Cybersecurity and risk management are shared responsibilities across campus. As individuals entrusted with our academic and research mission, we must work fearlessly forward to bridge gaps and ensure we are collectively protecting the cyberinfrastructure of all research conducted at University of Maryland. The research community is often met with unique challenges and security compliance requirements that we want to help alleviate through collaboration and facilitation.
DIT’s Research Computing Cybersecurity Program
The Research Computing team's Research Cybersecurity program aims to encourage researchers to take control of their data, understand their implementation of security controls, assess security risks, and encourage an overall better security posture across UMD's research community. The program provides clarity on centrally-managed services vs. what individuals are responsible for.
By maintaining a complete inventory of all UMD research systems in OneTrust, the Research Computing team will develop a deeper understanding of university risks and be able to assist in reviewing data use agreements, system security plans, research software, etc. in order to provide well-informed recommendations based on the self-attestation form completed, DIT's security controls list, and federal compliance regulations.
The Quick Fives
Five steps UMD researchers can take to improve cybersecurity, protect confidential information, and prevent data loss:
- Use campus email for university business (IT-14: Standard on Institutional Email), always pay attention to the sender’s email, and be suspicious of unfamiliar links.
- Back up your data and store offline copies.
- Use UMD owned devices with campus anti-malware solution (FireEye) or use the UMD Virtual Workspace.
- Automatically install updates onto your devices.
- Use UMD Box to collaborate with high risk data. Use Secure Share to send messages and files containing sensitive information.
Five steps UMD researchers with servers and lab equipment can take to improve cybersecurity, protect confidential information and prevent data loss:
- Back up your data and store offline copies.
- Use UMD owned devices with campus anti-malware solution (FireEye).
- Automatically install updates onto your servers and periodically scan for vulnerabilities.
- Use Duo Multi-Factor Authentication to access your servers and contact DIT to help set up network firewalls.
- Limit, monitor, and log physical access to your server facilities.
IT Managers/System Security Officers: Review the IT-5 Checklist (Standard on the Security of Information Technology Resources) and ensure your systems are meeting campus standards.
- Use the Research Cybersecurity Toolkit below to safeguard your systems and devices.
- Request a Research Computing Consultation if needed.
- Complete the Cybersecurity Self-Attestation Form in OneTrust and submit to DIT.
- Attestations should be submitted every two years or when significant changes are made to the system (decommission, new hardware, major OS updates), whichever is shorter.
Restricted Research Data: Some data types require specific controls and processes for protections. Contact firstname.lastname@example.org or email@example.com for assistance if your research involves this data.
Prevent data loss and harm to the university by following best practices, documenting your security-focused implementations, and sharing your contact information with us so we can reach out to you when there are cybersecurity threats to our campus and data. DIT provides various cybersecurity tools and services that you can use to secure your systems. The practices are based on guidelines listed in NIST 800-171, UMD IT-4: Standard for Protecting Sensitive Information, and UMD IT-5: Standard on the Security of Information Technology Resources.
Research Cybersecurity Toolkit
- Fully understand the sensitivity of the function or operation being supported by the system and the data being stored or manipulated on the system.
- Encrypt stored sensitive data wherever possible to minimize disclosure if the system is compromised. Ensure that sensitive data can be recovered.
- Encrypt sensitive data being transmitted to-and-from the system to ensure the data is protected in transit.
- Securely remove data from media once that data or device is no longer required, in order to prevent unauthorized disclosure of data. Drive destruction is a very effective method.
- Provide protection of scientific data from ransomware and other data integrity attack mechanisms.
- Control any non-public information posted or processed on publicly accessible information systems.
- Choose not to employ operating systems or software for which security support is no longer provided. If you must, strictly limit network access to those systems.
- Proactively seek out and apply vendor-supplied fixes necessary to repair security vulnerabilities, within a time frame commensurate with the level of risk.
- Remove or disable unneeded services and software, especially those that are network accessible.
- Unless a system is on a private network, scan computers for security vulnerabilities at least monthly, to ensure new vulnerabilities are promptly identified and addressed. Scans should also be conducted:
- Immediately after installation or configuration of a new system is completed.
- Immediately after introduction of a new operating system or an upgrade to an existing operating system.
- Immediately after installation or upgrade of networking or other system software.
- Install and maintain anti-virus software on operating systems for which the university has licensed such software and maintain current virus pattern files.
- Subscribe to vendor and other advisory services applicable to the operating environment being maintained.
- Stay current on security issues that affect the university environment by joining the UTCC community of practice and visiting the security section of the DIT website.
- Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
- Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
- Identify, report, and correct information and information system flaws in a timely manner.
- Provide protection from malicious code at appropriate locations within organizational information systems.
- Update malicious code protection mechanisms when new releases are available.
- Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
- Ensure that IT resources are secured against theft and systems holding sensitive data are protected from unauthorized physical access.
- Deploy encrypted communications methods for secure access to the system.
- Where technically possible, only allow legitimate and authorized network access to systems.
- Require all users to be identified and authenticated before access is allowed.
- Perform day-to-day work as a non-privileged user and only use privileged accounts for tasks that require additional capabilities.
- How to comply:
- Create non-privileged accounts for all users.
- Create separate accounts for users who need additional privileges and instruct them to only use those accounts when they need to utilize those additional privileges.
- How to comply:
- Ensure that all accounts require a password. When technically feasible, utilize CAS (Central Authentication Service) for authentication to leverage central account management and multi-factor authentication.
- Where technically practicable, use multi-factor authentication for privileged access to servers, applications, and network infrastructure.
- Ensure that reusable passwords are not sent over the network in clear-text.
- How to comply:
- Enable SSL or other encryption capabilities.
- SSL certificates can be requested free of charge from the IT Service Catalog.
- How to comply:
- Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- Verify and control/limit connections to and use of external information systems.
- Identify information system users, processes acting on behalf of users, or devices.
- Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
- If a system is capable, log the following list of system activities. Work with DIT to determine if these logs are a good candidate for inclusion in the centralized Splunk enterprise logging solution: [IA.1.076]
- Successful user logins, including the location from which the logins originated.
- Unsuccessful login attempts, including the location from which the attempts originated.
- Unsuccessful file access attempts.
- Successful file accesses for files and databases containing sensitive data.
- The following activities must be reported immediately to the DIT IT Security Office (301-226-4225):
- Suspected or actual security breaches of university information or of information systems.
- Systematic unsuccessful attempts to compromise information.
- Suspected or actual weaknesses in the safeguards protecting university information or information systems.
- Missing or stolen equipment. Such incidents must also be reported to University Police.
- Provide regular cybersecurity awareness training for authorized users of information systems, including in recognizing and responding to social engineering threats and cyberbreaches.