Skip to main content

Research Cybersecurity - FAQ

Compliance Assistance

How can I get a security review for my IRB human research study?

To initiate a security review for your IRB human research study, please reach out to our team at

I have been told I have to create a system security plan (SSP). How do I start? How do I get assistance if needed?

For assistance, reach out to our Research Cybersecurity team by emailing We can provide guidance, templates, and support throughout the process of developing your SSP.

How can I get assistance with CMMC compliance since I will be receiving CUI from a government entity/agency?

Email for further assistance

Can I use a personal computer while working on a research project?

Personal computers cannot be used for research projects that involve University Confidential and Highly Confidential data, but it must adhere to the guidelines outlined in the University's Acceptable Use of CU Boulder's IT Resources policy. 

Please review the Acceptable Use of CU Boulder’s IT Resources and APS-6005 - IT Security Program policies to ensure compliance and responsible usage of IT resources.

How do I collaborate and share documents with external entities?

Depending on the data classification for the information you will be using during your project security concerns must be addressed prior to collaborating and sharing project information with external entities, please email the Research Cybersecurity team at for detailed information regarding university approved methods for sharing and collaboration. Keep in mind that for specific situations, distinctions will be made between activities that can be conducted in the commercial tenant and the secure enclave, The Preserve, based on compliance and security requirements.

How do I request a compliance audit of my lab's IT system?

To request a compliance audit of your lab's IT system, please email the Research Cybersecurity team at

How do I perform a risk assessment?

To perform a risk assessment, begin by referring to the NIST 800-30 document, which offers guidance on the process. While creating your risk assessment, consider factors such as identifying potential risks, evaluating their impact, likelihood, and mitigation strategies. Your assessment may involve further steps beyond NIST guidelines to comprehensively address the unique aspects of your project or study.

Policies and Procedures

Does the university have a CUI policy?

The university has a CUI policy that is currently moving through the appropriate policy approval process at the university. We will update this information with the link to the CUI policy when the approval process is complete.

What university IT policies do I need to comply with?

Visit The University of Colorado’s IT policies page for a full list. APS-6005 - IT Security Program policy is especially applicable in research cybersecurity situations.

What is my responsibility as an IT user at that university?

For detailed information about your obligations and best practices, please refer to the APS 6005 - IT Security Program policy. This document outlines the expectations and guidelines for ensuring the security and integrity of IT resources and data.

General Security Guidance

What security safeguards do you suggest for endpoints?

For comprehensive security safeguards for endpoints, please refer to the Secure Computing Standard for Computers.

Can I store data on a thumb drive?

University data is allowed to be stored on encrypted thumb drives. Contact the Research Cybersecurity program for recommended encryption standards.

What physical security can I put in place to protect my IT environment?

To ensure effective implementation of IT security measures and for further guidance, refer to the complete System-Wide Baseline Security Standards for guidance and more specifically 1.1.1 Physical and Environmental Protection controls.

How do I secure my server?

To secure your server, follow the guidelines outlined in our Secure Computing Standard for servers. If you are working with Highly Confidential information, please contact the research cybersecurity program for additional guidance on required settings and controls.

How can I protect research subject recordings captured in the field?

To safeguard research project recordings collected in the field, guidance is to use an encrypted recorder for university highly confidential data. Secure deletion processes should be followed when the device is disposed or reused.

OIT Secure Resources

How do I transfer large data sets?

The Large File Transfer - Requesting Files tutorial guides you through the process of transferring large data sets. 

Please note: If using Large File Transfer for transferring large files with external entities or internally for highly confidential data, encrypt the file prior to upload. 

What are OIT's recommended data storage solutions?

Visit the File Transfer, Storage and Infrastructure page to learn more about recommended storage solutions

Does the university provide logging services?

If you are using OIT services, those services typically log events on servers managed by OIT. If you manage your own server, you will be responsible for collection of logs.

How do I encrypt my laptop?

Visit the PGP Encryption software for Windows page to learn more about encryption. For CU owned devices that are not managed by OIT Dedicated Desktop Services, you can use the native encryption for the OS installed on your device, such as Bitlocker for Windows and FileVault for Macs.

How can I find an approved resource for my research study or project?

To find an approved resource for your research study or project, please visit the Research Computing team website. This platform provides a comprehensive list of resources that are vetted and suitable for research purposes. There are also directions on how to contact the team if you prefer to discuss your needs with the team directly.

What resources can I use to analyze and compute a large research data set?

Contact Research Computing for assistance with tools that can be used for your research project.

What survey tool can I use for my study?
  • If you have a project at CU Boulder that requires collection of university confidential data, you can use Qualtrics, the university approved tool for surveys.
  • If you have a project that requires collection of university highly confidential data, REDCap on the Anschutz campus can be used.
  • If there is a product that you would like to use that is not listed above, follow the CU Boulder ICT process.
I want to use a vendor application for my research study. Do I need to get it approved?

When considering a vendor application for your research project, it's essential to follow the University of Colorado Boulder's ICT review process. Go to the ICT review process page for detailed information regarding when vendor application approvals are required and how to proceed with the process.