<\/p>\n
Boston University Information Security helps researchers conduct their research efficiently and securely. We engage researchers throughout the research lifecycle<\/a> to assist with navigating Data Use Agreements and regulatory requirements. We also provide support and resources to solve common use cases, such as sharing with collaborators or closing out a study.<\/p>\n Our goal is to reduce the security and compliance burden, letting you do what you do best \u2013 groundbreaking research<\/em>.<\/p>\n Here are some of the most common questions we hear:<\/strong><\/p>\n Yes, we can implement most requirements on BU managed computers and servers, but for the highest security requirements of NIST 800-53, NIST 800-171, and CMMC, we are now encouraging researchers to contract with a UCSD program called Sherlock<\/a> through IS&T.\u00a0 Cost for this service should be taken into consideration for grant proposals, but we will handle the contracting and security requirements for you. In some circumstances we have implemented isolated (no internet) systems, but we encourage you to consider Sherlock<\/a> instead.<\/p>\n For example, the Centers for Medicare and Medicaid Services (CMS) now require all researchers to comply with NIST 800-53, and submit a Data Management Plan Security Attestation Questionnaire (DMPSAQ), detailing their plans for complying with NIST 800-53.\u00a0 Researchers will need to contract with Sherlock through IS&T, but we\u2019ve completed the DMPSAQ for you.<\/span><\/p>\n <\/div>\n<\/div>\n<\/strong><\/p>\n We can help with that! We regularly help researchers as well as our research contracting offices understand specific security requirements.<\/div>\n<\/div>\n<\/strong><\/p>\n Yes. The Department of Defense will soon start requiring compliance with a new compliance program called Cybersecurity Maturity Model Certification (CMMC)<\/a> that requires third party audits. We are working on making Shared Computing Cluster compliant with CMMC Level 1 but expect most CMMC Level 2 research will need to go to Sherlock<\/a>.<\/div>\n<\/div>\n<\/strong><\/p>\n We have a few answers to common security questions<\/a> here. Users of the Shared Computing Cluster (SCC)<\/a> may also wish to refer to BU’s Cyberinfrastructure Plan.<\/a> We can always help you with other questions, just reach out to buinfosec@bu.edu<\/a>. <\/div>\n<\/div>\n<\/strong><\/p>\n Yes, we regularly review security requirements in proposals to ensure we can agree to any requirements. If the proposal is approved we will work with you to implement any additional controls.<\/p>\n In some cases, we may be reaching out to you. When research contracts have regulatory or non-standard cybersecurity requirements, the Office of Sponsored Programs and\/or Industry Engagement will ask us to work with you to ensure your computing environment will meet contractual requirements. Some of the changes we\u2019ve seen here range from an increased focus on encryption to requiring assertions or audits of compliance with federal standards like the National Institute of Science and Technology Special Publication 800-53 (NIST 800-53). Unfortunately, not all solutions are free or fast, so if you are considering research with CMS, CHIA, or other regulated data, we encourage you to contact us<\/a> early to understand the requirements, and to take advantage of templates we have prepared.<\/p>\n <\/div>\n<\/div>\n<\/strong><\/p>\n We offer the following services to help you succeed:<\/strong><\/p>\n Please check out our resources, or reach out to buinfosec@bu.edu<\/a>, and we\u2019ll help you understand how to comply with security requirements in grants, contracts, and data use agreements:<\/p>\n As part of the Institutional Review Board's (IRB) role in protecting the rights and welfare of human subjects, researchers must identify which electronic platforms, data transfer methods, data\/document storage plans etc. are being proposed in the research. This information can be documented in the Confidentiality of Data section of the IRB application.<\/p> Further information for BUMC Researchers to ensure data security.<\/p> These apps have been reviewed by the BU Information Security team and cleared for individually identifiable human subject data classified as Restricted Use or HIPAA data.<\/p> These record management companies have been cleared for management and destruction of individually identifiable human subject data.<\/p> Here we outline what services are approved for each data classification.<\/p> Start with these examples answers for research applications that require information on our security practices.<\/p> These apps have been reviewed for research purposes at various classification levels by the BU Information Security team. These apps are not managed by BU and accounts must be managed by the research team.<\/p>Ways We Can Help<\/h1>\n
Can you help me design a secure workflow?<\/h3>
Can BU support security requirements in my grant, contract, or DUA?<\/h3>
What does this security clause in my grant, contract, or DUA mean (e.g., NIST, FISMA, CUI, FCI, HIPAA Limited Data Set)?<\/h3>
\n
<\/ul>\n<\/li>\n<\/ul>\n
Are any new security regulations coming down the pike that will impact me?<\/h3>
Can you help me fill out the security section of a proposal?<\/h3>
Can you review my proposal to see if I am meeting security requirements?<\/h3>
Getting Started<\/h1>\n
\n
<\/ul>\n
Self Help Resources<\/h1>\n
CRC Institutional Review Board Guidance<\/h2>
BUMC Institutional Review Board Guidance<\/h2>
BU Reviewed & Cleared Apps<\/h2>
Paper Record and Media Management<\/h2>
Data Classification & Services<\/h2>
Data Use Agreement Security Language<\/h2>
Apps Not Managed by BU<\/h2>