FAQs
Last Updated: June 14, 2023 8:47:15 AM PDT
Is participation in the CCR Initiative required?
Yes. The program was created at the request of campus executives in response to the UCSF ransomware incident. It will become a requirement for OCGA to have a certification on record to process proposals or awards.
The certification form looks like a lot of work. How long does it take to complete? Can I delegate it?
Filling out the form can be delegated to anyone who works with you or in your lab. They will be asked to identify the PI, who will receive a notification to log in and certify the accuracy of the information provided before submission.
A 2018 study reported that 44% of research time is associated with obtaining and managing federally funded research rather than actively conducting the research. The CCR program was crafted to avoid contributing to this problem.
Do I complete the online form or the Excel workbook? Or both?
The Excel Cyber Certification Data Collection workbook is optional unless you plan to upload a list of critical servers (those that can’t be blocked from the network without prior notification).
We recommend entering information into the workbook as you collect it. Once the workbook has been completed, transfer the information into the online certification form and submit.
When do I have to complete this?
We have been asked by the Chancellor to complete all of the high-risk labs and as many of the remaining researchers and labs as possible by June 30, 2021.
Am I considered a ‘high-risk’ lab?
The CCR program has identified 300 researchers whose work includes either DoD funding, CUI data, or COVID-19 research and a high funding amount. If you are on this list, you and your unit head will be notified.
All high-risk lab certifications are reviewed by a team of IT and security professionals from the campus, SDSC, and Health for accuracy. Feedback on your submission will be provided.
If you’d like to have your certification reviewed but aren’t an identified high-risk lab, send a request to ccr-support@ucsd.edu.
Do I need to install your software on every piece of computing equipment?
In principle, yes. UC San Diego’s selected security and vulnerability identification software must be installed on every piece of equipment capable of supporting it. However, there will be equipment that cannot run the software. If the software conflicts with existing programs, please contact us for alternatives.
Classes of equipment that should run it include laptops, workstations, and most servers running Windows, Linux, or OSX.
Custom instrumentation, computing clusters, or data collection systems that cannot be interrupted for months on end are not required to run these programs. Note that such systems are still vulnerable to attack and we recommend you discuss how to protect them with the CCR support team or your local unit IT staff.
Please note:
Separate installation packages are available for members of UC San Diego Health, SDSC, and campus users (i.e., those not at SDSC or in the Health System, including the professional medical schools).
I’ve heard you describe the program as building “herd immunity” in our environment. Doesn’t herd immunity mean we all need to become infected?
We’ve used the metaphor of herd immunity to mean that by "vaccinating" your systems with our anti-malware product we are establishing a general immunity from compromise across campus.
It’s not a perfect metaphor (and just like a vaccine, no security product provides 100% resistance to infection). Just as importantly, every “inoculated” computer acts as a tripwire for malicious software or hackers that move through our networked environment. Like a face mask, using the campus-provided anti-malware solution helps protect your neighbors and colleagues as much as yourself.
My research involves highly confidential information, some of which belongs to third parties and requires us to sign NDAs. Does any of your software violate that? Will data or intellectual property be removed by the security office?
At no time will data be removed from a computer without your prior approval.
Typically, campus counsel, Research Affairs, and the Office of Contract and Grant Administration (OCGA) are also involved in these conversations. It is quite rare that an incident requires this detailed sort of forensics.
I don’t have a lab, so do I need to do this?
Yes. Every faculty member and researcher needs to complete the certification.
Every laptop or workstation must be running the campus-provided software, and the information collected on the certification form permits us to contact you quickly if malicious activity is detected.
If you do not have a lab or your research only involves you and a laptop or workstation, the certification will only take a few minutes. Simply run the downloadable installers from the secure.assure.ucsd.edu website and complete the form, and you’ll receive your certification, good for two years.
How do I get started?
There is a detailed checklist on the secure.assure.ucsd.edu website.
In short:
- Ask someone who supports your research to download the spreadsheet and collect the data it requests.
- Have them install the required software on every computer that can run it.
- Create a data backup plan.
- Ask them to complete the form at certify.assure.ucsd.edu.
- You (the PI) will receive a notification asking you to log in, review the information, and certify that it is correct.
- You’ll receive your certification by email.
What are the characteristics of the vulnerability identification software?
Vulnerabilities in software arise from software bugs. Keeping systems patched with security updates usually addresses the known vulnerabilities.
The vulnerability identification software installed as part of CCR performs two related functions:
First, it examines the version of every installed software program, including the operating system, and compares that version information with a database of known vulnerabilities that can be exploited by hackers or malicious software.
Second, it examines the system configuration to determine which ports the system accepts connections on. While we currently scan the entire campus network externally every three days, our external scans for vulnerabilities are much more prone to false positives and thus less accurate.
What happens when you find a vulnerability?
Using a combination of automated processes and human analysis, we prioritize vulnerabilities that should be addressed.
Vulnerabilities known to be actively exploited, especially if accessible from the Internet, will be communicated to your technical staff with an expectation that they will be addressed.
Should a vulnerability be identified that is not correctable through a software patch or upgrade, we will discuss alternatives to protect your systems with your technical staff.
What role does anti-malware software play?
Once triggered, the software alerts the security office, which will review the alert.
The software will also begin collecting information related to the alert (though this information remains on the computer for future use). For example, it will track which files are being modified or what processes are running on the computer.
If the security office determines the compromise to be valid and needs additional information, you will be contacted to discuss before any action is taken.
Does running anti-malware software mean I don’t need to run antivirus software?
Correct. The anti-malware product includes a contemporary antivirus solution (BitDefender) that is also installed.
What is done with data collected from the anti-malware program we need to install?
As with any data collected for the purposes of incident detection and response, the information collected is strictly limited to this purpose. We have implemented a number of specific privacy-protecting mitigations:
- Least Perusal - Data is only copied in the event of a security alert
- Least Disclosure - Data is shared with the minimum number of individuals needed per security event
- Minimal Retention - Data is retained for 30 days, unless longer retention is requested by analysts (for up to one year, to support an ongoing investigation) or by legal counsel
- Data Security - Security event data is classified as P4 per UC-wide data classification standards
What is done with the vulnerability information collected?
Vulnerability information is used to identify computers that are susceptible to attack. The information is only provided to IT staff working within the unit supporting the equipment and the researcher responsible for the equipment.
Vulnerability identification service accounts can be provided to whomever the researchers choose, and reports listing vulnerabilities and recommendations for addressing them can be automatically generated and distributed.
For more information, see Routine System Monitoring Practices.
What about students and guests working in my lab?
A "Lab Worker Cybersecurity Attestation" is available at labworker.assure.ucsd.edu (login required). It covers best practices and requirements for information security, data handling, personal computers, and other individual responsibilities.
How can I return to a saved draft?
To access a saved draft, visit the Drafts tab in the "My Documents" section of the Kuali Build application at https://ucsd.kualibuild.com/app/builder/my/drafts.
Glossary
- High-Risk Lab: For the purposes of this program, a high-risk lab is one that is involved in DoD-funded research or COVID-19 research, or that works with Controlled Unclassified Information (CUI). We have prioritized this list by the aggregate sponsored funding they each receive. In the first year of the program only the first 300 labs are in scope for review.
- CUI: Controlled Unclassified Information. A federal data classification for information requiring exceptional security practices.
- Ransomware: a type of malware that encrypts your data and requires you to pay a ransom to receive the decryption information.
- Vulnerability: Typically a software bug, though also a software misconfiguration, that allows a hacker to access systems and data, and to bypass other security measures.