The BU Office of Sponsored Programs, Industry Engagement, and other offices negotiate and sign research contracts, such as awards and data use agreements, on behalf of researchers. Today, more of these contracts include regulatory and contractual requirements, such as compliance with HIPAA, NIST, or CMMC and using an isolated computer when working with the data.

We collaborate with our research contracting offices to ensure we can meet contractual security requirements. Where requirements seem unreasonable, we propose alternative contract language. In most cases, our standard offerings – BU network drive for identifiable health information and BU Shared Computing Cluster for anonymized data – will satisfy contract requirements. When a contract requires additional controls, we work with the research lab and IS&T or Partner IT group to implement them.

As part of our review, we provide guidance on which BU services can be used and verify that any devices that will be used meet the BU Minimum Security Standards.

Why do managed and personal computers need to be checked as part of this process?

We need to check BU-managed computers to ensure they are encrypted and the operating system is up to date. While most BU-managed computers have encryption enabled, a few older computers do not. For personal computers used by students, we open a ticket for a technician to verify that the computers have these four minimum safeguards:

1. Current and supported operating system
2. Malicious software protection (BU CrowdStrike can be downloaded at no cost)
3. Encryption turned on
4. Automatic screen lock of 15 minutes or less