computing Resources and Computing Accounts:

CCSS Research Support computing resources (servers, software applications, file storage, etc.) and computing accounts (Research, Class and all levels of restricted access accounts), are provided for research and academic needs only. Research and academic usage includes use associated with Cornell-approved research, class work for which a student is currently enrolled, and staff work associated with supporting the mission of Cornell University. These resources may not be used for any personal purposes, including but not limited to storage or backup of personal files (e.g. audio, images, photos, video files, etc.), personal email, use of social media, private consulting or business -related activities, watching streaming video or other personal activities.

Computing Resources-Related Terms:

  1. The statistical software installed on the CCSS Research Support servers may not be used for private consulting or for non-academic research. Users may not distribute licensed software from our environment to themselves or to any other persons.

  2. CCSS Research Support servers are a limited, shared resource available to multiple clients at any time. Each client is expected to maintain an acceptable level of performance and must assure that excessive or inappropriate use of the resources does not degrade performance for others.

  3. CCSS provides multiple levels of secure computing environments. It is the client’s responsibility to select the appropriate level of technical security required to be in compliance with the terms and conditions, as well as laws and regulations, for the type of data to be used.

Computing Accounts-Related Terms:

  1. CCSS Research Support computing accounts and passwords may not be shared with any other person. Sharing passwords and/or account information violates these Terms of Use, as well as Cornell’s Authentication to Information Technology Resources Policy 5.8.

  2. It is the responsibility of every CCSS Research Support computing account holder to keep CCSS apprised of any changes to the information provided in your account application, including change in affiliated faculty member/supervisor, academic status, and your contact information.

  3. CCSS collects personally identifiable information about you, such as your full name, phone number and email address when you register for an account. Personal Data is securely stored for the purposes of providing support services, analyzing computing usage statistics and maintenance communications.

  4. CCSS clientele are responsible for complying with all applicable federal, state and local laws and must abide by Cornell University policies. Any misuse of computing resources, proprietary software, or data violates Cornell's Campus Code of Conduct and the Authentication to Information Technology Resources Policy 5.8.

  5. CCSS reserves the right to disable a computing account immediately upon identification of possible misuse of any CCSS services, or non-compliance with CCSS or Cornell University policies. Account termination will occur if misuse is confirmed through appropriate channels, and no reinstatement will be allowed.

  6. If requested within 60-days after account expiration, files left on the CCSS file storage may be made available to the affiliated faculty/staff advisor, or account holder, based on compliance with these Terms of Use. On day 61, the account will be closed, and all data files will be deleted. CCSS will not maintain a backup of any user data.

  7. By applying for an account and using CCSS Research Support computing resources, you agree to the CCSS Research Support Resources Terms of Use as set out above.

CISER Data Archive:

  1. Users are required to adhere to the CCSS Data & Reproduction Archive Acceptable Use Policy (review in tab below)  and any and all licensing requirements as stipulated by the providers of datasets held in the archive.

  2. CISER Data & Reproduction Archive non-public use files which require Cornell University authentication may not be distributed to anyone other than current faculty, staff, and students, or used for private consulting or for non-academic research.

As determined by university administration, any employee found to have violated this CCSS Research Support Resources Terms of Use Policy may be subject to disciplinary action, up to and including termination of employment.

Contact

If you have questions about specific issues regarding this CCSS Resources Terms of Use Policy, contact CCSS by email at socialsciences@cornell.edu or by telephone (607)255-1986.

Cornell Center for Social Sciences (CCSS) is committed to protecting your privacy.

The following privacy notice describes what information we collect from you when you visit our website and affiliated web applications and how we use this information. Please read this privacy notice carefully so that you understand our privacy practices.

Effective Date of Privacy Notice

The privacy notice was introduced on November 27, 2018.

What information we gather during your visit

Information we gather:

We automatically collect certain information from you when you visit our websites. This data is used in conjunction with Google Analytics to gather metrics on site usage including geographic location of visitors, pathways navigated through the website, and which portion of our audience is internal to the Cornell network. The information we collect is not linked to anything that identifies you as an individual. Your session will be tracked but you will remain anonymous as a user. As part of Google Analytics, we also gather device and browser-related information.

Information you may provide:

As part of accessing our services, we collect information as described in this notice or other specific university privacy notices. In order to take advantage of our services, certain tools, such as CCSS Research Support computing account request form, and CCSS Research Support computing account password reset tool may request additional contact information and/or online identifiers (ex. name, email, Cornell netid, telephone number, affiliated faculty member, course number.)

How we use your information

We use gathered information to track user trends and site usage with the goal of improving our visitors’ experience and optimizing our websites. We also use the information to administer this website and prevent abuse.

Special cases - computing accounts:

If you use the CCSS Research Support computing account request form, the information that is gathered will be used to send you email regarding CCSS Research Support systems, notifying your faculty member of your account request, and notifying your college of your CCSS Research Support systems usage.

If you use the CCSS Research Support computing account password reset tool, the information that is gathered will be used to send you email providing you with a verification code. The email correlates to the one sent when submitting your computing account request form.

With whom we share your information

Information we gather may be shared with campus constituents to improve programs, outreach, and other campus initiative. However, we will not sell this data to third-parties for their use in direct marketing, advertising, or for the promotion of their products and services.

Partnerships Purpose Additional Safeguards
Google Software that provides
us information about your visits to our sites.
https://policies.google.com/?hl=en
Member of the EU/U.S. PrivacyShield
Pantheon Hosting platform for
https://socialsciences.cornell.edu/
https://pantheon.io/privacy
Agiloft SaaS to manage data contracts https://www.agiloft.com/privacy.htm
Siteimprove To ensure that our website conforms to appropriate web accessibility standards https://siteimprove.com/en/privacy/privacy-policy/

Cookies and other collection technologies

Cookies

Cookies are text files stored on your computer and accessible only to the websites which create them. Our websites may use cookies to keep you logged into secure areas of the website and/or to keep track of your preferences as you interact with certain services. You may disable cookies in your browser, however, our websites may not work properly if you do so.

Log Files

Our websites automatically gather anonymous information about our visitors including IP addresses, browser types, and the times and dates of webpage visits. The information collected does not include any personally identifiable details and is used to improve our services and administer our websites.

Protecting your information

No method of transmitting over the internet or storing electronic data is 100% secure, but this site has measures in place to help protect against the loss, misuse, or alteration of the information that is under our control.

Email Marketing

If at any time you would like to opt-out of receiving email from CCSS Research Support, please write to socialsciences@cornell.edu.

Social Media Presence

If you share our content through social media, such as liking us on Facebook or tweeting about us on Twitter, those social networks will record that you have done so and may set a cookie for this purpose. If you wish to opt-out of any of these social interactions please refer to the specific social media platform for instructions on how to do so.

Special Notice for EU Residents

If you are located within the European Economic Area (European Union, Norway, Liechtenstein, and Iceland), we acknowledge the rights granted to you under the General Data Protection Regulation (GDPR).

These rights may include:

1. Right to access your information held by us.

2. Right to correct inaccurate or incorrect information about you.

3. Right to the erasure of your information when it is no longer necessary for us to retain it.

4. Right to restrict processing of your personal information in specific situations.

5. Right to object to processing your information, including sending you communications that may be considered direct-marketing materials.

6. Right to object to automated decision-making and profiling, where applicable.

7. Right to complain to a supervisory authority in your jurisdiction within the EU.

Please contact us with any questions, concerns, or if you wish to exercise any of these rights: itservicedesk@cornell.edu.

Contact Information

If you have questions about our privacy notice or the privacy practices it describes, please contact: socialsciences@cornell.edu.

