Cybersecurity and Data Management

As a matter of policy, the University of Pittsburgh only endorses research projects the results of which can be published and freely shared with the public. The University relies on its faculty members to protect the results of research until they decide to publish or release these results. Since most data is saved electronically, University hosts should provide electronic access to Academic Visitors only to the extent that it aligns with the Visitors' approved scope of activities.

Unless otherwise specified, the University’s security standard for protecting the confidentiality, integrity, and availability of research data is NIST 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. This standard addresses the following security domains:

Access Control

Media Protection

Awareness and Training

Personnel Security

Audit and Accountability

Physical Protection

Configuration Management

Risk Assessment

Identification and Authentication

Security Assessment

Incident Response

System and Communications Protection


System and Information Integrity

Pitt IT and Research-Data Security

Through Pitt IT, the University offers a comprehensive set of computer and network services, including storage, email, software, and security services, to support researchers. All of these services comply with NIST 800-171. Many of them are described on the Pitt IT Research Services and Security websites.

The University offers many options for researchers to process, store, and transmit data, but researchers must consult Pitt IT's Data Risk Classification and Compliance website to understand which services are approved for each data type. Security guides for several popular services also are available from this website to help ensure that research data are well protected. Please request that Pitt IT perform a Vendor Security Risk Assessment if you, as a researcher, will use a vendor to support your research. Researchers also can contact the Pitt IT Help Desk to request a data-security consultation. 

The University requires that all Category 2 and 3 Academic Visitors take the Security Awareness Foundations training course, which is designed to create a University-wide baseline of information-security knowledge. The course is available on the Pitt IT Information Security Training website and covers a range of information-security topics, including how to identify social engineering and phishing attacks, password strength, social media use, safe web browsing, and what to do if one suspects a data breach.

Additional Pitt IT Security Resources