Educause Security Discussion mailing list archives

Re: Faculty Grant Machines


From: Faith Mcgrath <faith.mcgrath () YALE EDU>
Date: Wed, 13 Aug 2008 22:40:57 -0400

Mike: My experience is that the grant or contract explicitly states
whether you must comply with FISMA and, depending on the *.gov agency,
they should then also be willing to define for you what FISMA
certification and accreditation framework they are requesting (e.g.,
NIST http://csrc.nist.gov/groups/SMA/fisma/overview.html). At our
medical school we are currently seeing this requirement with some NIH
contracts, but not grants (yet). An NIH guidance document was issued in
April that stated currently "FISMA applies to grantees only when they
collect, store, process, transmit or use information on behalf of HHS
or any of its component organizations"
(http://grants.nih.gov/grants/guide/notice-files/NOT-OD-08-066.html).

If you have grants involving VA.gov protected information you may also
have to comply with FISMA, and as a part of those requirements your
hardware/software cryptographic modules must be NIST FIPS 140-2 validated
(http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm).

We are also beginning to receive questions from clinical researchers
related to FDA 21 CFR Part 11 (guidelines on electronic records and
electronic signatures - http://www.fda.gov/cder/guidance/7359fnl.pdf).
I am not as familiar with those requirements (especially related to
electronic signatures), but I believe for the most part the controls
required are in alignment with NIST Recommended Security Controls (SP
800-53). -fm


On Aug 8, 2008, at 4:49 PM, Harris, Michael C. wrote:

Please forgive my lack of knowledge in this area, grants are not
something I regularly deal with.

If it is a Federal grant, do FISMA or FIPS standards apply and need to
be followed? Even if not explicitly called out in the grant process?

From the few I have touched, encryption and data transfer standards are
called out as FIPS 140-1 or 140-2, and sometimes (rarely) electronic
signature standards come up, but what other standards are mandated,
required vs. suggested, or just good practice?

Does the grant explicitly need to call out the best practice framework
required? Or is there some implication that you must follow FISMA,
FIPS, NIST...

Mike

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Cal Frye
Sent: Thursday, August 07, 2008 9:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Faculty Grant Machines

Zach Jansen wrote:
I'm wondering how other schools handle computers purchased by faculty
using grant money. Do you require that those machines be managed by
your security software such as AV, patch management, etc? Do you
segregate those from the rest of the network and leave them alone? Or
do you let faculty do whatever they wish to do with the machines?
Does anyone know what the institutions responsibility is in the event
of a breach of confidential information on grant purchased research
machines? Any sage advice or information is appreciated.

Most of the normal cases have already been discussed, but we do have
some systems that are part of instruments where the instrument vendor
claims they cannot be patched or altered. Those we either keep entirely
off the network or severely restrict network access through firewall
rules, granting them access to printing only, for example. We've gotten
little feedback, especially as we can cite past examples of bad
behaviour ;-)

--
Regards,
-- Cal Frye, Network Administrator, Oberlin College

   www.calfrye.com,  www.pitalabs.com


"Seen it all, done it all, can't remember most of it."


Faith McGrath
Yale University ITS - Information Security
faith.mcgrath () yale edu
voice: 203.737.4087
security () yale edu || security.yale.edu