CCSS Research Support receives support from the Office of the Vice Provost for Research and Member Colleges. Acknowledgment of the CCSS Research Support services (or individual staff) in posters, publications, presentations and interviews helps to demonstrate the usefulness and effectiveness of the resources provided and can help strengthen institutional support. You can help us in this effort by acknowledging CCSS Research Support’s contribution to your research, such as use of data from the CCSS Data & Reproduction Archive, use of the CCSS Research Support or CRADC computing systems, and/or assistance from CCSS Research Support staff.

  1. Add a citation acknowledging CCSS Research Support in your work

    Please acknowledge us in all posters, publications, and presentations of the work that utilized CCSS Research Support resources by using the following text:

    “This research was conducted with support and resources provided by the Cornell Center for Social Sciences (CCSS) at Cornell University.”

  2. Notify us about your work which used CCSS Research Support resources

    Please send us information about your posters, publications, presentations and interviews to socialsciences@cornell.edu, so that we can reciprocate by linking to the data source to expand your research network.

  3. Cite use of Data Archive Download Centers

    If you have used any of these CCSS Data & Reproduction Archive Download Centers, please also use this form to submit a citation:


Additional references on research citations:

Data & Reproduction Archive

Policy Volume: DA 
Responsible Executive: Robert S. Harrison Director

Responsible Office: Cornell Center for Social Sciences 
Originally issued: 2020-02-01; Revised 2024-02-07


By accessing CCSS resources, you agree to the terms within our Acceptable Use Policy.

Researchers must:

  • Use downloaded resources for statistical analysis and reporting aggregated information purposes only.
  • Protect the confidentiality of all research participants at all times, including not attempting to identify individual subjects.
  • Report inadvertent identification of individuals to CCSS immediately.
  • Remain in compliance with any and all Data Use Agreements and licensing requirements as stipulated by the providers of datasets.
  • Cite data studies appropriately using the suggested citation in the archive catalog record.
  • Not redistribute data or documentation unless given permission by CCSS or the data is in the public domain, such as US government data.
  • Provide citation information for any books, articles, and other forms of publication created using CCSS-provided data.
  • For any questions surrounding these policies, please contact the archive staff

Policy Volume: DA 
Responsible Executive: Robert S. Harrison Director 
Responsible Office: Cornell Center for Social Sciences 
Revised: 2017-10-20; 2020-09-16; 2024-02-07


POLICY STATEMENT

The CCSS Data & Reproduction Archive is integral to the Center’s overall mission, where CCSS accelerates, enhances, and amplifies social science research at Cornell, including archive support for the evolving data needs of Cornell social science researchers. The goals of the archive are to make social science data available to researchers, while at the same time making data more Findable, Accessible, Interoperable, and Reusable (See The FAIR Data Principles). Towards those goals, archive staff can help researchers appraise, deposit, publish, make accessible, and preserve both research and secondary social science data. We also feature a catalog to maintain and preserve archive metadata, along with our Data Replication and Archiving Service packages.


Background

The CCSS Data Archive was established in 1982 by the then-Cornell Institute for Social and Economic Research, to be a centralized information center and clearinghouse for the acquisition, storage, and access of machine-readable data for Cornell social science researchers. The archive’s content has gone through many changes through the years. We originally started as a clearinghouse for ICPSR, Roper, and government data, making files more accessible and usable for researchers. In more recent years, we have focused on adding to data collections in particular areas, collecting research data by individual researchers both at Cornell and beyond and archiving our Results Reproduction packages. Since the mid 2010s, most studies were assigned DOIs, and the archive catalog went through many additional improvements such as added search fields and expanded categories and keywords. In 2014 the archive earned the Data Seal of Approval, followed by the CoreTrustSeal. Also in 2014, the first Census download center was added to the archive, and in 2016 the first Data Replication code and data packages were added. In 2019-2020, the archive underwent a major upgrade, further expanding the download permissions system, adding additional DDI-compliant metadata, and making studies further discoverable to external researchers using Google’s dataset search. In 2020 the archive was rebranded as the CCSS Data & Reproduction Archive.


Users

Core clientele for the data archive are Cornell faculty, graduate students, staff working in social science disciplines, and other interdisciplinary researchers with a need for social science data. Finally, we have publicly available data studies available to all researchers


Data in Scope

CCSS houses an extensive collection of research data files in the social sciences with particular emphasis on data that matches the interests of Cornell researchers. CCSS intentionally uses a broad definition of social sciences to recognize the interdisciplinary nature of Cornell research. Our archive includes data studies which fall into three broad access categories: available to the public, available to the Cornell community, and restricted data available through various application processes.

CCSS collects and maintains digital research data files in the social sciences, with a current emphasis on Cornell-based social science research and Data Replication & Archiving service packages. Our archive has historically focused on a broad range of social science data, including data on demography, economics and labor, political and social behavior, family life, and health.

The collection includes, but not exclusively so, federal and state censuses, files based on administrative records, public opinion surveys, economic and social data from national and international organizations, and studies compiled by Cornell researchers.

The CCSS Data & Reproduction Archive acquires or accepts data for any geographic area. The historical collection focused on data related to New York State and the United States, with some international datasets as well.


General Criteria

  • Requests from Cornell researchers – Datasets and studies required by CU researchers unavailable elsewhere and not in conflict with applicable scope criteria listed under Data Not in Scope.

  • Data Replication/Reproduction packages that Cornell researchers request we archive. 

 

Case-by-Case

  • Updating or adding elements to data already in the archive when those data are not available elsewhere

  • At-Risk Social Science Data.

  • International Data.

  • Local New York State Data. 


Data Not in Scope

The following are the general criteria for data that are out of the scope of CCSS’s data collection. CCSS reserves the right to archive any dataset we believe will be useful to Cornell researchers.

  • Non-social science data/science data
  • Data with prohibitive costs
  • Data within proprietary software or subscription databases
  • Data availability: Unless data studies are part of the legacy collection for CU researchers or purchased for CUL or other entities, data available in a trusted repository will not be archived.
  • Direct identifiers: The CCSS Data & Reproduction Archive will not accept data that contains personal identifiers, except in such cases where these data are part of the public record. Datasets held in the archive are primarily public-use versions. Our consultants can assist in de-identifying datasets for public use. For restricted access and limited use data products, the CCSS Regulated Research Environment provides secure access.
  • Copyright: CCSS only accepts data in which we have the right to curate, disseminate and preserve a copy of the data.
  • The CCSS Data & Reproduction Archive reserves the right to reject datasets that are deemed to be inadequately documented, potentially disclosive, acquired or generated illegally or unethically, or suspected or known to contain inaccuracies.


Data Curation

Process: New additions to the CCSS Data & Reproduction archive follow an internally modified version of the Data Curation Network CURATED Workflow, which involves the following steps: Check files/code, Understand the data, Request missing information, Augment metadata, Transform file formats for reuse, Evaluate for FAIRness, and Document curation activities. [ 1 ]

Documentation: Where possible data studies are accompanied by comprehensive documentation: codebooks, file layout maps, technical notes, questionnaires, reports, and errata in open and accessible formats. Non-digital documentation is often available when machine-readable documentation is not. In cases where documentation is insufficient, CCSS works with data producers to ensure that data files are usable and understandable by generating additional contextual information.

File formats: CCSS prefers file formats in the LoC list of recommended formats. The formats are commonly used within the social science and economics domain, have open specifications, and are independent of specific software, developers, or suppliers. CCSS will, however, accept data, regardless of physical format as long as they are convertible to supported and accessible file formats suited for long-time preservation for use by the entire Cornell community.

