High Performance Computing (HPC) Security (S-33)

Standard: S-33
Responsible Executive: VP for Information Technology and Chief Information Officer
Responsible Office: Office of the Vice President for Information Technology
Date Issued: March 25, 2026
Date Last Revised: N/A

Table of Contents

Contacts
Individuals and Entities Affected
Statement of Standard
Responsibilities
Definitions (defined terms are capitalized throughout the document)
Related Documents, Forms and Tools
History and Updates
Appendix

Contacts

Clarification of Standard

Purdue Systems Security
765-494-4000 | itpolicyanswers@purdue.edu

Regulatory and Contract Determinations

Research Security and Export Controls
765-494-2518 | rsec@purdue.edu 

Senior IP Officer
765-494-1063 | PWL SPS Staff Directory

Campus IP Officer – PFW
260-481-6567 | research@pfw.edu

Campus IP Officer – PNW      
219-989-8092 | PNW Office of Research Staff

Campus IP Officer – PWL       
765-496-3305 | PWL SPS Staff Directory

Facilitation, Technical Specifications, and Support

Rosen Center for Advanced Computing (RCAC)
765-494-3500 | rcac-help@purdue.edu 

Individuals and Entities Affected

All individuals, departments, and units who may access High Performance Computing (HPC) resources at Purdue University.

Statement of Standard

Purdue University maintains a suite of High Performance Computing (HPC) resources intended to move research and academic initiatives forward. The security of HPC systems is crucial for safeguarding and maintaining the integrity of research. Securing HPC systems presents unique challenges due to their size, performance requirements, diverse and complex hardware, software and applications, varying security needs, shared resource nature, and their continuous evolution.

Purdue’s HPC systems follow Acceptable Use of IT Resources and Information Assets (VII.A.4), Information Security and Privacy (VII.B.8), and National Institutes of Health (NIH) Genomic Data Sharing policies. Additionally, HPC system administrators follow the standards identified in NIST 800-223 and NIST 800-234 (interim guidance) along with internal system security services for establishing, governing, and auditing an appropriate HPC security posture. Research requiring special controls for export controlled data or Controlled Unclassified Information (CUI) is subject to Purdue’s Research Security and Export Controls (RSEC) guidance and existing Purdue University policies and standards, including but not limited to the Controlled Unclassified Information in Research (S-32) standard.

The following security topics, unique to an HPC environment, are enforced.

Eligibility and Access

This section ensures that access is limited to authorized individuals for approved research and educational purposes, and that all users comply with institutional, legal, and regulatory requirements.

  • Each research user of an HPC system must be affiliated with one or more allocations owned by a Principal Investigator (PI) who has direct oversight of the user’s work and resource use.
  • Users of HPC resources for educational purposes must be actively affiliated with an approved course, workshop, or training activity.
  • Users of HPC resources must have an active appointment with Purdue University or have authorized access through the request for privileges process, during which restricted party screenings are conducted as determined by RSEC.
  • Purdue HPC resources may not be accessed from Foreign Adversary Nations without authorization from RSEC and the appropriate Intellectual Property Officer.
    • As technically feasible, HPC system administrators must implement network-based controls to restrict access from countries subject to University, federal, or regulatory restrictions (e.g., using IP address filtering, firewall rules, or other location-based security measures).
  • The Authentication, Authorization and Access Controls (S-13) standard is followed for appropriately limiting account access. In addition, HPC system administrators must implement the following account management requirements:
    • Discontinue access to research allocations after 365 days of inactivity.
    • Discontinue access to educational accounts after the end of the course’s academic term. Require reauthorization for continued access beyond the academic term.

Data Security and Classification

Proper data classification supports risk-based security controls, ensures regulatory compliance, and protects sensitive research information. HPC PIs and researchers are responsible for working with the Office of Research and RCAC to properly secure their data through the Research Data Security Planning service.

Incident Response and Forensics

HPC systems present unique challenges for incident response, including complex multi-user workloads, high data throughput, and the need to balance rapid research support with security controls. HPC security incidents are handled in accordance with the IT Security Incident Response Standard (S-17) and the University Incident Response Plan. 

