Information Security · Teachers College
Your Researcher Pathway
Not sure where to start — or who to talk to first? Select your role and your situation below. We'll walk you through the right steps, in the right order, with the right people.
I am a…
Select your role to see your personalized pathway.
What describes your situation?
Choose the scenario that best matches where you are right now.
Starting a new funded research project
You have a grant award or are preparing a proposal involving data collection.
Received a data use agreement
An external organization has sent you a DUA to sign before sharing data.
Need to share data with another institution
You want to collaborate with researchers at another university or organization.
Just arrived at TC
You're new to Teachers College and want to set up secure research practices.
Starting a new funded research project
Follow these steps in order — the sequence matters, especially if human subjects are involved.
-
1IRB
Determine if IRB review is required
If your project involves human subjects, IRB review must begin before data collection. Contact the TC IRB office to confirm whether your project qualifies and what level of review is needed.
Visit the TC IRB office → -
2Information Security
Schedule a consultation with Information Security
Meet with the InfoSec team to review your data types, storage plan, and any sponsor cybersecurity requirements. We can also help you draft the data security section of your IRB protocol or grant proposal.
Schedule a consultation → -
3You
Create a data security plan
Document how your research data will be stored, accessed, shared, and destroyed. InfoSec can review and co-develop this with you. Many sponsors require this as part of the award.
Download the template → -
4Office of the General Counsel
Submit any contracts or agreements to OGC
If your grant comes with a sponsored research agreement, data use agreement, or other contract, submit it to the Office of the General Counsel for review before signing.
Contact the OGC → -
5IRB
Complete your IRB submission
Submit your full IRB protocol, including the data security plan reviewed by InfoSec. Do not begin data collection until IRB approval is received.
Visit the TC IRB office →
Received a data use agreement
Do not sign a DUA until OGC and InfoSec have both reviewed it.
-
1Office of the General Counsel
Submit the DUA to OGC first
OGC must review and approve all data use agreements before they are signed. Do not sign anything until OGC has cleared it. Send them the full agreement along with a description of the data involved.
Contact the OGC → -
2Information Security
Schedule a consultation with Information Security
Once OGC is reviewing, bring InfoSec in to assess the cybersecurity requirements in the DUA. We'll help you understand what controls are required and confirm whether TC's systems meet them.
Schedule a consultation → -
3You
Create a data security plan
Most DUAs require a documented plan for how the data will be handled. InfoSec can help you create one that satisfies both the DUA requirements and TC's own policies.
Download the template → -
4Office of the General Counsel
OGC executes the agreement
Once all reviews are complete, OGC will sign the DUA on behalf of TC. Faculty members cannot sign DUAs in their individual capacity.
Contact the OGC →
Just arrived at TC
The first few months are the best time to establish secure habits. Here's where to start.
-
1Information Security
Schedule a new faculty security consultation
Meet with the InfoSec team to discuss your research plans, data types, and any compliance obligations you're bringing from a prior institution. We'll help you get set up correctly from day one.
Schedule a consultation → -
2You
Complete required security awareness training
All TC faculty must complete annual information security awareness training. Access it through the TC Portal — it takes about 30 minutes and covers phishing, data handling, and remote work security.
Access training → -
3You
Review TC's data classification guidelines
Understanding how TC classifies data (Public, Internal, Confidential, Restricted) will help you make the right decisions about storage and sharing throughout your research.
View the data classification guide → -
4Information Security
Register and encrypt your research devices
Laptops and other devices used for research must be encrypted and registered with TCIT. Contact the Service Desk or your InfoSec consultant to get this done.
Contact the Service Desk →
What describes your situation?
Choose the scenario that best matches where you are right now.
Working on a faculty research project
You've been brought onto a faculty member's existing research project as a research assistant or collaborator.
Conducting independent research
You're running your own study — dissertation research, a course-based project, or independent work involving data collection.
Working on a faculty research project
Your faculty advisor leads the compliance process — but you have responsibilities too.
-
1You
Talk to your faculty advisor first
Your advisor will tell you what data you'll be working with, what your access permissions are, and what security and compliance requirements apply to the project. This is always your first step.
-
2IRB
Complete CITI training if working with human subjects
If the project involves human subjects data, you will need to complete CITI training before you can access data or interact with participants. Your advisor can confirm whether this applies to you.
Visit the TC IRB office → -
3You
Complete TC security awareness training
You may be required to complete TC's security awareness training before accessing research data. Check with your advisor or the Service Desk to confirm.