[ 1 ] Data Curation Network. “The DCN Curation Workflow.” 
https://datacurationnetwork.org/outputs/workflows/. Accessed 17 OCT 2023.


Purchasing Data

Data acquisition is primarily demand-driven. The CCSS Data & Reproduction Archive will attempt to acquire any set of data required by faculty members in accordance with organizational policies regarding cost, quality, restrictions, and expected future use by a broad constituency of social science and economics users. Using the same criteria, data are also acquired for students of those faculty who are engaged in substantive social science or economic research. Proactive collection development is undertaken in anticipation of demand.

CCSS makes efforts to confirm that data were collected in accordance with legal and ethical criteria in place at the time and place of its collection, especially review by Ethical or Institutional Review Boards (IRB). Where this information is unavailable, the professional judgment of the Data Archive staff and the Director will be used to decide on the inclusion of such data, taking into account the relative risk (usually low) associated with the data.

Due to Contractual agreements between CCSS and the Inter-university Consortium for Political and Social Research (ICPSR), the Qualitative Data Repository (QDR), and the Roper Center for Public Opinion Research, members of the Cornell Community are entitled to obtain any of the data offerings of the Consortium, Repository, and the Center. The CCSS Data & Reproduction Archive serves any and all members of the Cornell community in terms of data acquisitions from the Consortium, regardless of subject area.

When a data request is initiated by an individual, the requester will be asked to provide the staff with a description of the data, a written justification for the purchase of the file, and a cost estimate for data acquisition. Criteria are based on the likely usage, how well the purchase fits with our mission and scope, and price. It may be recommended that the requester go directly to another funding source, such as his own department, the library, another agency, or cooperate in pooling resources.

The CCSS Data & Reproduction Archive works with Library Collection Development staff, faculty, and departments to secure full or matching funding, especially in cases where a dataset has a potential audience representing more than one academic department. CCSS also collaborates with Cornell libraries and other information services at Cornell to ensure that collection content and access are not duplicated, so long as CCSS clients can use data and material from those units with reasonable effort. When acquiring material, the archive must consider not only content but format and delivery criteria to fulfill its mission and meet the needs of its clientele.


Policy to Review Process

CCSS will review these policies every three years in conjunction with the CoreTrustSeal certification process or any future certification process.


Contacts

If you have questions about specific issues regarding this policy, contact the following CCSS Staff: Jonathan Bohan socialsciences@cornell.edu, Data Archive Specialist

Policy Volume: DA 
Responsible Executive: Robert S. Harrison Director 
Responsible Office: Cornell Center for Social Sciences 
Revised: 2014-03-21, 2020-10-30; 2024-02-07

The Data Security policy describes physical and information technology measures undertaken to protect CCSS’s digital data collections from unauthorized access.

All CCSS file servers, which house the CCSS Data & Reproduction Archive, have Windows Antivirus virus protection software installed, and data files are scanned for viruses prior to being added to the environment. Security on the CCSS file servers is monitored by the collection and review of system log files generated on all the systems and the Cisco ASA and Cisco Firepower.

Data Center: The CCSS servers are located in an environmentally controlled secure University data center, as part of CCSS’s commitment to take all necessary precautions to ensure the physical safety and security of the CCSS Data & Reproduction Archive. The data center maintains uninterrupted power supplies (UPS), fire prevention and protection system, physical intruder prevention and detection systems and environmental control systems.

Access to the data center is granted by an authorized proximity card (Cornell University ID card) issued only to Cornell staff with the required credentials according to Cornell University Policy 8.4 — Management of Keys and Other Access Control Systems. Entrance and exits to the data center are automatically logged and monitored by Cornell Information Technology staff within the data center, and the CCSS file servers are housed in racks with locked doors, to which only authorized system administrators have keys.
 

Authentication:

  • Public Access: Authentication is not required for access to public-use datasets, if accessing via the archive online catalog. Unauthenticated guests must pass a reCAPTCHA test prior to download.
  • Managed Access: Where the Data Provider obligates, the user would be required to authenticate with CUWebLogin (Cornell NetID required) via the archive online catalog.


Terms of Use: Terms of Use for CCSS resources and the CCSS Data & Reproduction Archive are maintained on the CCSS web site.

Authorization: Access to the CCSS Data & Reproduction Archive digital collection is managed by the archive’s restriction levels. Access to non-public, restricted resources is granted by archive personnel through the archive management system. Access terms are granted based on the provider’s data use agreement. Authorization is linked to Cornell NetID authentication.

Receipt of Original Media: CCSS will employ the highest standard of ingest processing to ensure the quality, integrity, and secure storage of datasets. Refer to the CCSS Data & Reproduction Archive Collection Policy (review in the tab above) for ingest details.

Storage of Original Media and Electronic Copies: Any original media/electronic data that is retained, will be stored in compliance with the CCSS Data & Reproduction Archive Preservation and Storage Policy. 

Disposal/Decommissioning of Data: CCSS reserves the right to decommission data and/or dispose of physical media. The data will be decommissioned/disposed of in line with the directives of the Data Provider.

Backup: Data is backed up by Cornell Information Technology EZ-Backup service.

Security Incidents: Reporting security incidents is mandated by Cornell University Policy 5.4.2, Reporting Electronic Security Incidents.

Policy Review Process: CCSS will review these policies every three years in conjunction with the CoreTrustSeal certification process or any future certification process.


Related Documents

Policy Volume: AC 
Responsible Executive: Robert S. Harrison Director 
Responsible Office: Cornell Center for Social Sciences 
Revised: 2014-04-03, 2020-11-05; 2024-02-07
 

REASON FOR POLICY


To ensure that data versioning criteria are consistently applied to changes in data files and data documentation in the CCSS Data & Reproduction Archive.


POLICY GUIDELINES

 

These guidelines ensure that data versioning criteria are consistently applied to changes in data files and data documentation (including, but not limited to, correction for error, amendments, additional variables, changes in access conditions, format changes) for inclusion in the CCSS Data & Reproduction Archive. This will often involve working closely with the data producer.

Significant changes are those that will have a high impact on the use or interpretation of the data, whereby minor changes are those that will have a low impact in relation to interpretation or use for research purposes. CCSS assigns a new version to a data study with significant changes such as: addition of new variables; revision of incorrect data; revision of miscoded data; substantial documentation changes; withdrawal of data elements or documentation files. Minor changes such as small changes in variable labels, spelling corrections in metadata, changes in access conditions, addition of converted file formats with no actual changes to the data, and minor changes in documentation will be made to relevant content and recorded in ancillary and accompanying documentation, but no new version assigned. Any and all changes are recorded in an internal notes field in our database.

Where possible CCSS will clearly label and make available earlier versions of data and documentation through the data catalog. Version record numbers are captured in metadata held in CCSS relational databases. CCSS retains the right to withdraw an older version of a data study where significant change may be misrepresentative or a copy is held in another major data archive (such as ICPSR).

In some cases data studies are issued as completely new study editions (this may be as part of a series) if there are changes to data/variables, major changes to documentation, new waves have been added to a series, or there have been methodological changes.

Policy Review Process: CCSS will review these policies every three years in conjunction with the CoreTrustSeal certification process or any future certification process. 

Policy Volume: DA 
Responsible Executive: Robert S. Harrison Director 
Responsible Office: Cornell Center for Social Sciences 
Revised: 2014-04-03; 2020-11-05; 2024-02-07

POLICY STATEMENT

The data preservation function is integrated into the operations and planning of CCSS and throughout the management stages of the research data lifecycle to support Social Science research at Cornell University.


