Security Practices and Processes

Risk Assessment

  • Work with the Security Office to perform a security risk assessment both for new and existing projects
  • Document this process while also prioritizing risks
  • Review risk assessments at least yearly to ensure that reports are kept current
  • Manage any risks. This includes:
    • Accepted risks
    • Unaccepted risks
    • Risks with a temporary mitigation in place

Cybersecurity Baseline for Federal Contract Information (FCI)

FCI has special cybersecurity requirements defined in FAR 52.204-21.

Review required safeguards to ensure that they are performed. The requirements are basic cybersecurity protections. If data is meant to be private and protected, the safeguards should already be performed for the research program. It is important to document procedures to ensure the security controls are performed. Work with IT if there are managed systems.

Cybersecurity Baseline for CUI

NIST 800-171

NIST 800-171 is a set of guidelines that standardizes how executive agencies and federal government contractors protect CUI.

More about NIST 800-171

NIST 800-171 Rev.2 provides the security requirements for protecting CUI when the information resides on nonfederal systems. All requirements in 800-171 Rev.2 must be addressed. The security requirements contained in 800-171 Rev.2 are only applicable to a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreement.

Exceptions or deficiencies to the security requirements are managed using a plan of action. This document helps manage risk; do not use it in place of implementing the controls.

Self-attest to compliance. 800-171A provides assessment procedures and a methodology for conducting assessments of the CUI security requirements.

System Security Plan (SSP)

An SSP is a plan that provides an overview of the security requirements of a system, describes the controls in place (or planned to be in place), and describes the responsibilities and expected behavior of all individuals who access the system.

NIST 800-171 covers the requirement to create and maintain an SSP. NIST also provides a template as supplemental material.

A system security plan should:

  • Record system categorization
  • Define owners for the data, system, and security
  • Provide a general description and purpose for the system
  • Describe the environment
    • Hardware components
    • Software components
    • Maintenance options
  • Status of the required security controls
    • Implemented
    • Planned to be implemented
    • Variance to the original control
  • Diagrams:
    • System boundaries
    • System interconnections
    • Key devices
    • Network Boundaries
    • Data Flow

Additional Plans to Consider

  • A plan to deal with publication restrictions or to track approvals
  • A plan to deal with potential shipping restrictions
  • When dealing with CUI Specified, there could be additional handling controls outlined by an agency that differ from those for CUI Basic.

Why are Security Controls Important?

Not only are controls required by regulation, but they protect the confidentiality, integrity, and availability of the information system and its data.

The Research Team

Define an oversight role for the team on your project. This ensures that compliance and security requirements are maintained throughout the lifecycle of the project. This role should be given to people with a leadership role within the project. Create a partnership with the IT, Regulatory, and Security Offices. This will help reduce work related to compliance and security activities by allowing for effective communication between trusted parties.

Plan to:

  • Update IT systems regularly
  • Train Staff on compliance and security requirements
  • Manage whole disk encryption
  • Maintain Technology Control Plans and Additional Documentation
  • Manage Authorization Resources

Regulatory Oversight

The institution's regulatory office should be reviewing the following:

  • Publication approvals
  • Restrictions on participants
  • Dissemination limits
  • Jurisdiction Review
  • Technology Review
  • Foreign Sponsors

Contract review is a key component of identifying controlled research via specific contracting terms.

Technology Control Plans (TCP) or System Security Plans could be required when working with CUI.

Most institutions have required compliance training for staff on controlled research projects. This could be required before beginning research activities.

The Role of the Researcher

  • Protect People's Privacy
  • Protect Research Data
  • Protect Systems, Update Software
  • Look for Insider Threats
  • Look for Malicious System activity using Antivirus
  • Use Approved Networks
  • Reduce incidents using the defined processes
  • Report IT security incidents promptly
  • Reduce risk by keeping systems up to date

Insider Threats may include:

  • Sabotage
  • Theft
  • Espionage
  • Fraud
  • Competitive Advantage

Insider Threat Types

  • Malicious
    • Sabotage
    • Intellectual Property
    • Espionage
    • Fraud
  • Inadvertent
    • Human Error
    • Bad Judgment
    • Phishing
    • Malware
    • Unintentional Aiding and Abetting
    • Stolen Credentials
    • Convenience

The Role of the Institution

  • Security Awareness Program
  • Data Security Plans
  • Automated System Updates
  • Have an Insider Threat Program
  • Alert on Malicious Activity
  • Annual Regulatory Review
  • Incident Response and Policy Procedures
  • Track Risk

Installing Security Requirements

Implement the security controls outlined in the previously created SSP. Amend the SSP if the controls change. Communicate milestones to the project team, researchers, regulatory office, and IT teams. Conduct new security reviews if there are major changes to the plan. When making changes, ensure they still meet regulatory requirements.

Testing Systems

Test the security and compliance controls prior to going live. Create a security report outlining any findings from testing. Address each finding, or determine whether it is safe to operate with it unresolved. Add the remaining findings to the risk assessment or adjust the security plan.