Access training → -
4Information Security
Contact InfoSec if you handle sensitive data directly
If you'll be storing, processing, or transferring sensitive research data on your own devices or accounts, reach out to InfoSec for guidance on approved tools and device security.
Contact Information Security →
Conducting independent research
When you're leading your own study, the compliance responsibilities rest with you — but you don't have to figure it out alone.
-
1IRB
Determine if IRB review is required
If your research involves human subjects — including surveys, interviews, observations, or existing datasets about people — you likely need IRB review before you begin. Contact the TC IRB office to confirm.
Visit the TC IRB office → -
2Information Security
Schedule a consultation with Information Security
InfoSec can help you plan how to store and protect your data, select approved tools, and draft the data security section of your IRB protocol. This is especially important if you'll be handling sensitive or identifiable data.
Schedule a consultation → -
3You
Complete your IRB submission
Submit your IRB protocol — including your data security plan — and wait for approval before beginning data collection. Your faculty advisor or sponsor must be listed on the protocol.
Visit the TC IRB office → -
4You
Use only TC-approved tools for data collection and storage
Do not use personal cloud accounts, personal email, or consumer apps to collect or store research data. Ask InfoSec or the Service Desk for the current list of approved platforms.
View approved software →
What describes your situation?
Choose the scenario that best matches your relationship to the research project.
Continuing on a faculty member's project
A TC faculty member is sponsoring your continued access so you can assist with their ongoing research.
Completing your own research project
You graduated before finishing your own research (e.g. dissertation or independent study) and a faculty member is supervising your continued work.
Continuing on a faculty member's project
Access is granted for a default of 4 months. Extensions up to 12 months require InfoSec approval. HR processes the request first — InfoSec is the final sign-off.
-
1You / Faculty Sponsor
Confirm your faculty sponsor and initiate the request
Either you or your faculty sponsor can start this process — you both have a TC email address. Confirm with your sponsor that they are willing to vouch for your access, the scope of your role on the project, and an expected end date. Default access is 4 months.
-
2HR
Submit the affiliate request to HR
The temporary research affiliate request goes to HR first. HR will process the affiliation and confirm the employment and access basis before passing it along for security review.
Submit request to HR → -
3Information Security
InfoSec reviews and approves resource access
Once HR approves, InfoSec reviews the request and determines what TC resources and data the affiliate may access. InfoSec is the final sign-off. If you need access beyond 4 months (up to 12 months maximum), that request must be approved by InfoSec at this stage.
Contact Information Security → -
4IRB
Confirm IRB protocol covers your continued involvement
If the project involves human subjects data, confirm with the faculty sponsor that the IRB protocol still covers your role. If your student status was listed on the protocol, an amendment may be required to reflect your affiliate status.
Visit the TC IRB office → -
5You / Faculty Sponsor
Establish an offboarding plan upfront
Before access is granted, agree with your faculty sponsor on what happens at the end of the access period: what data you will return or delete, which TC systems you will be removed from, and what happens to any research outputs you've contributed to.
Completing your own research project
Access is granted for a default of 4 months. Extensions up to 12 months require InfoSec approval. HR processes the request first — InfoSec is the final sign-off.
-
1You / Faculty Sponsor
Confirm your faculty supervisor and initiate the request
Either you or your faculty supervisor can start this process. Confirm that your supervisor is willing to serve as your sponsor, document the scope of the remaining research work, and agree on an expected completion date. Default access is 4 months.
-
2IRB
Confirm or amend your IRB protocol
Confirm with your faculty supervisor that your existing IRB protocol remains active and covers your continued work as an affiliate. If your student status was a condition of the protocol, an amendment may be needed before data collection or analysis can continue.
Visit the TC IRB office → -
3HR
Submit the affiliate request to HR
HR processes the temporary research affiliate request first, confirming the affiliation basis and access period before routing to InfoSec for final review.
Submit request to HR → -
4Information Security
InfoSec reviews and approves resource access
InfoSec reviews what TC systems and data you need access to and gives final approval. If your project will take longer than 4 months to complete, request an extended access period (up to 12 months maximum) at this stage — extensions require InfoSec approval.
Contact Information Security → -
5You / Faculty Sponsor
Establish a data and offboarding plan upfront
Agree with your faculty supervisor on what happens when the access period ends: what data stays at TC, what you may take with you, what gets deleted, and which systems you'll be removed from. Clarifying data ownership now avoids disputes later.
Still not sure where to start?
The Information Security team is happy to help you figure out your next step. · 212-678-3300 servicedesk@tc.columbia.edu