REASON FOR POLICY


The fundamental purpose of the CCSS Data & Reproduction Archive is to select, preserve and make available for use primary and secondary data, documentation and metadata, in discipline recognized digital formats that remain suitable for research in perpetuity. The data preservation and storage policy is guided by a variety of community-driven standards, (e.g. Open Archival Information Systems (OAIS) reference model, Trusted Repositories Audit and Certification (TRAC), CoreTrustSeal (CTS), Data Documentation Initiative (DDI), and FAIR Data Principles), that represent an international body of knowledge and expertise pertaining to various issues within digital preservation.


POLICY GUIDELINES


These guidelines address the effective implementation of procedures for the preservation of CCSS’s digital collections within the context of the CCSS Data & Reproduction Archive Collection Policy. CCSS reserves the right to review the scholarly and historical value of and user accessibility into the data preservation characteristics.


Data Integrity:


Upon receipt of new digital content, the Archive staff process the data and documentation, assess that confidentiality concerns are addressed, in collaboration with the data producer fix errors if necessary, convert data formats, and run a checksum. The metadata pertaining to each data file is stored in a SQL database. (A backup of the SQL database is taken every evening and is retained for a finite period.) Provenance notes are maintained, which relate back to the original deposited version, as part of the metadata for any alterations made in the preservation and dissemination versions.

To ensure that the digital content remains identical and accessible, automated tasks are run to verify checksums. The results are compared to the metadata, held within the SQL database, to validate data integrity. If degradation of any digital content is detected, CCSS would endeavor to reinstate the original version from a backup copy.


Data Normalization:

Evaluation of new content types and software/format obsolescence is an ongoing process. It is expected that normalizing the CCSS Data & Reproduction Archive collection by migrating to updated content types when new formats become widely available will occur seamlessly. When new formats are created from data files either through migration into new file formats or through creating new file formats for dissemination, the old files are retained alongside. Version control is stored as part of the metadata, as referenced in the Versioning Policy.


Management of Storage Infrastructure:

The preservation of the CCSS Data & Reproduction Archive is dependent upon CCSS’s storage infrastructure. Thus, management of the storage infrastructure is designed to accommodate scalability, reliability, and sustainability, in accordance with quality control specifications and security regulations. In light of increasing user demand and changing technologies, CCSS staff routinely monitors technical developments and evaluates potential archival solutions that will both streamline and enhance CCSS data preservation practices.

Adequate storage capacity for all CCSS Data & Reproduction Archive holdings is maintained. In addition, unlimited capacity from external media is available. The disk storage maintains a RAID 6 configuration and all infrastructures are protected by uninterrupted power supplies (UPS).

All data are backed up on a daily basis via the University’s offering of EZ-backup, which also provides off-site storage. EZ-backup makes use of IBM’s Tivoli Storage Manager.


Security:


CCSS is committed to taking all necessary precautions to ensure the physical safety and security of the CCSS Data & Reproduction Archive holdings that it preserves. The storage infrastructure is housed in the University data center. The data center features uninterrupted power supplies (UPS), fire prevention and protection system, physical intruder prevention and detection systems and environmental control systems. In addition, the server racks that house the CCSS’s disk storage are equipped with unique keys.


Policy Review Process: CCSS will review these policies every three years in conjunction with the CoreTrustSeal certification process or any future certification process.


Related Documents

Regulated Research Environment (formerly CRADC)

Data Security Policy

Policy Volume: RD
Responsible Executive: CCSS Secure Data Services Manager
Responsible Office: Cornell Center for Social Sciences
(CCSS) Issued: 2020-10-01, revised 2023-11-30

NOTE: This policy replaces these previous policies:

  • CRADC Data Security Policy [issued 2020-10-01, revised 2023-02-28]
  • CRADC Data Security Policy [issued 2020-10-01]
  • CRADC Data Security Policy [issued 2015-07-13, revised 2016-09-30]
  • Secure Standalone Desktop Data Security Policy [issued 2017-10-17

POLICY STATEMENT

The CCSS Regulated Research Environment must use Data Use Agreements and Cornell University policies to protect research data deemed confidential and/or restricted by laws and regulations. This policy applies to all research data physically housed within the CCSS auspices regardless of its storage medium (e.g., disk drive, electronic tape, CD, DVD, external drive, paper, fiche, etc.) or form (e.g., text, graphic, video, audio, etc.).

The CCSS Research IT Director is a Security Liaison for the CCSS Regulated Research Environment.

POLICY REQUIREMENTS

CCSS Regulated Research Environment researchers and support staff must understand and carry out their data security responsibilities to comply with the stipulations of the Data Provider’s Agreement(s), including laws and regulations referenced therein, and Cornell’s Institutional Review Board for Human Participant Research, Office of Sponsored Programs, and official university policies.

This policy applies regardless of the research’s source of funding.

The Process to Identify and Assess Security Risks:

  1. Evaluate the Data Provider’s Data Use Agreement or Cornell University agreement and applicable laws and regulations to determine whether the CCSS Regulated Research Environment meets the criteria for housing the research project’s internal or researcher-collected data.
  2. Ensure that the appropriate university units are involved:
    • Institutional Review Board (IRB)
      Unless the Cornell Institutional Review Board for Human Participants (IRB) determines otherwise, all researchers allowed on the CCSS Regulated Research Environment must satisfactorily complete the CITI Social & Behavioral Research Basic, Stage 1, or other approved training course. The CCSS Regulated Research Environment relies on the Office of Sponsored Programs (OSP) to verify that approved researchers have satisfactorily passed the CITI Social & Behavioral Research Basic, Stage 1, or other approved training course and their Conflict of Interest (COI) statement. If Cornell’s IRB determines that a research project does not require an IRB review, the researchers do not need to complete a Social & Behavioral Research Basic training course. The CCSS Regulated Research Environment relies on the Office of Sponsored Programs (OSP) to confirm that these projects are exempt from IRB review so that Cornell can process them for approval.
    • Office of Sponsored Programs (OSP)
      The CCSS Regulated Research Environment accepts projects and provisions unique user accounts once the Office of Sponsored Programs attains on Cornell University’s behalf final approval from the Data Provider to house the restricted data on CCSS Regulated Research Environment.
      Data internal to Cornell University and researcher-collected data are exempt from OSP approval for housing on the CCSS Regulated Research Environment systems.
  3. Confirm that the CCSS Regulated Research Environment User Agreement has been signed.
    • In addition to attaining OSP and, if necessary, IRB approval, each researcher must complete a user agreement with the CCSS Regulated Research Environment covering the usage of the restricted systems. The CCSS Data Custodians send the CCSS Regulated Research Environment User Agreement to a researcher for signature once the CCSS Regulated Research Environment has the final Data Use Agreement approval from OSP, an internal agreement from Cornell University for Cornell data, or the CCSS Regulated Research Environment agreement from the researcher for researcher-collected data.

