Cybersecurity Checklist for Researchers
As a researcher, you are a major target for scammers and even nation-state actors. Your research is valuable, and they want it, whether to sell it to others or to hold it for ransom. To help protect the cybersecurity and compliance of your data and projects, you should err on the side of extreme caution. In addition to the foundational cybersecurity best practices above, every NYU researcher should follow the guidance in the checklist below.
- Understand and comply with your Data Use Agreements (DUA)
- Understand your data’s risk classification and use appropriate systems
- Secure your privileged accounts with unique and extra-strong passwords
- Use NYU-managed equipment (laptops, servers, etc.), not personal devices
- Protect your research data and devices when traveling
- Be vigilant about access and permission settings
- Use secure services to share sensitive information and back up your data
- Review your risk factors every semester
- When in doubt, ask the experts
- Familiarize yourself with other NYU resources for researchers
Researchers Checklist
Understand and comply with your Data Use Agreements (DUA)
Any contract, especially Data Use Agreements (DUA), can increase data classification risk and restrict how you analyze and store your data. For example, a DUA might require the use of a storage system that is locked in your lab and/or not connected to the internet. DUAs are dataset/system-specific per researcher and must be understood and complied with individually. NYU’s Office of Sponsored Programs (OSP) and the NYU IT Secure Research Data Environment support team collaborate on the review of DUAs.
Resources
- OSP’s DUA Checklist is designed to help identify the type(s) of data being exchanged. This document should be completed when NYU is receiving and/or sharing data.
- For more information, see the NYU Office of Sponsored Programs (OSP)’s DUA Guidance and Workflow wiki.
Understand your data’s risk classification and use appropriate systems
In addition to understanding and complying with your Data Use Agreements (DUA), knowing your data risk classification according to NYU’s policy is essential for selecting an appropriate storage environment for your data.
Resources
- Electronic Data and System Risk Classification Policy
- Data and System Security Policy
- Working with Research Data
- File Storage Services Comparison
- NYU’s Institutional Review Board, Office of Sponsored Programs, and Global Office of Information Security are available to help with data risk classification. Experts on the Secure Research Data Environment (SRDE) team are also available to help with any questions regarding secure data. To start the conversation on either topic, contact the SRDE team by completing this intake form or emailing srde-support@nyu.edu.
Secure your privileged accounts with unique and extra-strong passwords
Stolen credentials can be damaging if an attacker gets access to any account. This is especially true if the attacker gets access to login information that is used on multiple computers or that gives them privileged/administrative access to a system. If you have one or more privileged access accounts:
- It is critical to use unique and strong passwords for each system. Never use the same username and password or other credential to administer multiple computers or systems.
- Passwords or passphrases must be hard to guess and resistant to brute force attacks. For privileged access accounts, this means creating passwords of 32 characters or more that combine lowercase, uppercase, symbols, and numbers.
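The following sketch is an added example, not NYU-provided code. It checks a password against the privileged-account requirements above, generates a compliant one from the operating system's CSPRNG, and flags systems that share a password. The function names, the use of `string.punctuation` as the symbol set, and the sample inventory are assumptions made for illustration.

```python
import secrets
import string
from collections import defaultdict

MIN_LENGTH = 32  # minimum length the checklist gives for privileged accounts
CLASSES = {      # symbol set is an assumption; the checklist does not list one
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "numbers": string.digits,
    "symbols": string.punctuation,
}

def missing_requirements(password):
    """Return the checklist requirements this password fails (empty = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"length {len(password)} < {MIN_LENGTH}")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append(f"no {name}")
    return problems

def generate_password(length=MIN_LENGTH):
    """Generate a compliant password using the OS CSPRNG (secrets module)."""
    if length < MIN_LENGTH:
        raise ValueError(f"privileged passwords need at least {MIN_LENGTH} characters")
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Retry instead of patching in characters, so no position is predictable.
        if not missing_requirements(candidate):
            return candidate

def shared_passwords(inventory):
    """Given {system: password}, return sorted groups of systems reusing one."""
    by_password = defaultdict(list)
    for system, password in inventory.items():
        by_password[password].append(system)
    return sorted(sorted(g) for g in by_password.values() if len(g) > 1)

if __name__ == "__main__":
    # Constructed sample inventory; real secrets belong in a password manager.
    sample = {"lab-server": "Summer2024!", "analysis-vm": "Summer2024!",
              "storage-node": generate_password()}
    for system, pw in sample.items():
        print(system, missing_requirements(pw) or "meets requirements")
    print("reused across:", shared_passwords(sample))
```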
Use NYU-managed equipment (laptops, servers, etc.), not personal devices
Using NYU-managed devices for your research projects helps ensure your data is less vulnerable to cyber attacks and breaches than it would be on a personal device. NYU-managed devices are compliant with NYU IT Policies, up-to-date with software upgrades and security patches, and equipped with security tools and monitoring software.
Resources
- Talk to your local IT staff or departmental administrator for information about NYU-managed equipment offerings for your department
- Review the NYU Policy on Responsible Use of NYU Computers & Data
Protect your research data and devices when traveling
When traveling abroad for NYU business, instruction, or research, it is essential to follow cybersecurity best practices for travel and be aware of the various laws and regulations governing technology that you must follow. A number of countries have restrictions on what items you can export or take with you when departing that country, including electronic equipment not declared on arrival. In addition to local laws at NYU’s locations and countries where NYU conducts research and other programs, awareness of and compliance with NYU's policies, guidelines, and regulations are critical wherever an NYU community member uses, stores, and/or transports data or hardware.
Be vigilant about access and permission settings
Remove research affiliates from your systems if they are no longer involved in your project. Be vigilant about the access and permission settings when you create or store documents, spreadsheets, and other files in a cloud service such as NYU Drive (Google) or NYU Box. This reduces the risk of your data getting into the wrong hands.
Resources
- Affiliate and Account Management (SailPoint)
- NYU Box:
- NYU Drive:
Use secure services to share sensitive information and back up your data
Be careful what information you share and how you share it. When it is necessary to share data, ensure that the service you use is adequately secure based on NYU’s Electronic Data and System Risk Classification Policy and the data use agreement (DUA) specifications. Doing so is essential to maintaining the confidentiality of the data. Email should never be used to share sensitive data.
Securely backing up your research data on a regular basis is essential, since it gives you options if you or NYU becomes the victim of a cyberattack. NYU offers a number of file storage services for the community, but as a researcher you should ask your school or unit IT support what backup and recovery options are recommended, and check whether you’re using the right backup strategy and adhering to NYU’s Electronic Data and System Risk Classification Policy and your data use agreement (DUA) specifications.
Review your risk factors every semester
Set a review process once per semester to review your passwords, project team members, access permissions, contracts, and any other factors that may impact your project’s cybersecurity. Having a set review process gives you the opportunity to routinely update your project details and strengthen your cybersecurity posture.
When in doubt, ask the experts
As a general rule, always err on the side of being overly secure. NYU IT is here to help.
- Discuss cybersecurity best practices for researchers and get assistance with designing and building secure, scalable, and resilient environments to store, share, and analyze moderate and high-risk data (as per the NYU Electronic Data and System Risk Classification Policy) from NYU IT’s Global Office of Information Security (GOIS). Email sec-arch@nyu.edu for more information.
- The Secure Research Data Environments (SRDE) support team is familiar with the needs of research projects and can help identify and address concerns, review DUAs, answer technology-related research questions, and provide additional guidance. Contact the SRDE team by completing this intake form or emailing srde-support@nyu.edu.
Familiarize yourself with other NYU resources for researchers
There are many NYU resources and services available to support the cybersecurity of your project based on the project’s NYU data classification, DUA, and other needs.