Research Data & Security

The University of Nebraska is committed to the safeguarding of research data in accordance with all applicable federal, state, and University regulations. Those involved in research activities at the University of Nebraska have certain rights and responsibilities with respect to research data. All data from sponsored or non-sponsored research activities must be recorded, maintained, and made accessible in a reasonable and responsible manner by research personnel and in accordance with all applicable federal, state, and University requirements. EM41

In 2024, guidance for covered institutions on how to meet the requirements of the National Security Presidential Memorandum – 33 (aka NSPM-33) was released, which is about national security policy related to US government-supported Research and Development (R&D). These standards cover four areas: Research Security Training, Cybersecurity, Export Control, and Foreign Travel Security. UNL is already compliant in many areas, but look forward to specific federal funders' guidelines coming in 2025.

UNL has a variety of resources to support research data and security: 

  • NU Executive Memorandum No. 41, Policy on Research and Data Security includes information on data ownership, the responsibilities of researchers and research personnel, risk classifications, data retention, etc.
  • Research Compliance Services provides a great deal of information related to research security, including policies/procedures, templates/forms, guidance topics, and trainings: Research Data & Security 
  • UNL Libraries offers trainings and support around data management, data sharing, planning for the future, and more
  • NU ITS can help researchers with their computing systems and settings to match the risk of their data

Security Information for Common Software

Sharepoint

UNL’s SharePoint is hosted in Microsoft’s 365 Commercial environment. The environment is owned and managed by Microsoft.  Microsoft’s 365 Commercial environment employs a consistent control framework and uniform implementations of controls based on the U.S. National Institute for Standards and Technology (NIST) Special Publication (SP) 800-53. Microsoft’s 365 Commercial has successfully completed a FedRAMP High Impact Level audit, including a SAR (Security Assessment Report). Microsoft’s completed its scope of responsibility towards FedRAMP accreditation for a Federal agency ATO and Microsoft 365 Commercial supports accreditation with Federal agencies at the FedRAMP High Impact Level. Microsoft 365 Commercial has accreditation from the Department of Health and Human Services (DHHS) for the FedRAMP Moderate Impact Level as formally acknowledged in the FedRAMP Marketplace.  Microsoft Commercial cloud environments also has implemented controls for NIST 800-171, NIST 800-171 is a set of controls used to secure Non-Federal Information Systems (commercial systems) and is derived from NIST 800-53.  Additionally, the University’s agreement with Microsoft includes a HIPAA BAA (Business Associates Agreement) for use with Restricted Sharepoint.

Qualtrics

Data collection via Qualtrics utilizes security features provided by the web survey platform, which uses a TLS (aka HTTPS) encryption for all transmissions. Their servers are stored in a tier one data storage facility that includes security measures such as biometric entry and double card swipe. The data centers hosting the data are SSAE-18 SOC and ISO 27001 certified.

REDCap

REDCap (Research Electronic Data Capture) is a secure, web application designed to support data capture. REDCap is specifically designed for HIPAA-Security guidelines, and the UNL REDCap servers are HIPAA-compliant. REDCap uses SSL/TLS (aka HTTPS) encryption for all transmissions, ensuring the confidentiality and security of data during transmission. The AWS data centers that host REDCap include SSAE-18 SOC and ISO 27001 certifications, ensuring a high standard of security and compliance.