Collaboration Guidelines

Sensitive Data Sharing Guidelines (incl. PII):

  • The most secure option is to use SFTP with client software or a terminal server setup.
    • External SFTP client – Use at the PI’s discretion. Consult with CMT if using an external SFTP client for the first time to make sure good security protocols are followed.
    • Internal SFTP client – ISR-Dropzone is now available.  Projects should contact CMT to set up a Dropzone. Dropzone will require external users to get set up with our ISR Duo in order for them to use it.
  • The preference is for no research data in cloud services (MyDrive, Google Shared Drive, Dropbox), but IF needed, research data in Dropbox is the best option. PLEASE SCHEDULE A CONSULTATION with CMT before requesting a folder in Dropbox.
  • If you know you will be using a third-party platform like Dropbox to share data, include it in the data use agreement and IRB materials.
  • Encrypting files BEFORE you upload them to a shared service is recommended (see below).

Guidelines for using Dropbox:

  • If the data is sensitive or contains PII, please schedule a consultation with CMT.
  • Create an MCommunity group and an associated Dropbox Team Folder that includes CMT.
  • Encrypt sensitive/PII data files locally (see encryption notes below) and then upload them.
  • Set an expiration date for access to files in Dropbox.
  • Dropbox is not for long-term storage.

Guidelines for Using Google Drive

  • Create the project folder in SRO Projects.
  • Restrict editing access to only those users who will be actively working in the folder. You can further restrict access by removing groups from the sharing permissions list and restricting sharing in general. See "Stop, Limit, or Change Sharing in Google."
  • DO NOT REMOVE the SRO Google Drive Admin account. This is the main shared administrative account.
  • Google Drive is not for long-term storage.

Encryption

  • Encrypt files using AES-256. WinZip offers sufficient encryption by default.
  • Send the encryption password by a different channel of communication. If you sent the file link via email, then use a different work email address (like a project email) to send the password, or use SMS or a phone call.
  • WinZip licenses are $6 each, by request.

Data by Type and Location

Type of Data/Documentation, with Approved Locations listed under each type:

  • Respondent Contact Information (not linked to SID): names, addresses, emails, phone numbers
    • Dropbox (Consult CMT – encrypted first)
    • SRO Secure Networks (e.g. L: Limited and TSG)
  • Respondent Addresses and Appointment Times (no identifying information)
    • Google Drive
    • Dropbox
    • SRO Networks
  • Sample IDs or Case IDs (not linked)
    • Google Drive
    • Dropbox
    • SRO Networks
  • Sample IDs (linked)
    • SRO Secure Networks (e.g. L: Limited and TSG)
    • Dropbox (Consult CMT – encrypted first)
  • Survey Data (non-anonymized)
    • SRO Secure Networks (e.g. L: Limited or TSG)
    • Dropbox (Consult CMT – encrypted first)
  • Survey Data (anonymized)
    • Dropbox
    • SRO Networks
  • Recorded interviews
    • SRO Secure Networks (e.g. L: Limited or TSG)
    • Dropbox (Consult CMT)
  • Social Security Numbers
    • Consult CMT
  • Health Data
    • SRO Secure Networks (e.g. L: Limited or TSG)
    • Dropbox (Consult CMT – encrypted first)
  • Actigraph or Other
    • SRO Secure Networks (e.g. L: Limited or TSG)
    • Dropbox (Consult CMT – encrypted first)
  • Interviewer Contact Information (names, addresses, phone numbers, emails)
    • Google Drive
    • Dropbox
    • SRO Networks
  • Interviewer Sensitive/Confidential Information
    • SRO Secure Networks (e.g. O: and DCO)

More on Using Dropbox, Google, and MCommunity Securely:

  • Dropbox and Sensitive Data
  • Security and Privacy in the U-M Google Environment
  • Stop, Limit, or Change Sharing in Google
  • MCommunity Group Synchronization with Google and U-M Box

Sync Issues and Risks

  • If a folder is synced to both Dropbox and Google Drive, errors will occur when files are updated.
  • If a user’s laptop or desktop is infected with ransomware, the ransomware will encrypt the files, rendering them useless. Synced folders will then upload the newly encrypted files, and everyone who has synced the folder to their own local computer will then download the encrypted files.
  • Active Directory Risks
    • Keep groups up to date and restrict access wherever possible.
    • A recent ransomware attack involved a person who had accumulated Active Directory permissions over the years from the many projects they had worked on. When ransomware struck, it was able to shut down an entire server based on those old permissions.