ouhscbbmc / redcapgovernancedocs Goto Github PK

@wibeasley

when you have a moment, would you review this external module? It sounds interesting and may be useful for us at some point.

https://bbmc.ouhsc.edu/redcap/redcap_v9.0.0/ExternalModules/?prefix=api_sync&page=README.md

In the spirit of #8, I'd like to collect material about security and keep it in this thread, along with any accompanying comments that we have.

Also, there may be issues relevant to

• Plugin Security in Issue #8, and
• API Security in Issue #10.

Important: Remember that this is a GitHub repository, and is visible to people outside OUHSC. Please don't post any material that has PHI, or material that can help someone get a step closer to REDCap PHI, such as usernames, tokens, or even URLs

From https://github.com/OuhscCcanMiechvEvaluation/MReporting/issues/314

Build upon the the previous audit log. But instead of just listing names, have it compare against a list from the IRB that has two columns: (a) IRB Project ID, and (b) OUHSC username.

1. Create a simple report for IRB Auditing (do tonight)
2. Draft a proposed mechanisms for how a reviewer looks at the flagged cases (ie, usernames who accessed a REDCap project, but weren't on the IRB list given to us). (do in the next few days)
3. Look for precedence set by other universities for this auditing mechanism.

The proof of concept for now will assume everyone has an OUHSC username. When REDCap moves to one of the open standards (for collaboration with other universities), we'll need to expand this somehow.

@wibeasley @bard1536

With regards to upgrading the instances of REDCap:

What do we want to test?
How do we want to test them?

Ideas that David and I discussed:

Creating bogus projects in the devbox. After REDCap has been upgraded, test these bogus projects to ensure that all features are working correctly.

Have a standard "new" project to create in the new version on the devbox.

Testing the superuser features (deleting a project etc)

What are your thoughts?

I created this issue (ie, "Meeting 2013-10-28") in the wrong repository

From https://github.com/OuhscCcanMiechvEvaluation/MReporting/issues/293.

After receiving the products of #1 and #2, @bard1536 will send the documents to the IRB to review.

Include FERPA in documents.

And go back in time and aska question on the REDCap Google groups that sounds something like this:

FERPA Compliance Statement
We are needing to add a FERPA compliance statement to our REDCap documentation. Does anybody have an example that they could share?

@thomasnwilson, there seems to be some good materials/discussions on the REDCap Forums and Wiki. Let's post them in this issue as we see them. I'm going to close it, but keep posting when you see something.

Also, if you're looking for issues related to Plugin security, please scan Issue #10.

Important: Remember that this is a GitHub repository, and is visible to people outside OUHSC. Please don't post any material that has PHI, or material that can help someone get a step closer to REDCap PHI, such as usernames, tokens, or even URLs

spun off from https://github.com/OuhscCcanMiechvEvaluation/MReporting/issues/326

Create a REDCap governance pptx for next week's meeting

• highlighting parts of the report
• prompt attendees about how granularly/closely users need to be tracked
• Look at email from David sent 2.5 hours ago

spun off from Thomas's post:

On the big meeting yesterday (eg, Wilson, Thomas N (HSC); Beasley, William H.; Moore, Randy W. (HSC); Steward, Shad (HSC); Mack, Cliff W (HSC); Miller, Tony D. (HSC); Bard, David E. (HSC)), Randy, Shad, and other supported a protocol that would update the REDCap components every 6 months, with ad hoc updates whenever there was a serious security update.

There are several components that need to be updated, such as

1. REDCap code itself
2. MySQL
3. phpMySQL (ie, a web GUI for MySQL; a relevant forum discussion)
4. PHP
5. Linux (which is Red Hat, I think)

@thomasnwilson, are there any extra layers that need to be installed/updated explicitly, such as JDBC/ODBC drivers?

@thomasnwilson, can you please add columns to the project (that stores metadata about other REDCap projects) that allows a single REDCap project to be associated with multiple IRB numbers?

From https://github.com/OuhscCcanMiechvEvaluation/MReporting/issues/293

@thomasnwilson will setup an automated REDCap something to email alerts to a Project Owner to upload their annual IRB approval document.

@thomasnwilson

I'd like for our REDCap address name to change from miechvprojects.
to redcapbbmc.

Also, please check to see if we can use aliases for individual projects. Be sure to ask what happens when an alias is appended with a private survey tag.

Thanks.

@wibeasley

Where are the BBMC logos stored? Also, can you direct me to the code you used to create the logos? I am needing the specific color codes. You can just e-mail me directly. I would have e-mailed you, but you're still in e-mail timeout.

From https://github.com/OuhscCcanMiechvEvaluation/MReporting/issues/293

Create a plyr-ized report of the audit log and send to @bard1536.

The headings will be

• REDCap Project
• User
• Activity Type

For each activity type, there will be

• the number of times it occurred during the reporting period
• the first time it occurred during the reporting period
• the last time it occurred during the reporting period

After the REDCap governance meeting last week, Randy suggested that I list all the ways a user might be flagged during the audit. We'll Then asses the probabilty of that occurring. And then assess the potential damage of each. He generously said he'd help with the last two, after I create a list.

From https://github.com/OuhscCcanMiechvEvaluation/MReporting/issues/293

@wibeasley will pull example audits (from Psycho Demo) and send to @bard1536

In the spirit of #8 and #10, I'd like to collect material about REDCap API and keep it in this thread, along with any accompanying comments that we have.

Important: Remember that this is a GitHub repository, and is visible to people outside OUHSC. Please don't post any material that has PHI, or material that can help someone get a step closer to REDCap PHI, such as usernames, tokens, or even URLs

From https://github.com/OuhscCcanMiechvEvaluation/MReporting/issues/293

@bard1536 will try to find that example brochure/webpage for REDCap that some other school did

I need to talk to campus IT about snapshotting the VMs before @thomasnwilson upgrades them.

@wibeasley

We need to discuss a plan to "flip the switch" from LDAP to LDAP+table-based. There is a project coming online in early January that needs the table-based authentication.

Let me know when would be a good time to talk over the break.

@bard1536, as discussed today in the meeting, the governance committee needs to decide which new projects get routed to @thomasnwilson and which to Pravina.

In the spirit of #8 and #10, I'd like to collect material about REDCap API and keep it in this thread, along with any accompanying comments that we have.

Also, if you're looking for issues related to API security, please scan Issue #10.

Important: Remember that this is a GitHub repository, and is visible to people outside OUHSC. Please don't post any material that has PHI, or material that can help someone get a step closer to REDCap PHI, such as usernames, tokens, or even URLs