Research Infrastructure CoP Engagement Plan

1. Executive Summary

2. Introduction

2.1. Background

2.2. Purpose of this document

2.3. Audience

2.4. Overview

2.5. Engagement goals

3. Engagement

3.1. Engagement activities

3.2. Engagement topics

3.2.1 Infrastructure

3.2.2 Security

3.2.3 Tools

3.2.4 Risks

3.2.5 Regulations and Requirements

4. Monitoring, Reporting and Evaluation

5. Governance

1. Executive Summary

The Research Infrastructure Community of Practice (CoP) aims to bring together research infrastructure providers who are delivering, or intend to deliver, services for sensitive data and its analysis. The CoP provides a place to bring together shared content that helps the community to develop and deliver their services.

2. Introduction

This document describes a proposed engagement model to bring together research infrastructure service providers who have established, or who are establishing, services to cater for the sharing and analysis of sensitive data. By establishing a community of practice, it is intended that participating infrastructure service providers can share their experiences and leverage the knowledge and experience of others. The community of practice brings together the collective content and expertise into one place for all to benefit from when developing and delivering their services.

2.1. Background

With an increasing number of researchers seeking to analyse sensitive data, such as clinical, social, ecological, or commercial data, purpose-built systems are required to ensure that appropriate protections are in place to safeguard the data. There is a range of criteria that infrastructure service providers need to meet to successfully deliver research services suitable for handling and analysing sensitive data. These criteria encompass a broad spectrum, and include aspects such as governance, personnel, standards, security, certification, ethics, trust, authentication, authorisation, and technology. With respect to providing safe systems for researchers to use for their analysis, it is believed that better outcomes can be achieved by collaborating and sharing knowledge and experiences between participating research infrastructure service providers, rather than by developing systems in isolation.

2.2. Purpose of this document

This document proposes an approach to bring together research infrastructure service providers into a community of practice centred on enabling the secure sharing and analysis of sensitive data.

2.3. Audience

The audience for this document is the organisations participating in the Research Infrastructure CoP, as part of the ARDC-funded activity, to establish a set of Secure eResearch Platform (SeRP) environments to enable Australian researchers to analyse sensitive data. These organisations, which will establish the community of practice, are:

  • ARDC

  • Monash University

  • QCIF

  • Curtin University

  • University of Melbourne

  • University of New South Wales - Sydney

  • Sax Institute

The target audience for the outcomes of this engagement plan are research infrastructure service providers who have established, are establishing, or intend to establish services to provide researchers and research communities with the capabilities to securely share and analyse sensitive data. As at the time of writing this engagement plan, expressions of interest to participate have been received from TPAC and The University of Auckland, both of which are part of ARDC’s Nectar federation.

2.4. Overview

The engagement plan describes a set of activities designed to attract and retain infrastructure service providers who are developing and delivering services for the analysis of sensitive data. These activities can be broadly categorised into:

  • Establishing a repository for content and content sharing

  • Soliciting the involvement of like-minded research infrastructure service providers

  • Canvassing participating organisations for input, whether that is content to be shared or current challenges being faced

  • Organising the periodic gathering of participants to share experiences and solutions, potentially focussed on a particular aspect common to many participants

Over time, as the community of practice evolves, it may look to develop a maturity model that describes the capability progression, and associated criteria, for the delivery of services suited to sensitive data. Further, this may broaden to examine related capabilities such as the long term retention and management of sensitive data for research.

2.5. Engagement goals

The Research Infrastructure CoP will accelerate the development and dissemination of learnings to support the adoption of the services established through the deliverables of the project.

The Research Infrastructure CoP working group will empower research infrastructure teams to deploy, operate, and support platforms for secure sharing and analysis of sensitive data (including SeRP) with shared learnings and best practices to build a high quality service, including certifications, governance, security, and tool integration.

3. Engagement

3.1. Engagement activities

Objectives and potential activities:

Objective: Awareness / familiarisation

- Roadshows

- Conferences

- Participation in ARDC Sensitive Data CoP

- White papers

Objective: Champion / Advocacy

- Engage exemplar projects

- Conferences

- Participation in advisory committees

- Newsletters

- Social media

Objective: Development of policies / standards / best practice / governance

- Catalogue of Training Modules

- SOPs

- Architecture/Security requirements

- Governance (Tech Working Group)

3.2. Engagement topics

3.2.1 Infrastructure

The infrastructure for the secure sharing and analysis of sensitive data encompasses hardware, software, networks and the administration of these. The Research Infrastructure CoP will bring together the best practices, as well as lessons learnt, in the deployment, management, operations, and eventual decommissioning of infrastructure.