The Process to Provision Access and Security on a Project by Project Basis

  1. Account Creation: Upon receiving a signed CCSS Regulated Research Environment User Agreement, the CCSS Data Custodians will create a user account for that user. The CCSS Data Custodians provide login instructions and temporary passwords for the newly onboarded users and send temporary passwords to authorized users via a secure file transfer tool. The CCSS Regulated Research Environment users must change temporary passwords after the first successful login.
  2. Account Expiration: User account access remains dependent on the existing project requirements, as stipulated within the Data Provider’s Data Use Agreement, and approved by OSP, IRB, and the CCSS Regulated Research Environment User Agreement. Any project with an internal agreement from Cornell University for Cornell data or from a researcher for the researcher-collected data is exempt from approval by the OSP but must retain IRB and the CCSS Regulated Research Environment User Agreement approval.
  3. Password Requirements: The CCSS Regulated Research Environment systems require researchers to change their passwords every 90 days. Password complexity is enabled, and a strict password complexity policy is enforced.
  4. Multi‐Factor Authentication (MFA): The CCSS Regulated Research Environment
    researcher must activate MFA before logging into the server environment for the first time. Subsequent logins require MFA. The CCSS Regulated Research Environment air-gapped computer does not require MFA.
  5. Idle Sessions: Idle sessions are suspended after a set time of non-activity.
    The CCSS Data Custodians will work with the server support team to accommodate special idle session suspension criteria set forth by the Data Provider.
  6. Authorization: Authenticated users are granted read and execute permissions to access the restricted data location on the CCSS Regulated Research Environment systems.The authenticated user accounts can write in the project-based transitory storage space that stores application program files, interim datasets, and data analysis files.

Reference: Provisioning / Deprovisioning section in the Access Control Policy

Restricted Access to the Research Data Storage:

  1. Storage of Original Media:
    A locked, fireproof safe in the CCSS Data Custodian’s office stores the physical data media from the Data Providers (e.g., CDs, DVDs, and USB drives). Only the CCSS Data Custodians have the keys to access the Sentry Media Safe.
    CCSS Regulated Research Environment service does not produce or store documents unless provided with the original media. Documents provided with original media are stored in the safe in the project folder alongside the physical media. The project folder is labeled with the project number tracked in the contract management system.
  2. Data for Analysis:
    The CCSS Data Custodians will create a copy of the restricted data on the network-attached storage or the C:\ drive of the CCSS air-gapped computer. Authorized CCSS Regulated Research Environment users are granted read and execute access to the restricted data location on the designated server or air-gapped computer. Each user account is assigned the project-based transitory storage space to store the research-derived data.
  3. Researcher Responsibility:
    • Data Security of Researcher Copies: The Principal Investigator and research staff authorized by the Data Provider to have an external copy of their non-restricted user-created working files are responsible for storing the documents in strict accordance with the Data Use Agreement they have signed with the Data Provider. The researchers are responsible for the secure storage and destruction of user-created working files as required by the Data Use Agreement.
    • Researcher Publication of Data: A researcher is responsible for requesting the Data Provider’s approval before publishing study findings as required by the Data Use Agreement. Any questions about the research results’ publication and the Data Provider’s publication policies must be directed to the Cornell Office of Sponsored Programs.
    • Researcher Modification of Temporary Analysis Files: When specified within a Data Provider’s Data Use Agreement, the Principal Investigator is responsible for ensuring the deletion of all stipulated temporary analysis files for the project, within all project user accounts, at the specified Agreement dates each year.

Restricted‐access Research Data Backup:

  1. Original Media Backups:
    The original physical media stored in the CCSS Secure Data Services Manager’s safe is the only backup of the restricted data secured on the CCSS Regulated Research Environment. The CCSS Regulated Research Environment systems housing original restricted-use data files are not included in the routine backup unless otherwise specified by the Data Provider.
  2. Backups of User-Created Files (Unless Prohibited by the Data Use Agreement):
    The user-created transitory files (programs, output, log files, and working datasets) housed in the CCSS Regulated Research Environment network-attached storage are included in the routine backup. Each research project folder’s backup copy is never combined with any other backup jobs and remains on the Ithaca campus. The backup data is encrypted in transfer and at rest. The research project data located on the secure air-gapped desktop is not included in routine backup.

De‐provisioning of Accounts:

  1. Researcher Account Deprovisioning: The research project PI and Cornell OSP are responsible for requesting a CCSS Regulated Research Environment user account termination. The CCSS Data Custodians will delete the user account from the secure systems and offer the PI the option to copy the researcher’s project subfolder files to the project’s transitory/shared storage space within the project folder. The project PI is responsible for notifying the CCSS Data Custodians about the destruction of the researcher’s project files. The CCSS Data Custodians will dispose of the researcher’s project folder using the secure data shredding algorithm for electronic files.
  2. CCSS Regulated Research Environment Staff Deprovisioning: The CCSS Secure Data Services Manager will communicate CCSS Secure Data Services staffing changes to the Data Provider and OSP via email. The staff account will be disabled on the last day of employment within CCSS Secure Data Services and terminated on the CCSS Regulated Research Environment systems

Reference: Provisioning / Deprovisioning section in Access Control Policy 

Data Destruction and Certification:

  1. Destruction of Physical Media: The CCSS Data Custodian is responsible for the return or destruction of all the project-associated materials as stipulated in the Data Use Agreement. All physical media supplied by the Data Provider will be securely
    destroyed following the NIST 800-88 media sanitization standards. The Data Provider will receive the CCSS Regulated Research Environment Certificate of Destruction unless the Data Provider requests the media returned within the Data Use Agreement. Requested physical media will be returned to the Data Provider following the Data Provider’s physical media shipment instructions and using a traceable shipping method.
  2. Destruction of Original Data Files on the CCSS Regulated Research
    Environment: The CCSS Data Custodian is responsible for destroying the original
    data on the CCSS Regulated Research Environment systems as stipulated in the Data Use Agreement. The Data Provider will receive the CCSS Regulated Research Environment Certificate of Destruction after the secure data removal from the restricted environments is completed.
  3. Destruction of User-Created Electronic Files: The CCSS Data Custodian is
    responsible for destroying user-created electronic files as stipulated in the Data Use Agreement. The research-derived electronic files on the CCSS Regulated Research Environment systems are removed by utilizing the secure data shredding algorithm for electronic files removes the research-derived electronic files on the CCSS Regulated Research Environment systems
  4. Destruction of Paper Materials: The CCSS Regulated Research Environment does not produce or store any paper materials or copies unless they were provided with the original media. The CCSS Data Custodian is responsible for destroying all paper materials at the project closure. If the Data Provider requests a return of the paper materials supplied with the original media, the materials will be sent to the Data Provider using a traceable shipping method.
  5. Certificate of Destruction: After the disposal of all project-related data, the CCSS Data Custodian will certify via the Certificate of Destruction that the secure data and user created project-based transitory files have been securely destroyed. The completed Certificate of Destruction will be sent to the Data Provider either as a paper copy via traceable mail or electronically via email, with a copy of the Certificate of Destruction supplied to the Cornell Office of Sponsored Programs.

Reference: Data Destruction and Return of Restricted Data Policy

Data Center Specifications:

Managed Environment: The CCSS Regulated Research Environment systems are managed environments created following NIST 800-171 information security guidelines for non-federal systems. The system integrity is verified daily by the System Administrator. The System Administrator is responsible for applying system upgrades and security patches to ensure compliance with NIST 800-171 standards.

The CCSS Data Custodian is responsible for scanning data files for viruses before
uploading them to the CCSS Regulated Research Environment.

The CCSS Regulated Research Environment server support monitors the system's security by collecting and reviewing the system log files within the secure environment through Security Information and Event Management (SIEM).

