Research Security

At the University of California, Riverside (UCR), ensuring the security of research data is a priority. We work closely with UCR’s Information Security Team to provide comprehensive consulting services on securing your research projects. Our goal is to ensure that all research activities meet the highest standards of data security, complying with relevant regulations and university policies.

We assist researchers in several key areas:

  • Understanding Your Research Security: We delve into the specifics of your research to identify any applicable regulations, requirements, and necessary controls.
  • Data Security Plan: We aid in developing a Data Security Plan for your project. The DSP outlines Roles, Responsibilities, Policies, Processes, and Controls essential for safeguarding your data.
  • Implementation: Our team is here to help implement the plans or controls developed, ensuring your research data is secure.

We encourage researchers to connect with the Research Computing Team to explore how we can support your data security needs.

Understanding your Research Security

Understanding and adhering to security policies and regulations is critical for safeguarding research data at UCR. All research data falls under a security classification level ranging from P1 to P4. For detailed descriptions of each level, refer to the UCOP Information Security Classification Standards page. In summary:

  • P1/P2 categories involve data without Personal Identifiable Information (PII)—P1 being public and P2 internal.
  • P3/P4 categories deal with data containing PII, necessitating a Security Plan, where P3 is classified as sensitive and P4 as confidential.

By default, the systems we build and manage at UCR Research Computing are designed to comply with the UC IS-3 policy at the P2 level, ensuring a robust foundation for data security and integrity. While our infrastructure supports projects up to P4 level, accommodating the highest levels of data sensitivity, it is important to note that we do not support the handling of US classified data.

Our team provides guidance on key standards including, but not limited to, the UC IS-3 policy, external regulations from data providers, and state and federal guidelines. Here is an overview of the frameworks we adhere to and guide our research community in complying with:

  • UC IS-3: As part of the UC system, we adhere to the University of California’s policy on information security, setting forth standards for protecting institutional and personal information across all UC campuses. This internal policy mandates a proactive approach to information security management, risk assessment, and incident response.
  • External Requirements: Beyond the UC’s internal IS-3 policy, research projects may need to comply with external security requirements from specific data providers (e.g., Cal-Edison, Department of Education), state health departments, or regulations like NIST-800-171 and CMMC. These are crucial for projects that involve data from outside entities with their own security policies.
    • CMMC (Cybersecurity Maturity Model Certification): Protects the defense industrial base from cybersecurity threats. It outlines cybersecurity standards and best practices for defense-related information and technologies.
    • NIST 800-171: Guidelines for protecting controlled unclassified information (CUI) in non-federal systems, ensuring data security practices align with federal standards.
    • NSPM-33: Focuses on securing systems related to National Security, Defense, and the Intelligence Community against espionage and theft.

Adherence to these standards is essential for maintaining the integrity and security of research activities at UCR. Our team is available to assist researchers in understanding these regulations and implementing the necessary security measures to comply with them. For more guidance or to discuss how these standards apply to your research, please reach out to our support team.

Data Security Plan (DSP)

At UCR Research Computing, we understand the critical importance of safeguarding your research data. To this end, we offer assistance in developing a Data Security Plan (DSP) tailored to your project’s specific needs. A DSP is a comprehensive document that outlines the Roles, Responsibilities, Policies, Processes, and Controls essential for the protection of your data. It serves as a blueprint to ensure that your research is conducted securely, in compliance with relevant standards, and with the utmost safety.

For research projects classified under P3 and P4 levels—which involve sensitive data containing Personal Identifiable Information (PII) necessitating a security plan—we adhere to a detailed template to guide the creation of your DSP. This template is designed with the aim of securing the highest levels of data sensitivity and ensuring compliance with both internal and external security requirements.

  • UCR Data Security Plan Template: Our template facilitates the creation of Data Security Plans at UCR, providing a structured approach to identify and mitigate risks associated with handling sensitive data.

