FAQs
An R-CSTRA (Research Cyber Security, Threat and Risk Assessment) evaluates the security threats and risks associated with research projects and the information systems they use. The assessment aims to:
- Identify and report potential security threats and risks.
- Provide recommendations to improve the overall security of the research project.
Requesting an R-CSTRA is a foundational step in meeting the expectations outlined in the University’s Institutional Research Data Management Strategy, including:
- “Researchers must ensure security requirements and guidelines are implemented and follow the institutional Information Security Control Standard and applicable actions based on levels of criticality in the Data Classification Standard.”
- “Researchers should assess risks to data and implement appropriate security controls to protect against malicious attacks, geopolitical or economic threats, data corruption and data loss.”
Cyber security is a crucial aspect of research due to contractual, funding and sponsor requirements; research ethics and integrity obligations; governmental and University policies; the value of intellectual property; and the increasing targeting of researchers by cyber criminals and nation-states.
Ideally, an R-CSTRA should be requested early in a research project, when information systems and solutions are being planned. Early assessments allow for greater flexibility in making necessary security changes. However, an R-CSTRA remains valuable at any stage of the project.
An R-CSTRA is recommended but not required. However, certain research agreements or ethics protocols may mandate an assessment.
Upon completion, the requester will receive a report from RISP detailing:
- Triaged security priorities
- General findings
- Recommendations for risk mitigation
Timelines vary based on workload and the complexity of the assessment. RISP strives to complete assessments in a reasonable timeframe and recommends requesting an R-CSTRA early in the project.
While an R-CSTRA provides recommendations and guidance to mitigate risks, RISP does not implement these recommendations. However, RISP can assist existing technical staff with clarification where needed.
Last modified: May 28, 2025