
Gen3 Data Security Guidelines for VA Data Commons Users

  1. Never share credentials (SSH private key, password, S3 credentials) with other people.
  2. Do not take protected data from a VA Data Commons storage location (e.g. S3 bucket, database) and share it with users who may not have the same permissions.
  3. Do not save your API key(s), password(s), or S3 credentials in insecure locations such as an Excel spreadsheet or Notepad, and do not send them to any device via insecure connections such as SMS, Slack, or email.
  4. Never send or share data with external devices of any kind including but not limited to emailing data to your personal email, sending data to your personal computer, and sharing data with users without approved access to VA Data Commons (email: info@data-commons.org). 
  5. Never connect to unsecured Wi-Fi networks (e.g. airports, hotels, restaurants, etc.) or public Wi-Fi networks to access VA Data Commons unless leveraging a secure and approved VPN solution.
  6. Never modify the security controls on any resource in the VA Data Commons without prior authorization by the VA Data Commons security team.
  7. Never access, download from, or upload to unknown sites/domains from within the VA Data Commons workspace.
  8. Never hard-code secrets or credentials as code/config in GitHub.
  9. All users who have access to, and develop code in, VA Data Commons repositories must install Git pre-commit hooks to detect secrets. Install pre-commit either locally on your laptop (best option) or on the VM on which you are working.
  10. Use only an approved web browser, patched to the latest version, to access VA Data Commons.
  11. Immediately report any possible disclosure, breach, or alteration of confidential information, or any possible unauthorized access or compromise of the VA Data Commons to the appropriate internal security team including CTDS Information Security (email: ctdscsoc@uchicago.edu).  
  12. The above security guidelines, including the quiz, are specific to VA Data Commons users and should be followed in conjunction with the user's organizational security policies, including but not limited to state and federal laws.