Skip to Main Content

Research Data Management: Backups & Security


The Backup Rule of Three

  • Make 3 copies (1 original + 1 external and local + 1 external and remote)
  • Store copies such that they are geographically distributed (local vs. remote depends on recovery time needed)

If you choose to use CDs, DVDs and USB flash drives for working data or backup copies, you should:

  • Choose high quality products from reputable manufacturers.
  • Follow the instructions provided by the manufacturer for care and handling, including environmental conditions and labelling.
  • Regularly check the media to make sure that they are not failing, and periodically 'refresh' the data (that is, copy to a new disk or new USB flash drive).
  • Ensure that any private or confidential data is password-protected and/or encrypted.


You should always have up-to-date anti-virus software installed on your office and home computer. McAfee VirusScan software for Windows and Mac is available for free download to all CUNY faculty, staff, and students from the eMall in CUNY Portal.

You should also be aware of physical security. A computer that is not connected to a network is still vulnerable to theft and malicious damage/modification to data.

For suggestions of password management tools, consult the CUNY Academic Commons guide to Data Management Tools.

If you have sensitive data that is covered by privacy laws or confidentiality agreements, it is best to store it on a computer that is not connected to any network. If this is not possible, then you should encrypt your data. For more information on encryption software, see below.



Drives and disks where confidential data are stored should be encrypted, as should any electronic means (e.g., email) used to transmit confidential data. There are many proprietary and open-source encryption applications available. Encryption keys should always be written down and stored in two separate, secure locations.

AxCrypt is encryption software that integrates into Windows Explorer.

GPGTools (OS X) and Gpg4win (Windows) are free, open-source email encryption applications that use  GPG (GNU Privacy Guard).

Mailvelope is an application for encrypting webmail like Gmail, Outlook.

If you will be collecting data outside the United States, make sure that your encryption software will not violate Export Control regulations.

CITI Training

All CUNY faculty members, postdoctoral scholars, graduate and undergraduate students involved in research are required to complete the CITI RCR training within six weeks of initiating their research. A list of Research Integrity Officers by campus is available on the CUNY website.

This guide was developed by the CUNY Office of Library Services and is based on (and, in some cases, pulls from) guides created at the libraries at the CUNY Graduate Center, New York University, Massachusetts Institute of Technology, University of Massachusetts, University of Michigan, and Stanford University.