Research Data Security

UC Santa Barbara hosts sponsored and unsponsored research projects using datasets from around the world. Some of the datasets, whether supplied by the sponsor or developed as part of research, require special protections against unauthorized disclosure or compromise of data integrity. All research datasets require safeguards to ensure the availability of the dataset before, during, and after a research project. The Chief Information Security Officer (CISO) is a resource for you to consult when trying to identify and meet requirements for data protection.

There are generally two ways that restricted datasets make it onto campus. The first is through sponsored research. In this case, the sponsored projects office coordinates the required documentation before data are transferred to UCSB. In the case of non-sponsored research where the datasets come from the government or industry, the office of Technology and Industry Alliances (TIA) manages the documentation. Both organizations understand that they must engage the CISO in the event that research datasets require any type of special security, but you don’t need to wait to ask for help.

Some datasets include requirements by inclusion of Federal regulations as in DFARS or FISMA. Others, such as those from the Bureau of Labor Statistics for example, come with multi-page security plans incorporated into the contract language. Datasets obtained from industry sources may contain security requirements and associated non-disclosure agreements. In all of these cases, principal investigators must determine if they have the capability within their labs and departments to meet the security requirements.

For the most stringent requirements, the university maintains the Secure Compute Research Environment (SCRE): This virtual-PC environment is designed to meet the requirements for FISMA, DFARS, and Controlled Unclassified Information (CUI). Security obligations under these regimes are quite high and are beyond the scope of departmental IT groups. Anything requiring this level of security must use SCRE or an alternative that has been approved by the CISO. Alternative solutions are available commercially and at other institutions such as the San Diego Supercomputer Center (, but these can include significant fees that should be considered when creating grant proposals.

Dual use technology as defined under the International Traffic in Arms Regulations (ITAR) may also have implications for computing resources. Please consult Office of Research Export Controls Officer or the CISO.

Where do you start? If a dataset used in your research comes with a security plan, security requirements, or requires a sign-off by a security officer then you should contact your departmental IT organization to determine if the requirements can be met within the department. If you are in any doubt, contact the CISO for assistance. If a sign-off is required, the CISO approves all security plans. The SPO or TIA will contact the CISO as a last step according to the process that you can find at: Do not wait for the last minute to obtain signoff. Consult with the CISO to ensure that all requirements are met before entering the final sign off process.