Information security (also known as data security) is one of the most important aspects of Research Data Management. Regardless of its classification (sensitivity level), research information should be protected by security safeguards that ensure it is not lost, stolen, or otherwise compromised.
Before reading this page
Regardless of the information classification associated with a research project, it is strongly recommended that researchers consult an information security professional when planning a research project that will collect, process, store, and/or share research information. This page covers high-level concepts about information security and may not include all information applicable to specific research projects.
For assistance, please contact arc.support@ubc.ca
At UBC, researchers are responsible for ensuring that the information they collect, process, store, and share meets the university's security and privacy requirements, as well as applicable provincial, national, and international regulations.
Classification
Information classification (also known as data classification) is a crucial step in building a research project's security posture. It identifies the safeguarding requirements that should be in place for the project to be compliant with university policies.
To identify information classification:
1. Consult UBC Information Security Standard U1 (ISS-U1) and our Research Information Classification page;
2. Review the nature of the information;
3. Identify the elements collected, processed, or stored that meet the highest risk level in ISS-U1;
4. Assign an information classification to all research information based on the results of step 3.
Note
Regardless of the amount of information collected, processed, stored, or shared, the most sensitive element identified should be the one defining the overall information classification.
Processing
Part of research project planning is usually to identify how information will be processed, and which tools will be used.
Before starting the procurement process, researchers must ensure the solution to be used meets the UBC requirements of Policy SC14 and its associated Standards. To facilitate this process, UBC Advanced Research Computing (ARC) offers information security services, including self-service tools, consultations, and various types of security assessments.
Take a deeper dive
To find out more about ARC security services, visit our Security and Privacy Services page.
To find out more about UBC Information Systems Policy and Standards, visit the Office of the CIO website.
Storage
Information storage plays a central role in Research Data Management. Storage must be considered from the beginning to the end of a research project, and beyond when retention policies apply or when research information is deposited.
Properly safeguarding stored information is one of the most important aspects of a robust information security plan. When planning for information storage, consider the following:
Is information subject to specific regulations?
Privacy regulations such as FIPPA may restrict the storage location of certain types of information, like personally identifiable information. Before establishing a data repository, researchers should ensure regulation requirements are met.
What are the different types of storage?
- Short-term or active storage is where information is actively used for collection or analysis.
- Long-term storage, passive storage, or archiving is where information is stored in a stale state and will only be retrieved as needed.
- Backup storage is a copy of active or archived information, usually in a compressed format, that is kept separate from the original dataset, and that can be retrieved as needed.
- Replication storage is an exact copy of active information that is kept in a different location than the original, and that can be accessed in the event of unavailability of the original storage. Replication is common in cloud environments.
- Preservation storage is a subset of a dataset that has been uploaded to a public or restricted repository after the completion of a research project, for secondary use by other researchers.
What are UBC security requirements for information storage?
UBC’s Information Security Standard U7 applies to research information, regardless of where it is stored, and includes safeguarding requirements for devices such as local computers, external hard drives, cloud, and servers.
Consult UBC Information Security Standard U7 (ISS-U7) for more information about these requirements or book a consultation with one of our subject matter experts.
Note: UBC research information stored outside the UBC infrastructure may be subject to UBC Information Security requirements.
What kind of storage solutions can I use to store research information?
UBC storage solutions
UBC offers several solutions for information storage that meet the security requirements of the university, and their use is recommended. Try the UBC ARC Research Storage Finder tool to find out which UBC-approved solution is best suited for your research project.
Public Cloud storage solutions
Cloud storage has become increasingly popular due to its accessibility and scalability. While cloud can be a suitable option for your research information storage, it is important to remember that:
- Cloud storage has an associated cost that may vary based on space and actions taken on the information (e.g., downloads);
- Cloud storage is only available for as long as the subscription is paid. Once the cloud provider stops receiving payments, your information will be purged;
- Default cloud storage configuration is designed for the storage to be publicly available. Ensure proper safeguards are in place before storing any information in the cloud.
Third party (vendor, service provider) storage solutions
Are you using a collection or analysis tool that includes storage? If so, keep in mind that the storage included with this tool is still subject to UBC Information Security policy and standard requirements. Visit the UBC Office of the CIO website for more information.
Local server, computer or mobile devices
Requirements for storing UBC information on servers, computers, and mobile devices are defined in UBC Information Security Standard U7 (ISS-U7). Compliance with these requirements varies based on data classification and is mandatory.
Internet of Things (IoT) devices
Requirements for storing UBC information on IoT devices are defined in UBC Information Security Standard U11 (ISS-U11). Compliance with these requirements varies based on data classification and is mandatory.
Is research information subject to a specific ownership, sharing, or copyright agreement?
Responsibility for safeguarding research information as well as any specific security requirements may be defined within a data agreement. Researchers should carefully read such agreements before completing a Research Data Management plan to ensure all security requirements are covered.
Will research information be in the custody of an external party?
When research information is in the custody of an external party (e.g. solution provider or other institution), the agreement between UBC and this external party should define responsibility for safeguarding the information, as well as any specific security requirements.
Visit the University-Industry Liaison Office page for more information.
Will information be stored outside the UBC infrastructure?
Where possible, it is recommended that researchers make use of UBC-approved and supported information storage options. UBC information stored outside the UBC infrastructure is still subject to UBC Information Security requirements.
Note: Research information may be subject to retention requirements. For more information about data retention, visit our Research Data Management page.
Sharing
When sharing information with external collaborators, researchers will need to consider information management, custody/ownership, and safeguarding requirements.
Additional Resources
To learn more about UBC information privacy and security, visit:
To learn more about UBC security requirements, visit:
Office of the Chief Information Officer
To learn more about UBC legal requirements, visit:
Can’t find what you are looking for?
Send us an email at arc.support@ubc.ca to talk to one of our subject matter experts.