Managing Information Technology Risk

What is the risk?

Illegal penetration of IT networks and systems to obtain proprietary and, in some cases, sensitive intellectual property (IP) continues to be a highly significant concern for both U.S. Government agencies and industry partners. Scenarios of concern include unqualified or unreviewed permission to gain remote international access to university servers; laptops used in international travel; data security requirements associated with federal defense and DOE contracts; unauthorized access to High Performance Computing capabilities; unqualified/unreviewed access to information systems granted to temporary visitors on campus or non-institutional research collaborators; and receipt of software programs from international sources that enable data penetration.   

FIU’s Response:

In response to these concerns, FIU deploys a number of “best-in-class” safeguards to protect the university’s information technology systems at the enterprise IT level as well as at the College and administrative unit levels. FIU’s Office of Export Controls coordinates closely with the Information Security Office within the Division of Information Technology to implement federally mandated security controls pertaining to export controlled data and data that is subject to NIST 800-171 requirements (Controlled Unclassified Information – CUI).

However, procedural safeguards alone are not entirely sufficient to prevent unauthorized access to data systems: it remains up to all FIU personnel to responsibly manage their respective IT resources across research, academic and business/operational activities. Toward that objective, the following eight “awareness points” will help secure FIU’s information technology environment:

  1. When traveling internationally, ensure that your FIU laptop does not contain export controlled, institutional confidential, or IP-sensitive data. When necessary, obtain an FIU “loaner” laptop which can be customized for your particular travel-business objectives.
  2. When proposing remote, international access into an FIU server by any student, researcher, or other FIU staff member, follow the procedure set forth by the IT Security Office and proactively communicate all potential uses and users related to the access request, so as to enable a thorough evaluation and solution.
  3. When proposing to host Persons of Interest (POIs) who are foreign national visitors for research, study, or work-related positions, coordinate IT access with your College-level or Business-unit IT administrator (as well as the FIU Export Controls Office where export controlled data may be at issue); follow prescribed guidelines concerning defined access permissions and restrictions.
  4. When working on a sponsored project involving export controlled and/or Controlled Unclassified Information (CUI), adhere to all cyber security requirements set forth in the Technology Control Plan (TCP), System Security Plan (SSP), and mandatory FIU Cyber-security trainings.
  5. Do not share your authorized access points with anyone who has not been individually authorized to access FIU’s computational resources and data servers.
  6. Do not use personal laptops, desktops, or tablets for professional use.
  7. Immediately report any incident that involves the unauthorized disclosure, acquisition or breach of the University’s data maintained in an electronic form or medium to the Chief Compliance Officer and/or the Chief Information Security Officer.
  8. If you become aware of an IT-related concern, report this concern immediately to security@fiu.edu.

Questions: