/Docs/G/GA4GH/data-security/DSIP_v4.0/Sec/Intro/0.md
Ti = Introduction
1.sec = This document describes the data security infrastructure recommended for stakeholders in the Global Alliance for Genomics and Health (GA4GH) community. This is not meant to be a normative document, but it should be framed as a set of recommendations and best practices to enable a secure data sharing and processing ecosystem. However, it does not claim to be exhaustive, and additional precautions other than the ones collected herein might have to be taken to be compliant with national / regional legislations. As a living document, the Data Security Infrastructure Policy will be revised and updated over time, in response to changes in the GA4GH Privacy and Security Policy {FtNt.1.Xnum}, and as technology and biomedical science continue to advance.
2.sec = The GA4GH is an unincorporated collaboration among entities and individuals pursuing the common mission of accelerating progress in medicine and human health by advancing a common infrastructure of harmonized approaches to enable effective and responsible processing of clinical and genomic data. Towards that end, the GA4GH develops standards aiming to enable responsible genomic data processing within a human rights framework.
3.sec = All of these standards depend upon a safe, robust, and trustworthy technology infrastructure that, along with a set of common values and expectations set forth in the Framework for Responsible Sharing of Genomic and Health-Related Data {FtNt.2.Xnum}, provide the foundation for the GA4GH ecosystem. The viability and success of the envisioned GA4GH ecosystem are directly dependent upon trust – the ability of Alliance stakeholders to trust each other, the ability of users to trust the technology infrastructures within which the GA4GH standards are implemented, and the ability of individuals who contribute their personal clinical and genomic data to trust GA4GH stakeholders to use their data responsibly and respectfully.
4.sec = As an interdependent, emergent ecosystem, the GA4GH supports multiple physical and logical architectures. Therefore, the security technology outlined herein is not intended to describe a physical or operational implementation, but rather suggests a set of security and architectural standards, guidelines, and best practices for implementing and operating a trustworthy, federated environment within which data and services are shared. Given the important role that trust plays in pursuing the mission of the GA4GH, the security technology infrastructure is not limited to those mechanisms traditionally considered “security” technologies, such as authentication, authorization, access control, and audit, but also includes architectural guidance for building and operating trustworthy systems – that is, systems that can be relied upon to perform their expected functions and to withstand threats to data integrity, information confidentiality, and service availability.
5.sec = The Framework for Responsible Sharing of Genomic and Health-Related Data describes the principles that form the trust foundation for GA4GH. The GA4GH Privacy and Security Policy, which builds upon this Framework, articulates policies for securing the data and services provided under the auspices of the GA4GH with the privacy of the individuals who enable their genomic and health-related data to be discovered, accessed, and used. The Data Security Infrastructure Policy defines guidelines, best practices, and standards for building and operating a technology infrastructure that adheres to the GA4GH Framework principles and enforces the GA4GH Privacy and Security Policy.
6.sec = Figure 1. Framework, Data Privacy and Security Policy, and Data Security Infrastructure Policy relationships.
7.sec = The technology infrastructure defined herein aims to reflect the prevailing state of practice, while enabling emerging approaches to processing sensitive information on a massive scale. It is intended to support a broad range of existing use cases, while allowing innovation. We realize that as the volume and value of clinical and genomic data continue to increase exponentially, threat agents will become ever more determined to find and exploit vulnerabilities in the technology infrastructures that transmit, store, and process this data.
8.sec = We strongly encourage organizations to adhere to a recognized security framework, such as ISO/IEC 27001 {FtNt.3.Xnum} or the U.S. National Institute of Standards and Technology Special Publication 800-53 {FtNt.4.Xnum}, to accomplish the control and assurance objectives arising from identified risks concerning data sensitivity and integrity, and service availability.
= [G/Z/paras/s8]