Research Cybersecurity and Compliance Services

The STRA Level 1 includes collection and analysis of high-level solution information at a specific time, and an assessment of this solution to identify possible threats. It is designed to identify the most prominent gaps in lower risk solutions (e.g.: projects collecting, processing and/or storing information classified as Low Risk or Medium Risk and/or using UBC supported services).

The STRA Level 2 consists of a thorough analysis of the solution and all associated components to identify any gaps or security risks. It includes everything from the level 1 assessment plus detailed technical, security, privacy, and governance information about the solution. Participation of the solution provider will be required. Technical understanding of the solution is recommended (e.g.: Research projects collecting, processing and/or storing information classified High or Very-High risk, or projects using a complex infrastructure).

What a STRA? 
A Security Threat Risk Assessment (STRA), is an analysis of a project’s security posture. For UBC research projects, the STRA includes: collection of information, processing, storage, as well as security, privacy and governance. The information collected is then analyzed to identify possible threats, gaps and associated security risks.  

Why should I complete a STRA? 
As research information custodians, researchers are accountable and responsible to ensure the information collected, processed and stored is properly secured from un-authorized access, disclosure, modification or deletion. Completing a STRA is an effective method to ensure significant gaps in an architecture are addressed, and possibly prevent cybersecurity incidents. Additionally, a STRA allows a research group to ensure UBC information security requirements are met.  

How long does it take to complete a STRA? 
Delivery time may vary depending on the level of STRA completed as well as current workload. ARC is committed to providing the STRA service in a reasonable time to researchers.  

I have a time sensitive matter; can I get the service expedited? 
At this time, expedited services are not available due to resources constraints. STRAs are offered on a first-come first-serve basis, but we will make the best effort to deliver the service to your research project as quickly as we can.  

When should I start the STRA process?
It is best to start the STRA process prior to an agreement being signed with the solution provider, and prior to implementation, but only once the solution's architecture has been selected. A STRA requires collection of technical information that will generally be available after the solution's architecture has been defined. Engaging in the STRA process sooner than later is recommended as this can allow flexibility for possible changes to be made prior to deployment.

What is the outcome of a STRA? 
Once the assessment is completed, the requester will receive a STRA report including findings, priority as well as recommendations for mitigation.  

Can ARC implement security controls for my research project? 
ARC does not provide technical implementation services at this time.