CCR Guidance for SIO

Implementation steps

In order to streamline the implementation of the campus-wide Cybersecurity Certification for Research (CCR) program at SIO, we recommend that you follow these steps toward achieving (and maintaining) compliance.

 

Step 1 - Registration

Fill out the SIO CCR Registration Form so we can provide your research group with access to the SIO Systems Tracker platform. This will make it easier to eventually submit the official CCR Certification Request Form and also creates a communication channel between us to answer any questions.

Step 2 - Discovery

Review the official CCR documentation and schedule a meeting with your research group to review the CCR Data Collection Workbook so everyone understands the program. It is hard to protect what you don't know about, so discuss how to collect these three types of information:

  • All people who are part of the research group, as employees, students, volunteers and/or remote collaborators, and who need to access any of the computers that store the group's data. (Note that any external collaborators can receive campus accounts so they can access the VPN.)
  • All systems (i.e. desktops, laptops, servers, etc.) that are used by these people to access the data, whether university-owned or personal. Note that each system will need to have the minimum CCR security software installed.
  • All types of research data (using broad categories) that are stored on each system, and what backup mechanism is in place.

At the end of the discovery process, you will have a comprehensive overview of the current state of your group's IT infrastructure. This may take several weeks to put together for larger groups, but the completed workbook is what the remediation step works from.

Step 3 - Remediation 

Reach out to your IT support team (NetOps for IGPP research groups; otherwise likely Scripps IT) to review the results of the discovery phase and develop a plan to address the compliance gaps that have been identified. This step will require technical work and collaboration between members of the research group and the IT support teams. The IT infrastructure of each group is different and the plan needs to map the available compliance resources to the unique needs of the group. Nevertheless, the desired state should look like this:

  • All people who need access to the group's systems have an AD account with DUO two-step login enabled.
  • At least two security groups exist - one that lists all the group's members; and another one that lists which group members should have administrator privileges on important systems. (Additional groups may be created to reflect specific projects.)
  • All systems (see caveat below) have the security software installed on them, and are fully patched and updated until they are in a known good state. Some systems may need to be retired or replaced.
  • Caveat: some dedicated research systems must be kept at a specific configuration to support their scientific purpose. These systems are documented, and each of them is set up with a custom layer of network protections.
  • The primary copy of irreplaceable research data is moved to an online storage platform so it can be shared as needed and - critically - backed up efficiently and automatically.
  • Irreplaceable data that only resides on individual computers is also backed up on a regular basis, via a documented process, to a separate platform or device.
  • When irreplaceable data cannot be backed up in an automated manner - as is often the case during fieldwork - a procedure is documented to describe how the data will be protected until an automated backup is available.

The remediation process can obviously be started as soon as the discovery step identifies issues that need to be addressed. Most groups will spend a significant amount of time on the remediation, simply because they haven't used a baseline configuration for compliance before. Progress can be tracked in the SIO Systems Tracker platform as security software is installed on each computer. 

Step 4 - Management

Determine who is going to be responsible for keeping the IT infrastructure and documented information up to date, and make sure they have time to do so. The initial discovery and remediation steps are time-consuming, so you want to make sure you never have to start from scratch again. This will likely need to be a shared task. Schedule some time at group meetings to verify that everyone is doing their part, including verifying that the ongoing remediation is staying on schedule.

Other important management tasks rely on reports:

  • Work with your IT support team to receive regular reports about the compliance status of each computer. When new issues come up, remediate them quickly. You are far less likely to run into issues when you update computers weekly or monthly than when you have them catch up on many months worth of updates all at once.
  • Similarly, make sure you receive regular reports about the automated backup processes so you are aware if they stop working at any time. Verify that the backups cover the required systems, and prune any that are no longer needed.
  • Similarly, review the membership of your security groups on a regular basis, so you can remove people who have left the group and weren't removed already.

Where feasible, switch from local accounts on computers to ones that depend on the campus AD credentials. This makes it easy to add/remove access as needed using the access groups and also provides some accountability compared to shared accounts. (The passwords for shared accounts are rarely reset, so they become an increasing security issue over time.)

If your group doesn't have the internal resources to take care of management on an ongoing basis, reach out to your IT support team to review their options to help out. There may be a cost associated with it, but this can be written into new proposals. 

Step 5 - Compliance

Make sure your IT support team has provided the current data from the worksheet to campus and then attest compliance on the official campus CCR compliance form! Your submissions will be reviewed for completeness, and you may receive follow-up questions from several campus IT professionals to verify the accuracy of your answers.

Note that compliance is an ongoing process so spot-check that people in your group are both aware of their responsibilities and performing them on an ongoing basis. When computers are purchased or retired, ask if someone has updated the worksheet. Similarly for new and separated group members, as well as data storage and backups for new projects.

At the moment, the campus CCR certification will be valid for 3 years. This is a very long time in the life of an active research group, so at SIO we will implement a quick review at least every 12 months. You will be notified that your group has been moved back to the discovery step in our dashboard. However, it shouldn't take long to get back to compliance again:

  • Confirm within the group that the information in the online worksheet is complete.
  • Reach out to your IT support team for some spot-checks.
  • Review the latest management reports for accuracy.

Some deviations will likely be detected, but that's a good thing. We don't expect 100% compliance (outside of the regulated environments where the sponsors require it), but the delta can't get large.

 

Resources

Software Downloads (these are required!)

Using our installers rather than the generic ones available from the campus CCR site allows us to determine immediately that the agents have been installed on SIO systems. Otherwise they get mixed in with all the other UC San Diego systems. 

You can find the latest versions and installation instructions on our Software site.

Systems Tracker

We are using Snipe-IT to implement the SIO Systems Tracker platform. It combines information from a number of sources so it is easier to keep track of the computers (and other networked devices) that are associated with your research group, as well as their current compliance status. To get access to the platform, please fill out our registration form.
 

Backup Options

After determining what you need to back up, select tools that are appropriate for the type of system and the amount of data involved. It is advisable to use solutions that run automatically so there is little room for manual error. (You will still want to receive automated reports confirming that the backups are running correctly!)

  • For endpoints (i.e. macOS, Windows, and Linux laptops as well as most desktops with data sets under 5TB), we recommend Code42 CrashPlan Cloud. CrashPlan backs up data automatically, with no user intervention required, while still letting users control what is backed up and restore their own files. The cost is about $100/year per user license, and each license can be linked to up to 4 devices. CrashPlan is available through the Scripps IT and IGPP support teams.
     
  • For servers or other devices with large storage capacities, it will likely be cost-prohibitive to store backups in a cloud platform. (Note: Google Drive's unlimited free storage policy will end between 2022 and 2024. Details TBD.) Contact your IT support team to ask for options to create automated backups to their servers. For example, Scripps IT has backup servers at the San Diego Supercomputer Center with one-time provisioning charges of $55/TB and a monthly management fee of $35 per 100TB of storage.
     
Questions and Answers

Is using Google (Shared) Drive sufficient to have a backup?
Google Drive is a reliable place to keep files, but it is still a single platform: the Trash only retains deleted files for 30 days, and there is always the risk of a catastrophic failure at the provider. It therefore still makes sense to create at least monthly backups of the entire Drive(s) to a separate storage platform - whether a server at SIO or cloud storage from another vendor. Rclone is a free tool that makes it relatively easy to copy between various online and local destinations, so it is worth looking into. If you would like us to set it up, we can do so, but there would be some recharge costs involved.
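The following script shows what such a monthly rclone copy can look like, including the part this page asks for in the Management step: a report that says whether the backup actually ran. It is an added example for this page, not a script provided by SIO IT, and it assumes rclone is installed and that a remote named "gdrive" (a hypothetical name) has already been set up with `rclone config`; for a Shared Drive that remote must be configured as a Shared (Team) Drive, since a remote pointing at My Drive does not include it. The destination paths are placeholders as well.

```shell
#!/bin/sh
# Monthly copy of a Google (Shared) Drive to storage outside Google, written so
# that cron can mail the one-line verdict it prints. Added example for this
# page, not an SIO tool. Assumes rclone is installed and a remote named
# "gdrive" (hypothetical) already exists; DEST/ARCHIVE/LOG are placeholders.
set -u

RCLONE="${RCLONE:-rclone}"
SOURCE="${SOURCE:-gdrive:}"                          # hypothetical remote name
DEST="${DEST:-/srv/backups/gdrive/current}"          # hypothetical local copy
ARCHIVE="${ARCHIVE:-/srv/backups/gdrive/archive}"    # dated folders of deletions
LOG="${LOG:-/var/log/gdrive-backup.log}"

# rclone writes each failure as a log line containing " ERROR : ". Counting
# them lets the report say how many problems occurred, not just "it failed".
count_errors() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c ' ERROR : ' "$1" || true
}

# A run counts as a backup only if rclone exited 0 AND the log has no ERROR
# lines. Prints the verdict and returns 0 on success, 1 otherwise.
verdict() {
    status="$1"; logfile="$2"
    errors=$(count_errors "$logfile")
    if [ "$status" -eq 0 ] && [ "$errors" -eq 0 ]; then
        echo "OK: backup of $SOURCE completed with no errors"
        return 0
    fi
    echo "FAILED: rclone exit status $status, $errors ERROR line(s); see $logfile"
    return 1
}

run_backup() {
    stamp=$(date +%Y-%m-%d)
    : > "$LOG"   # fresh log per run, so the error count refers to this run only
    # `rclone sync` deletes from DEST whatever vanished from the Drive, so on its
    # own it would forget a file 30 days after it was trashed (when Google's
    # Trash empties). --backup-dir moves deleted and overwritten files into a
    # dated folder instead, which is the retention Google does not give you.
    # Native Google Docs/Sheets/Slides have no bytes of their own; export them.
    "$RCLONE" sync "$SOURCE" "$DEST" \
        --backup-dir "$ARCHIVE/$stamp" \
        --drive-export-formats docx,xlsx,pptx,pdf \
        --log-file "$LOG" --log-level INFO
    verdict "$?" "$LOG"
}

# Run only when executed as gdrive-backup.sh, so the functions can be sourced.
if [ "${0##*/}" = "gdrive-backup.sh" ]; then
    run_backup
fi
```

Run it from cron (for example on the first of the month) with `MAILTO` set, and the single OK/FAILED line is the report; a cron job that produces no mail at all is itself a sign the job stopped running, so it is worth checking for the expected monthly message rather than only reacting to failures. Prune the dated folders under the archive directory once they exceed the retention your lab document specifies.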


Do I need to comply with CCR if I don't have any awards?

Anyone who has sponsored projects is in scope for CCR, whether the money comes from federal, state, private, or international entities. If people are self-funded or don't plan to submit proposals anymore, they can ignore CCR. Of course, it still makes sense for them to keep their computers and data safe and backed up; just about all of CCR is basic security practice everyone should be following anyway. Separately, the measures often overlap with the SIO cybersecurity policies and/or the campus minimum network security standards.


Can I use Dropbox for Business to store my research data?

Dropbox for Business keeps 180 days' worth of changes to your files, which is more than enough to handle most data loss scenarios. However, there are still some issues to consider:

  • There is no agreement in place between the university and Dropbox so using a campus-blessed alternative would be preferable. The university insists on contract language to protect data ownership and privacy that is typically missing from standard user agreements.
  • It would be good to make regular backups of all the data in Dropbox to a system outside of their control. This could be a system on our campus or in a different online platform. This protects you against any catastrophic event at Dropbox, however unlikely.
  • It would be useful to have a lab document describing which files should be stored in Dropbox (and how), and preferably a regular review to make sure no data is being missed.
  • Dropbox can't be linked to campus AD, so an alternative process is needed to maintain who can access the files.

Does CCR apply to personal computers?
The scope of CCR includes any and all systems that are used for the research activities of a group. If anyone is using a personal computer, it should also have the same protections in place. Basically, the requirements follow the data. Just about all of these requirements make good sense though on any computer, so it's hard to argue that they shouldn't be implemented where possible. (Note that there is general campus policy as well in addition to CCR that states that all university data should be protected wherever it is stored. This isn't really a new requirement in CCR.)


Can we make exceptions for fieldwork computers?
Data acquisition and other dedicated scientific systems can be exceptions, with the caveats that they still need to be documented as such, and also protected via alternative means. For example, if you have a data acquisition computer that still has to run Windows 7 for compatibility reasons, it should live in a very small and very well protected network bubble where it can only communicate with one or two up to date lab systems for data transfers. Computers collecting data that can't be backed up automatically should have a (short) documented process describing how and when they are backed up manually. If any data is transitory and/or can be reproduced, it can be excluded from the backups - again as long as the reason is documented.
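As an illustration of the "network bubble" described above, here is a default-deny nftables ruleset that lets an acquisition host talk to exactly two up-to-date lab systems on one data-transfer port and nothing else. This is an added example for this page, not an SIO configuration: it assumes a small Linux box running nftables sits between the acquisition host and the rest of the network and forwards its traffic, and the addresses (10.10.5.x) and port (22, for SFTP) are hypothetical placeholders. The arguments are checked before they are spliced into the ruleset so that a typo or a hostile string cannot turn into extra rules.

```shell
#!/bin/sh
# Default-deny nftables "bubble" for an unpatchable data-acquisition host.
# Added example for this page, not an SIO configuration. Assumes a Linux
# box running nftables forwards the acquisition host's traffic; the IPs and
# port used in the usage line are hypothetical.
set -u

# Print the ruleset. Usage: daq_bubble_ruleset DAQ_IP LAB_IP[,LAB_IP] PORT
# Only digits, dots and commas are accepted, so nothing else can be injected
# into the nft script that is generated below.
daq_bubble_ruleset() {
    daq="$1"; labs="$2"; port="$3"
    case "$daq$labs$port" in
        *[!0-9.,]*|"") echo "daq_bubble_ruleset: invalid argument" >&2; return 1 ;;
    esac
    cat <<EOF
table inet daq_bubble {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections permitted below; anything malformed is dropped.
        ct state established,related accept
        ct state invalid drop

        # The only thing the acquisition host may initiate: a transfer to one
        # of the lab systems on the agreed service port.
        ip saddr $daq ip daddr { $labs } tcp dport $port ct state new accept

        # The lab systems may reach the acquisition host on that same service
        # (e.g. to pull data); nothing else, and nothing from the wider network.
        ip saddr { $labs } ip daddr $daq tcp dport $port ct state new accept

        # Everything else involving the acquisition host is logged and dropped,
        # so a Windows 7 box trying to reach the internet shows up in the log.
        ip saddr $daq log prefix "daq-bubble-drop-out " drop
        ip daddr $daq log prefix "daq-bubble-drop-in " drop
    }
}
EOF
}

# Load the generated ruleset into the running kernel (needs root).
apply_bubble() {
    daq_bubble_ruleset "$@" | nft -f -
}

# Example call; run as root on the forwarding box:
#   apply_bubble 10.10.5.50 10.10.5.10,10.10.5.11 22
```

Because the forward chain's policy is drop, this box should be dedicated to the bubble (any other traffic routed through it would be dropped as well). The dropped-packet log lines are worth forwarding to whoever owns the system: a steady stream of "daq-bubble-drop-out" entries is how you find out that something on the acquisition host is trying to call home.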


How do we handle people or computers that are part of research activities for several PIs?

Ideally, they are listed under the CCR submission for each PI. The user accounts should be part of the access group(s) for both PIs, and the data types, locations and backup mechanisms could be different for each PI. The standard cybersecurity measures only need to be implemented once so the only (near) duplication of efforts is in tracking the relevant contributions for each research group.