Managed Hosting for Export-Controlled Data

IMSS offers a service for housing export-controlled research data. This service adheres to the guidelines described in Safeguarding Export-Controlled Data.

The managed hosting service provides the following:

Access control

The server is housed in a climate-controlled, locked data center with physical access controlled via individually-issued electronic card keys using a card-key system that logs all entry events.

Physical access to the server is limited to authorized US Person staff employed by Caltech Information Management Systems and Services (IMSS).

A local software firewall and an external hardware firewall provides monitoring and control over inbound and outbound network traffic. Only authorized network traffic will be permitted. Firewall permit and deny events are logged.

Access will be granted to a limited number of authorized users only, as determined and requested by the PI. Access requests and approvals will be logged. No access will be granted to non-US Persons without an export license, exemption, or other government authorization. US Person status will be confirmed with Caltech's Human Resources department before access requests are granted. Exception status will be confirmed with Caltech's Export Compliance Officer.

All remote access to the server will be controlled via unique username and password credentials. All authentication events, including username, date/time and source IP address, will be logged to a central server monitored by Caltech's Information Security office.

Maintenance and configuration

The server utilizes up-to-date malware detection software.

The server's operating system and software will be kept current on security patches by authorized US Person staff employed by Caltech IMSS.

Data will be backed up via an encrypted network connection to a remote site leased by Caltech and staffed by US Persons. Access to backups will be limited to authorized US Person staff employed by Caltech IMSS.

Decommissioning

Decommissioned drives will be wiped in accordance with NIST 800–88, Guidelines for Media Sanitization.

Remote access

All remote access to the data will be conducted via encrypted network connections. Wireless network access to the data is disallowed except from Caltech Beavernet or where Caltech VPN is used.

Remote access from shared, public computers or from computers with no local access control is prohibited by policy.

Copying of data from the server is prohibited by policy unless:

1) the data is transmitted via a local, private network to an access-controlled authorized backup device, or

2) the data is transmitted via an encrypted network connection to an encrypted volume by an authorized user with prior approval from the PI, or

3) the data is transmitted via an encrypted network connection in the form of an encrypted file or volume from an authorized user, to an authorized recipient as determined by and with prior approval from the PI.

Fee for service:
There is a $25/month fee for this service, which includes 1Gb of data storage. Additional storage capacity is available upon request at a rate of $0.33 per Gb per month.

Requesting service:
To request housing export-controlled data, please contact IMSS at athttp://help.caltech.edu (request type IMSS-->Web Hosting & Development-->Other.
To request, revoke or change user access to the server, please email security@caltech.edu. Note that access requests must originate from, or be explicitly approved by, the listed PI for the project.


Updated 9/18/2014