  1. System Maintenance: Periodic system maintenance is based on hardware, operating system, and applications requiring updates (i.e., BIOS, firmware, security
    patches, service packs, and application revisions).
    • The CCSS Regulated Research Environment servers require monthly maintenance. Per request from the CCSS Regulated Research Environment server support team, CCSS Data Custodians schedule emergency system downtime in consultation with the CCSS Research IT Director.
    • Secure air-gapped desktop maintenance is performed annually.
  2. Physical Location:
    • CCSS Regulated Research Environment Servers
      • The CCSS Regulated Research servers are in an environmentally controlled secure Data Center at 757 Rhodes Hall on the Cornell University campus in Ithaca, NY
      • Access to the Data Center will be granted by an authorized proximity card issued only to Cornell staff with the required credentials according to Cornell University Policy 8.4 ‐‐ Management of Keys and Other Access Control Systems. Entrance and exits to the Data Center will be logged and monitored. The servers will be housed in racks with locked doors within the Data Center, to which only authorized administrators have the keys.
      • Secure Air-Gapped Desktop
        • The secure air-gapped desktop is in a secure room on the Cornell University campus: Room 736 Rhodes Hall, Ithaca, NY.
        • Access to the room is granted by an authorized proximity card issued only to Cornell staff with the required credentials, according to Cornell University Policy 8.4 — Management of Keys and Other Access Control Systems. Entrances are logged and monitored, and a sign-in/ sign-out sheet is used to schedule the secure standalone desktop.
  3. Networking and Firewall: The CCSS Regulated Research Environment servers are installed behind a firewall with default deny applied and FIPS 140-2 security levels implemented. The Microsoft Windows firewall is activated on the CCSS air-gapped computer.

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Contacts

If you have questions about specific issues regarding this Sharing, Transmission and Distribution of Restricted Data Policy, call the following offices:

NAMEEMAILTITLEPHONE
Cassian D'Cunhacd642@cornell.eduCCSS Research IT Director607-254-5919
Elena Goloborodokosocialsciences@cornell.eduCCSS Secure Data Services Manager607‐255‐4801
Jonathan Bohansocialsciences@cornell.eduCCSS Secure Data Specialist607‐255‐4801
Resa Reynoldsrda1@cornell.eduCAC Assistant Director, Systems607‐254‐8686
Kim Burlingamekb269@cornell.eduSystem Administrator607‐254‐8686
Lucia Wallelucia.walle@cornell.eduSystems Analyst/Programmer607‐254‐8686
Brenda Lappbll3@cornell.eduTechnical Consultant607‐254‐8686
Cornell University
Security Office
security-services@cornell.edu 

 

Access Control Policy 

Policy Volume: RD
Chapter: AC‐1
Responsible Executive: CCSS Secure Data Services Manager
Responsible Office: Cornell Center for Social Sciences (CCSS)
Originally Issued: 2015-12-01, revised 2023-11-30.
Revised: 2016-09-30, 2018-12-18, 2020-10-06, 2023-02-28, 2023-11-30

POLICY STATEMENT

To comply with the information security terms outlined in Data Use Agreements (DUAs) and National Institute of Standards and Technology (NIST) 800-171 information security guidelines, CCSS Regulated Research Environment must limit system and network access to authorized users.

This policy covers all stages in the user access life cycle, including authorizing access, granting initial access, updating access privileges as user roles change, and removing user accounts for users no longer requiring access.

REASON FOR POLICY

CCSS Regulated Research Environment believes that protecting data resources requires authorized users' responsible handling of information technology and data. CCSS Regulated Research Environment researchers, system administrators, and data custodians must strictly control access to information resources under their direction or ownership

POLICY REQUIREMENTS

These guidelines address establishing procedures before account provisioning and the effective implementation of access authorization, account provisioning, change in status, unsuccessful login attempts, session lockout, account expiration, account re‐enabling, record keeping, and account de-provisioning.

Before Account Provisioning:
 

Institutional Review Board (IRB) Authorization:
Unless the Cornell Institutional Review Board for Human Participants (IRB) determines otherwise, all researchers allowed on the CCSS Regulated Research Environment systems must complete the CITI or other approved training course on Social & Behavioral Research Basic, Stage 1 satisfactorily. CCSS Regulated Research Environment relies on the Office of Sponsored Programs (OSP) to confirm that approved researchers have satisfactorily passed the CITI or other approved training course on Social & Behavioral Research Basic, Stage 1, and their Conflict of Interest (COI) statement.

Office of Sponsored Programs (OSP) Data Use Agreement (DUA):
The CCSS Regulated Research Environment's acceptance of projects and provisioning of unique user accounts is contingent on Cornell University's signing of the DUA via the OSP. The OSP signs the DUA after receiving final DUA approval from the Data Provider.

The data internal to Cornell University and researcher-collected data are exempt from OSP approval for housing on the CCSS Regulated Research Environment systems.

CCSS Regulated Research Environment User Agreement:
In addition to attaining any IRB and DUA approvals required, the user must also agree and sign the CCSS Regulated Research Environment User Agreement, which covers the usage of the restricted systems.

Authorization of Access:
The CCSS Data Custodians grant the authorized users access to the restricted systems after completing all appropriate account provisioning steps. In all cases, the access must comply with applicable legal requirements.

Without independent authorization, information technology personnel must conduct routine system protection, maintenance, or management purposes following internal protocols and processes. Likewise, requests for access in connection with litigation, legal processes, or law enforcement investigations, or to preserve electronic user information for possible subsequent access under this policy, need no independent authorization if made by Cornell University’s Office of the General Counsel in compliance with respective DUAs.

Provisioning / De‐provisioning:
Account Provisioning: Upon receiving a signed CCSS Regulated Research Environment User Agreement, the CCSS Data Custodians proceed with account creation on the restricted system. The CCSS Data Custodians notify the researcher about the account creation by sending a CCSS Regulated Research Environment Welcome email with user ID and login guidelines and instructions for accessing the temporary password on the secure FTP site. All temporary passwords must change upon the initial login to any restricted server.

Account De‐provisioning: Accounts are de-provisioned upon notification by the Principal Investigator or OSP of the project’s completion. The user account de‐provisioning occurs within three business days of the date provided by the Principal Investigator or OSP for the termination of each user account.

CCSS Data Custodian and Approved Support Staff De‐provisioning: Any change in the CCSS Regulated Research Environment and authorized server support staff will be communicated via email to the Data Provider by the Cornell OSP. The staff account will be disabled on the last day of employment within CCSS Regulated Research Environment, and the account will be terminated in two business days.

Change in Researcher Status:
The Principal Investigator is responsible for informing the CCSS Data Custodians within three business days of any changes in project staffing such that a researcher is no longer permitted to access the restricted data. CCSS Data Custodians will disable the researcher’s access to the project files within two business days and notify the Office of Sponsored Programs about removing the research personnel’s access to the restricted systems. The OSP will notify the Data Provider of the project staffing changes. CCSS Data Custodians will re‐enable or de‐provision the user account based on the final decision communicated by the OSP on behalf of Cornell University and the Data Provider.

Unsuccessful Logon Attempts / Session Lockouts:
Unsuccessful Logon Attempts: A CRADC user account is locked after three unsuccessful login attempts. A lockout period is enforced before the researcher can attempt to log on again.

Session Lockouts: Dependent upon the Data Provider’s Data Use Agreement, a screensaver session lockout will occur after 10 minutes of non‐activity. Special requests can be accommodated if the Data Provider agreement establishes criteria requiring idle sessions to be suspended after less than 10 minutes of non‐activity.


Account Expiration:
User account access remains dependent on the existing project requirements, as stipulated within the Data Provider’s Data Use Agreement and approved by OSP, IRB, and the CRADC User Agreement. At the expiration of any existing project requirement, the user account will be disabled. The user account will be re-enabled when the requirement has been approved, and all existing project requirements are completed.

