This is the process for obtaining Information Security Officer (ISO) signoff and Senior Official (SO) final institutional signoff for government licenses to use datasets with personally identifiable information (PII) or personal health information (PHI). Example sources of these datasets include the Institute for Education Sciences and federal or state Departments of Health.

All licenses that require security signoff must use this process. The Office of Technology and Industry Alliances facilitates this process. Most license signoffs do not require a meeting with the ISO or the SO.

Signoff Process Steps

  • First determine if you have special requirements for handling sensitive information. Generally the license documents will specify a range of security controls that must be met in order to qualify for the license. These controls must be in place before the dataset is received, and the controls must be maintained until all sensitive data is disposed of in accordance with the license.

  • Whenever possible, the Secure Compute Research Environment (SCRE) should be used for research using licensed datasets. The SCRE is a private, secured, virtual environment in which researchers may remotely analyze sensitive data, create research results, and output their research results and analysis, and it may make meeting security requirements easier. If the SCRE cannot be used, arrange with your department for the security controls required by the license. Depending on the dataset, these may include door locks off of master, locked storage, a PC with required software not connected to the network, and other controls. More information about the SCRE can be found here.

  • Complete the required security plan document reflecting the controls that you have established.

  • Obtain all signatures on the license document, the security plan, and, if required, notarized affidavits within your department. For most licenses, this will be the signature and affidavit from the researcher, the faculty sponsor, and all people with access to the locked office that will house the data.

  • Complete the UCSB MTA Incoming form from the Technology and Industry Alliances web site at https://tia.ucsb.edu/forms-policies/

  • Most licensors require wet (ink on paper) signatures and original notarizations. Scanned or faxed documents are not acceptable. Send the original signed license, security plan, MTA incoming form, and notarized affidavits to Jenna Nakano in the Office of Technology and Industry Alliances at Campus mail code 2055.

  • The TIA office will verify that all documents have been properly prepared and forward the license, security plan, and affidavit to the ISO for final signoff.

  • ISO may contact the researcher, faculty sponsor, and/or department IT staff to review or audit security controls before signoff. The ISO reserves the right to inspect or audit security controls at any time during the term of the license to ensure that required controls are maintained.

  • The ISO will sign the license and the security plan and complete the notarized affidavit. These original documents will be returned to the TIA office for final processing and transmission to the government agency supplying the dataset.