Online Data Collection & Storage of Electronic Data
Policy for Online Research Data Collection Activities and the Storage of Electronic Data Involving Human Subjects
Basic Guidance to Ensure SSL is Properly Enabled
In determining whether SSL is properly enabled on an active online survey researchers must ensure that when a research participant visits the online survey the following occur:
- The URL begins with https:// (http:// is inadequate). If, while attempting to access the online survey, a research participant erroneously enters the URL using http:// in place of https://, then he/she is automatically (and without fail) rerouted to the correct (https://) URL.
- The security certificate must verify high-level encryption. To check the security certificate, double-click on the padlock or similar symbol (typically found at the bottom right of the browser window).
Further Security Guidance
Note: the implementation of the items below is not an IRB requirement for approval of research involving online data collection and/or storage. This is simply guidance to further protect yourself and others during the collection of data over the Internet and the storage of data on servers. The list below provides MINIMUM STANDARDS! It is recommended that a qualified system administrator (for server security) and IT Security (for web-based security) review the setup for proper security.
User Level:
- Do NOT use SSNs, Student/Faculty PIDs or passwords as part of the login
- USE complex passwords containing a mixture of upper case letters, lower case letters, numbers, and symbols (e.g. !@#$%^&*_). Your password should not be a dictionary word or a name.
- Ensure updated Firewall is turned ON
- Ensure updated Virus Protection is turned ON
Web Level:
- SSL (i.e. https://) or similar encryption on the login AND all other pages (note: this is a requirement for IRB approval)
- Cookies from previous sessions are not used
- Remote access disabled
- Technical details of errors should not be visible to standard users
- Regular scans for potential vulnerabilities (preferably by a third party other than the vendor)
- Code Based: 1) include code within your web applications that replaces single apostrophes with double apostrophes; 2) encode output based on input parameters for special characters; 3) filter input parameters for special characters; and 4) filter output based on input parameters for special characters.
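The "Code Based" items above describe the two classic controls against special characters in input: escaping apostrophes before they reach a SQL statement, and encoding output before it reaches the browser. The following is an added example, not part of this policy page, using Python's standard sqlite3 and html modules; the table, the participant name O'Brien and the e-mail address are constructed sample data. It shows the concatenated query failing on a legitimate apostrophe, the apostrophe-doubling fix from item 1, the parameterized form that most drivers recommend instead, and output encoding for items 2 and 4.

```python
"""Added example (not from the policy page): escaping vs. parameterized SQL
and HTML output encoding. All data below is constructed for the demo."""
import html
import sqlite3


def make_db():
    # Constructed sample table with one participant whose name contains an apostrophe.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE participants (name TEXT, email TEXT)")
    con.execute("INSERT INTO participants VALUES ('O''Brien', 'ob@example.org')")
    return con


def lookup_naive(con, name):
    # Builds SQL by string concatenation: any apostrophe in the input closes the
    # string literal early, so the statement's structure depends on user data.
    sql = f"SELECT email FROM participants WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def lookup_escaped(con, name):
    # Item 1 of the guidance: double each apostrophe so it stays inside the literal.
    safe = name.replace("'", "''")
    sql = f"SELECT email FROM participants WHERE name = '{safe}'"
    return con.execute(sql).fetchall()


def lookup_parameterized(con, name):
    # Preferred form: the driver transmits data separately from the SQL text,
    # so no character in the input can alter the statement.
    sql = "SELECT email FROM participants WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()


def render_name(name):
    # Items 2 and 4: encode output so <, >, &, quotes render as text, not markup.
    return f"<td>{html.escape(name, quote=True)}</td>"


def demo():
    con = make_db()
    name = "O'Brien"  # legitimate input containing a special character
    try:
        naive = lookup_naive(con, name)
    except sqlite3.OperationalError as exc:
        naive = f"error: {exc}"  # the apostrophe broke the statement syntax
    return {
        "naive": naive,
        "escaped": lookup_escaped(con, name),
        "parameterized": lookup_parameterized(con, name),
        "html": render_name("<Smith & O'Brien>"),
    }
```

Running `demo()` shows the naive query raising a syntax error while the escaped and parameterized lookups both return the stored e-mail address; the encoded cell renders the angle brackets, ampersand and apostrophe harmlessly.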
Server Level:
- Secure and patched operating system
- Complex passwords for everyone who has access to those servers
- No old user accounts (i.e. for ex-employees)
- Servers located in a locked room
- Know how long the information will be retained on the server
- Use encryption
- Use shadow passwords
What makes a strong password?