It is important to consider cybersecurity at every stage in the lifecycle of any research project, from planning to delivery and operations, and even beyond if the project involves long-term information storage. UBC and industry good practices recommend that cybersecurity considerations be evaluated from the earliest stage (planning) of a research project to prevent delays in delivery, compliance issues, or cybersecurity incidents.
Before you read this page
Regardless of the nature of your research, it is recommended that you consult an Information Security professional when planning a research project that will collect, process, store, and/or share sensitive information. This page covers high-level concepts about Information Security and may not include all information applicable to a specific research project.
For assistance, please contact arc.support@ubc.ca
A 7 Step Approach to Planning Research with Cybersecurity in Mind
The following steps provide key cybersecurity considerations for researchers to keep in mind during the planning phase of their research projects.
Step 1: Identify your research information
The following questions may help you identify your research information:
- What is (will be) the nature of the research?
- Does it include collection, processing, and/or storage of information?
- Who is the owner of the information?
- Is the information subject to a specific regulation, or bound by a data sharing agreement?
- Does it include any information that would allow an individual (or group of individuals) to be identified?
- Does it include Intellectual Property?
Step 2: Classify your research information
When considering the security of your research information, one of the first actions you should take is to identify its classification. Information classification (also known as data classification) is a crucial step in building your research project's security posture, as it defines the safeguarding requirements that should be in place to ensure your research remains safe and compliant. Information classification is also a requirement of UBC Information Systems Policy SC14 and is defined in UBC Information Security Standard U1 (ISS-U1).
To assign a classification to your information:
- Consult UBC Information Security Standard U1 (ISS-U1) and our Research Information Classification page;
- Review the nature of your information;
- Identify the elements you collect, process, or store that meet the highest risk level in ISS-U1;
- Assign an information classification to your research information based on the highest-risk element identified in the previous bullet.
Notes:
- Regardless of the amount of information you collect, process, or store, the most sensitive element identified should be the one defining your information classification.
- If your project has an associated ethics application, the risk level listed in the ethics application may be different from the risk level of your data under the UBC ISS-U1.
Step 3: Identify your project requirements
Now that you’ve identified your information classification, it is important that you evaluate your project requirements. Here are a few key considerations:
- What is the expected size of the information collected, processed, or stored?
- Who will need access to the information?
- How will the information be collected?
- How will the information be analyzed/processed?
- Will a third party be involved in collection, processing, or storage?
- What will happen to the information after the research is completed?
- How long will the information be retained?
For more information, visit rdm.ubc.ca
Step 4: Identify compliance items
Security and Privacy requirements can be divided into four segments:
UBC Security requirements:
UBC information must be protected following the requirements of UBC Information Systems Policy. To facilitate the compliance verification process, you may complete our Security Compliance Checklist, or visit our Information Security page.
UBC Privacy requirements:
Based on the nature of your project’s information, and the risk involved, you may be required to complete a Privacy Impact Assessment. Visit our Information Privacy page for more information.
Regulatory and contractual requirements:
If you work with regulated data, or information that is bound by a data sharing agreement, you may be required to meet specific security and privacy requirements that are defined by the regulation, or agreement. It is recommended that you review all regulation(s) and/or agreement(s) to identify any security and privacy requirements. Need help? Contact us at arc.support@ubc.ca.
Funding agencies and partnership requirements:
When collaborating with funding agencies or partner organizations (including partner institutions in the public and private sector), it is important to consider compliance with Canadian regulations, institutional policies, and contractual requirements. Visit the UBC Safeguarding Your Research page for more information.
Step 5: Find the right storage, collection, and analysis tools
Once you've identified your information, what you plan to do with it, and its safeguarding requirements, the next step is to find where it should live during the research project and after its completion. UBC offers a number of storage solutions, and the best solution will vary depending on the requirements identified in the previous steps. Try our UBC Research Storage Finder or contact us at arc.support@ubc.ca for help.
Step 6: Create a Research Data Management Plan
Your Data Management Plan (DMP) covers the entire lifecycle of the information associated with your research project, from planning to long term preservation. From a cybersecurity perspective, the DMP allows you to identify the security controls required at each stage of the project lifecycle. For more information, visit rdm.ubc.ca.
Step 7: Create Standard Operating Procedures (SOP)
Regardless of how your information is collected, processed, and stored, you should have standard operating procedures in place to ensure it is properly handled and safeguarded during its lifecycle. Here are a few recommended procedures to document:
- On-boarding and off-boarding procedures;
- Responsible, Accountable, Consulted, Informed (RACI) chart;
- User access review and audit procedure;
- Participant consent withdrawal procedure;
- Information transfer and sharing procedures;
- Information backup and restore procedures;
- Incident response plan.
Additional Resources
To learn more about UBC information privacy and security, visit:
To learn more about UBC security requirements, visit:
Office of the Chief Information Officer
To learn more about UBC legal requirements, visit:
Can’t find what you are looking for?
Send us an email at arc.support@ubc.ca to talk to one of our subject matter experts.