3-5 October 2007 © 2007, BRIITE
Biomedical Research Institutions Information Technology Exchange
Implementing Security without Inhibiting Research: Mission Impossible?
( http://www.esp.org/briite/meetings )
Robert J. Robbins
(206) 667 4778
© 2007, BRIITE http://www.briite.org
( http://www.esp.org/rjr/briite-RJR-salk-2005.pdf )
Impossible? Maybe not.
But it is very hard.
The challenge is real, yet we all need to figure out how to implement some kind of solution anyway.
And, we had better be prepared to replace our solution with a better solution every few years for the next decade.
The Problem
• Culture clash between research and security.
• Work occurs within decentralized organizations.
• Work occurs across institutional boundaries.
• Problem keeps changing.
• Rules keep changing.
• Solution keeps changing.
• Human-subjects work is especially challenging.
Culture Clash
SECURITY | RESEARCH
closed | open
planned | opportunistic
structured | creative
respect authority | challenge authority
process driven | one-off mentality
. . . | . . .
Decentralized Organizations
Would this work in your organization:
"Your convenience is no reason for me to sacrifice the security of my network…"
But it does work in the military, where this quote originates.
True Story
Conversation between network administrator (N) and faculty member (F):
N: These changes will improve the security of our network.
F: But they will make it impossible for my lab to carry out its research.
N: With a little effort you should be able to find a work-around.
F: My staff and I have already devoted substantial effort to the problem and there is no work-around for us. However, we have determined that a relatively minor change in your security plan would meet your security needs while still allowing us to carry out our research.
N: What do you know about network security? You’re just an end user.
Yes, but this end user also had a Nobel Prize and about two attractive job offers a month from other institutions.
POP QUIZ
The most likely outcome was:
1. The researcher totally changed his research program to meet the new security standards, or . . .
2. The network administrator found himself with the opportunity to spend more time with his family.
Work Spans Institutional Boundaries
Much biomedical research is now conducted by teams of collaborators, often spanning multiple institutions.
Research that starts at one institution segues into multi-institutional work as students graduate, post-docs move on, and other changes occur.
Research often is accomplished by INFORMAL teams of workers, spanning multiple organizations.
These teams dynamically come into existence to meet a research need, then disband.
Portions of tens (or hundreds) of such teams exist at any one time within any research organization.
These teams are often not based on any formal relationships between the home institutions of the researchers.
Delivering high-quality security across such teams involves either:
• a proliferation of accounts across institutions, or
• a security system designed for a totally decentralized federation.
No currently available security system is designed to meet the needs of a totally decentralized federation.
Problem Keeps Changing
Changes in Problem Scope
Achieving security of research systems:
• within labs
• across labs
• across departments
• across campuses
• across institutions
• across state boundaries
• across national boundaries
Changes in Problem Domain
New problems keep arising:
• financial system
• confidential data on lost laptops
• web site break-ins
• student music downloads
• termination policies
• HIPAA
• . . .
Changes in Logical Status
Some change is so profound that jokes become reality.
Sarcastic comment:
DNA is inherently identifiable. Pretty soon we’ll have to start putting deliberate errors into DNA sequences before we can share them…
Recent article in Science
Page 2:
Tactics for de-identifying genomic data:
When reality starts to resemble parody, things are getting too complex for comfort.
Rules Keep Changing
• HIPAA
• Sarbanes-Oxley
• News stories of lost laptops
• Internal audit departments
• Non-research-savvy auditors
• Engaged boards of directors
• . . .
Solution Keeps Changing
We need comprehensive support for implementing security in a totally decentralized federation.
No such solution exists.
So we keep implementing the approximation du jour (or maybe de jure).
Human Subjects Research
What is Human Subjects Research?
Certain activities are obviously human subjects research, appropriately covered by IRB rules and procedures.
But, where are the limits? What activities are covered and what are not?
Effect of food additive?
Price of popcorn in movie theaters?
Production of recipe book?
HSR Criteria
Project:
MBA student wants to interview theater managers about price of popcorn at different times and for different features.
Problem:
Should this activity be considered research involving human subjects covered by 45 CFR part 46?
Answer:
?
HSR Criteria
Project:
Research team wants to interview IRB heads, security officers, other institutional leaders to determine the policy requirements governing the deployment of multi-site digital security systems.
Problem:
Should this activity be considered research involving human subjects covered by 45 CFR part 46?
?
END