Responsibilities

Rosen Center for Advanced Computing (RCAC)

  • Ensure the overall security posture of HPC resources aligns with Purdue University policies and standards.
  • Approve system architecture and major configuration changes.
  • Oversee implementation of security controls, access policies, and acceptable use requirements.
  • Coordinate with stakeholders, including PIs and Purdue Systems Security, to address security needs.
  • Support annual security reviews and audits, including remediation of identified issues.
  • Maintain secure configurations and enforce system hardening baselines.
  • Implement and manage access controls, including user account provisioning, deprovisioning, and multi-factor authentication.
  • Ensure network segmentation and isolation of management, compute, and storage networks.
  • Collect and review logs from login nodes, schedulers, and management interfaces.
  • Monitor for anomalous activity and escalate incidents per the University’s Incident Response Plan.
  • Support forensic readiness through appropriate logging, retention, and evidence preservation.
  • Apply updates, patches, and changes through formal change management processes.
  • Assist with user training and awareness efforts as needed.

Users

  • Use HPC resources solely for authorized research or educational purposes consistent with allocation objectives.
  • Comply with the prohibitions outlined in the Export Administration Regulations (15 CFR § 736), the policy on Acceptable Use of IT Resources and Information Assets (VII.A.4), and all security requirements.
  • Follow data handling practices consistent with the classification level of the data they access or process.
  • Protect accounts and credentials.
  • Complete all required training before accessing HPC resources.
  • Obtain explicit approval from RSEC and the appropriate IP Officer before accessing an HPC system while in a Foreign Adversary Nation.
  • Report suspected security incidents or policy violations promptly.

Principal Investigators (PI) / Researchers

  • Review and classify data intended for processing on HPC systems according to institutional data classification policies.
  • Ensure research team members understand acceptable use requirements and security responsibilities.
  • Maintain direct oversight of allocations and associated user access.
  • Verify that only authorized users with a legitimate need are granted access to HPC resources and apply changes immediately when applicable.
  • Support audits or security reviews as needed to demonstrate compliance.

Purdue Systems Security

  • Develop and maintain institutional information security policies and standards, including HPC security requirements.
  • Support risk assessments, security reviews, and penetration testing of HPC systems.
  • Provide guidance on secure system architecture, configurations, and controls.
  • Assist with monitoring, incident detection, and response activities.
  • Coordinate forensic investigations and ensure compliance with the institutional Incident Response Plan.
  • Review security incidents and support continuous improvement of HPC security posture.

Senior IP Officer and Campus IP Officers

  • Provide guidance on research involving the use of HPC resources that requires special controls for research data access, research data sharing and/or intellectual property.
  • Review scenarios in which HPC resources involve intellectual property issues and/or access to intellectual property by a Foreign Adversary Nation and determine whether to approve.

Research Security and Export Controls (RSEC)

  • Oversee the restricted party screening process for users of HPC resources.
  • Review scenarios in which HPC resources must be accessed from a Foreign Adversary Nation and determine whether to approve.
  • Provide guidance for research involving the use of HPC resources that requires special controls for export controlled data or Controlled Unclassified Information (CUI).

Definitions

All defined terms are capitalized throughout the document. Refer to the central Policy Glossary for additional defined terms.

Campus IP Officer
Refer to the definition of this term in the policy on Intellectual Property (I.A.1).

Controlled Unclassified Information
Refer to the definition of this term in the standard on Controlled Unclassified Information in Research (S-32).

Foreign Adversary Nation
Refer to the definition of this term in the policy on Foreign Adversary Nations (III.B.7).

Senior IP Officer
Refer to the definition of this term in the policy on Intellectual Property (I.A.1).

This standard is issued in support of the policy on Information Security and Privacy (VII.B.8), as amended or superseded.

Additional related policies and standards:

University resources:

External resources:

History and Updates

March 25, 2026: This is the first standard to address these issues.

Appendix

There are no appendices to this standard.