Ask CTSC: Questions for leadership to ask when considering handling regulated data.

We at CTSC field questions from the community about cybersecurity, either send directly to the team or via the ask@trustedci.org email address. To better help a broader portion of the community, we're going to start posting our responses here on the blog so they are available. (Don't worry, if your question is sensitive in some way we'll either answer it privately or work with you to sanitize it). This represents the first of such answers. -Von

Yesterday we received the following question from a member of the community:

What are the key questions that research computing leadership or a VP/VC/Dean of research should be asking themselves if they are considering taking on regulated data?

The question came with "I need this by Friday" plea, so here's our admittedly quick answer. Please chime in with a comment if you have suggestions.

Questions for leadership to ask when considering handling regulated data.

• How can you best be involved at the contract negotiation phase? A number of folks have success negotiating out regulated data terms from contracts.
  
• How do you track demand and judge when is it time to take the compliance plunge? Sometimes it will be one large project that will justify the cost, other times it will be an aggregation of smaller requests and expectation of future need.
  
• How do you track the actual need of the researchers? While we tend to think of compliance for infrastructure or projects, the real issue is around the workflows of the researchers from end-to-end. In general you want to implement your compliance infrastructure to satisfy as many workflows, hence projects, as possible.
  
• When does outsourcing compliance make sense? At the 2017 NSF Cybersecurity Summit, we heard from three major cloud vendors with compliance solutions and it was clear that while they handle key parts of compliance, it is at most a partnership and responsibility still resides with the institution.
  
• What formal processes and mechanisms will you need to institute to manage regulated data contracts?  Ideally, one would have the PI contact the Office of Research Administration, which will then work with the CISO/central IT/research computing/compliance to evaluate needs and provide resources and a security budget for the PI to include in the contract, and help PIs with reporting to the agency (e.g. for FISMA).



  
• How will you develop regulatory expertise/training?  Many campuses with medical schools have HIPAA expertise, but other regulations which contracts will likely include going forward, e.g. CUI/NIST 800-171 and FISMA, have not been a concern in academia.

  
• How will you manage third parties (e.g. business associates for HIPAA)?   This will require assessments of due diligence and possibly additional costs for services.



  
• How will you handle breach notification?

  

Added based on follow-up questions since the original post:

• How will you get buy-in from all the impacted parties? This will impact a number of groups on across campus. Some schools have used an initial task force composed of stakeholder to plan.
  
• How will you resource ongoing effort? Expect ongoing leadership to take a significant fraction of a person, with additional contributions by many others. As it ramps up, a full-time leader is not uncommon.

Thank you to Anurag Shankar of IU CACR for contributing to this post.