This is the process for obtaining Information Security Officer (ISO) signoff and Senior Official (SO)
final institutional sign-off for government licenses to use datasets with personally identifiable information
(PII) or personal health information (PHI). Example sources of these data sets include the Institute for Education Sciences
and federal or state Departments of Health. All licenses that require security signoff must use this process. The office of
Technology and Industry Alliances facilitates this process. Most license signoffs do not require a meeting with the ISO or the SO.
- First determine if you have special requirements for handling sensitive information. Generally the license documents will
specify a range of security controls that must be met in order to qualify for the license. These controls must be in place before
the dataset is received, and the controls must be maintained until all sensitive data is disposed of in accordance with the license.
- Arrange for security controls required by the license with your department. Depending on the dataset these may include door
locks off of master, locked storage, PC with required software not connected to the network, and other controls.
- Complete the required security plan document reflecting the controls that you have established.
- Obtain all signatures on the license document, the security plan and if required notarized affidavits, within your department.
For most licenses this will be the signature and affidavit from the researcher, the faculty sponsor, and all people with access to
the locked office that will house the data.
- Complete the UCSB MTA Incoming form from the Technology and Industry Alliances web site at http://tia.ucsb.edu/wp-content/uploads/2012/11/MTA-Incoming-Form.pdf
- Most licensors require wet (ink on paper) signatures and original notarizations. Scanned or faxed documents are not acceptable.
Send the original signed license, security plan, MTA incoming form, and notarized affidavits to Jenna Nakano in the Office of
Technology and Industry Alliances at Campus mail code 2055.
- The TIA office will verify that all documents have been properly prepared and forward the license, security plan and affidavit to
the ISO for final signoff.
- ISO may contact the researcher, faculty sponsor and/or department IT staff to review or audit security controls before signoff.
The ISO reserves the right to inspect or audit security controls at any time during the term of the license to ensure that required
controls are maintained.
- ISO will sign the license, security plan, and complete the notarized affidavit. These original documents will be returned to the
TIA office for final processing and transmission to the government agency supplying the dataset.