Record Keeping:
The CCSS Data Custodians are responsible for the record-keeping of CCSS Regulated Research Environment projects and user accounts in the contract management system. CCSS Data Custodians also create and enter the unique project and user IDS within the Users and Computers section of the Active Directory on the CCSS Regulated Research Environment domain controller. CCSS Data Custodians create user accounts upon notification of the completion of all required University and Data Provider signatures (i.e., DUA, internal Cornell data, and/or IRB). During any project, contract, or user status update, CCSS Data Custodians ensure the synchronization of the contract management system and the systems domain controller on research status and forthcoming project expiration dates

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Contacts

If you have questions about specific issues regarding this Data Destruction and Return of Restricted Data Policy, call the following offices:

 

NAMEEMAILTITLEPHONE
Cassian D'Cunhacd642@cornell.eduCCSS Research IT Director607-254-5919
Elena Goloborodokosocialsciences@cornell.eduCCSS Secure Data Services Manager607‐255‐4801
Jonathan Bohansocialsciences@cornell.eduCCSS Secure Data Specialist607‐255‐4801
Resa Reynoldsrda1@cornell.eduCAC Assistant Director, Systems607‐254‐8686
Kim Burlingamekb269@cornell.eduSystem Administrator607‐254‐8686
Lucia Wallelucia.walle@cornell.eduSystems Analyst/Programmer607‐254‐8686
Brenda Lappbll3@cornell.eduTechnical Consultant607‐254‐8686
Cornell University
Security Office
security-services@cornell.edu 

 

 

 

Sharing, Transmission, and Distribution of Restricted Data

Policy Volume: RD
Responsible Executive: CCSS Secure Data Services Manager
Responsible Office: Cornell Center for Social Sciences
(CCSS) Issued: 2020-10-01, revised 2023-11- 30.

NOTE: This policy replaces these previous policies:

  • Sharing, Transmission, and Distribution of Restricted Data [issued 2015-05-11, revised 2016-09-30, 2017-11-09, 2019-04-18, 2023-03-30, 2023-11-30]
  • Secure Standalone Desktop – Sharing, Transmission, and Distribution of Restricted Data [issued 2017-09-17

POLICY STATEMENT

This policy is to establish secure standards for restricted data sharing, transmission, and distribution.

POLICY REQUIREMENTS

For this document’s purpose, restricted data relates to any nonpublic data protected by regulations, laws, policies, and/or contractual access restrictions defined by a Data Use Agreement (DUA). The Regulated Research Environment operated by the Cornell Center for Social Sciences (CCSS), as the Data Custodian of these data, along with the authorized research team (Researcher), must adhere to the conditions set forth by the Data Provider in a signed DUA and this policy.

Sharing:
The Researcher is authorized to access only the restricted data residing within the folders (and subfolders) on the CCSS Regulated Research Environment computing system per their DUA to maintain the security and confidentiality of the encompassed data. Providing unauthorized users with credentials to access CCSS Regulated Research Environment computing systems is forbidden.

The Researcher should not attempt to bypass or disable any security controls on the CCSS Regulated Research Environment computing systems. The Researcher is responsible for reporting potential security breaches that put the restricted data at risk of unauthorized access to the CCSS Security Liaison or CCSS Secure Data Services Manager and must abide by Cornell University Policy 5.4.2, Reporting Electronic Security Incidents.

The CCSS Research IT Director serves as a Security Liaison for the CCSS Regulated Research Environment. Restricted data on the CCSS Regulated Research Environment may only be used for non‐proprietary scientific research.

Transmission:
When required by the DUA, the CCSS Data Custodians will disclose proof of any files uploaded to or downloaded from the CCSS Regulated Research Environment. These files will be transferred to or from the Researcher using Cornell’s Secure File Transfer service, SFTP or HTTPS to authorized IP addresses, or other methods considered appropriate by the CCSS Data Custodians to ensure compliance with the DUA.


CCSS Regulated Research Environment:
If granted permission by the Data Provider and Cornell Office of Sponsored Programs (OSP), researchers may use either SFTP or HTTPS protocol to transmit research-derived restricted data. To access the SFTP or HTTPS transfer services, the Researcher must provide a designated static IP address specific to a campus or authorized organization location (personal residences are not allowed) to CCSS Data Custodians. The designated IP addresses will then be added to the secure file transfer system’s firewall.

SFTP and HTTPS access to the CCSS Regulated Research Environment is limited to the Researcher’s personal project folder. Using unencrypted email, instant messaging, or other unsecure communication methods to
transit restricted data is prohibited. Storing copies of restricted data on portable devices, mobile phones, PDAs, USB drives, and CDs/DVDs is prohibited unless approved by the DUA. The Researcher is responsible for securely storing restricted data outside the CCSS Regulated Research Environment following the DUA requirements.

Per the CCSS Information Systems Security Plan, CCSS Data Custodians are the only personnel permitted to transfer data on and off the CCSS Regulated Research Environment. The Researcher's access to hardware auxiliary devices (e.g., CD-ROM, DVD, USB, etc.) is disabled on the CCSS Regulated Research Environment.

Distribution:
Approved methods for distributing restricted data include Cornell’s Secure File Transfer service, SFTP or HTTPS to an authorized IP address specific to a campus or approved organization location, and other methods considered appropriate and in DUA compliance by CCSS Data Custodians in consultation with the CCSS Research IT Director. 

Restricted data should only be distributed to known computing systems, with verified security measures in place before the transfer. The person(s) receiving the restricted data must have a current signed DUA that asserts an understanding of the required security protections, including the governed regulations, policies, and laws, as appropriate.

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Contacts

If you have questions about specific issues regarding this Data Destruction and Return of Restricted Data Policy, call the following offices:

 

NAMEEMAILTITLEPHONE
Cassian D'Cunhacd642@cornell.eduCCSS Research IT Director607-254-5919
Elena Goloborodokosocialsciences@cornell.eduCCSS Secure Data Services Manager607‐255‐4801
Jonathan Bohansocialsciences@cornell.eduCCSS Secure Data Specialist607‐255‐4801
Resa Reynoldsrda1@cornell.eduCAC Assistant Director, Systems607‐254‐8686
Kim Burlingamekb269@cornell.eduSystem Administrator607‐254‐8686
Lucia Wallelucia.walle@cornell.eduSystems Analyst/Programmer607‐254‐8686
Brenda Lappbll3@cornell.eduTechnical Consultant607‐254‐8686
Cornell University
Security Office
security-services@cornell.edu 

 

 

 

Restricted Data Security Breach Reporting and Response

Policy Volume: RD
Responsible Executive: CCSS Secure Data Services Manager
Responsible Office: Cornell Center for Social Sciences
(CCSS) Issued: 2020-10-06

NOTE: This policy replaces these previous policies:

  • CRADC Restricted Data Security Breach Reporting and Response Policy [issued 2015-07-15, revised 2016-09-30, 2019-04-18, 2023-03-27, 2023-11-30]
  • Secure Standalone Desktop – Restricted Data Security Breach Reporting and Response Policy [issued 2017-09-17]

POLICY STATEMENT

This policy outlines procedures for reporting and responding to restricted information security breaches.  It includes determining the affected systems, compromised restricted data, impacted data specifics, and actions required for forensic investigation and legal compliance.

POLICY REQUIREMENTS

The Cornell Center for Social Sciences (CCSS) Regulated Research Environment is committed to compliance with restricted data security requirements.  For this document's purpose, restricted data relates to any nonpublic data protected by regulations, laws, policies, and/or contractual access restrictions as defined by a Data Use Agreement (DUA).  The CCSS Regulated Research Environment, as the Data Custodian of these data, along with the authorized research team (Researcher), must adhere to the conditions set forth by the Data Provider in a signed DUA and this policy.

The Cornell Center for Social Sciences (CCSS) Research IT Director serves as a Security Liaison for the CCSS Regulated Research Environment. 

