It is important to consider cybersecurity at every stage in the lifecycle of any research project, from planning to delivery and operations, and even beyond if the project involves long-term information storage. UBC and industry good practices recommend that cybersecurity considerations be evaluated from the earliest stage (planning) of a research project to prevent delays in delivery, compliance issues, or cybersecurity incidents.
Before you read this page
Regardless of the nature of your research, it is recommended that you consult an Information Security professional when planning a research project that will collect, process, store, and/or share sensitive information. This page covers high-level concepts about Information Security and may not include all information applicable to a specific research project.
For assistance, please contact arc.support@ubc.ca
A 7 Step Approach to Planning Research with Cybersecurity in Mind
The following steps provide key cybersecurity considerations for researchers to keep in mind during the planning phase of their research projects.
Step 1: Identify your research information
The following questions may help you identify your research information:
- What is (will be) the nature of the research?
- Does it include collection, processing, and/or storage of information?
- Who is the owner of the information?
- Is the information subject to a specific regulation, or bound by a data sharing agreement?
- Does it include any information that would allow an individual (or group of individuals) to be identified?
- Does it include Intellectual Property?
Step 2: Classify your research information
When considering the security of your research information, one of the first actions you should take is to identify its classification. Information classification (also known as data classification) is a crucial step in building your research project's security posture, as it defines the safeguarding requirements that should be in place to ensure your research remains safe and compliant. Information classification is also a requirement of UBC Information Systems Policy SC14 and is defined in UBC Information Security Standard U1 (ISS-U1).
To assign a classification to your information:
- Consult UBC Information Security Standard U1 (ISS-U1) and our Research Information Classification page;
- Review the nature of your information;
- Identify the elements you collect, process, or store that meet the highest risk level in ISS-U1;
- Assign an information classification to your research information based on the results of step 3 above (the highest-risk element identified).
Notes:
- Regardless of the amount of information you collect, process, or store, the most sensitive element identified should be the one defining your information classification.
- If your project has an associated ethics application, the risk level listed in the ethics application may be different from the risk level of your data under the UBC ISS-U1.
Step 3: Identify your project requirements
Now that you’ve identified your information classification, it is important that you evaluate your project requirements. Here are a few key considerations:
- What is the expected size of the information collected, processed, or stored?
- Who will need access to the information?
- How will the information be collected?
- How will the information be analyzed/processed?
- Will a third party be involved in collection, processing, or storage?
- What will happen to the information after the research is completed?
- How long will the information be retained?
For more information, visit rdm.ubc.ca
Step 4: Identify compliance items
Security and Privacy requirements can be divided into the following segments:
UBC Security requirements:
UBC information must be protected following the requirements of UBC Information Systems Policy. To facilitate the compliance verification process, you may complete our Security Compliance Checklist, or visit our Information Security page.
UBC Privacy requirements:
Based on the nature of your project’s information, and the risk involved, you may be required to complete a Privacy Impact Assessment. Visit our Information Privacy page for more information.
Regulatory and contractual requirements:
If you work with regulated data, or information that is bound by a data sharing agreement, you may be required to meet specific security and privacy requirements that are defined by the regulation, or agreement. It is recommended that you review all regulation(s) and/or agreement(s) to identify any security and privacy requirements. Need help? Contact us at arc.support@ubc.ca.
Funding agencies and partnership requirements:
When collaborating with funding agencies or partner organizations (including partner institutions in the public and private sector), it is important to consider compliance with Canadian regulations, institutional policies, and contractual requirements. Visit the UBC Safeguarding Your Research page for more information.
Step 5: Find the right storage, collection, and analysis tools
Once you’ve identified your information, what you plan to do with it, and its safeguarding requirements, the next step is to define how and where it will be collected, processed, and stored. Finding the right tool might be challenging, but it is important to keep your requirements and compliance items in mind when considering options. Here are a few tips:
- Use UBC-approved tools where possible. UBC offers a number of solutions, such as the UBC Survey tool, ARC REDCap, Nvivo, Tableau, and more. Visit the UBC Software Licensing page or try our UBC Research Storage Finder for storage options.
- Use our Information Security Compliance Checklist to ensure the solution provider meets UBC Information Security requirements.
- Look for a Security and Privacy Statement on the website of the solution provider. While not required, it usually helps with assessing compliance.
- Consider at least a couple of options and ask for demos. Contacting a few solution providers to compare pricing and see how their solutions work is recommended.
- Consult with UBC Procurement before signing any contracts. Depending on the solution and its associated cost, you may not have the signing authority to enter into a contract with a solution provider.
- Consult with one of our subject matter experts during your solution provider search. Contact us at arc.support@ubc.ca for help.
Note: A new solution may require a Security Threat Risk Assessment. Consult our Security and Privacy page for more information about this service.
Step 6: Create a Research Data Management Plan
Your Data Management Plan (DMP) covers the entire lifecycle of the information associated with your research project, from planning to long-term preservation. From a cybersecurity perspective, the DMP allows you to identify the security controls required at each stage of the project lifecycle. For more information, visit rdm.ubc.ca.
Step 7: Create Standard Operating Procedures (SOP)
Regardless of how your information is collected, processed, and stored, you should have standard operating procedures in place to ensure it is properly handled and safeguarded during its lifecycle. Here are a few recommended procedures to document:
- On-Boarding and Off-Boarding procedures;
- Responsible, Accountable, Consulted, Informed (RACI) chart;
- User Access review and audit procedure;
- Participant Consent Withdrawal procedure;
- Information transfer and sharing procedures;
- Information backup and restore procedures;
- Incident response plan.
Additional Resources
To learn more about UBC information privacy and security, visit:
To learn more about UBC security requirements, visit:
Office of the Chief Information Officer
To learn more about UBC legal requirements, visit:
Can’t find what you are looking for?
Send us an email at arc.support@ubc.ca to talk to one of our subject matter experts.