On August 25, 2023, University of Utah President Taylor R. Randall signed a memo revising the University’s information security regulations. While the complete rationale for the revisions are provided in the memo, broadly speaking, the update helps to (1) mitigate the current and increasing risk of cybersecurity incidents and (2) bring the University into compliance with the requirements established by federal regulations, Utah State Board of Higher Education Policy, and industry best practice. In support of these principles, the University President commissioned a University-wide Cybersecurity Program to develop and deploy cybersecurity tools and processes across all levels of the University, including individual departments and units.

In some instances, the implementation of these cybersecurity tools has raised concern among University researchers. The purpose of this statement is to address these worries and definitively affirm the VPR’s position that all research activities and personnel adhere to the University of Utah Information Security Policy (4-004) and all other pertinent University regulations, contractual requirements, state and federal laws.

1. Who owns research/scholarly data and materials?

The University of Utah owns all research and scholarly data and materials that are generated from University activities and projects. University ownership applies unless alternative ownership is expressly designated in a written agreement between the University and a third party (e.g., sponsor agreement, contract, award/gift terms) that has been fully approved and executed consistent with University Policy 3-004: Processing and Signing Official Documents.

This practice is in harmony with existing federal guidance, Institutional requirements, and the policies and practices of research universities nationally.

2. Who owns research funding?

The University of Utah is the recipient of all funding used to support University research and scholarly activities, whether the funds originate from an internal or external source.

Internal funding comes from within the University, through mechanisms such as departmental seed grants, development funds, etc. The Utah State Legislature provides these funds to the University. Thus, internal funds are appropriately owned by the Institution, who is ultimately responsible for ensuring the appropriate use and management of Utah State money.

External funding is received from outside the Institutions, through sponsored projects or from donor gifts. In either case, the funding is awarded or given to the University. Although funding may be given on behalf of an individual investigator and/or to support a specific project, the University is the custodian of the funding and has specific responsibilities to manage the award/gift in accordance with the terms of the sponsor/gift agreement and any applicable laws, regulations, institutional policies, and industry best practices. Accordingly, the University appropriately asserts ownership of these funds.

3. Who owns equipment purchased with research or University funds?

Equipment purchased with University-owned research funding, or any other University funds, belongs to the University. The University has a responsibility to ensure that University-owned assets are properly secured and protected. As such, equipment must comply with University security requirements.

4. Can personal equipment (e.g., computers) be used to perform research and scholarly work?

While the use of personal equipment to perform University business may be technically allowed under current federal policies and University regulations, the University requires that such personal equipment become subject to the same UIT security policies and tools as University-owned and -provided equipment, effectively making the personal equipment subject to University-management.

Moreover, the VPR is opposed to the use of personal equipment in University research activities and expects that faculty, staff, and students are provided with University-owned and -supported equipment to conduct research work. The use of University-owned and -managed equipment will ensure the protection of your research data while also guaranteeing the separation and privacy of personal data.

5. Is the installation of the UIT security tools a requirement?

Yes. The UIT security tools are required by University regulation 4-004: Information Security Policy and it’s associated rules, the President of the University, and the Vice President for Research.

The implementation of the UIT security tools applies to all equipment used to conduct University business, regardless of ownership. The University is not currently requiring installation of the UIT security tools on phones, other mobile devices, and tablets. For additional information and definitions, see the FAQ provided by the Information Security Office, “What devices are covered by this initiative?”

6. Is it possible to be given administrator rights?

University regulation R4-004D: Access Management prohibits granting permanent administrator rights without first obtaining an exception to the policy, as outlined in University Policy 4-004. The University has provided a tool for granting varying levels of administrator-like access if the following conditions are satisfied: (1) there is a business need, (2) an exception is obtained in accordance with Policy 4-004, and (3) administrator rights are supported by unit-specific practices and procedures. The process for requesting graduated administrative rights is initiated by contacting your unit-specific IT support team.

7. Is there a possibility that the UIT security tools limit academic freedom?

Academic freedom in research represents the right to conduct scholarly inquiry and research without censure. UIT’s security measures do not limit any faculty’s ability to freely select and pursue research and scholarly interests, but simply ensures that data and equipment are secure.

Compliance with the UIT security tools is not an issue of academic freedom but of employee responsibility to protect data and information.

8. What if a University employee refuses to use the UIT security tools?

Refusal to adhere to the UIT security requirements will be escalated to the University’s Chief Information Security Officer (CISO). If compliance cannot be achieved through the CISO, the matter will be referred to the University President. Continued refusal presents unacceptable risk to University data and security, and may result in a discontinuation of University resources for the individual until compliance is achieved.

9. Can a researcher or PI take their research data and/or funding to another institution?

Researchers should not automatically assume that they can take their project and data with them if they move to another institution. As the owner of the research funding and associated data, the University may have rights and obligations relative to the project and/or data. The appropriate offices (i.e., Office of Sponsored Projects (OSP), Technology Licensing Office (TLO), Advancement Office, or internal funding unit) must be consulted to make a determination regarding the transfer of University research and data.

10. What are the information security practices at other academic research institutions?

There are two main factors motivating academic research institutions both locally and nationally to implement policies and tools similar to those currently required by UIT and the VPR:

1. First, such policies and tools are required for proper cybersecurity and/or ransomware insurance.
2. Second, federal regulations and funding agency policies governing research security require minimum standards for the University to be compliant and competitive in receiving research awards (e.g., NSPM-33 and CMMC Level 1).

As a result, peer institutions are implementing similar policies with comprehensive data security standards.

11. Can UIT security tools be used as spyware or workplace management software (i.e., to monitor or track my device activity or usage)?

The UIT security tools are not spyware or workplace management software. The tool set does not monitor or track device or internet activity. None of the tools monitor or log internet use.

12. Can UIT security tools be used to share, steal, leak, or delete data on my equipment?

No, the UIT security tools do not view, copy, share, store, archive, or delete data.

13. What data on my equipment does the UIT security tools analyze?

The only data analytics function performed by the security tools is to routinely check for Medical Record and Social Security Numbers (MRNs and SSNs) against the University’s electronic medical record system (i.e., EPIC) and log that the identified MRN/SSN was on the identified machine on a specific date. The data analytics function of the software is tightly scoped around Protected Health Information (PHI) to ensure compliance with federal regulations in the event of a data breach.

If you have additional concerns or questions not addressed above, please review the FAQ provided by the Information Security Office, here. Any remaining questions should be directed to the UIT Partner Relations team at uit_partner_relations@utah.edu. Following statement can be found online here.