Best Practices:

• Should contact the University IT, Info Security or CIO, and determine what practices are in place for their university
• Consult experts when filling out any requirements rather than doing it yourself
• Document what services are in place for the study
• Consider using an existing cloud platform that provides a secure environment for neuroimaging rather than setting up your own
• Make sure that your local IT understands how to create a secure cloud environment by asking specific questions, e.g., do you have support for creating a FISMA moderate compliant environment in X cloud platform?
• Consult any policies from the funding source around security
• In the absence of clear security policies from either source, return to the data owner for guidance as you should not move forward without clear policies. 
• Understand what level of security is required
• Plan for regular compliance review as the project evolves
• Since shared compute resources are built upon a specific OS, and OS's have security implications, it's important to keep your shared cloud compute resources with up-to-date OS security patches.

Things to Avoid:

• Do not have a graduate student be in charge of security.
• Do not assume that you know the answer without consulting with the relevant agencies/resources: security policies and guidelines change all the time; need to confirm that you are right.
• Avoid being shortsighted—establish a framework that is agile.
• Do not assume that the Cloud environment handles all your security concerns (e.g., a malicious web browser extension could send data in the browser anywhere).
• Do not assume that additional security features are free or turned on by default.
• Ensure that the settings you choose don't create avenues for data access that you didn't intend (e.g., external IPs that you didn't plan for).

Value Set Definitions: 

• Low: ISO 27001
• Medium: FISMA/FedRAMP moderate; NIST 800.53 rev4
• High: FISMA/FedRAMP high or data residency & exfiltration controls (in/out)

Value of Use Case Example:

Medium/High - Platform will have to comply with appropriate security standards which may change depending on what types of data Jordan ends up collecting.

Discussion of Use Case:

Not all Cloud environments are HIPAA compliant and even if they are, Jordan is still responsible for setting it up and using it properly. Thus, it is critical that Jordan understand the relevant security issues herself, or partner with the experts on her campus to ensure that she has the appropriate security controls. It will also be important for Jordan to regular review and update security protocols as there may be changes in relevant requirements and policies over time. Again, this can be accomplished in part by continued engagement with experts on campus or elsewhere.