Assessing your research project’s cyber risks
Overview
Research information security looks to protect your research information, data, intellectual property and systems by identifying, understanding and addressing potential information and cyber risks. By considering these risks throughout the various stages of your research projects, from planning through publication and beyond, you can help to reduce the likelihood of data loss, unauthorized knowledge transfer or agreement breach.
Your risk profile
Below you will find a non-exhaustive list of research scenarios and the potential risks associated with them. Resources and services offered by the University are provided to help guide your risk management process.
Highly sensitive research areas and data that are subject to export controls, involve working with controlled goods, have unintended and/or secondary military applications (dual use) or are otherwise covered by compliance regulations require stronger security safeguards to reduce the risk of unauthorized access, disclosure or loss. In addition, the hardware and software that monitors and/or controls your equipment (known as operational technology) needs to be protected against unauthorized disruption or modification.
Please contact the Research Information Security Program for a research cyber security and risk review. We work closely with our colleagues from Environmental Health & Safety and the Research Oversight and Compliance Office to help ensure the security and well-being of our researchers and their research.
When drafting data transfer and use agreements with external institutions, it is important that you are aware of the outlined security obligations and do not agree to conditions that you or the University cannot meet. Failure to adhere to these security obligations can result in termination of the agreement and impact the progress and success of your research project.
While you work with our colleagues in the Innovations & Partnerships Office (IPO) or the Research Services Office (RSO) to prepare your agreement or contracts, if you have any concerns or questions about information, cyber or data security language, please contact the Research Information Security Program for additional assistance.
3. My research project includes collaborating with colleagues external to the University of Toronto.
Collaboration is often an essential and celebrated element of research, fostering a global academic community by allowing students and researchers from around the world to participate in and nurture the cutting-edge innovations that the University of Toronto is known for. Yet, as project complexity grows, so does the volume of potential paths, methods and scenarios (known as attack surface and attack vectors) for unauthorized access and data loss.
When sending or sharing your data (in transit), ensure that the data cannot be read or altered along the way. More practical guidance can be found at: Send, share or transfer data (InfoSec Handbook) and Best practices to secure systems and environments (InfoSec Handbook).
Please contact the Research Information Security Program for additional guidance and support when planning to send or share your data.
The Government of Canada has identified a list of advanced and emerging research areas which “may also be of interest to foreign state, state-sponsored and non-state actors seeking to misappropriate Canada’s technological advantages to our detriment”. Due to the sensitivity of and interest in these research areas, stronger security safeguards may be required to reduce the risk of unauthorized access, disclosure or loss.
The Research Information Security Program works closely with colleagues from the Research Security Team to help minimize risks to research through the development of risk mitigation and cyber security plans.
Unauthorized access, disclosure, or loss of sensitive data can pose significant financial, reputational, legal or physical risk to data subjects, researchers, the University and community members. Sensitive data can take on many forms: from personal health information (PHI) to information that if disclosed could place data subjects and/or researchers at risk of foreseeable harm, to data bound by contractual, legislative, or regulatory requirements. What unites sensitive data is the need for strong cyber security safeguards to protect its confidentiality and integrity.
Information Security has compiled a list of best practices to secure systems and environments as a starting point for protecting your data. In the case of sensitive data, particularly Level 4 data, it is recommended that you consult with the Research Information Security Program for a research cyber security and risk review.
Risk types: compliance risk, cyber risk, reputational risk
Due to their potential size, large datasets can cause complications when looking to securely store, process, and transfer data. In addition, the nature, type and state of the datasets can increase their overall sensitivity and need for stronger cyber security safeguards.
Where feasible, it is recommended that researchers leverage institutional and divisional systems such as SciNet, Health Data Nexus and other available resources. Your local IT support staff may also suggest departmental or discipline-specific resources that can meet your project needs. The Research Information Security Program collaborates closely with technical support staff across the University and is available to assist with system security planning through research cyber security and risk reviews.
