Information Security Issues in Research

Transcription

1 Information Security Issues in Research March 2019 The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought. Tax information, if any, contained in this communication was not intended or written to be used by any person for the purpose of avoiding penalties, nor should such information be construed as an opinion upon which any person may rely. The intended recipients of this communication and any attachments are not subject to any limitation on the disclosure of the tax treatment or tax structure of any transaction or matter that is the subject of this communication and any attachments. Baker Tilly Virchow Krause, LLP trading as Baker Tilly is a member of the global network of Baker Tilly International Ltd., the members of which are separate and independent legal entities Baker Tilly Virchow Krause, LLP Your Presenters Mike Cullen, CISA, CISSP, CIPP/US Senior Manager, Baker Tilly Meghan Senseney Senior Consultant, Baker Tilly 2 1

2 Today s Objectives 1. Learn the specialized IT and cybersecurity risks associated with research activities 2. Explain the various IT and cybersecurity requirements typically associated with research activities (e.g., export controls and OFAC requirements, FAR/DFARS, NIST) 3. Provide an audit template of typical research IT and cybersecurity risks with recommended controls 3 Information Security Risks in Research Overview 4 2

3 Information Security Risks in Research People Processes Technology 5 People Risks Human subjects Researchers Collaborators Collection of data (does the subject provide explicit and informed consent) IRB approval Security of data De-identification of data Destruction of data Collection of data Storage and protection of data De-identifying individual level data (if required) and storing the key or coding scheme separately from data Deletion and/or destruction of data Secure data transfer to collaborators Protection of data (once data is shared, how do you ensure collaborators are following requirements for secure storage and/or protection?) 6 3

4 Process Risks - Sponsored Projects Lifecycle Finding funding Proposal & budget development Closeout & audit Routing & approval process Post-award administration Submission & review Award set-up Award review & acceptance 7 Process Risks - IT Centralized versus decentralized management Logical security (authentication, passwords) User access (internal transfers, terminations, reviews) Change management (changes made to applications used to store, manage, and track sponsored projects and awards) Physical security of workstations, laptops, tablets, servers, and other specialized equipment for researchers Funding for initial IT investments, as well as long term funding after sponsored agreement is done 8 4

5 Technology Risks Enterprise systems Research-specific systems Rogue systems Access control (when individuals in research areas transfer or leave, central IT may not be aware until days or later) Can data be accessed via mobile device Lack of centralized management Controls implemented by non-it individuals (e.g., grad students) Lack of controls implemented (backups, user access reviews) Interfaces with enterprise systems Unknowns central IT or research administration may not even be aware of these systems since they are not responsible for managing (where is the data, who has access, who is managing the system) Lack of basic controls implemented 9 Information Security in Higher Education Increased complexity and oversight challenges in a decentralized environment Subject to many laws and regulations due to: Breadth and nature of business operations Faculty, staff, students, and alumni from many states and countries Numerous stakeholders for research compliance responsibilities Culture values the open exchange of information for scholarship and research Global constituents and community members mean expanded legal requirements Size and complexity of IT environments, including multiple applications and data stores holding personally identifiable information (PII) 10 5

6 Focus on cross-disciplinary collaborations, innovations, and partnerships Changing world of research Increasing complexity in sponsor requirements Increasing expectations of accountability Decreasing federal funding and changing priorities of US government research sponsors 11 Human Subjects Definition A human subject is defined as a living individual about whom a researcher (whether a professional or a student) obtains data through intervention or interaction with the individual or from individually identifiable information Regulations and ethical guidelines governing the use of human subjects: 45 CFR 46: Protection of human subjects Guidelines for Conduct of Research Involving Human Subjects at NIH The Belmont Report: Ethical principles and guidelines for the protection of human subjects of research Nuremberg Code: Directives for human experimentation World Medical Association Declaration of Helsinki 12 6

