The Secure Enclave Service provides U-M researchers with high-performance, secure, flexible computing environments in which they can analyze sensitive data sets, by hosting Linux and Windows Servers and Virtual Desktops.
The Secure Enclave Service provides a secure environment in which to maintain or share many types of the university’s sensitive institutional data. In addition, the service provides an environment that is compliant with regulations for some types of sensitive regulated data. Protecting sensitive data is a shared responsibility. You are responsible for ensuring that your use of the Secure Enclave Service complies with applicable laws, regulations, and policies.
A Declaration of Intent to store and process sensitive data is required during setup, before the Secure Enclave Service is used with any sensitive institutional data.
The U-M Office of Research has approved the service for the sharing or maintaining of Export Controlled research. You must also maintain your own Export Control-compliant practices and protocols when using the service.
The Secure Enclave Service includes the safeguards required by HIPAA; accordingly, you may use it to maintain Protected Health Information (PHI). To satisfy internal HIPAA requirements, you must declare the intent to store and process PHI at setup. This allows the use of a system template for tracking PHI as required by HIPAA. Complying with HIPAA's requirements is a shared responsibility. Users sharing and storing PHI in the Secure Enclave Service are responsible for complying with HIPAA safeguards, including:
- Using and disclosing only the minimum necessary PHI for the intended purpose.
- Obtaining all required authorizations for using and disclosing PHI.
- Ensuring that PHI is seen only by those who are authorized to see it.
- Following any additional steps required by your unit to comply with HIPAA.
The Secure Enclave Service includes safeguards required by NIST 800-171 Rev. 1 for Controlled Unclassified Information (CUI). The intent to store and process CUI must be declared at setup so a compliant system template can be applied. The service can be used to store and process CUI because of external audit and joint processes developed to process CUI.