The document presents an overview of IT security practices and considerations for research data at UMBC, drawing on insights from the EDUCAUSE benchmarking initiative. EDUCAUSE’s annual data collection, supported in part by the Lumina Foundation, provides benchmarks on institutional technology maturity, with research computing and information security serving as focal areas for analysis. Results indicate that institutions with higher research activity (DR High and Very High) demonstrate greater maturity and deployment regarding research computing, especially in infrastructure, though centralization and prioritization remain areas for improvement. Conversely, larger institutions often exhibit less mature information security processes and procedures, with technology deployment surpassing progress in policy and procedural development. The document notes a general institutional lag in moving toward compliance with NIST 171 moderate standards, particularly relevant should financial aid data be designated under FISMA moderate.
At UMBC, a comprehensive approach is being adopted to manage and secure research data. The establishment of the Research Data Management Council (RDMC) and close collaboration between the Office of Sponsored Programs (OSP), the Department of Information Technology (DoIT), and its Chief Information Security Officer illustrate a governance structure aiming to increase oversight and responsiveness. Current efforts encompass both unprotected and protected data, including securing high-performance clusters, documenting security procedures, managing compliance with regulations such as HIPAA and FISMA, and pursuing contractual safeguards with cloud service providers. Looking forward, UMBC recognizes the need for increased faculty education regarding security costs and regulatory impacts, securing sustainable funding for protected data environments, mapping institutional policy against evolving NIST standards, and enhancing ongoing training for IT staff. The overarching goal is to position FISMA moderate as the default standard for the university’s sensitive data, aligning security practices with both regulatory demands and operational continuity.
