Cybersecurity Issues in Research: Can Higher Education Institutions Keep up with Research Data Security Requirements?

February 12, 2020

Introduction

Research is central to the mission of, and is a top strategic priority for, many higher education institutions. Effective information technology (IT) and cybersecurity are essential for conducting research. A critical component to research is safeguarding the confidentiality, integrity, and availability of research data. Additionally, sponsors, particularly federal agencies, are increasingly adding terms and conditions to research grants, contracts, and cooperative agreements related to IT and cybersecurity protection requirements.

Institutions are party to potentially hundreds, maybe thousands, of contracts, grants, cooperative agreements, and data use agreements related to research activities, many of which have data compliance requirements for handling, storing, and securing research data. It is critical for institutions to have processes in place for tracking and monitoring these research data security requirements.

Higher education institutions could be responsible for compliance with laws, regulations, and requirements, such as:

Health Insurance Portability and Accountability Act (HIPAA)
General Data Protection Regulation (GDPR)
Export controls
Data Use Agreements (DUA)
Controlled Unclassified Information (CUI)
Federal Acquisition Regulation (FAR) clauses
Defense Federal Acquisition Regulation Supplement (DFARS) clauses
Federal Information Security Management Act (FISMA)
Department of Defense Cybersecurity Maturity Model Certification (CMMC)

Higher education values the open exchange of information for scholarship and research; therefore, it can seem counter-intuitive for individuals to think about implementing internal controls in this area. The size and complexity of IT environments at higher education institutions include multiple applications/systems and data stores holding personally identifiable information (PII), federal data, intellectual property, and potentially many other types of sensitive data.

There are numerous risks associated with the governance, people, processes, and technology components involved in enabling and conducting research while managing research data. A sample of key risk areas and potential actions to mitigate these risks are detailed below.

Sample Key Risk Areas	Sample of Potential Actions
Governance
Roles for managing research data security are not properly defined IT and information security may not be adequately involved at key points in the sponsored research lifecycle (e.g., funding, proposal and budget development, routing and approval processes, submission and review, award review and acceptance, award set up, post-award administration, closeout, and audit)	Define roles, responsibilities, and senior leadership ownership for managing research data security during research administration (e.g., pre-award, post-award, data use agreements, and monitoring processes) Require information security and/or IT review of grants, contracts, and agreements with research data security requirements
People
Researchers: Collection and storage of data by researchers who may not understand data security expectations or requirements for protection Deletion and/or destruction of data at the end of the research work/project Collaborators: Data transfer to collaborators may not be secure Human subjects: Collection of data, including explicit and informed consent from the subject, may not be secure or approved	Develop and document expectations for researchers for protecting data, including appropriate systems for storage/retention and appropriate systems for sharing of data Require collaborators to sign an agreement stating how they will handle the institution’s data Require the Chief Information Security Officer (CISO) or other representative sit on the Institutional Review Board (IRB)
Processes
Centralization or decentralization of management of research processes Funding for initial investments, as well as long-term funding after the sponsored agreement is complete Change management (changes made to applications used to store, manage, and track sponsored projects and awards)	Implement mechanisms within sponsored research systems for tracking proposals with research data security requirements Implement processes for periodically assessing certain critical or high-risk agreements for compliance with research data security requirements Implement closeout processes for final data activities (e.g., storage, disposal, publish) after agreement ends and integrate into the institution’s award closeout process
Technology
Enterprise systems: Access control (central IT function may not receive timely notification when individuals or collaborators in research areas transfer or leave) Research-specific systems: Controls implemented by non-IT individuals (e.g., graduate students) Lack of controls implemented (e.g., backups, user access reviews) Rogue systems: Unknowns–central IT or research administration may not be aware of these systems since they are not responsible for managing (e.g., where is the data, who has access, who is managing the system)	Establish and document service level agreements between the central IT department and research administration offices to define expectations for service, as well as how costs will be covered to meet security requirements within research agreements The central IT department should work with distributed IT and/or research units to review the controls in place, or lack thereof, within research-specific and/or rogue systems that are not managed by the central IT function

Cybersecurity Requirements Can Spread Across the Institution

Higher education institutions are subject to many laws and regulations because of the breadth and nature of business operations as well as having faculty, staff, students, and alumni from many states and countries. Having global constituents and community members means expanded legal requirements and numerous stakeholders for research compliance.

Additionally, a common issue is subcontracts where flow-down requirements from the prime contractors apply to the institution. Subcontractors are ultimately responsible for implementing cybersecurity safeguarding controls and will be held accountable for breaches if they have not implemented required controls. Furthermore, prime contractors may be impacted by breaches involving their subcontractors.

Sample Control Questions to Assess Specific Research Projects

When planning an internal audit or advisory project related to research data security, there are many places to start. Below is a sample of key control questions to build knowledge and understanding of this area:

What are all of the types of data that the research project(s) collects, analyzes, and/or creates (e.g., human subjects, health data, intellectual property, government supplied data)?
Have the necessary knowledge, skills, and abilities been identified for all functional roles (prioritizing those mission-critical to the research and its security)?
Does the research project:
- Require the management of any data following a data use agreement for any sponsored work?
- Have any documented data management plans for any sponsored work?
- Prioritize (i.e., categorize) research data based on classification, criticality, and business value?
- Manage and protect the physical access to data and devices used for research work?
- Utilize centrally-managed anti-malware software to continuously monitor and defend each of the workstations and servers used for research work?
- Ensure that all system data is automatically backed-up on a regular basis?

Conclusion

As higher education institutions have the unique challenge adhering to different laws and regulations, internal audit departments should tailor any audits or advisory projects for the institution accordingly. Without adequate protections, research data is at risk for corruption, loss, or theft. Data corruption could render research data useless or lead to inaccurate results. Data loss, due to breach or other incidents, could result in regulatory penalties and loss of future awards. Furthermore, data theft could result in the loss of intellectual property as well as future monetary gains from potential copyrights and patents.

About the Authors

Meghan Senseney

Meghan is a manager in Baker Tilly’s risk and internal audit consulting practice and has over five years of experience providing cybersecurity and IT risk and internal controls solutions. Meghan has worked with clients in multiple industries, with a dedicated focus and extensive experience with higher education and research institutions. She has experience leading and executing IT risk assessments, a variety of engagements in the areas of internal audit, IT risk analysis, cybersecurity assessments, and compliance reviews. She has also conducted cybersecurity assessments and application audits.

Articles
Cybersecurity Issues in Research: Can Higher Education Institutions Keep up with Research Data Security Requirements?

Mike Cullen

Mike is a Director in Baker Tilly’s risk and internal audit consulting practice with more than 17 years of experience in cybersecurity, IT risk management and IT internal auditing. Mike has worked with clients in multiple industries, with a dedicated focus and extensive experience with higher education and research institutions. He has significant experience leading and executing IT risk assessments, myriad IT internal audits, various IT consulting projects, project risk reviews and multiple IT compliance reviews. He has also led strategic IT governance projects, cybersecurity assessments, information privacy reviews, application audits, the development of IT processes/policies/procedures, digital forensic investigations and IT controls examinations.

Articles
Cybersecurity Issues in Research: Can Higher Education Institutions Keep up with Research Data Security Requirements?