Information security for research

Introduction

The use of information classified as Restricted (see Policy 46) presents a major risk to the university. Any unauthorized disclosure (i.e., breach) of Restricted information will normally require the university to disclose that such a breach has taken place; this has a negative impact on the university's reputation.

This page describes the information security roles, responsibilities, and considerations for sponsored research activities at the University of Waterloo. Investigators initiating sponsored research activities involving information classified as Restricted are expected to read this document and consult the University Information Security Officer:

Jason Testart
Director, Information Security Services
Information Systems & Technology

Roles and responsibilities

All individuals involved in research activities at the University of Waterloo must read and familiarize themselves with Policy 46. The Principal Investigator of a sponsored research project serves the role of Information Steward for that project. Information Custodians for a sponsored research project include:

  • Co-investigators
  • Students engaged in research activities
  • Administrative support staff in custody of research information
  • Technical support staff involved in the deployment, maintenance, and administration of information technology where research information is stored and/or transmitted

The responsibilities for these roles are outlined in Policy 46.

Information security considerations

"Information Security is a journey, not a destination."

It is important to understand that information security threats and vulnerabilities are constantly changing. Conducting any activity, including research, on Internet-facing computers requires an on-going commitment of time and money to ensure security is maintained.

Physical security considerations

  • Where will the information be stored?
    • What kind of physical security controls are in place? (door locks, alarm systems, etc.)
  • Will Restricted information be stored on laptops?
    • If yes, then encryption must be used.

Software security considerations

  • What is the expected lifespan of the employed software?
  • Will you be able to obtain security updates for employed software (including operating system) on an on-going basis?
  • Will you be developing software that collects and/or processes Restricted information?
    • If yes, then it needs to be reviewed by Information Systems & Technology (IST).

Technology support considerations

  • Do you have a designated individual who is responsible for ensuring software and systems are maintained (e.g., regular application of security patches)?
  • Do you have a designated individual to respond to security incidents?
  • What existing university IT services do you expect to use?

Information management considerations

  • Do you have the technology and process to recover from a disaster?
  • Do you have a defined policy for the retention of data?
  • Are you aware of the university's guidelines for the secure destruction of media?