Research Cybersecurity Baseline

The Research Cybersecurity Baseline consists of basic practices you can implement to safeguard your research. These practices are appropriate for "fundamental research". Fundamental research is research that has no restrictions on dissemination or participation and is intended to be made publicly available.

Restricted (i.e., non-fundamental) research will generally require additional safeguarding measures to comply with the standards specified by applicable laws, regulations, or contractual obligations established by sponsors, data sources, or other entities - see our discussions about Restricted Data.

In May 2024, the Office of Budget and Management (OMB) introduced language (2 CFR 200.303(e)) requiring that recipients must "take reasonable cybersecurity and other measures to safeguard information including protected personally identifiable information (PII) and other types of information. This also includes information the Federal agency or pass-through entity designates as sensitive or other information the recipient or subrecipient considers sensitive and is consistent with applicable Federal, State, local, and tribal laws regarding privacy and responsibility over confidentiality."


Use SBU owned and managed computers & equipment:

Working with Procurement and DoIT before purchasing ensures that your equipment is supported by the university and compliant with Federal, state, and local regulations as well as contractual obligations.

Using a DoIT managed computer ensures that you are always using the correct applications, updated to the latest versions and carrying the latest security patches and updates.

Securely store and backup your data:

Box cloud services have been provisioned by SBU for long-term storage and backup of research data. SBU's institutional Box account is integrated with Single Sign-On (SSO) and protected by multi-factor authentication to ensure secure access.

When using Box, store data within a designated project folder to ensure compliance with institutional data governance and security protocols. Contact the Office of Research Security to learn more.

Coming soon - SBU's Secure Storage Finder tool. This tool will allow you to find the proper storage solution based on the amount and sensitivity of your data.


Use SBU provided resources:

NetID - Your NetID is your key to unlock the many resources provided by SBU. SBU's institutional email and software accounts are protected by a host of security features not always found in products intended for personal use. Never use personal accounts for email and other cloud services when gathering, processing, analyzing, or storing your research data. Commingling your personal and research data threatens not only the privacy of your personal data, but the security of your research data as well. Keep them separate!

SoftWeb - SBU's Software Distribution Website for Actively-Enrolled Students and Active Employees is available for all SBU users to download university supported and licensed software. Please note that if you are using a DoIT managed computer, some of these applications may already have been provided.

Security Training & Awareness - Stony Brook has partnered with KnowBe4 to provide annual cybersecurity training for all faculty and staff. You can log in using your NetID at any time to see if you are scheduled for courses.

Duo Security Two-Step Login - SBU has partnered with Duo for multi-factor authentication services. Use of Duo is required to access all University resources. We recommend installing the Duo app on your smartphone. If a phone is not an option for you, physical tokens (e.g., a YubiKey) can be used.

Identifying Email Phishing Attempts - Several tips and tricks to help you identify phishing emails, as well as instructions for what to do when one is received.


Inventory your lab and regularly reassess authorizations and data access:

Maintain lists of the people, programs, and equipment that access your lab and its data. Limiting access to your lab's physical and digital space protects your data from loss, theft, and compromise.

Regularly reassessing data access permissions allows you to account for any changes in the sensitivity and value of the data that personnel may access. Also consider what type of access is appropriate (e.g., read-only vs. edit rights), and remove access that is no longer needed.

Regularly review the external systems that your lab connects to and shares data with. Collaborators, partners, vendors, and cloud service providers are all potential avenues for data loss or compromise.

Segregate and isolate your lab's digital environment. DoIT can assist in configuring the network settings to limit digital access to your computers, equipment, and data.


Additional Information:

DoIT Secure Computing Guides