7 Human Subjects Oversight Human subject research is controlled based on oversight and monitoring by the Institutional Review Board (IRB) The IRB is responsible for approving any research protocols involving human subjects, and monitoring the conduct of these research activities The IRB reviews human subject research projects according to three principles: Minimize the risk to human subjects (beneficence) Ensure all subjects consent and are fully informed about the research and any risks (autonomy) Promote equity in human subjects research (justice) All human subjects research (including but not limited to recruitment) must be approved by the IRB before commencing The IRB typically approves projects for one year, thereafter conducting annual reviews 13 Human Subjects IT/Cyber Considerations Research involving human subjects does not alone trigger an IT security requirement; however, a lot of research is medical-related There is a high chance that the research being done involving human subjects would fall under HIPAA, DFARS, and/or other IT security requirements Researchers and PIs are likely not trained to recognize IT security requirements or understand the implications 14 7

8 IT and Cybersecurity Requirements in Research 15 Data Management Plans and Data Use Agreements Data Covered Why Higher Ed? Summary of Requirements Research sponsors typically reserve the right to audit data and examine records relevant to a grant In most cases, the institution owns the rights to the data. However in some sponsored research, the sponsor retains ownership. Certain agreements require institutions to store data for a certain period of time Certain agreements require institutions to publish data to allow for public access after research activities are completed The Bayh-Dole Act of 1980 allowed universities to have control of the intellectual property generated from federally-funded research Sponsors, including federal agencies, include data use requirements in grants, contracts, and cooperative agreements NSF policy, effective as of January 18, 2011, requires all proposals to include a data management plan Various federal agencies and other research sponsors have different data security and retention requirements. Sponsors also have requirements related to the timely sharing of data. 16 8

9 HIPAA Data Covered Why Higher Ed? Summary of Requirements Protected health information (PHI): Names; addresses; telephone; Dates (except year) Any unique identifying numbers (e.g., SSN; medical record; account) Device identifiers; web URLs; IP addresses Biometric identifiers; full-face photographs; identifying genetic information Applies to an educational institution which is designated as a covered entity, business associate, or hybrid entity Three main rules: 1. Privacy rule - Notice and consent 2. Security rule - Administrative safeguards - Technical safeguards - Physical safeguards 3. Data breach rule - Breach response plan Designate a HIPAA privacy officer and a HIPAA security officer Formalize policies and procedures Conduct periodic risk assessments 17 Potential audit/advisory activities (HIPAA): Determine the privacy and security officers roles and responsibilities with respect to development of policies and practices Gain an understanding of the system(s) in place that log system activity on users access to personal health information (PHI) Perform a HIPAA security risk assessment to trace the flow of PHI inside and outside the institution; focusing on for critical areas: processes, people, technology, & governance Identify the controls in place that maintain the disclosure logs for six years Review HIPAA training to ensure it covered HIPAA requirements 18 9

10 GDPR Data Covered Why Higher Ed? Summary of Requirements Personal data of EU individuals: Governs the collection, processing, use, and storage of personal data relating to any individual in the European Union (EU), including: - Citizens - Residents - Visitors - EU citizens living abroad Personal data is broadly defined, but includes: - Name - IP address - address - Date of birth - Gender Applies to all organizations (regardless of location) processing and holding the personal data relating to any EU individual Potentially applies if your institution has: - EU campus(es) - EU-based partner institutions - Students studying in the EU - Faculty teaching in the EU - Students, applicants, athletes, staff, faculty, alumni, donors, or patients who are EU citizens/residents - Visiting faculty or other visitors from the EU - EU-based vendors - Research subjects from the EU Breach notification Right to access Right to be forgotten Data portability Privacy by design - Data minimization Data Protection Officer 19 Potential audit/advisory activities (GDPR): What is your institution s GDPR footprint? (meaning, how does this apply to us?) Do you know how and where your institution s GDPR-covered personal data resides and how it is used, including EU citizen and resident students, faculty, staff, applications, donors, alumni, and human subjects? Does your institution practice data minimization? Does your institution practice privacy by design and privacy by default? Has your institution defined its risk threshold for GDPR? Is your institution prepared for right to be forgotten and data portability? 20 10

