Research Security Threat Risk Assessment

Going through an STRA allows you to determine gaps within the solution you intend to use or develop. Request an STRA as soon as you know what solution you would like to use or a high-level architecture of the solution you wish to develop. 

Depending on project complexity, a research STRA requires some time to complete since it assesses the architecture and processes relevant to your research environment. In simple environments, an STRA can be completed in as little as a few hours. In complex environments, the entire assessment process can take on the order of months.  It is important that you allocate sufficient time for an STRA prior to beginning your project or launching your service. 

To expedite the process: 

• Familiarize yourself with UBC information Security Standards;
• Have potential solution providers or developers complete the ARC Security Compliance checklist to verify their suitability with UBC requirements;
• Ensure that the solution provider or development team can answer technical questions about the architecture and the security of the solution.   

The ARC Research STRA intake form is comprised of questions related to: 

• your research project/service;
• the research information involved;
• security controls and architecture of the solution/s and/or devices used in the project/service.  

Some of the questions ask about compliance with the UBC Information Security Standards. 

As you answer the questions in the form, think about your entire project lifecycle – think about what information is being collected, accessed, processed and stored and what solutions and devices are used during the entire process. 

The intake form has been designed to limit the technical expertise required to complete the form as much as possible. However, due to the nature of STRAs, some required information is technical in nature. It is strongly recommended that you consult with a technical resource when completing the form.  If you need assistance with the STRA Intake Form or need help interpreting the UBC policies and standards, contact the ARC Research Cybersecurity and Compliance team for help at arc.support@ubc.ca  

The STRA Intake form takes about 30 mins to 1 hour to complete depending on the technical information available at the time of completion. When applicable, connect with the technical experts, developers, or solution providers involved in the configuration and management of the solution to assist with the technical questions within the form. Having the assistance of your technical experts or developers not only can decrease your completion time, but it also may decrease the number of “I don’t know” responses. 

A Level 0 STRA provides an automated assessment of a UBC research project or service against selected controls from the UBC Information Systems Policy (SC14) and associated standards. It is designed for low-risk initiatives and helps identify basic compliance issues and high-level cybersecurity risks.

Analysis Method: Fully automated (no expert input)
Additional information needed after intake is submitted: No
Timeline: Should your project/service qualify for L0, you will receive the STRA report within 10 minutes of the intake form submission.

Building on the Level 0 assessment, Level 1 includes a brief review by a Research Cybersecurity and Compliance Specialist. Suitable for research projects or services with a medium-to-high risk profile, this level may require additional information to provide a more tailored and accurate assessment.

Analysis Method: Semi-Automated (includes a high-level expert review)
Additional information needed after intake is submitted: Yes
Timeline: Depending on workloads, you should expect to be contacted by one of our subject matter experts within 1 week after submitting the STRA intake form. Once we have all the necessary information, we strive to deliver the L1 STRA report within 2 weeks.

In addition to the compliance assessment provided by the STRA Level 0, a Level 2 STRA offers a thorough analysis of the security posture of a research project or service, including a detailed technical assessment, an in-depth analysis of the project's/service's associated components, as well as a governance and research data management review. It is intended for high-to-very-high risk projects or services. Participation from developers or solution providers is strongly recommended, and technical familiarity with the solution is required.

Analysis Method: Manual (Expert-led, in-depth analysis)
Additional information needed after intake is submitted: Yes
Timeline: While every effort is made to complete the assessment  in a timely manner, its completion timeline is often measured in months due to the complexity of the assessment. Depending on workloads, you should expect to be contacted by one of our subject matter experts within 1 week after submitting the STRA Intake Form to initiate the L2 process. 

How can I expedite an L2 STRA?

Below are required L2 STRA supplementary documentation that expedite the information gathering process:

Due to the confidential nature of the report, a one-time use download link is provided to you. Please download and save the STRA report document in a secure location. STRA reports are considered TLP:Amber which means information can only be shared on a need-to-know basis. You may share this document with stakeholders who require this information, for example the Research Ethics Board, Data Stewards, Funding Agencies, UBC Procurement, and/or your Academic Head of Unit. 

The STRA report is organized into the following sections:

1. Summary of the Initiative: 
   Provides an overview of your project or service, including timelines, supervisory roles, partnerships, and any related assessments such as a PIA, where applicable.
2. Information Management: 
   Outlines how information is handled within your initiative, covering classification, applicable requirements, sharing practices, ownership, and custody.
3. Information Processing: 
   Details the solutions used to process information, including solution providers, implemented security controls, and user management practices.
4. Information Storage: 
   Describes the solutions used for storing information, highlighting solution providers, security measures, and encryption methods.
5. Endpoint Security: 
   Focuses on endpoint devices that access, process, or store information related to your initiative.
6. Security Threat Risk Assessment: 
   Summarizes identified strengths and gaps, non-compliance with UBC policies and standards, and associated cybersecurity, information, and business risks. 

When reviewing the contents of the STRA report, consider the following: 

• Compliance with UBC policies and standards is mandatory.
• You may wish to meet with your solution developer/s or provider to address the identified gaps.
• The developer/solution provider’s mitigation plan should be documented along with a timeline for mitigation completion for each gap.
• Administrative control gaps such as those related to SOPs, processes, or training must be addressed by the research team. Contact the Research Cybersecurity and Compliance team at arc.support@ubc.ca for guidance, if required.
• If you still wish to use the solution and some non-compliance items that cannot be mitigated, follow UBC information Security Standard M1 (ISS-M1).

The STRA process looks at a project or service at a point in time. As your project or service evolves, or the use of the system(s) changes, the initial STRA may no longer accurately assess these changes. Consider a revised STRA any time there is a material change to the systems or use of those systems.