1.2 Security and Privacy Policy

Privacy Policy for all ARCC resources.


Contents

https://arccwiki.atlassian.net/wiki/spaces/DOCUMENTAT/pages/64192662

https://arccwiki.atlassian.net/wiki/spaces/DOCUMENTAT/pages/33184


1.2.1 Data Collection

  • The information collected through this site, and other UW pages/sites linked from it (e.g. a help ticket system), includes the necessary information to provide and manage ARCC products and services. Examples include:

    • For a PI to request an allocation on some ARCC resources for their project, information about that project will be collected.

    • For a user requesting help via a ticket, information about the systems affected and problems being experienced will be collected.

    • Website usage data including browser type, operating system, page views, entry sources, exit pages, and other metrics, may be collected and used to help improve website organization and performance.

  • The least amount of data needed to perform the required functions will be collected.

  • This site complies with the general UW Privacy Policy / Website Usage statement found on the UWyo website.

1.2.2 Data Monitoring

ARCC users have no explicit or implicit expectation of privacy. UW retains the right to actively monitor all ARCC resources, activities on ARCC resources and networks, and to access any file without prior knowledge or consent of ARCC users, senders, or recipients. UW/ARCC may retain copies of any network traffic, computer files, or messages indefinitely without the user's prior knowledge or consent.

1.2.3 Data Sharing and Access Control

1.2.3.1 Reasonable prevention for unauthorized access and disclosure

UW ARCC will take reasonable steps to protect the information that you provide to us from unauthorized access or disclosure.

1.2.3.2 Third-party access

If and When ARCC services are facilitated through third parties, the information provided on the allocation request form may be shared with the third-party service providers for use in operating and managing the services, provided that reasonable steps are taken to ensure that the service providers are required to protect this information from unauthorized access or disclosure.

We will release information gathered through monitoring if required by law.

1.2.3.4 Incident response disclosure

UW/ARCC may, at its discretion, share information gathered through monitoring with incident response organizations.

1.2.4 Data and Security Restriction

1.2.4.1 Foreign Access Control (OFAC)

ARCC use by foreign nationals is generally permitted regardless of whether access to ARCC resources is from the United States or abroad. However, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) regulations prohibit the of ARCC resources by citizens of Cuba, Iran, Syria, or Sudan while residing and/or working in one of those countries.

1.2.4.2 Restricted Data

The use of UW/ARCC resources to store, manipulate, or remotely access information, software, or data (materials) that require additional controls or that could negatively impact or compromise administrative and business operations of ARCC resources requires prior written approval from the University. Such materials include, but are not limited to, export-controlled software or technical data subject to Export Administration Regulations (EAR) or International Traffic in Arms Regulations (ITAR); Personally Identifiable Information (PII) or health information subject to the Health Information Portability and Accountability Act (HIPAA), and materials subject to "Official Use Only" or similar government restrictions.

THE USE OF UW/ARCC RESOURCES TO STORE, MANIPULATE, OR REMOTELY ACCESS CLASSIFIED INFORMATION, UNCLASSIFIED CONTROLLED NUCLEAR INFORMATION (UCNI), NAVAL NUCLEAR PROPULSION INFORMATION (NNPI), SECRET RESTRICTED DATA (SRD), SPECIAL ACCESS REQUIRED DATA (SAR), THE DESIGN OR DEVELOPMENT OF NUCLEAR, RADIOLOGICAL, BIOLOGICAL, OR CHEMICAL WEAPONS, OR OF ANY WEAPONS OF MASS DESTRUCTION IS EXPRESSLY PROHIBITED.

UW/ARCC resources are operated as research systems and should only be used to access and store data related to research. These research systems are categorized as low per FIPS-199 and protected to the NIST 800-53 low-security control baseline.

1.2.4.3 System Security

UW/ARCC resources control data access via username and password authentication for network access and UNIX directory and file permissions for data storage. Network access and data storage systems provide no explicit encryption. ARCC users are responsible for protecting data files and acknowledge and understand that UW/ARCC security control implementation is sufficient for research data access and storage.

1.2.4.4 Licensing and Compliance

ARCC users must ensure that when using ARCC resources, all software is acquired and used according to appropriate licensing. Possession, use, or transmission of illegally obtained software on ARCC resources is prohibited.

ARCC users shall not copy, store or transfer copyrighted software or data using ARCC resources, except as expressly permitted by the copyright owner.

Installation of software on ARCC systems must include a valid license (if applicable). No software will be installed on the ARCC cluster(s) without prior proof of license eligibility.

Installation of commercial or licensed software will be performed in a best-effort manner. If the requirements for the software are outside the current configuration of ARCC systems, ARCC may reject the installation.

 

1.2.4.5 Data Retention

Users who leave UW: ARCC reserves the right to remove any data at any time and/or transfer data to other individuals (such as Principal Investigators working on a same or similar project) after a user account is deleted or permanently deactivated, or a user no longer has an association with UW/ARCC.

Data backup and retention:

Although ARCC takes steps to ensure the integrity of stored data, ARCC does not guarantee that data files are protected against destruction. ARCC users should read the information on data retention, backups, and data deletion in any applicable policies for the ARCC resources they use, and make backups of necessary data and software in an archive system or at other sites. In some cases, ARCC may elect to make backup copies of some data files. When backup copies are made, ARCC reserves the right, at its sole discretion, to hold such backup copies indefinitely or to delete them.