There are two aspects to research systems and BPM12004 compliance: requirements imposed by the Data Classification Level (DCL) of the data involved, and general IT requirements relating to security and supportability.
- Access Attribution: Unique userid and password for all users who will access the system
- Operating System Security: Operating systems must be supported and configured to receive updates
- Standard User Privilege: Operate normally with standard user privileges
- Centralized Logging: Access and activity logs must be stored in a central logging facility as the logs are generated
- External Dependencies: Enumeration of all external dependencies required for the operation or support of the software or equipment
While each of these points is listed individually they are not truly separable and have interactions. For example, using domain logins touches on access attribution, standard user privilege and centralized logging. The requirements must always be considered holistically and in the specific context of the systems in question.
The earlier these considerations are addressed, the better the outcome is likely to be. If there will be a request for proposal (RFP), writing the requirements identified here into the RFP can be used as a filter to identify vendors that will be able to provide the best solution.
Access Attribution
All access to computing devices must be attributable to an individual. On managed systems this is achieved through the use of domain accounts, where each account is assigned to one individual and passwords are not shared. Any system that provides access to Data Classification Level (DCL) 2 data must have attributable access controls, and access must be limited to those authorized to access the data.
Unpublished research is, at a minimum, DCL2 and so must be protected in this fashion. Note that access must also be revocable, as only those who are currently authorized to access the data are allowed to do so. If the data will be stored on the local storage of a specific computing device in a way that gives every user who logs in access to it, then access to the computing device itself must be restricted to those who are authorized to access the data, for example by placing the computing device in a location whose access is controlled by an electronic lock that only unlocks for authorized users.
Caution: In such a case it is best for the location to have a single purpose — having multiple purposes complicates room access control as users for some purposes may not be authorized for a restricted purpose. This can result in conflicts where a user must be allowed access for one purpose while being denied it for another.
Some computing devices, particularly those provided by a vendor, may not support individually attributable access. These cases require individual evaluation to determine whether a compensating control can be used.
Operating System Security
In order to maintain the confidentiality, integrity and availability of the University network and systems, computing devices are required to be supported and configured to receive updates. This means the operating system must be one that is supported by the operating system vendor and receive patches for security vulnerabilities as those are identified.
This is not just a consideration of the moment in time when the equipment is acquired, but for the entire lifetime of the equipment. Consequently the expected lifetime of the equipment and the operating system must both be considered. Microsoft has a defined roadmap for future support of their operating systems. If equipment is reasonably expected to still be in use after the end-of-life for support then a commitment from the vendor to move to a supported version is required.
For example, with end-of-life for Windows 10 being October of 2025 vendors will need to either supply Windows 11 or commit to an upgrade path to Windows 11 before that date.
Standard User Privilege
In keeping with the best-practice of following the principle of least privilege, computing devices must operate normally with standard user privileges. The minimization of elevated or administrator privileges has been mandated for all campuses and is an important factor in minimizing the impact of security incidents.
If normal operation of a computing device requires that users have elevated privileges then IT can be engaged to determine whether there is a way to avoid this. In some cases a vendor's failure to work properly with access control mechanisms can be corrected; in others a novel approach may resolve the issue. All such cases require individual evaluation to determine whether the issue can be resolved.
Any default administrator accounts, such as Administrator in Windows or root in Linux, must be disabled or removed to avoid facilitating attacks, since their names are known to every attacker and need no guessing. If the use of the computing device requires a local administrator account then a different account or mechanism must be used. IT-managed computers use dedicated administrator accounts or the Windows Local Administrator Password Solution (LAPS), while Linux systems may use sudo.
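As a concrete check for the Linux half of that rule, the following Python script is an added example written for this page (it is not a University tool). It reads passwd- and shadow-style content and reports a root account whose password is not locked, any extra UID 0 account, and any account with an empty password field. The account names and hashes below are constructed samples; to run it against a real host, pass the paths to /etc/passwd and /etc/shadow (reading /etc/shadow requires root).

```python
"""Added example: audit Linux account files for the default-administrator rule."""
import sys

# Constructed /etc/passwd and /etc/shadow excerpts for the demonstration.
# "toor" is a second UID 0 account of the kind a vendor image sometimes ships;
# "labuser" has an empty password field.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
labadmin:x:1001:1001:Lab admin:/home/labadmin:/bin/bash
toor:x:0:0:vendor service:/root:/bin/sh
labuser:x:1002:1002::/home/labuser:/bin/bash
"""

SAMPLE_SHADOW = """\
root:!:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
labadmin:$6$saltsalt$hashhashhash:19700:0:99999:7:::
toor:$6$saltsalt$otherhash:19700:0:99999:7:::
labuser::19700:0:99999:7:::
"""


def parse_colon_file(text):
    """Return {name: fields} for a passwd/shadow-style file, skipping blanks and comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def password_state(shadow_field):
    """Classify the second shadow field the way `passwd -S` reports it."""
    if shadow_field == "":
        return "empty"       # no password required at all
    if shadow_field.startswith(("!", "*")):
        return "locked"      # no hash can match, so password login is disabled
    return "active"


def audit_accounts(passwd_text, shadow_text):
    """Return (account, finding) pairs for everything the rule forbids."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for name, fields in passwd.items():
        uid = int(fields[2])
        state = password_state(shadow[name][1]) if name in shadow else "missing"
        if name == "root" and state != "locked":
            findings.append((name, "default administrator account is usable"))
        if uid == 0 and name != "root":
            findings.append((name, "extra UID 0 account: equivalent to root"))
        if state == "empty":
            findings.append((name, "empty password field: passwordless login"))
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 3:
        passwd_path, shadow_path = sys.argv[1], sys.argv[2]
    else:
        passwd_path, shadow_path = "/etc/passwd", "/etc/shadow"
    with open(passwd_path) as p, open(shadow_path) as s:
        for account, finding in audit_accounts(p.read(), s.read()):
            print(f"{account}: {finding}")
```

A locked password field disables password authentication only: root can still log in with an SSH key if sshd permits it, and any sudoer can still become root, which is the intended path. So PermitRootLogin in sshd_config and any authorized_keys under /root need checking separately. The Windows counterpart is confirming that the built-in Administrator account is disabled.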
Centralized Logging
All access and activity logs must be stored centrally so that they can be relied upon for general support activities and when investigating incidents. To prevent an attacker from manipulating logs that would reveal their actions, the logs must be shipped off the device as they are generated. While an attacker could manipulate log generation after they have achieved access, any logs generated before and during that achievement would already be stored off-system.
Centralized logging is important because it is leveraged to facilitate early detection of and response to security incidents, which helps limit their impact. The University network is under constant attack. Fortunately, most attempts are stopped by our border firewall, but some attacks are more sophisticated. For example, a phishing email, an email with a malicious attachment disguised as a document, search engine poisoning, or Domain Name System poisoning can result in activity originating from within our network. By having the resulting activity logged centrally it is possible to detect such attacks and potentially limit the damage.
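To make the ship-as-generated point concrete, the following Python script is an added example written for this page (it is not part of the University's logging tooling). A loopback UDP listener stands in for the central collector; every record is sent to it from inside the standard library's SysLogHandler at the moment it is emitted, and only then is the "attacker" allowed to truncate the local log file. The event text, addresses, logger name and file paths are all constructed for the demonstration; a real deployment would point the OS log forwarder at the campus collector instead of a loopback socket.

```python
"""Added example: ship each log record off-host the moment it is generated."""
import logging
import logging.handlers
import os
import socket
import tempfile
import threading
import time

# Constructed sample of activity on a lab workstation: three password guesses,
# a successful login, and a privileged command. None of this is real data.
SAMPLE_EVENTS = [
    (logging.WARNING, "sshd: Failed password for labuser from 203.0.113.7"),
    (logging.WARNING, "sshd: Failed password for labuser from 203.0.113.7"),
    (logging.WARNING, "sshd: Failed password for labuser from 203.0.113.7"),
    (logging.INFO, "sshd: Accepted password for labuser from 203.0.113.7"),
    (logging.INFO, "sudo: labuser : COMMAND=/usr/bin/apt-get install netcat"),
]


class UdpCollector:
    """Stand-in for the central collector: a loopback UDP listener that keeps
    every datagram it receives."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))   # ephemeral port, loopback only
        self.sock.settimeout(0.1)          # lets the thread notice close()
        self.port = self.sock.getsockname()[1]
        self.received = []
        self._stopping = False
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stopping:
            try:
                data, _ = self.sock.recvfrom(65535)
            except socket.timeout:
                continue
            except OSError:
                return
            self.received.append(data.decode("utf-8", "replace"))

    def wait_for(self, count, timeout=3.0):
        """Block until `count` datagrams have arrived or the timeout expires."""
        deadline = time.monotonic() + timeout
        while len(self.received) < count and time.monotonic() < deadline:
            time.sleep(0.01)
        return len(self.received)

    def close(self):
        self._stopping = True
        self._thread.join()
        self.sock.close()


def parse_pri(datagram):
    """Split the <PRI> header of an RFC 3164 datagram into (facility, severity)."""
    pri = int(datagram[1:datagram.index(">")])
    return pri >> 3, pri & 0x7


def build_logger(local_path, collector_port):
    """Every record goes to two places: the local file an intruder can edit, and
    the collector, which SysLogHandler writes to inside emit(), i.e. before the
    logging call that produced the record even returns."""
    logger = logging.getLogger("research-system-demo")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    for handler in list(logger.handlers):   # keep run_demo() re-runnable
        logger.removeHandler(handler)
        handler.close()
    fmt = logging.Formatter("%(name)s %(levelname)s %(message)s")
    local = logging.FileHandler(local_path)
    remote = logging.handlers.SysLogHandler(
        address=("127.0.0.1", collector_port),
        facility=logging.handlers.SysLogHandler.LOG_AUTH)
    for handler in (local, remote):
        handler.setFormatter(fmt)
        logger.addHandler(handler)
    return logger


def run_demo():
    """Log the constructed events, let the intruder wipe the local log, and
    report what survives where."""
    collector = UdpCollector()
    workdir = tempfile.mkdtemp()
    local_path = os.path.join(workdir, "auth.log")
    logger = build_logger(local_path, collector.port)
    try:
        for level, message in SAMPLE_EVENTS:
            logger.log(level, message)
        shipped = collector.wait_for(len(SAMPLE_EVENTS))
        # The intruder now has root on the workstation and truncates the local
        # log to hide the break-in; the collector's copy is out of reach.
        with open(local_path, "w"):
            pass
        with open(local_path) as f:
            local_surviving = sum(1 for line in f if line.strip())
    finally:
        for handler in list(logger.handlers):
            logger.removeHandler(handler)
            handler.close()
        collector.close()
        os.remove(local_path)
        os.rmdir(workdir)
    return {
        "local_surviving": local_surviving,
        "shipped": shipped,
        "failed_logins_seen_centrally": sum("Failed password" in m for m in collector.received),
        "first_pri": parse_pri(collector.received[0]) if collector.received else None,
    }


if __name__ == "__main__":
    print(run_demo())
```

The three failed logins and the successful one are all still visible at the collector after the local file is emptied, which is exactly the window the paragraph above describes: events generated before and during the compromise. The first datagram carries PRI 36 (facility 4, auth; severity 4, warning), so the collector can route and alert on it without parsing the message body.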
For a domain joined Windows computer where domain accounts are used this requirement is satisfied for login actions as those events are generated and stored on the University’s domain controllers. If local accounts are used then authentication logs will have to be stored centrally as those events occur.
For a Windows computer with Defender installed and configured properly, significant activity logs are stored centrally. Systems without Defender must be configured to store significant activity logs centrally.
External Dependencies
This is an open-ended consideration; identifying external dependencies is important to ensure that the request is reviewed holistically. Examples of external dependencies include, but are not limited to,
- Cloud access
- Network Bandwidth
- Storage requirements
- Database
- Domain Name Service (DNS)
- Network protocols
- Access from outside the University’s network
Although this list is not, and cannot be, comprehensive, the listed items are discussed to improve understanding of how external dependencies can impact a request.
Cloud Access
If data will be created in, stored in, or transit a cloud service then the nature of that data must be identified and classified according to the University’s Data Classification Level system. As unpublished research is, at a minimum, DCL2, the handling requirements for DCL2 data must be met by the cloud service as well. This normally requires a vendor assessment. The University uses the IT Standards and Requirements Questionnaire (ITSRQ) for this purpose, with S&T using Isora to manage assessments. The Higher Education Community Vendor Assessment Toolkit (HECVAT) is also accepted.
The assessments are required in order to document the vendor’s specific attestations. While information provided on a website can be helpful it can also be changed at any time and lacks the specificity of attestation that the assessments provide.
Provision of an ITSRQ or HECVAT does not automatically result in approval. What matters are the vendor responses to the questions.
Network Bandwidth
If a research system will have significant network bandwidth requirements then special accommodations may be required. While network devices may have gigabit network interfaces, the building infrastructure may only support 100 Mbit/s. Wireless networks are also subject to limitations, and the theoretical bandwidth of the protocol used may not be achieved in practice.
Early identification of network bandwidth requirements and engagement with IT networking can help ensure that the needs are best met.
Storage Requirements
Some research creates very large data sets resulting in special storage requirements. Others require very low latency or very high speed data transfer rates. While in general storage media provides sufficient capacity, latency and data transfer, those parameters exist in a balance with cost and meeting specific needs may require customization.
Early identification of storage requirements and engagement with IT can help ensure that the needs are best met.
Database
Some research may depend on access to a database external to the equipment in question and have requirements as to the type of database and its configuration that are supported. While Structured Query Language (SQL) databases are interchangeable in principle, in practice this is often not the case and there are other types of databases as well.
Even if the database is part of the research equipment in question it is important to consider, at the least to ensure that other points (attributable access, operating system security, standard user privilege, and centralized logging) are addressed with specific consideration of the database in question.
Early identification of any database requirements and engagement with IT can help ensure that the needs are best met.
Domain Name Service (DNS)
Some research may require DNS accommodations, for example having a particular network name created and assigned to it.
Network Protocols
If the research will make use of the network then identification of the network protocols involved is necessary for a complete assessment. If file sharing is needed it matters what the underlying protocol is as the details differ significantly. For example, use of an SFTP service versus SMB or NFS.
Some protocols are particularly problematic. For example, the design of the BitTorrent protocol makes it particularly poor for use over wireless networks.
Early identification of any network protocols required and engagement with IT can help ensure that the needs are best met.
External Access
If external access to a network device residing on the University network is required then a security assessment of that external access will need to be performed and, if approved, a firewall accommodation made in order to meet the need. For example, if a network camera needs to be accessed from off campus then the camera’s security will have to be evaluated and, if an exception is approved, a firewall exception entered.
For security reasons some methods of external access, such as TeamViewer, are prohibited by default. They can only be used following an exception grant and coordination with IT Security.
Early identification of any external access requirements and engagement with IT can help ensure that the needs are best met.