Reporting:
According to Cornell University Policy 5.4.2, Reporting Electronic Security Incidents, the Researcher is responsible for immediately notifying the CCSS Security Liaison or CCSS Data Custodians of unauthorized access to restricted data or any other information security risk or restricted data compromise.

Response:

After receiving a data security breach notification, the CCSS Security Liaison, CCSS Secure Data Services Manager, and System Administrator will immediately convene to review the report.  The CCSS Security Liaison will notify the Cornell University Information Technology Security Officer (ITSO) about the security incident after the initial review (Cornell University Policy 5.4.2, Reporting Electronic Security Incident).

Process Steps:

  1. Identify:
    1. the nature of the incident to the best of one's knowledge.
    2. the data involved.
    3. the Data Provider contact information.
    4. the systems involved and remove them from the network if applicable.
    5. applicable policies, regulations, and/or laws involved.
  2. Recovery and Response
    1. Contact the Cornell University IT Security Office for assistance in forensics.
    2. Secure the system and preserve it without change.
    3. If deemed necessary, the Security Office will alert the Cornell University Data‐Loss Incident Response Team.
    4. Resolve the situation.
  3. Communicate
    1. Contact the Office of Sponsored Programs (OSP).
    2. The OSP will contact the Data Provider to inform them of the current situation.
    3. If required, notify individuals of data theft.
  4. Document
    1. Create an incident report.
    2. Document lessons learned.
    3. Update necessary documentation.

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Contacts

If you have questions about specific issues regarding this Data Destruction and Return of Restricted Data Policy, call the following offices:

 

NAMEEMAILTITLEPHONE
Cassian D'Cunhacd642@cornell.eduCCSS Research IT Director607-254-5919
Elena Goloborodokosocialsciences@cornell.eduCCSS Secure Data Services Manager607‐255‐4801
Jonathan Bohansocialsciences@cornell.eduCCSS Secure Data Specialist607‐255‐4801
Resa Reynoldsrda1@cornell.eduCAC Assistant Director, Systems607‐254‐8686
Kim Burlingamekb269@cornell.eduSystem Administrator607‐254‐8686
Lucia Wallelucia.walle@cornell.eduSystems Analyst/Programmer607‐254‐8686
Brenda Lappbll3@cornell.eduTechnical Consultant607‐254‐8686
Cornell University
Security Office
security-services@cornell.edu  

 

 

 

Data Destruction and Return of Restricted Data

Policy Volume: RD
Responsible Executive: CCSS Secure Data Services Manager
Responsible Office: Cornell Center for Social Sciences
Issued: 2020-10-07 Revised 2023-02-28.

NOTE: This policy replaces these previous policies:

  • CRADC Data Destruction and Return of Restricted Data Policy [issued 2020-10-07] 
  • CRADC Data Destruction and Return of Restricted Data Policy [issued 2015-07-13, revised 2019-09-16]
  • Secure Standalone Desktop – Data Destruction and Return of Restricted Data Policy [issued 2017-09-17]

POLICY STATEMENT

To comply with the terms of the Data Use Agreement, CCSS Regulated Research Environment Data Custodians must certify to the Data Provider the secure destruction of associated data and/or the return of original physical media at the termination of the Data Use Agreement. This policy applies to all research data physically housed within the CCSS Regulated Research Environment auspices regardless of the storage medium (e.g., disk drive, electronic tape, CD, DVD, external drive, paper, fiche, etc.) or form (e.g., text, graphic, video, audio, etc.).

POLICY REQUIREMENTS

To protect restricted-access data appropriately and effectively, CCSS Regulated Research Environment researchers and staff must understand and carry out their responsibilities related to data security, as set forth by the Data Provider Agreement(s) (including referenced laws and regulations), Cornell University Institutional Review Board for Human Subjects, Cornell University Office of Sponsored Programs, and Cornell University Policy. This policy applies regardless of the research's source of funding.

Destruction of Physical Media:

  • The CCSS Data Custodians are responsible for the return and destruction of all the project-associated materials as determined by the Data Use Agreement. All physical media originally supplied by the Data Provider will be securely destroyed following the NIST 800-88 media sanitization standards unless the Data Provider requests the media returned within the Data Use Agreement. As stipulated by the Data Use Agreement, requested physical media will be returned to the Data Provider using a traceable shipping method. Physical destruction methods:
    • CDs/DVDs are destroyed using a crosscut shredder.
    • USB flash drives are first sanitized following the NIST 800-88 Media Sanitization standards. After sanitization, the flash drives are turned over to Cornell University’s R5 recycling unit, which then ensures their physical destruction by a licensed company.
    • Hard disk drives are first sanitized following NIST 800-88 Media Sanitization standards. After sanitization, the hard disk drives are turned over to Cornell University’s R5 recycling unit, which then delivers the drives to a licensed company for physical destruction.

Destruction of Original Data Files on CCSS Regulated Research Environment:
The CCSS Data Custodians are responsible for destroying all original data on the servers in the CCSS Regulated Research Environment as determined by the Data Use Agreement. The CCSS Data Custodians will certify the destruction of sponsored projects data to the Data Provider and Cornell Office of Sponsored Programs and internal Cornell and Researcher-collected data to the project Principal Investigator. A secure file removal tool shreds electronic files in the CCSS Regulated Research Environment.

Destruction of User‐Created Electronic Files:
The CCSS Data Custodians are responsible for destroying research-derived electronic files as determined by the Data Use Agreement. A secure file removal tool shreds research-derived electronic files in the CCSS Regulated Research Environment.

Researcher Requested Copy of User‐Created Electronic Files:
When permitted by the Data Use Agreement, researchers may request a copy of their user-created, disclosure-proofed files for transfer to the researcher before the project destruction.

Destruction of Paper Materials:
No paper materials or copies are produced or stored by the CCSS Regulated Research Environment unless provided with the original media. The CCSS Data Custodians are responsible for the destruction of all paper materials. Upon the Data Provider's request, paper materials will be returned to the Data Provider using traceable mail with a signature required by the recipient. A crosscut shredder destroys paper materials.

Certificate of Destruction:

After the disposal of all project-related data, the CCSS Data Custodians will certify via the CCSS Regulated Research Environment Certificate of Destruction the destruction of all secure data and user created, project-based transitory files. The CCSS Data Custodians will send the completed Certificate of Destruction to the Data Provider either as a paper copy via a trackable mail or electronically via email, with a copy of the Certificate of Destruction supplied to the Office of Sponsored Programs.

If the Data Provider requires a specific certificate of destruction format to conclude the Data Use Agreement, the CCSS Data Custodians will complete the requested certificate instead of the CCSS Regulated Research Environment Certificate of Destruction.

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Contacts

If you have questions about specific issues regarding this Data Destruction and Return of Restricted Data Policy, call the following offices:

 

NAMEEMAILTITLEPHONE
Cassian D'Cunhacd642@cornell.eduCCSS Research IT Director607-254-5919
Elena Goloborodokosocialsciences@cornell.eduCCSS Secure Data Services Manager607‐255‐4801
Jonathan Bohansocialsciences@cornell.eduCCSS Secure Data Specialist607‐255‐4801
Resa Reynoldsrda1@cornell.eduCAC Assistant Director, Systems607‐254‐8686
Kim Burlingamekb269@cornell.eduSystem Administrator607‐254‐8686
Lucia Wallelucia.walle@cornell.eduSystems Analyst/Programmer607‐254‐8686
Brenda Lappbll3@cornell.eduTechnical Consultant607‐254‐8686
Cornell University
Security Office
security-services@cornell.edu 

 

 

 

  • We'd love to hear your ideas, suggestions, or questions!

    Are you
    Would you like to be contacted for further assistance?