Wednesday, September 27, 2017

CTSC welcomes two leading CIOs to its Advisory Committee

We are very pleased to welcome new members to the CTSC Advisory Committee:

Dr. David Halstead is the CIO for the National Radio Astronomy Observatory, a facility of the NSF operated under cooperative agreement by AUI, where his responsibilities are divided between Data Management for the Observatory’s HPC infrastructure in support of the national radio telescopes, and the general IT support for 500+ employees. He has served on a number of SuperComputing committees and is a founding member of the ACM’s SIGHPC Education Chapter. Prior to joining NRAO, he worked in the DOE Scalable Computing Laboratory in Ames Lab, and in the private sector with Celera Genomics.

Dr. Melissa Woo is the Senior Vice President for Information Technology (IT) and Chief Information Officer at Stony Brook University. Prior to joining Stony Brook University, Melissa was the Vice Provost for Information Services and Chief Information Officer at the University of Oregon. Melissa has also worked for the central IT organizations at the University of Wisconsin-Milwaukee and the University of Illinois at Urbana-Champaign leading and supporting a number of areas, including research cyberinfrastructure, enterprise IT services, and IT operations and infrastructure.

David and Melissa join a committee that consists of Tom Barton of the University of Chicago, Neil Chue Hong of the UK Software Sustainability Institute, Nicholas Multari of Pacific Northwest National Lab (PNNL), and Nancy Wilkins-Diehr of the San Diego Supercomputing Center.

Both David and Melissa bring key expertise and experience to the advisory committee. David, as CIO of NRAO, has the perspective of an NSF Large Facility and the cybersecurity challenges such facilities face in supporting research. Melissa, as CIO at Stony Brook, brings a wealth of experience in higher education IT and the key role it plays in supporting research nationally.

We thank both David and Melissa for joining the CTSC Advisory Board and look forward to working closely with them to address the cybersecurity challenges facing research and science.

We also take this opportunity to thank Don Middleton of NCAR for his service on the Advisory Committee and wish him well in retirement.

Thursday, September 21, 2017

Ask CTSC: Questions for leadership to ask when considering handling regulated data.

We at CTSC field questions from the community about cybersecurity, either sent directly to the team or via our email address. To better help a broader portion of the community, we're going to start posting our responses here on the blog so they are available. (Don't worry, if your question is sensitive in some way we'll either answer it privately or work with you to sanitize it.) This represents the first of such answers. -Von

Yesterday we received the following question from a member of the community:
What are the key questions that research computing leadership or a VP/VC/Dean of research should be asking themselves if they are considering taking on regulated data?
The question came with an "I need this by Friday" plea, so here's our admittedly quick answer. Please chime in with a comment if you have suggestions.

Questions for leadership to ask when considering handling regulated data.
  • How can you best be involved at the contract negotiation phase? A number of folks have had success negotiating regulated data terms out of contracts.
  • How do you track demand and judge when it is time to take the compliance plunge? Sometimes it will be one large project that justifies the cost; other times it will be an aggregation of smaller requests and the expectation of future need.
  • How do you track the actual needs of the researchers? While we tend to think of compliance for infrastructure or projects, the real issue is the end-to-end workflows of the researchers. In general you want to implement your compliance infrastructure to satisfy as many workflows, and hence projects, as possible.
  • When does outsourcing compliance make sense? At the 2017 NSF Cybersecurity Summit, we heard from three major cloud vendors with compliance solutions, and it was clear that while they handle key parts of compliance, it is at most a partnership and responsibility still resides with the institution.
  • What formal processes and mechanisms will you need to institute to manage regulated data contracts? Ideally, the PI would contact the Office of Research Administration, which would then work with the CISO/central IT/research computing/compliance to evaluate needs, provide resources and a security budget for the PI to include in the contract, and help PIs with reporting to the agency (e.g. for FISMA).
  • How will you develop regulatory expertise/training? Many campuses with medical schools have HIPAA expertise, but other regulations that contracts will likely include going forward, e.g. CUI/NIST 800-171 and FISMA, have not previously been a concern in academia.
  • How will you manage third parties (e.g. business associates for HIPAA)? This will require due diligence assessments and possibly additional costs for services.
  • How will you handle breach notification?

Added based on follow-up questions since the original post:
  • How will you get buy-in from all the impacted parties? This will impact a number of groups across campus. Some schools have used an initial task force composed of stakeholders to plan.
  • How will you resource the ongoing effort? Expect ongoing leadership to take a significant fraction of a person, with additional contributions by many others. As the effort ramps up, a full-time leader is not uncommon.
Thank you to Anurag Shankar of IU CACR for contributing to this post.

Monday, September 11, 2017

DesignSafe-CI and CTSC Engage for Cyber-checkup

CTSC has initiated an engagement with DesignSafe-CI (DesignSafe) (NSF-1520817, NSF-1612144, NSF-1612843), a component of the Natural Hazards Engineering Research Infrastructure (NHERI) and funded by the NSF under a Cooperative Agreement through the Division of Civil, Mechanical, & Manufacturing Innovation (CMMI) (NSF-1520817). The scope of the engagement is to perform a cyber-checkup -- a high-level review of the project’s cybersecurity program. The process, tailored to DesignSafe’s needs, will constitute a fact-finding exercise that delves into DesignSafe’s security processes, policies and protocols. Given the maturity of DesignSafe’s existing security program, CTSC anticipates the engagement will be completed by November 2017.

CCoE Webinar Sept. 25th 11am ET: Demystifying Threat Intelligence

CERN's Romain Wartel is presenting the talk "Demystifying Threat Intelligence" on September 25th at 11am (Eastern).

Please register here. Be sure to check your spam/junk folder for the registration confirmation with attached calendar file.

Threat intelligence has become a very popular keyword among security professionals in recent years. What is this all about? Is this a service for sale, or rather an intangible asset resulting from a trust relationship? Every organization is seeking relevant and targeted intelligence, ideally at little to no cost and yielding no false positives. What are the myths and realities? Is threat intelligence a worthy investment? Is it more suitable to favor local or global sources? Are there services or tools that can facilitate threat intelligence management? Beyond obtaining information, an often overlooked aspect is the challenge of building the ability to act promptly and effectively on specific intelligence. Making good use of threat intelligence is what gives it value, but this requires time and effort. Yet a well-designed threat intelligence management process and flow may in fact be the only realistic and affordable strategy for our community to mitigate sophisticated threats or well-funded attackers on a daily basis.

More information about this presentation is on the event page.
Presentations are recorded and include time for questions with the audience.

Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Tuesday, September 5, 2017

CTSC begins engagement with DKIST Data Center

The DKIST Data Center (NSF AST-0946422) is the operations data management and processing center for the Daniel K. Inouye Solar Telescope (DKIST), which at the time of its scheduled completion in 2019 will be the largest solar telescope in the world. The data center team has the challenge of managing the terabytes of data coming in daily from the summit of Haleakala, Maui, Hawaii to the data center facility in Boulder, Colorado. With assistance from CTSC, the DKIST Data Center team plans to develop a cybersecurity program that will help them focus appropriately on the integrity, availability and confidentiality of the data and services in support of DKIST.