
Training

All roles involved in a CUI Program require some level of compliance training. Materials need to be developed and delivered to faculty, research team members, IT support personnel, and executive leadership so that responsibilities are understood and compliance requirements are met.

Educate Researchers on Regulations and Cybersecurity Practices

Create materials that train scientists on the regulatory requirements set by funding agencies, on how they should be prepared to handle data in order to comply with them, and on how to map agency requirements to appropriate campus cyberinfrastructure resources.

Empower Campus IT

Empower Campus IT with a standard campus framework for research cybersecurity based on NIST SP 800-171. Aligning with NIST lays the groundwork for potential future requirements to handle CUI and for building a general capability to support HIPAA.

Improve Processes for Research Administration

Develop a single intake and contracting process that lets the sponsored programs office, human subjects office, and export control office easily map projects to CI resources.

Contract Review

Contract review is a key step in identifying controlled research through specific contracting terms.

Develop CI Professionals

Involve undergraduate students in creating the framework. Students are well suited to understand the risks associated with regulated data as they apply their conceptual knowledge to real-world problems. By pairing students with staff mentors and area Information Systems Security Managers, we will help prepare them to become skilled cybersecurity professionals ready to contribute when they join the workforce.

Use Common Language

When working with CUI, new terms, definitions, and categories might be introduced. Learning common terms will help with project communication and with communication with the regulatory office. Below is an example of common language for securing access to systems and data.

Security levels and examples

Columns: Service | Security Level | Example Data Types | Platform | Heightened Security Controls

Level 1: Fundamental Research
  Example data types: Published and shared broadly within the research community
  Platform: Community Cluster Storage; PURR; Cloud Storage
  Heightened security controls: Common Security Controls as designated by University policy and guidelines.

Level 2: Sensitive Research
  Example data types: Non-Personal Data (De-Identified data)
  Platform: Lab or Departmental Storage; Controlled Cloud Storage
  Heightened security controls: Previous levels +
  • Systems Encryption in Transit
  • Encrypted at Rest
  • Authentication & Authorization
  • Least Privilege
  • Research Project Separation
  • Transactions Logged and Monitored
  • Firewalls or Network Access Controls Required
  • Compliance Controls

Level 3: Restricted Research
  Service: REED+ Ecosystem
  Example data types: Health Data (HIPAA, PHI, PII...); Student Data (FERPA)
  Platform: Controlled Cloud Storage
  Heightened security controls: Previous levels +
  • Controlled Folder
  • Limited Sharing Access
  • Increased Monitoring

Level 4: Export Control Research
  Service: REED+ Ecosystem
  Example data types: Government Regulated Technology; Defence-related non-classified Data (ITAR, EAR)
  Platform: On-Prem Weber Cluster
  Heightened security controls: Previous levels +
  • US Persons access only
  • Segregated Physical Controls

Annual Training is not Enough

Approximately three trainings per year is optimal if the messaging is slightly different each time. Training does not stick with most team members for more than a few months, so holding quick, recurring training events a few times a year will help prevent mistakes. It also surfaces gaps and conflicting practices sooner.

Promote Good Security Practices

Providing rewards for good security practices can be an effective way to promote those practices. Incentivizing the reporting of suspicious behavior is a good way to help keep the workspace and the project secure.

Training for Incident Response: Perform Risk Assessments

Goals

  • Evaluate capabilities and assess progress towards meeting capability targets.
  • Reach consensus on identified threats and areas for improvement, and develop a set of improvements that directly address core capability gaps.
  • Improvements must be resolved through the implementation of concrete corrective actions.

Questions to Ask After the Training

  • What went right?
  • What changes need to be made to plans and procedures to improve incident response?
  • What changes to equipment or resources are needed to improve performance?
  • What training is needed to improve performance?
  • What are the top 3 lessons learned for approaching similar problems in the future?

Types of Role Based Training

Researcher-Based Training

  • Incident Reporting
  • System Usage
  • Technology-Enforced Controls
  • Mobile
  • Insider Threats
  • Data Handling
  • Local Policies
  • Where to Gain Additional Help

Export Control Staff

  • TCP (Technology Control Plan)
  • Insider Threats
  • Web Portal
  • Physical Exports
  • Data Egress

System Administrators

Management

  • Insider Threats
  • CUI Legal
  • Hiring Requirements
  • Incident Management

This work is supported by the National Science Foundation under Grant No. 1840043. Any opinions, recommendations, findings, or conclusions expressed are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.