Revised VA Information Security Program Handbook Released
A revised VA Handbook 6500 - Risk Management Framework For VA Information Systems – Tier 3: VA Information Security Program was published September 20, 2012.
ORO previously posted a “New ORO Guideline for Enforcement of VA Handbook 6500 §6.c(4)(j) Regarding VA Sensitive Research Information on Non-VA ‘Other Equipment’” on January 31, 2012, with a provision that the ORO Guideline automatically expires upon issuance of a revised VA Handbook 6500. ORO considers this guideline expired and is updating relevant ORO review checklists for consistency with this new Handbook.
Revised November 2013.
VA Laptop Encryption
On November 15, 2011, the Assistant Secretary for Information and Technology issued a Memorandum (VAIQ #7117920) regarding VA Laptop Encryption. The Memorandum requires that all VA government-owned (VAGFE) laptops (including Macs) have fully functional VA-approved disk-level encryption software installed or an approved waiver in place by February 29, 2012. The Memorandum provides some examples of VAGFE laptops that may be granted encryption waivers, including laptops connected to research devices where encryption would hinder the application from operating as intended.
Note that all waivers currently in place for laptop encryption will become void on February 29, 2012, and a new waiver application must be submitted using the process described in the Memorandum.
Checklist for Reviewing Privacy, Confidentiality and Information Security in Research
This Checklist was designed to assist Privacy Officers and Information Security Officers in their review of VHA research protocols. Please see the accompanying Instructions for Use and Research Checklist Memorandum. Please note that the use of this Checklist is highly encouraged but not mandatory.
Interim ORO Guidance On Data Disclosure For Collaborative Studies
The Office of Research Oversight (ORO) has developed interim guidance on data disclosures for collaborative research studies. The guidance clarifies current requirements for the disclosure of VA research data to academic affiliates and other non-VA entities for “collaborative” human subject research, including requirements related to the retention of VA research records, disclosure of data under the Health Insurance Portability and Accountability Act (HIPAA), data ownership, information security, “dual appointment” research investigators, and combining data collected at a VA site and an affiliate/collaborator site.
An accompanying PowerPoint presentation can be found here.