Cybersecurity Compliance
Summary
The University has implemented a comprehensive, risk-based cybersecurity program aligned with the NIST Cybersecurity Framework and the requirements of NSPM-33, ensuring the protection of federally funded research and institutional data.
This program is grounded in formal policies that govern visitor access, learning systems, and asset management, fostering a university-wide understanding of cybersecurity risks. Each year, the University assesses its cybersecurity posture across all campuses against the NIST Framework to identify areas for improvement. Strong access controls are enforced, including multi-factor authentication, least-privilege principles, and badge-based identification. Critical research systems are safeguarded through network segmentation, encryption, and device restrictions. All authorized users are required to complete mandatory cybersecurity awareness training, with a focus on phishing prevention, insider threat detection, and secure data handling. The University operates continuous monitoring and logging systems to detect and respond to cybersecurity events in real time. Malware protection, vulnerability scanning, and incident detection protocols are regularly maintained and updated. A formal Incident Response Plan, supported by designated response teams, ensures swift mitigation of cybersecurity incidents and timely coordination with federal agencies when necessary. To maintain resilience, the University has documented recovery plans and procedures in place, which are regularly tested and updated to ensure rapid restoration of services and data integrity.
Requirements and Related Policies
Identify - Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
- University-Wide Visitor Policy | Policy Library
- Learning Management Systems (LMS) Policy | Policy Library
- Visitors: University-Wide Visitor Policy | Policy Library
- University-Wide Visitors Policy
Protect - Develop and implement appropriate safeguards to ensure delivery of critical services.
- Password Policy | Policy Library
- Information Technology Security Policy | Policy Library
- Information Access Control Policy | Policy Library
- Identification and Access Badge Policy
- Computer Security Policy
Detect - Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
- IT Security Incident Response Policy | Policy Library
- Information Technology Security Policy | Policy Library
- Information Security Incident Response
Respond - Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
Recover - Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
- IT Security Incident Response Policy | Policy Library
- Information Security Incident Response
- Adverse Incident Response Plan-CONFIDENTIAL
Provide regular cybersecurity awareness training for authorized users of information systems, including in recognizing and responding to social engineering threats and cyber breaches.
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- Password Policy | Policy Library
- Information Access Control Policy | Policy Library
- Computer Security Policy
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- Password Policy | Policy Library
- Information Access Control Policy | Policy Library
- Identification and Access Badge Policy
- Computer Security Policy
Verify and control/limit connections to and use of external information systems.
Control any non-public information posted or processed on publicly accessible information systems.
Identify information system users, processes acting on behalf of users, or devices.
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
- Multi-Factor Authentication | Policy Library
- Password Policy | Policy Library
- Multi-Factor Authentication
- Password Policy
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
- Acceptable Use of Electronic Information Resources | Policy Library
- Network Policy | Policy Library
- Information Technology Security Policy | Policy Library
- Acceptable Use of Information Systems
- Computer Security Policy
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
- Information Technology Security Policy | Policy Library
- Network Policy | Policy Library
- Information Security Server Certification process
- Firewall Change process
Provide protection of scientific data from ransomware and other data integrity attack mechanisms.
- Adverse Incident Response Plan-CONFIDENTIAL
- IT Security Incident Response Policy | Policy Library
Identify, report, and correct information and information system flaws in a timely manner.
- IT Security Incident Response Policy | Policy Library
- Department of Defense Cyber Crime Center (DC3)
- Vulnerability Management
- Computer Security Policy
- Information Security Risk Assessment Policy
Provide protection from malicious code at appropriate locations within organizational information systems.
Update malicious code protection mechanisms when new releases are available.
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
- Information Technology Security Policy | Policy Library
- Vulnerability Management
- Computer Security Policy
- Information Security Risk Assessment Policy
Controlled Unclassified Information
Still have questions?
Please contact GRS at GRS@ku.edu or call 785-864-0821.