Determine security tier
Before starting any Turing project, you should have completed a Data Protection Assessment Process (DPAP) in consultation with the Turing Data Protection Team. It is likely that there will also be various data sharing agreements (DSAs) in place.
Security tiers
The Turing TRE can operate in three different configurations, known as security tiers. Adding technical controls can reduce the chance of a data incident but may also impose additional constraints on the 🧑‍🔬 Project team.
| Security control | Tier 1 | Tier 2 | Tier 3 |
|---|---|---|---|
| Inbound connections | Anywhere | Approved networks | Approved networks |
| Outbound internet | Allowed | Forbidden | Forbidden |
| User devices | BYOD | BYOD | Managed |
| Copy-and-paste | Allowed | Forbidden | Forbidden |
| Data ingress | Allowed | Approval needed | Approval needed |
| Data egress | Allowed | Approval needed | Approval needed |
| Software libraries | Any | PyPI/CRAN | Approval needed |
Important
Based on the DPAP and DSAs, the 🧑‍🔬 Project team should decide on the appropriate SRE security tier for the project.
Guidance
When deciding on the appropriate tier you may want to consider the following factors:
- Personal data
  - Consider whether personal data might be present in non-obvious ways (for example names, faces or IDs visible in images)
  - If the project will be handling any special category data, a higher security tier may be appropriate
- Medical data
  - Data that is easily available to researchers without restriction is likely to require a lower security tier
  - Data that has been rigorously pseudonymised is likely to require a lower security tier
- Commercially-sensitive data
  - Consider whether any personal data (for example on customers or employees) is included in the data