(determine_security_tier)=

# Determine security tier

Before starting any Turing project, you should have completed a Data Protection Assessment Process (DPAP) in consultation with the Turing Data Protection Team.
It is likely that there will also be various data sharing agreements (DSAs) in place.

(security_tier)=

## Security tiers

The Turing TRE can operate in three different configurations, known as security tiers.
Adding technical controls can reduce the chance of a data incident but may also impose additional constraints on the {ref}`role_project_team`.

| Security control    |  Tier 1  |      Tier 2       |      Tier 3       |
| :------------------ | :------: | :---------------: | :---------------: |
| Inbound connections | Anywhere | Approved networks | Approved networks |
| Outbound internet   | Allowed  |     Forbidden     |     Forbidden     |
| User devices        |   BYOD   |       BYOD        |      Managed      |
| Copy-and-paste      | Allowed  |     Forbidden     |     Forbidden     |
| Data ingress        | Allowed  |  Approval needed  |  Approval needed  |
| Data egress         | Allowed  |  Approval needed  |  Approval needed  |
| Software libraries  |   Any    |     PyPI/CRAN     |  Approval needed  |

:::{important}
Based on the DPAP and DSAs, the {ref}`role_project_team` should decide on the appropriate SRE security tier for the project.
:::

## Guidance

When deciding on the appropriate tier you may want to consider the following factors:

- Personal data
  - Consider whether personal data might be present in non-obvious ways (for example names, faces or IDs visible in images)
  - If the project will be handling any special category data, a higher security tier may be appropriate
- Medical data
  - Data that is easily available to researchers without restriction is likely to require a lower security tier
  - Data that has been rigorously pseudonymised is likely to require a lower security tier
- Commercially-sensitive data
  - Consider whether any personal data (for example on customers or employees) is included in the data