Research Cybersecurity and Compliance Services

A Level 0 STRA provides an automated assessment of a UBC research project or service against selected controls from the UBC Information Systems Policy (SC14) and associated standards. It is designed for low-risk initiatives and helps identify basic compliance issues and high-level cybersecurity risks.

Building on the Level 0 assessment, Level 1 includes a brief review by a Research Cybersecurity and Compliance Specialist. Suitable for research projects or services with a medium to high risk profile, this level may require additional information to provide a more tailored and accurate assessment.

In addition to the compliance assessment provided by the STRA Level 0, a Level 2 STRA offers a thorough analysis of the security posture of research project or service, including a detailed technical assessment, an in-depth analysis of the project's/service's associated components, as well as a governance and research data management review. It is intended for high to critical risk projects or services. Participation from solution providers is often required, and technical familiarity with the solution is strongly recommended.

What a STRA? 
A Security Threat and Risk Assessment (STRA) analyzes the security posture of a research project or service. For UBC research, it includes reviewing how information is collected, processed, and stored with a focus on cybersecurity and compliance with UBC Information Security requirements. The assessment identifies potential threats, gaps, and associated risks.

Why are STRAs important? 
At UBC, researchers are responsible for securing research information against unauthorized access, disclosure, modification, or deletion. A STRA helps identify significant security gaps, supports compliance with UBC policies, and can help prevent cybersecurity incidents. 

Are STRAs required
STRAs may be required to meet institutional policies, regulations, funding agency requirements, ethics board expectations, or contractual obligations. Not sure if you need one? Check the use cases here under "Are research project treated differently" or contact us for help.

How long does it take to complete a STRA? 
Timelines vary depending on the STRA level and current workload. ARC aims to deliver assessments in a reasonable timeframe.

I have a time sensitive matter; can I get the service expedited? 
Expedited service is not currently available due to resource constraints. STRAs are processed on a first-come, first-served basis, but we’ll do our best to support your timeline.

When should I start the STRA process?
It is best to start the STRA process prior to an agreement being signed with the solution provider, and prior to implementation, but only once the solution's architecture has been selected. A STRA requires collection of technical information that will generally be available after the solution's architecture has been defined. Engaging in the STRA process sooner than later is recommended as this can allow flexibility for possible changes to be made prior to deployment.

What is the outcome of a STRA? 
You’ll receive a report summarizing the project or service, its components (if applicable), and identified risks and recommendations.  

Can ARC implement security controls for my research project? 
ARC does not currently offer technical implementation services.