From Beocat
Revision as of 14:45, 29 March 2022 by Mozes (talk | contribs)

Export Controlled Data on Beocat

Export-controlled information housed on Beocat must be managed in accordance with these guidelines. Export-controlled information that is received by or brought to KSU must be housed on a server designated for this purpose. Any exceptions must be explicitly approved by the Chief Information Security Officer, the Director of Export Compliance, and the Vice Provost for Research.

Guidelines

Data subject to ITAR or EAR export control restrictions is referred to collectively below as Controlled Information.

Access controls

Do not post Controlled Information on public websites or websites that rely solely on IP addresses for access control. Instead, secure access using individually-assigned accounts requiring username/password, user certificates, or other user-specific authentication methods.
All Beocat accounts are individually assigned and require a username and password. This is done through K-State's eID system, using its account and password policies.
Protect Controlled Information by at least one physical or electronic barrier (e.g., locked container or room, login and password) when not under direct individual control.
All Beocat accounts are protected by a username/password. Beocat physical servers are in locked data centers in Durland Hall and Nichols Hall.

System management

Use regularly-updated malware protection software.
Keep computers hosting Controlled Information up to date on security patches and updates.
All Controlled Information must be encrypted if stored on mobile computing devices such as laptops and PDAs, or on removable media such as thumb drives or CD/DVD. See additional notes below.
Wipe electronic media in accordance with NIST 800-88, Guidelines for Media Sanitization.

Transmission of Data

Do not transmit or email Controlled Information unencrypted. If an encrypted transmission channel is not available, the data itself must be encrypted using at least application-provided mechanisms such as the password-based encryption provided in Microsoft Office 2007 and above.
All access to Beocat is encrypted.
Provide monitoring and control over inbound and outbound network traffic. Block unauthorized ingress and egress.
Adam/Kyle?
Detect exfiltration of data using firewalls, router policies, intrusion prevention/detection systems, or host-based security services.
Adam/Kyle?
Transfer controlled information only to subcontractors with a need to know. Subcontractors must adhere to these same data protection requirements. Include these data protection requirements, including this requirement, in all subcontracts if access to or generation of controlled data will take place.
Information transfer to subcontractors is controlled by, and the responsibility of, the individual Beocat user.

Shared Systems

Where the Controlled Information is a software executable that will be run on a shared (multi-user) system such as a compute cluster, the following additional guidelines apply:

The directories containing the software shall be access controlled so that only the designated user(s) approved by the PI have read, write and execute permissions. All others shall have no access permissions.
All Beocat user directories are access controlled so that only the designated user(s) approved by the PI have read, write and execute permissions. All others have no access permissions.
The shared system shall be managed solely by U.S. Persons, as defined in the export regulations. All users with root or sudo privileges must be U.S. Persons.
All Beocat staff and those with root/sudo privileges are U.S. Persons.
Only U.S. Persons shall have unescorted physical access to the shared system.
Visitors to the Engineering and Nichols Data Centers are required to be escorted.
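The directory guideline above (only the PI-approved users hold read, write and execute permissions; everyone else has none) is straightforward to verify and enforce with standard POSIX tools. The script below is an added example, not Beocat's own tooling: it audits a project tree for any entry that grants permissions to "other" and then strips those bits, leaving access to the owner and the project's group. The path and group names are whatever the PI has designated; the functions only assume a POSIX shell with find(1) and chmod(1).

```shell
#!/bin/sh
# Added example (not Beocat's own tooling): audit and lock down a project
# directory so that only the owner and the project's group retain access.
# Assumes a POSIX shell with find(1) and chmod(1).

# List every entry under $1 that grants read, write or execute to "other".
# Returns 0 when the tree is clean, 1 (and prints the offenders) otherwise.
# "-perm -004 / -002 / -001" tests the other-read, other-write and
# other-execute bits individually, which is portable across find versions.
audit_other_access() {
    offenders=$(find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders" | sed 's/^/world-accessible: /'
        return 1
    fi
    return 0
}

# Remove all "other" permissions from a tree. Directories additionally get
# the setgid bit so that files created later inherit the project group
# rather than the creator's primary group; owner and group bits are left
# exactly as the PI set them.
lock_down_tree() {
    find "$1" -type d -exec chmod g+s,o-rwx '{}' +
    find "$1" ! -type d -exec chmod o-rwx '{}' +
}
```

Run `audit_other_access /path/to/project` from a cron job or before a job submission to catch permissions that drifted (a copy from removable media, an archive extracted with a permissive umask); run `lock_down_tree` to correct them. The lock-down only fixes what exists today, so pair it with a restrictive umask (for example `umask 007`) in the project users' shell startup files so new files are created without "other" bits in the first place.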