Risk types: cyber risk, economic risk, geopolitical risk, national security risk, reputational risk
Similarly to the Sensitive Technology Research Areas, intellectual property that has potential commercial applications or patentable benefit may also be of interest to malicious groups and individuals (state and non-state sponsored) looking to misappropriate and capitalize off your work and ingenuity.
Information Security has compiled a list of best practices to secure systems and environments as a starting point for protecting your data. The Research Information Security Program is available for research cyber security and risk reviews and works closely with colleagues from the Research Security Team, Innovation & Partnerships Office and local IT support staff to help minimize risks to your intellectual property through the development of risk mitigation and cyber security plans, as well as other protection mechanisms.
8. The equipment and/or systems I am using for my research are self-managed (or personally-managed).
Risk types: compliance risk, cyber risk, reputational risk, research continuity risk
While institutional and divisional systems exist to help shift the security and maintenance responsibilities off the researcher and onto University staff, use of these systems is not always feasible or practical given how unique research projects can be. When managing your own systems, it is important to understand how the classification of your data impacts the baseline security safeguards that should be in place to protect your data.
At the University of Toronto, these safeguards are split into 14 domain groups, which focus on a number of topics, including: how access is controlled to data and systems, implementing maintenance and update schedules, managing software and system configurations and settings, ensuring accountability through proper logging, protecting data through encryption and how to handle and respond to a security incident.
Information Security has compiled a list of best practices to secure systems and environments, including industry-standard security baselines and benchmarks, as a starting point for protecting your data. If you are unsure of or unfamiliar with how you should be protecting your data, the Research Information Security Program is available for research cyber security and risk reviews and works closely with colleagues from University and local IT to help determine adequate safeguards.
Risk types: compliance risk, cyber risk, geopolitical risk, reputational risk, research continuity risk
Whether for storing or processing data, cloud-based and third-party solutions are ubiquitous within research. While not inherently less secure than solutions developed and/or hosted in-house (on-premises), your reliance on the best practices and due diligence of a third party introduces an additional form of risk.
Risk assessments of vendors and tools/services help to identify and manage the potential risk, security and availability implications of using a particular solution for your research. While exploring solutions, please contact the Research Information Security Program for a research cyber security and risk review.
Service agreements, data protection agreements, privacy policies, and other contractual documents help to dictate the rights and responsibilities of the vendor and the user. It is preferred, where possible, that these documents are reviewed and modified by the University prior to research sign-off or agreement. The Research Information Security Program works closely with colleagues from the Risk Management Team and Office of University Counsel on contractual matters.
Information Security has compiled a list of best practices to secure systems and environments, including industry-standard security baselines and benchmarks, as a starting point for protecting your data on a variety of platforms. If you are unsure of or unfamiliar with how you should be protecting your data, the Research Information Security Program is available for research cyber security and risk reviews and works closely with colleagues from University and local IT to help determine adequate safeguards.
Risk types: cyber risk, reputational risk, research continuity risk
While data can be lost through malicious interference or attack, it is most commonly caused by simple human error or a system failure. While the hope is that your data will always be there for you, a good backup strategy will help to minimize such loss and allow you to recover faster to carry on your research, thus reducing the risk to research continuity.
Your local IT support staff may have recommended tools, techniques and services already available to you for backing up your data.
Information Security provides guidance on developing a resilient backup strategy and on backing up your data, or you can contact the Research Information Security Program for additional assistance.
Travelling for research, whether for completing field work, presenting at a conference, visiting an affiliated lab or meeting with new collaborators, can be a regular occurrence. It also means that you are likely to encounter untrusted or public digital infrastructure (e.g., wired and wireless networks) and even data security restrictions on the use of encryption, virtual private networks (VPNs) and passwords/biometrics.
Just as you plan for travel by reviewing travel guides and advisories and booking transportation and accommodations, you should have a digital travel plan as well. Information Security has compiled a list of tips and resources to help you protect your data while travelling or working remotely. If you are still unsure of how to protect your data while travelling, the Research Information Security Program is available for consultation and works closely with colleagues from University and local IT to help determine adequate safeguards.