11 Export Controls Data Covered Why Higher Ed? Summary of Requirements Covers dual use items found on the Commerce Control List (CCL), which includes goods, equipment, materials, and software and technology Regulates items designed for commercial purposes which also have military applications (computers, pathogens, civilian aircraft, etc.) Institutions must be aware of deemed exports (transfer of items within a lab to foreign nationals) Sanction mechanisms intended to advance US trade interests and foreign policy initiatives, and to protect and promote our national security Governed by three federally-managed lists: International Traffic in Arms Regulations (ITAR); Department of State Export Administration Regulations (EAR); Department of Commerce Office of Foreign Assets Control (OFAC); Department of the Treasury Regulations apply to goods, technology, and related information 21 Potential audit/advisory activities (Export Controls): Applicability of exemptions Deemed exports Licensing Shipping and payments to foreign persons outside the US Faculty, staff, grad students Travel o Physically taking items with you on a trip such as: Laptop Encryption products on your laptop Cell phone Data/technology Blueprints, drawings, schematics Other tools of the trade Giving controlled technology/data to a foreign person outside the US 22 11

12 Controlled Unclassified Information (CUI) Data Covered Why Higher Ed? Summary of Requirements CUI: Names; addresses; telephone; Information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls Excluding information that is classified Every federal agency has different CUI The National Archives, as the Executive Agent of CUI, has developed the CUI Registry ( which is the authoritative source for guidance regarding CUI policies and practices Applies to an educational institution which engages in research activities sponsored by or contracts/agreements with the federal government 23 Varies based on contract but all require basic cybersecurity protections be implemented DFARS Cyber Rule requires NIST SP FAR Basic Safeguarding Rule requires 17 basic controls from NIST SP FISMA requires NIST SP Types of Federal Information CUI CDI Controlled Unclassified Information - Information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified (see Executive Order and CUI Registry at Covered Defense Information - Unclassified information provided to the contractor by or on behalf of DoD in connection with the performance of the contract, or collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract (see DFARS ) CDI FCI Federal Contract Information - Any information provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided to the public (e.g., publicly accessible website data) or simple transactional data (e.g., billing or payment processing data) 24 12

13 Examples of Federal Information CUI see CUI Registry FCI Critical Infrastructure Financial Proprietary Business Information CDI Unclassified Controlled Technical Information or other information as described in the CUI Registry requiring safeguarding! see DFARS Any information that is NOT provided to the public or simple transactional data! see Federal Register; Basic Safeguarding ruling 25 FAR Case (CUI) Data Covered Why Higher Ed? Summary of Requirements Implements the National Archives and Records Administration (NARA) CUI program of E.O As the executive agent designated to oversee the Government-wide CUI program, NARA issued regulations in 2016 to address agency policies for designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI. Applies the requirements contained in the 32 CFR Part 2002 and NIST SP to industry (i.e., beyond defense contractors) Specific clause 32 CFR Safeguarding Types of CUI standards (i.e., basic or specified) Non-Federal information systems must use NIST SP

14 DFARS (CDI) Data Covered Why Higher Ed? Summary of Requirements Unclassified information provided to the contractor by or on behalf of DoD in connection with the performance of the contract, or collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract Where contractor is handling CDI on their systems, must implement safeguarding controls according to NIST SP For systems operated on behalf of the government, see specific contract guidance and/or DFARS Cloud Computing Services if applicable Any other such services or systems (i.e., other than cloud computing) are subject to the security requirements specified in those contracts Implement adequate cybersecurity safeguarding controls on all covered contractor information systems following NIST SP Rapidly report cyber incidents affecting contractor information systems or CDI residing within those systems to the Federal Government A cyber incident is any action taken through computer networks resulting in the compromise, or an actual or potentially adverse effect, of an information system and/or the information residing within those systems 27 FAR Part (FCI) Data Covered Why Higher Ed? Summary of Requirements Effective June 2016; requires contractors to implement 15 safeguarding controls and procedures, mapping to 17 control requirements in NIST SP Establishes basic, minimal information system safeguarding standards which Federal agencies are already required to follow internally and most prudent businesses already follow as well Applies to covered contractor information systems owned or operated by contractors that process, store, or transmit FCI 17 controls from NIST SP Rule does not apply to sales of commercially available off-the-shelf (COTS) items. For example, contractors who are resellers of COTS items (e.g., printers, copiers) may not be impacted

