Research Project Cybersecurity Planning

Last updated February 17, 2023

This web page is subject to periodic updates.

Purpose

This document is intended to help Principal Investigators (PIs) at the University of Waterloo develop cybersecurity plans for their research projects. Other researchers may also find this document helpful. This document is organized on the model of the NIST Cybersecurity Framework. Because this framework is widely adopted in government and industry, it is in the best interest of the PI to organize cybersecurity plans using its categories: Identify, Protect, Detect, Respond, and Recover. Cybersecurity plans should take into consideration all stages of the research data lifecycle.

Identify

  • Identify any inherent risks associated with the data (e.g., national security, sensitive personal information of study participants, intellectual property value/commercialization potential)
  • Data Management Plan
    • Understanding the data lifecycle helps in understanding where vulnerabilities may lie.
    • DMP Assistant can help. The Library should be able to assist.
  • Inventory data, people, and systems/services
  • Identify who is responsible for what when it comes to the security of research project data and equipment.
  • For technology assets on the UW campus network storing or processing research data, ensure the IST security team is informed of relevant devices and the name(s) of individuals who can act on cybersecurity events involving those devices.
  • The support lifecycle of hardware and software needs to be taken into consideration during budget planning. For example, will you be able to patch the operating system throughout the useful life of the system? If not, then you should work with your local IT support provider and the IST security team to develop risk mitigation plans.

Protect

Advice

  • Request IST to complete a review of any third-party services (e.g., cloud, research partner) for security issues.
  • Request IST to review security configuration of local equipment used for the project.
  • PIs need to consider the physical security requirements, if any, of research data. The security requirements of some research activity may necessitate consultation with Waterloo’s Special Constable Services to ensure physical security controls are appropriate. This includes, but is not limited to, types of doors and locks, electronic access control, room/building construction, security cameras, and alarm systems.  Who has access and when they need access should be considered. For some government work, the Office of Research needs to be consulted to ensure compliance with government security programs.

Standards

  • Active research data should be backed up regularly. Backups should be encrypted and kept offline when not in use. IST provides backup services.
  • Researchers should store data in shared repositories, rather than personal spaces, to facilitate continuity of activity in the event of the departure of a member.
  • Data storage should follow principles of least access and separation of duties, particularly when data are exchanged with third parties (e.g., clinicians).
  • For servers or services containing research data that are directly accessible from the Internet:
    • Ideally, research servers should leverage institutional/federated authentication services.
    • Authentication should require a unique identifier for each person (username/email address)
    • Authentication should be strong. A password alone is not sufficient. Strong authentication can include:
      • SSH key-based authentication, with password authentication disabled
      • Multi-factor authentication (MFA), known at Waterloo as “Two-Factor Authentication (2FA)”
      • Certificate-based authentication (e.g., PKI)
    • Servers should be hardened (i.e., services exposed to the network are limited to those required)
  • Automatic updates should be enabled on all systems on the campus network. If not, then there should be planned updates on a periodic basis. Computer systems running out-of-support software that cannot be updated must, in consultation with IST, employ alternative risk mitigation controls in order to be on the campus network.
  • The transmission of research data should use modern Transport Layer Security (e.g., HTTPS, SSH) with known secure ciphers. Clear-text network protocols (e.g., HTTP, FTP, RSYNC) for the transmission of research data must be avoided.
  • Portable media for storing research data should be avoided, except for encrypted backups stored in a physically secure location.
  • Laptops should have automatic updates enabled and employ full-disk encryption.
  • All researchers should complete cybersecurity awareness training that includes, at a minimum, the following:
    • Secure data handling (including data encryption)
    • Email security awareness
    • Safe Internet browsing
    • Malware/Ransomware
    • Password management
    • MFA/2FA best practices
    • Safeguarding Your Research (content developed by the Government of Canada)
    • Data security and international travel
    • Breach response procedure for the project
  • IST provides security awareness training, with many materials hosted on LEARN.
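
The standard above for Internet-accessible servers lists "SSH key-based authentication, with password authentication disabled". The following check is an added example, not part of the original guidance or an IST tool: it audits the text of an sshd_config for that requirement. The function names and the sample configuration are constructed for illustration, and treating keyboard-interactive authentication as a password path is an assumption of this example.

```python
# Added example: audit sshd_config text for "key-based auth, passwords disabled".
# Within a section sshd keeps the FIRST value given for a keyword; keywords in
# a Match block override the global section for the connections they match.
PASSWORD_PATHS = ("passwordauthentication", "kbdinteractiveauthentication")
# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = dict.fromkeys(PASSWORD_PATHS + ("pubkeyauthentication",), "yes")
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse(text):
    """Return (global_settings, [(match_criteria, settings), ...])."""
    global_cfg, matches, current = {}, [], None
    for raw in text.splitlines():
        # "Keyword value" and "Keyword=value" are both accepted by sshd.
        parts = raw.strip().replace("=", " ", 1).split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or keyword without a value
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            current = {}
            matches.append((parts[1], current))
            continue
        target = global_cfg if current is None else current
        target.setdefault(key, parts[1].split()[0].lower())  # first value wins
    return global_cfg, matches

def audit(text):
    """List every place where a password-style login is still possible."""
    global_cfg, matches = parse(text)
    effective = {**DEFAULTS, **global_cfg}
    findings = []
    if effective["pubkeyauthentication"] != "yes":
        findings.append("global: pubkeyauthentication is not 'yes'")
    findings += [f"global: {k} is not 'no'" for k in PASSWORD_PATHS
                 if effective[k] != "no"]
    for criteria, cfg in matches:
        # A Match block that is silent on a keyword inherits the global value.
        findings += [f"Match {criteria}: {k} is not 'no'" for k in PASSWORD_PATHS
                     if cfg.get(k, "no") != "no"]
    return findings

# Constructed sample, not taken from a real host.
SAMPLE = """\
PasswordAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""
print(audit(SAMPLE))
```

On a live server, `sshd -T` prints the effective configuration after defaults and included files are resolved, which is the authoritative input for a check like this.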

Detect

  • Professional IT and/or cybersecurity staff should be reviewing access logs. Ideally, access and other system logs are sent to a departmental or institutional log management system to facilitate threat analysis.
  • IST monitors the campus network for security issues; however, IST does not have visibility of threats for equipment not centrally managed, nor equipment that may be off-campus. All researchers are encouraged to install software agents provided by IST that:
    • Inventory installed software and assess security vulnerabilities (Qualys VMDR)
    • Actively monitor for threats (EDR/XDR - pending in 2023)

Respond

  • The PI must understand the breach reporting obligations of the institution, organizations providing data, sponsors and potentially others (e.g., government, professional colleges).
  • All stakeholders need to understand their role in breach response. This includes the PI, research team, departmental IT, IST, Office of Research, and others.

Recover

  • The procedure for recovering from backup media should be tested periodically.
  • The PI is responsible for the procedure for recovering from an incident where research data are lost or compromised.

References/Further reading

The NIST Cybersecurity Framework is a useful tool for managing a cybersecurity program including identification of considerations, controls, and measuring maturity.

The ability for a project and/or institution to adopt specific security standards will depend on factors including but not limited to the resources available, IT governance, regulatory/contractual requirements, and risk tolerance.

Recommendations for standards adoption are listed below, in order of increasing maturity/effort for compliance:

  1. Canadian Centre for Cyber Security: Top 10 IT security actions
  2. The top 18 CIS Critical Security Controls
  3. NIST SP 800-171 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  4. NIST SP 800-53 - Security and Privacy Controls for Information Systems and Organizations

Getting help

The Information Security Services Team in IST is available to assist researchers with developing cybersecurity plans. To start the process, PIs should complete IST’s Information Risk Assessment Intake Form for Research Initiatives.

Questions may be directed to ist-researchsecurity@uwaterloo.ca.