Educause Security Discussion mailing list archives
Re: Faculty Grant Machines
From: Faith Mcgrath <faith.mcgrath () YALE EDU>
Date: Wed, 13 Aug 2008 22:40:57 -0400
Mike: My experience is that the grant or contract explicitly states whether you must comply with FISMA and, depending on the *.gov agency, they should then also be willing to define for you what FISMA certification and accreditation framework they are requesting (e.g., NIST http://csrc.nist.gov/groups/SMA/fisma/overview.html). At our medical school we are currently seeing this requirement with some NIH contracts, but not grants (yet). An NIH guidance document was issued in April that stated currently "FISMA applies to grantees only when they collect, store, process, transmit or use information on behalf of HHS or any of its component organizations" (http://grants.nih.gov/grants/guide/notice-files/NOT-OD-08-066.html). If you have grants involving VA.gov protected information you may also have to comply with FISMA, and as a part of those requirements your hard/software cryptographic modules must be NIST FIPS 140-2 validated (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm). We are also beginning to receive questions from clinical researchers related to FDA 21 CFR Part 11 (guidelines on electronic records and electronic signatures - http://www.fda.gov/cder/guidance/7359fnl.pdf). I am not as familiar with those requirements (especially related to electronic signatures), but I believe for the most part the controls required are in alignment with NIST Recommended Security Controls (SP 800-53).

-fm

On Aug 8, 2008, at 4:49 PM, Harris, Michael C. wrote:
Please forgive my lack of knowledge in this area; grants are not something I regularly deal with. If it is a Federal grant, do FISMA or FIPS standards apply and need to be followed? Even if not explicitly called out in the grant process? From the few I have touched, encryption and data transfer standards are called out (FIPS 140-1 or 140-2) and sometimes (rarely) electronic signature standards come up, but what other standards are mandated, required vs. suggested, or just good practice? Does the grant explicitly need to call out the best practice framework required? Or is there some implication that you must follow FISMA, FIPS, NIST...

Mike

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Cal Frye
Sent: Thursday, August 07, 2008 9:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Faculty Grant Machines

Zach Jansen wrote:
I'm wondering how other schools handle computers purchased by faculty using grant money. Do you require that those machines be managed by your security software such as AV, patch management, etc.? Do you segregate those from the rest of the network and leave them alone? Or do you let faculty do whatever they wish to do with the machines? Does anyone know what the institution's responsibility is in the event of a breach of confidential information on grant-purchased research machines? Any sage advice or information is appreciated.

Most of the normal cases have already been discussed, but we do have some systems that are part of instruments where the instrument vendor claims they cannot be patched or altered. Those we either keep entirely off the network or severely restrict network access through firewall rules, granting them access to printing only, for example.

We've gotten little feedback, especially as we can cite past examples of bad behaviour ;-)

-- Regards,
-- Cal Frye, Network Administrator, Oberlin College
www.calfrye.com, www.pitalabs.com
"Seen it all, done it all, can't remember most of it."
Faith McGrath
Yale University ITS - Information Security
faith.mcgrath () yale edu
voice: 203.737.4087
security () yale edu || security.yale.edu
Current thread:
- Faculty Grant Machines, Zach Jansen (Aug 06)
- Re: Faculty Grant Machines, Sarah Stevens (Aug 06)
- Re: Faculty Grant Machines, Kieper, David (Aug 06)
- Re: Faculty Grant Machines, Cal Frye (Aug 07)
- Re: Faculty Grant Machines, Harris, Michael C. (Aug 08)
- Re: Faculty Grant Machines, Faith Mcgrath (Aug 13)