Key topics to consider initially:

  • Suitability of existing infrastructure for the sharing and analysis of sensitive data

  • Is the infrastructure for sensitive data a totally separate infrastructure or can research infrastructure providers leverage existing investments and operations?

  • What additional infrastructure requirements exist

  • Best practices for infrastructure software deployment and upgrade maintenance

3.2.2 Security

The security of these environments relies on both infrastructure and user security, and the management of these. The CoP will share members’ knowledge of identification, evaluation, and recommendation of best practices to assist with Security and Incident Management.

Key topics include:

  • Physical access security

  • Provision of user access and restrictions

  • Management of patching and upgrades

  • Assessment methods

  • International developments in cybersecurity best practice

  • Security audits and penetration testing

  • Policies and procedures for identified breaches

3.2.3 Tools

The organisations represented in the CoP bring a wealth of knowledge and expertise in the management of their cyber infrastructure. The CoP will share their knowledge of identification, evaluation, and recommendation of tools to help with cybersecurity and infrastructure.

Key topic areas include:

  • Tools currently used in Infrastructure management

  • New and emerging tools and techniques, particularly in the security domain

  • Research data planner for data custodian decision support

  • Home-baked tools and hacks

  • Lessons learned

An example of secure data sharing tools available from the CSIRO is:

https://data61.csiro.au/en/Our-Research/Focus-Areas/Privacy-Preserving-Technologies

3.2.4 Risks

Protecting sensitive data requires the risks associated with users, devices, networks, servers, applications and data to be identified and assessed. Research infrastructure providers play a critical role in enforcing and controlling all these elements to minimise risk, whilst enabling researchers to access and analyse sensitive data.

The CoP will bring together the combined expertise in risk identification and management in the context of the provision of infrastructure for the sharing and analysis of sensitive data. A stretch goal is to develop a risk identification and management framework that can be used by CoP members, to reduce members’ long term effort in this context. An output of this activity would be a standardised risk assessment matrix with associated definitions for likelihoods, consequences, and calculated risk level response strategy.

3.2.5 Regulations and Requirements

There is a range of international, national, state, and organisation specific cybersecurity standards, policies, and assessment frameworks. The CoP will provide a forum to discuss the impact of these obligations, and how research infrastructure providers can navigate and meet such requirements.

Example requirements include:

4. Monitoring, Reporting and Evaluation

The CoP will need to establish a Monitoring, Reporting and Evaluation process that is informed by the requirements of the Management Committee, the CoP members and their host institutions.

Monitoring can be attained via:

  • CoP meetings, which can be conducted bi-monthly

  • Reviews by the CoP members and Technical Working Group

  • Statistics - A mixture of quantitative and qualitative data capture.

Reporting can be via:

  • Progress reports to Management Committee

  • Progress reports to CoP members in regular meetings

  • Progress reports to hosting institutions

  • Progress reports to funding bodies.

Evaluation can be a powerful tool for decision making and building support for ongoing funding, and future road maps. The CoP should use evaluation processes such as those that are widely used in the public health domain. The CoP will establish the Success Criteria for the CoP’s engagement activities, which could include:

  • having an established repository for community members

  • the growth of the body of knowledge

  • growth in number of participants

  • uptake of systems for the sharing and analysis of sensitive data.

Key principles:

  • It is a continuous (not just one-off) process informing planning and delivery as the project develops;

  • It involves all those with an interest in the project in defining the questions they want answered;

  • It allows transparency and accountability to the wider community;

  • It encourages an honest appraisal of progress, so that you can learn from what hasn’t worked as well as what has.

  • Find out ‘what works’ and ‘what doesn’t work’

  • Conduct self‐assessment

  • Provide space for group members to self‐reflect

  • Improve capacity

  • Identify new goals

  • Demonstrate effectiveness of CoP

Processes:

  • Questionnaire

  • Reflections

  • Group Assessment

  • Evaluate most significant changes

5. Governance

In addition to Monitoring, Reporting, and Evaluation, the CoP will need to establish a governance structure with assigned roles and responsibilities. Such decisions are beyond the scope of this plan and should be established during the initial meetings of the members. The Research Infrastructure CoP Plan provides a foundation on which a governance structure can be built.