Help Desk: (814)865-HELP security@psu.edu

Frequently Asked Questions

What is an enclave?

An enclave can be loosely defined as a segment of network and computing devices which have defined security measures that meet regulatory and contractural compliance for certain data types. You can visualize this as a “container” in which all the needs of the business process occur. You access the enclave from your day-to-day workstation through a secure connection point. Based on your current workflow and in compliance with regulations, you may move data in and out of this container.

How do I get started?

The first step is to submit an Authority to Operate (ATO) request via Service Now. This request will help track and manage your enclave project for its entire life cycle. This Service Now ticket will be how you communicate to receive necessary agents, work through the phased controls, or coordinate your move to an on-prem or cloud environment.

OIS initially collected metrics on level 3 and level 4 systems through a sensitive data inventory spreadsheet. Submitting this information into the ServiceNow ATO request process allows you to have a single point of communication for the project.

What is the user's IT Department security responsibility for the VM (patching, Cylance program updates, Splunk forwarder updates, etc.) ?

The IT Administrator is responsible for the security of the OS and applications, including (but not limited to) security patching, Cylance, and Splunk.

 

How are users, researchers, or administrators able to use peripherals such as a printer or lab device within the enclave?

Special considerations and planning will need to occur for specialized devices such as robotic, laboratory, and medical equipment. These devices will need permission to pass through the enclave firewall or may need to operate on a separate physical system that has approved access through the network and into the enclave. 

USB mass storage devices such as thumb drives and external hard drives are prohibited from connecting to the enclave storage. 

Printing will also require special network configuration to be able to print information from the enclave to your standard printer or multi-function device. Unit IT staff will work with you to coordinate this process if necessary.

Who needs an enclave?

Anyone who processes Restricted/High Plus (Level 4) or High (level 3) data requires an enclave. Security enclaves house data and process information for a wide variety of units, from administrative function to research projects and initiatives. OIS has develop a tool to help you decide which level applies to your information.

How do I become compliant and receive an ATO?

System owners who process and store Level 3 and Level 4 data must demonstrate compliance with level-specific criteria prior to receiving an Authority to Operate (ATO) from the Office of Information Security (OIS).

Please review the quick start guide and security website for more information:

EIT and OIS have created an engagement team to assist with achieving compliance. 

Why does Penn State need enclaves?

In 2017, Penn State implemented two new policies:

AD-95 and its associated standards detail which security controls are required for systems storing and processing Restricted and High information. These controls are in-line with NIST (National Institute of Standards and Technology) 800-171 guidance.

With data breaches on the rise and continuing at a rapid pace, the federal government included two new contract clauses to help safeguard the storage and processing of sensitive data: DFAR 242.204-7012 and FAR 52.204-214.  Both clauses reference the implementation of controls found in NIST 800-171.

By December 2017, all contracts that require controls in 800-171 must be met.

Ready To Get Started?