For projects classified under P1 and P2 levels, which involve data without Personal Identifiable Information (PII), nothing is required. We are building a streamlined and modified version of the DSP template. This adaptation reflects the reduced risk and security requirements associated with these levels of data sensitivity.

Our commitment at UCR Research Computing extends to collaborating closely with your lab and the UCR Information Security Office (ISO) team. This collaboration ensures that we provide comprehensive support in planning and conducting your secure research as smoothly and efficiently as possible.

Research Security Resources:

  • UCR Data Security Plan Template: A template designed for use at UCR to facilitate the creation of comprehensive Data Security Plans.
  • UC Data Protection Level Classification: UC’s established classifications for the protection level of information and IT resources, guiding researchers on the security measures needed for their data.
  • Cloud Services Protection Level Handout: An overview of the protection levels applicable to cloud services, ensuring researchers choose the right platforms for their data security requirements.
  • CMMC (Cybersecurity Maturity Model Certification): A framework designed to protect the defense industrial base from cybersecurity threats. CMMC outlines a comprehensive range of cybersecurity standards and best practices to ensure the security and resilience of defense-related information and technologies.
  • UC IS-3: The University of California’s policy on information security, which sets forth the standards for protecting institutional and personal information across all UC campuses. This policy mandates a proactive approach to information security management, risk assessment, and incident response.
  • NIST 800-171: Provides guidelines for protecting controlled unclassified information (CUI) in non-federal systems and organizations. NIST 800-171 is critical for research projects that handle sensitive information, ensuring that data security practices align with federal standards for information confidentiality, integrity, and availability.
  • NSPM-33: A National Security Presidential Memorandum focused on improving the security of systems related to National Security, Defense, and the Intelligence Community. NSPM-33 emphasizes the importance of securing research and development activities against espionage, theft, and exploitation.

Computing Resources and Security Classifications

| Resource Type | Resource | Description | Top Security Classification | Remarks |
|---|---|---|---|---|
| Compute | High-Performance Computing Center (HPCC) | A key resource for intensive computational tasks. | P3 | Suitable for a broad range of research workflows. |
| Compute | NSF Compute Resources | Advanced computing systems and services provided by the NSF. | Varies | Accessibility to national-scale computational infrastructure. |
| Compute | Cloud Computing | Offers a wide range of computational resources including on-demand HPC clusters. | P4 | Requires all security controls to be in place. |
| Compute | Sherlock Cloud | A secure, managed cloud platform designed to meet stringent security requirements. | FISMA, HIPAA, & NIST CUI | Operated by the San Diego Supercomputer Center. |
| Compute | On-Prem Solutions | Department-specific VMs, file sharing services, and physical computing resources. | P4 | Supports sensitive data with appropriate security measures. |
| Storage | Google Drive & Ursa Major Secure Research Storage | Cloud-based storage solutions for collaboration and secure data storage. | P4 | UCR-subsidized resources for secure, scalable storage. |
| Storage | GCS & AWS S3 | Scalable and secure cloud storage solutions for a wide range of data types. | P4 | Supports sensitive data up to P4 with proper security controls. |
| Storage | HPCC-GPFS Cluster Storage | High-performance cluster storage attached to the HPCC. | P3 | High-speed, parallel computing storage suitable for compute-intensive tasks. |
| Storage | Ceph Secure Research Storage | Scalable, resilient storage solution designed for diverse research needs. | P3 | Upcoming enhancement to UCR’s research computing infrastructure. |
| Storage | Dryad | Platform for publishing and archiving research data for enhanced discoverability. | Public | Focused on open science and data sharing. |
| Storage | Backup Solutions (e.g., CrashPlan) | Services for data protection and disaster recovery. | P4 | Ensures data safety and integrity across research projects. |

Collaboration for Security

Collaborating with UCR’s Research Computing Team ensures that your research projects are secure and compliant with the latest data protection standards. Our team is dedicated to supporting UCR researchers in navigating the complexities of research security, offering tailored solutions that meet the unique needs of each project.