CCR Guidance for SIO

Implementation steps

To streamline the implementation of the campus-wide Cybersecurity Certification for Research (CCR) program at SIO, we recommend following these steps toward achieving (and maintaining) compliance.

Note: Not all the tools mentioned here are available yet. The ETA is August 11.

Step 1 - Registration

Fill out the SIO CCR Registration Form so we can provide your research group with an online CCR data collection worksheet. Our worksheet replaces the Excel spreadsheet provided by the campus and has several benefits:

  • It is web-based so it can be worked on by several people at the same time.
  • It is a living document that can be updated easily in the future.
  • It collects some additional information to create security groups for your systems.
  • It allows us to report to SIO management that you are working towards CCR compliance.
  • The information will be shared with the campus CCR team so it does not need to be entered again in their online form.

Step 2 - Discovery

Schedule a meeting with your research group to review the SIO CCR Data Collection Worksheet so everyone understands the importance of adding their information. It is hard to protect what you don't know about, so the worksheet is focused on collecting three types of information:

  • All people who are part of the research group (employees, students, volunteers and/or remote collaborators) and who need to access any of the computers that store the group's data. We also ask for their campus usernames so we can create VPN accounts for collaborators if needed.
  • All systems (i.e. desktops, laptops, servers, etc.) that are used by these people to access the data, whether university-owned or personal. We also ask whether each system has the minimum CCR security software installed.
  • All types of research data (using broad categories) that are stored on each system. We also ask whether this data needs to be backed up, and - if so - what backup mechanism is in place.

At the end of the discovery process, you will have a comprehensive overview of the current state of your group's IT infrastructure. This may take several weeks to put together for larger groups, but the worksheet is needed to start on the remediation step. In addition, it is information that can be kept up to date easily going forward, which is a requirement for ongoing compliance.

Step 3 - Remediation 

Reach out to your IT support team (NetOps for IGPP research groups; otherwise likely Scripps IT) to review the results of the worksheet and develop a plan to address the compliance gaps that have been identified. This step will require technical work and collaboration between members of the research group and the IT support teams. The IT infrastructure of each group is different and the plan needs to map the available compliance resources to the unique needs of the group. Nevertheless, the desired state is clear:

  • All people who need access to the group's systems have an AD account with Duo two-step login enabled.
  • At least two security groups exist: one that lists all the group's members, and another that lists which group members should have administrator privileges on important systems. (Additional groups may be created to reflect specific projects.)
  • All systems (see caveat below) have the security software installed on them, and are fully patched and updated until they are in a known good state. Some systems may need to be retired or replaced.
  • Caveat: some dedicated research systems must be kept at a specific configuration to support their scientific purpose. These systems are documented, and each of them is set up with a custom layer of network protections.
  • The primary copy of irreplaceable research data is moved to an online storage platform so it can be shared as needed and - critically - backed up efficiently and automatically.
  • Irreplaceable data that only resides on individual computers is also backed up on a regular basis, via a documented process, to a separate platform or device.
  • When irreplaceable data cannot be backed up in an automated manner - as is often the case during fieldwork - a procedure is documented to describe how the data will be protected until an automated backup is available.

The remediation process can obviously be started as soon as the discovery step identifies issues that need to be addressed. Most groups will spend a significant amount of time on remediation, simply because they have not used a baseline configuration for compliance before. Progress is tracked in the worksheet as security software is installed and automated backups are set up. Once about two-thirds of the remediation work has been completed (and the rest is continuing), you can move on to the next step.

Step 4 - Management

Determine who is going to be responsible for keeping the IT infrastructure and documented information up to date, and make sure they have time to do so. The initial discovery and remediation steps are time-consuming so you want to make sure you don't have to start from scratch ever again. This will likely need to be a shared task. Schedule some time at group meetings to verify that everyone is doing their part, including verifying that the ongoing remediation is staying on schedule.

Other important management tasks rely on reports:

  • Work with your IT support team to receive regular reports about the compliance status of each computer. When new issues come up, remediate them quickly. You are far less likely to run into problems when you update computers weekly or monthly than when you have them catch up on many months' worth of updates all at once.
  • Similarly, make sure you receive regular reports about the automated backup processes so you are aware if they stop working at any time. Verify that the backups cover the required systems, and prune any that are no longer needed.
  • Finally, review on a regular basis who the members of your security groups are, so you can remove people who left the group and were not removed already.
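
The membership review in the last item can be turned into a repeatable check: export the roster from the worksheet and the current members of the AD security group, normalize both, and diff them. The script below is an added example, not part of this page or of the campus CCR tooling. The file names, the group name sio-lab-members, the usernames and the PowerShell export command in the comments are all hypothetical.

```shell
#!/bin/sh
# Added example (not from the SIO CCR page): compare a security group's actual
# membership with the roster kept in the CCR worksheet.
#
# Inputs (hypothetical names):
#   roster.txt  - one campus username per line, exported from the worksheet
#   members.txt - one entry per line, exported from AD, for example with
#                 PowerShell:  Get-ADGroupMember sio-lab-members | Select -Expand SamAccountName
#                 Entries may arrive as "AD\jdoe" or "jdoe@ad.ucsd.edu"; both are normalized.
set -eu

# normalize FILE: lowercase, strip a DOMAIN\ prefix or @domain suffix, drop
# blanks, comments and CRLF residue, then sort uniquely so comm(1) can be used.
normalize() {
    tr '[:upper:]' '[:lower:]' < "$1" \
        | sed -e 's/^[^\\]*\\//' -e 's/@.*$//' -e 's/[[:space:]]//g' \
        | grep -v -e '^$' -e '^#' \
        | LC_ALL=C sort -u
}

# stale_members ROSTER MEMBERS: in the AD group but no longer on the roster.
# These are the people who left (or changed groups) and should be removed.
stale_members() {
    r=$(mktemp); m=$(mktemp)
    normalize "$1" > "$r"; normalize "$2" > "$m"
    LC_ALL=C comm -13 "$r" "$m"
    rm -f "$r" "$m"
}

# missing_members ROSTER MEMBERS: on the roster but not in the group. Either
# the account needs to be added, or the worksheet lists someone who has left.
missing_members() {
    r=$(mktemp); m=$(mktemp)
    normalize "$1" > "$r"; normalize "$2" > "$m"
    LC_ALL=C comm -23 "$r" "$m"
    rm -f "$r" "$m"
}

# report ROSTER MEMBERS: human-readable summary for the group meeting;
# returns non-zero when there is anything to fix, so it can run from cron.
report() {
    stale=$(stale_members "$1" "$2")
    missing=$(missing_members "$1" "$2")
    printf '== Remove from group (left, still have access) ==\n%s\n' "${stale:-none}"
    printf '== Add to group or fix worksheet ==\n%s\n' "${missing:-none}"
    [ -z "$stale$missing" ]
}

# Demo with constructed data (not real usernames):  ./group-audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf 'jdoe\nasmith\n# external collaborator, VPN account requested\nbchen\n' > "$d/roster.txt"
    printf 'AD\\jdoe\r\nasmith@ad.ucsd.edu\r\nOldPostdoc\r\n' > "$d/members.txt"
    report "$d/roster.txt" "$d/members.txt" || true
    rm -rf "$d"
elif [ $# -eq 2 ]; then
    report "$1" "$2"
fi
```

Run it as ./group-audit.sh roster.txt members.txt; the non-zero exit status when either list is non-empty makes it easy to schedule and have the output mailed only when action is needed.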

Where feasible, switch from local accounts on computers to accounts that use the campus AD credentials. This makes it easy to add or remove access through the security groups, and it provides accountability that shared accounts cannot: the password of a shared account is rarely reset when someone leaves, so it becomes a growing security issue over time.

If your group doesn't have the internal resources to take care of management on an ongoing basis, reach out to your IT support team to review their options to help out. There may be a cost associated with it, but this can be written into new proposals. 

Step 5 - Compliance

Make sure your IT support team has provided the current data from the worksheet to campus and then attest compliance on the official campus CCR compliance form! Your submissions will be reviewed for completeness, and you may receive follow-up questions from several campus IT professionals to verify the accuracy of your answers.

Note that compliance is an ongoing process so spot-check that people in your group are both aware of their responsibilities and performing them on an ongoing basis. When computers are purchased or retired, ask if someone has updated the worksheet. Similarly for new and separated group members, as well as data storage and backups for new projects.

At the moment, the campus CCR certification will be valid for 3 years. This is a very long time in the life of an active research group, so at SIO we will implement a quick review at least every 12 months. You will be notified that your group has been moved back to the discovery step in our dashboard. However, it shouldn't take long to get back to compliance again:

  • Confirm within the group that the information in the online worksheet is complete.
  • Reach out to your IT support team for some spot-checks.
  • Review the latest management reports for accuracy.

Some deviations will likely be detected, but that's a good thing. We don't expect 100% compliance (outside of the regulated environments where the sponsors require it), but the delta can't get large.

Resources

Important Links

Campus

SIO

IT Support Teams

Software Downloads 

Required

Using our installers rather than the generic ones available from the campus CCR site lets us identify the agents as running on SIO systems as soon as they report in. Otherwise they are mixed in with all the other UC San Diego systems.

IGPP research groups should follow these instructions to install Qualys and FireEye HX.

All other SIO groups can find the software packages here:

  • Qualys - vulnerability and patch status reporting agent (all platforms)
  • FireEye HX - anti-virus/malware agent (Windows and macOS)
  • SentinelOne - anti-virus/malware agent (Linux)

Note: While there is a Linux version of the FireEye HX agent, it currently does not provide significant protection against malware, which is why SentinelOne is listed for Linux instead.

Optional

  • Nessus - SIO-managed vulnerability management agent (all platforms)
  • Company Portal - Microsoft Intune device enrollment agent that links the device to the campus Microsoft (Azure AD) directory (Windows, macOS, iOS, Android)
  • Managed Software Center - Munki software installation agent (macOS)

System Tracker

We will be using the Snipe-IT asset management system and are currently pre-populating it with the data that we already have available.

Backup Options

After determining what you need to back up, select tools that are appropriate for the type of system and the amount of data involved. It is advisable to use solutions that run automatically so there is little room for manual error. (You will still want to receive automated reports confirming that the backups are running correctly!)

  • For endpoints (macOS, Windows, and Linux laptops, as well as most desktops with data sets under 5TB), we recommend Code42 CrashPlan Cloud. CrashPlan backs up data automatically, with no user intervention required, and lets users restore their own files. The cost is about $100/year per user license, and each license can be linked to up to 4 devices. CrashPlan is available through the Scripps IT and IGPP support teams.

  • For servers or other devices with large storage capacities, storing backups in a cloud platform will likely be cost-prohibitive. (Note: Google Drive's unlimited free storage policy will end between 2022 and 2024. Details TBD.) Contact your IT support team to ask about options for automated backups to their servers. For example, Scripps IT has backup servers at the San Diego Supercomputer Center with a one-time provisioning charge of $55/TB and a monthly management fee of $32 per 100TB of storage.
     
Questions and Answers

Is using Google (Shared) Drive sufficient to have a backup?
Google Drive is a reliable place to store files, but it still makes sense to create at least monthly backups of the entire Drive(s) to a separate storage platform, whether a server at SIO or cloud storage from another vendor. The Trash in Google Drive only retains deleted files for 30 days, and there is always the risk of a catastrophic failure of (or loss of access to) a single platform. rclone is a free tool that makes it relatively easy to copy between various online and local destinations, so it is worth looking into. If you would like us to set it up, we can do so, but there would be some recharge costs involved.


Do I need to comply with CCR if I don't have any awards?

Anyone who has sponsored projects is in scope for CCR, whether the funding comes from federal, state, private, or international entities. People who are self-funded or no longer plan to submit proposals can ignore CCR. Of course, it still makes sense for them to keep their computers and data safe and backed up; just about all of CCR is basic security practice everyone should be following anyway. Separately, the measures often overlap with the SIO cybersecurity policies and/or the campus minimum network security standards.


Can I use Dropbox for Business to store my research data?

Dropbox for Business keeps 180 days' worth of file history, which is more than enough to handle most data loss scenarios. However, there are still some issues to consider:

  • There is no agreement in place between the university and Dropbox, so using a campus-blessed alternative is preferable. The university insists on contract language to protect data ownership and privacy that is typically missing from standard user agreements.
  • Make regular backups of all the data in Dropbox to a system outside of Dropbox's control, either a system on our campus or a different online platform. This protects you against a catastrophic event at Dropbox, however unlikely.
  • Keep a lab document describing which files should be stored in Dropbox (and how), and review it regularly to make sure no data is being missed.
  • Dropbox accounts are not linked to campus AD, so a separate process is needed to track who can access the files and to remove access when people leave.
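
Both the "copy everything to a system outside the vendor's control" advice above and the rclone suggestion in the Google Drive answer come down to the same scheduled job. The script below is an added example, not the page's own or an SIO-provided tool. It assumes an rclone remote (named gdrive: or dropbox: here) has already been configured with rclone config, that the destination is a directory on an SIO backup server, and that mail(1) is available for the report; the paths, dates and mail recipient are placeholders.

```shell
#!/bin/sh
# Added example (not from the SIO CCR page): scheduled copy of a cloud drive to a
# separate platform with rclone, keeping a dated archive of changed and deleted files.
#
# Assumptions (hypothetical): a remote such as "gdrive:" or "dropbox:" was already
# set up with `rclone config`; DEST is a directory on an SIO backup server.
# Layout under DEST:  current/ (mirror)   archive/YYYY-MM-DD/ (superseded files)   logs/
set -eu

# sync_drive REMOTE DEST DAY
# `rclone sync` makes DEST/current identical to the remote. Without --backup-dir a
# file deleted or overwritten on the Drive would vanish from the mirror on the next
# run, so the "backup" would be no better than the 30-day Trash. With it, rclone
# moves the superseded copy into a dated archive instead of discarding it.
sync_drive() {
    remote=$1; dest=$2; day=$3
    mkdir -p "$dest/current" "$dest/archive" "$dest/logs"
    set -- sync "$remote" "$dest/current" \
        --backup-dir "$dest/archive/$day" \
        --log-file "$dest/logs/$day.log" --log-level INFO --stats-one-line
    case "$remote" in
        # Google Docs/Sheets/Slides have no native bytes; export them as Office/PDF files.
        gdrive*) set -- "$@" --drive-export-formats docx,xlsx,pptx,pdf ;;
    esac
    # RCLONE can be overridden (e.g. RCLONE=echo) to preview the command line.
    "${RCLONE:-rclone}" "$@"
}

# summarize_log LOGFILE: print the error count and rclone's final stats line;
# return non-zero if any transfer failed so cron/mail flags a broken backup.
summarize_log() {
    errors=$(grep -c ' ERROR ' "$1" || true)
    printf 'errors: %s\n' "$errors"
    printf 'stats:  %s\n' "$(tail -n 1 "$1")"
    [ "$errors" -eq 0 ]
}

# run_backup REMOTE DEST: one dated run plus a summary on stdout.
# Suggested cron entry (monthly, 02:00 on the 1st; the recipient is a placeholder):
#   0 2 1 * * /usr/local/bin/drive-backup.sh gdrive: /backup/gdrive | mail -s "Drive backup" lab-it@example.edu
run_backup() {
    day=$(date +%Y-%m-%d)
    sync_drive "$1" "$2" "$day" || true    # partial failures are reported below, not hidden
    summarize_log "$2/logs/$day.log"
}

if [ $# -eq 2 ]; then
    run_backup "$1" "$2"
fi
```

The summary is the "automated report confirming that the backups are running" that the Backup Options section asks for: a run with errors exits non-zero and says so, and a silent month (no mail at all) means the job itself has stopped and should be investigated.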

Does CCR apply to personal computers?
The scope of CCR includes any and all systems used for the research activities of a group. If anyone uses a personal computer for this, it needs the same protections; the requirements follow the data. Just about all of these requirements make good sense on any computer, so it is hard to argue that they shouldn't be implemented where possible. (Note that, independent of CCR, general campus policy already states that all university data must be protected wherever it is stored. This is not really a new requirement in CCR.)


Can we make exceptions for fieldwork computers?
Data acquisition and other dedicated scientific systems can be exceptions, with the caveats that they still need to be documented as such and protected by alternative means. For example, if a data acquisition computer still has to run Windows 7 for compatibility reasons, it should live in a very small and very well protected network bubble where it can only communicate with one or two up-to-date lab systems for data transfers. Computers collecting data that cannot be backed up automatically should have a (short) documented process describing how and when they are backed up manually. Data that is transitory and/or can be reproduced can be excluded from the backups, again as long as the reason is documented.
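
As an added illustration of the "network bubble" described above (this is not part of the page, and not the configuration SIO IT actually deploys), the following generates and loads an nftables ruleset for a small Linux gateway placed in front of the legacy host. Only the named lab systems can talk to the legacy host and only on the transfer ports, in either direction; every other flow is dropped and logged, so the legacy host has no path to the internet and nothing else has a path to it. The addresses are RFC 5737 documentation addresses and SSH/22 plus SMB/445 are assumed to be the transfer protocols; all of them are placeholders.

```shell
#!/bin/sh
# Added example (not from the SIO CCR page): nftables ruleset for a small Linux
# gateway placed in front of a legacy data-acquisition host (e.g. one stuck on
# Windows 7). The host may exchange data only with one or two up-to-date lab
# systems; every other flow, in either direction, is dropped and logged.
#
# Assumptions (hypothetical): the gateway routes the bubble's traffic (so the
# forward hook sees it); addresses are RFC 5737 documentation addresses; SSH/22
# and SMB/445 are the transfer protocols in use.
set -eu

valid_ipv4() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
valid_port() { printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}$'; }

# bubble_ruleset LEGACY_IP "LAB_IP[, LAB_IP]" "PORT[, PORT]" -> ruleset on stdout
# Inputs are validated because the text is fed to nft: a stray ';' or newline in
# an address would otherwise become an extra nft command.
bubble_ruleset() {
    legacy=$1; labs=$2; ports=$3
    for ip in $legacy $(printf '%s' "$labs" | tr ',' ' '); do
        valid_ipv4 "$ip" || { printf 'bad address: %s\n' "$ip" >&2; return 1; }
    done
    for p in $(printf '%s' "$ports" | tr ',' ' '); do
        valid_port "$p" || { printf 'bad port: %s\n' "$p" >&2; return 1; }
    done
    cat <<EOF
# declare, then flush, then redefine: reloads this table atomically without
# touching any other table on the gateway
table inet legacy_bubble
flush table inet legacy_bubble
table inet legacy_bubble {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # the legacy host may only reach the lab systems, on the transfer ports...
        ip saddr $legacy ip daddr { $labs } tcp dport { $ports } accept
        # ...and only those lab systems may reach it (pulls, maintenance)
        ip saddr { $labs } ip daddr $legacy tcp dport { $ports } accept

        # everything else (DNS, web, updates, lateral movement) is logged and dropped
        log prefix "legacy-bubble-drop " counter drop
    }
}
EOF
}

# apply_bubble ...: check the ruleset (-c parses without applying) before loading it.
apply_bubble() {
    rules=$(bubble_ruleset "$@")
    printf '%s\n' "$rules" | nft -c -f -
    printf '%s\n' "$rules" | nft -f -
}

# Print the ruleset for review:  ./bubble.sh 192.0.2.10 "192.0.2.20, 192.0.2.21" "22, 445"
# Load it on the gateway:        ./bubble.sh --apply 192.0.2.10 "192.0.2.20, 192.0.2.21" "22, 445"
if [ $# -eq 4 ] && [ "$1" = "--apply" ]; then
    shift; apply_bubble "$@"
elif [ $# -eq 3 ]; then
    bubble_ruleset "$@"
fi
```

The dropped-and-logged lines are worth feeding into the regular reports from Step 4: a legacy host that suddenly tries to reach anything outside the bubble is either misconfigured or compromised, and either way someone should look at it.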


How do we handle people or computers that are part of research activities for several PIs?

Ideally, they are listed under the CCR submission for each PI. The user accounts should be members of the access group(s) for each PI, while the data types, locations and backup mechanisms may differ per PI. The standard cybersecurity measures only need to be implemented once, so the only (near) duplication of effort is in tracking the relevant contributions for each research group.