Training
Educate Researchers on Regulations and Cybersecurity Practices
Create materials that train scientists on the regulatory requirements set by funding agencies, on how they should handle data to comply with those requirements, and on how to map agency requirements to the appropriate campus cyberinfrastructure (CI) resources.
Empower Campus IT
Empower campus IT with a standard campus framework for research data security based on NIST SP 800-171. Aligning with NIST SP 800-171 lays the groundwork for potential future requirements to handle CUI and builds a general capability for supporting HIPAA.
Improve Processes for Research Administration
Develop a single intake and contracting process shared by the sponsored programs office, the human subjects office, and the export control office, one that also makes it easy to map each project to the appropriate CI resources.
Contract Review
Contract review is a key component for identifying controlled research, because the controlling requirements appear as specific contracting terms.
Develop CI Professionals
Involve undergraduate students in creating the framework. Students are well suited to understanding the risks associated with regulated data as they apply their conceptual knowledge to real-world problems. By pairing students with staff mentors and area Information Systems Security Managers, we will help prepare them to become skilled cybersecurity professionals ready to contribute when they join the workforce.
Use Common Language
When working with CUI, new terms, definitions, and categories may be introduced. Learning common terms helps with communication within the project and with the regulatory office. Below is an example of common language for describing security levels for access to systems and data.
Service | Security Level | Example Data Types | Platform | Heightened Security Controls |
---|---|---|---|---|
 | Level 1: Fundamental Research | Published and shared broadly within the research community | Community Cluster Storage; PURR; Cloud Storage | Common security controls as designated by University policy and guidelines |
 | Level 2: Sensitive Research | Non-personal data (de-identified data) | Lab or departmental storage; Controlled Cloud Storage | Previous levels + |
REED+ Ecosystem | Level 3: Restricted Research | Health data (HIPAA, PHI, PII...); Student data (FERPA) | Controlled Cloud Storage | Previous levels + |
 | Level 4: Export Control Research | Government-regulated technology; Defense-related non-classified data (ITAR, EAR) | On-Prem Weber Cluster | Previous levels + |
Annual Training is not Enough
Approximately three trainings per year is optimal if the messaging is slightly different each time. Training does not stick with most team members for more than a few months, so quick, recurring training events a few times a year will help prevent mistakes. Recurring training also surfaces gaps and conflicting practices sooner.
Promote Good Security Practices
Rewarding good security practices is an effective way to promote them. Incentivizing the reporting of suspicious behavior is a good way to help keep the workspace and the project secure.
Training for Incident Response: Perform Risk Assessments
Goals
- Evaluate capabilities and assess progress towards meeting capability targets.
- Reach consensus on identified threats and areas for improvement, and develop a set of improvements that directly address core capability gaps
- Improvements must be resolved through the implementation of concrete corrective actions
Questions to ask After the Training
- What went right?
- What changes need to be made to plans and procedures to improve incident response?
- What changes to equipment or resources are needed to improve performance?
- What training is needed to improve performance?
- What are the top 3 lessons learned for approaching similar problems in the future?
Types of Role Based Training
Researchers:
- Incident Reporting
- System Usage
- Technology-Enforced Controls
- Mobile
- Insider Threats
- Data Handling
- Local Policies
- Where to Gain Additional Help
Export Control Staff:
- TCP (Technology Control Plan)
- Insider Threats
- Web Portal
- Physical Exports
- Data Egress
System Administrators:
- Regulations
- Penalties
- Architecture
- Access
- Insider Threats
- Expectations
- Incident Management
Management:
- Insider Threats
- CUI Legal
- Hiring Requirements
- Incident Management
This work is supported by the National Science Foundation under Grant No. 1840043. Any opinions, recommendations, findings, or conclusions expressed are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.