15 Federal Information Security Management Act (FISMA) Data Covered Why Higher Ed? Summary of Requirements Provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets NIST charged with developing guidelines and control standards Applies to federal agencies, as well as contractors operating systems on behalf of the government Certain agencies now include FISMA requirements within federal grants and contracts, impacting higher education institutions NIST control standards require documented evidence of control effectiveness 29 Who is Impacted? For subcontractors and suppliers, flow-down requirements apply! Subcontractors are ultimately responsible for implementing cybersecurity safeguarding controls to be in compliance Subcontractors will be held accountable for breaches if they have not implemented required controls Prime contractors may be impacted by breaches involving their subcontractors Prime contractors may proactively engage key subcontractors to understand their current security posture and assess risk to their contracts Collaborative solutions are being implemented to capture information on subcontractors cybersecurity safeguarding practices 30 15

16 Federal data protection audit tips Work with your general counsel or legal on all privacy related audits/assessments/reviews due to the complex nature and variety of privacy and security laws and regulations Include privacy and security specific questions or criteria into the scope of all types of audits (e.g., financial, operations, IT) Be prepared to modify the scope of audits due to privacy and security s pervasive reach 31 Federal data protection audit tips (cont.) During a privacy/security risk assessment or audit, Internal Audit should involve: - General counsel or legal - Compliance - Information technology and security - Human resources - Admissions - Financial aid - Registrar - Development/Advancement - Clinic and counseling center - Finance and accounting - Dining services - Athletics 32 16

17 Federal data protection audit tips Perform an early morning or late night inspection of departments and offices (with cooperation of police/public safety/security) to identify: Unsecured (e.g., out on desks, left on printers/copiers) physical records containing personal information Computer equipment not physically secured or screen locked Review mobile device (e.g., smart phones, tablets, laptops) security configurations by working with technical experts in IT/security Review information security plans/programs against legal requirements 33 Audit Templates for Research IT and Cybersecurity Controls 34 17

18 Example control questions to ask What are all of the types of data that your lab collects, analyzes, and/or creates (e.g., human subjects, health data, intellectual property, government supplied data)? Does your lab have to manage any data following a data use agreement for any sponsored work? Does your lab have any documented data management plans for any sponsored work? Does your lab manage any network security devices (e.g., firewalls) or configurations? Does your lab maintain an up-to-date inventory of all hardware devices on the lab network? Does your lab maintain an up-to-date inventory of all authorized software that is required in the lab for any research purpose on any research system? 35 Example control questions to ask (cont.) Does your lab prioritize (i.e., categorize) research data based on classification, criticality, and business value? Does your lab review existing user accounts and administrative privileges on computers, networks, and applications quarterly? Does your lab review existing versions of system security agent software and regularly apply the most current security updates to devices in your lab? Does your lab manage the security configurations on devices in your lab (e.g., workstations, laptops, desktops, tablets, phones)? Does your lab have encryption on workstations (laptops, desktops, phones, tablets) or hard drives in the lab? Does your lab manage and protect the physical access to data and devices within the lab? 36 18

19 Example control questions to ask (cont.) Does your lab utilize centrally-managed anti-malware software to continuously monitor and defend each of the lab's workstations and servers? Does your lab ensure that all system data is automatically backed up on a regular basis? Does your lab maintain an inventory of all accounts organized by authentication system? For all functional roles in the lab (prioritizing those mission-critical to the research and its security), are the necessary knowledge, skills and abilities identified? Are all employees instructed to report any suspicious or unauthorized use of personal or research data in accordance with the University's policies and procedures? 37 Contact information Mike Cullen, CISA, CISSP, CIPP/US Senior Manager, Baker Tilly mike.cullen@bakertilly.com Meghan Senseney Senior Consultant, Baker Tilly meghan.senseney@bakertilly.com

20 Questions? 39 20

21

22

23

24

25

26

27

28

29

30