Acceptable Use Policy
Access to the Secure Data Enclave is contingent upon understanding the terms and conditions of the approved Data Use Agreement (DUA) and upon compliance with University policies, NIST SP 800-171 controls, and this Acceptable Use Policy. Users acknowledge that access is a privilege that carries responsibility for protecting sensitive information and maintaining system integrity.
User Requirements
Endpoint Security
Use only approved University-owned and managed devices (laptops, computers within secured labs) and the Northwestern GlobalProtect VPN to access the enclave.
Keep devices updated with security patches and endpoint protection, which may require a reboot.
Use of personal devices to access the enclave is disabled and prohibited.
Identity and Access
Protect authentication credentials (NetIDs, NetID passwords, multi-factor authentication devices); do not share them.
Access only the information required for your job responsibilities (least privilege).
Enable a screen protector or log off and lock devices when unattended.
Secure and monitor protected data in physical locations, such as the office, home, and public spaces.
Training and Awareness
Complete required security training prior to access and annually thereafter. Required training may include:
Department of Defense Mandatory Controlled Unclassified Information (CUI) Training
HIPAA training: for Feinberg School of Medicine researchers; for other Northwestern researchers
Acknowledge and understand your role-based privileges.
Acknowledge and understand how to report a security incident.
Data Handling
Ensure protected data only resides within the enclave or approved data storage platforms with compensating security controls configured.
Secure protected data that are in paper formats when not in use.
Use code only from approved code repositories, and only to perform required analysis and research aligned to approved roles and responsibilities.
Use code libraries that can work offline.
Analyze data within the enclave (e.g. a non-persistent VM or BigQuery).
Egress data from the enclave contingent upon approval from Northwestern IT and according to compliant workflows.
Dispose of protected data according to University-approved sanitization procedures after Northwestern IT approval.
Reporting Requirements
Report all known or suspected security incidents, data breaches, or suspicious activity to the PI, Data Engineer, and Northwestern IT immediately.
Report staffing or role changes to the Data Engineer immediately (e.g., transfers, departures).
Report lost or stolen equipment to the Data Engineer and Northwestern IT immediately.
Background Check
Successfully complete a University-approved background check prior to access.
Prohibited Activities
Endpoint Security
Do not attempt to bypass security controls, elevate privileges, or reconfigure systems, including devices, within the environment.
Identity and Access
Do not use another user’s account or share your credentials.
Data Handling
Do not remove, copy, or transfer protected data to unapproved systems or media (e.g., USB drives, personal devices, public folders, cloud drives).
Do not take screenshots of or print sensitive data.
Do not download data to local endpoint disk to perform analyses.
Do not push data to unapproved code repositories from the SDE. Code can only be pushed to the allowed code repository.
Disable code libraries that depend on online services to run.
Do not use University IT resources for unauthorized commercial, political, or inappropriate purposes.
Do not conceal, falsify, or destroy information for personal use or gain.
Additional Requirements for Privileged Users
Personnel with elevated privileges (e.g., Data Engineer) have added responsibilities.
Environment Configuration and Integrity
Ensure only required domains are allow-listed to ingress and egress data.
Ensure only required software and functions are approved for use in the SDE environment.
Implement and enforce least-privilege access control policies when designing, requesting, and provisioning user-based access.
Report and investigate all suspected or known security violations.
Identity and Access
Safeguard privileged credentials and use them only for authorized administrative tasks.
Report staffing or role changes (e.g., transfers, departures) immediately to Northwestern IT.
Data Handling
Ensure approved workflows are adhered to for compliant ingress and egress of data, including documentation of approvals and maintaining audit logs.
Ensure data is sanitized to remove any sensitive or confidential information prior to posting or sharing outside the enclave, while adhering to the DUA’s data use and sharing policies.
Datasets should only leave the enclave if required and permitted by the DUA. Aggregated reports, findings, and code can be egressed.
Onboarding/Offboarding
Ensure all researchers are onboarded and offboarded according to the terms of use of the environment, including any prerequisites to gaining access to the SDE, familiarization with roles and responsibilities, and returning devices.
Verify users have completed a background check and training before granting or maintaining access.
Track certification renewals and ensure renewal before deadlines.
Advise researchers on security and risk management according to the DUA.
Ensure security incident reporting is communicated and documented.
Report staffing or role changes within 3 business days (e.g., access needs, transfers, departures). Conduct a quarterly review of access and attest to its accuracy.