Research Security and Risk Management


Data is central to research, innovation, and opportunity. However, all data, including research data, also carries risk. By appropriately managing your research data—and its inherent risks—you can help keep your project on track and avoid legal and regulatory penalties.

A simple research data security plan complements your data management plan and demonstrates your due diligence in planning for and managing risks to your project data.

To streamline the planning process and help you allocate more of your time to conducting research, use the Secure UD Research Security Plan Tool. This easy-to-use tool asks a series of yes/no questions that walk you through the relevant risks and produces a self-documenting security plan for managing them. Creating your research data security plan takes less than an hour, and your finished plan is a valuable resource for protecting your work.

Secure UD Managing Research Data Risks complements the Secure UD Research Security Plan tool and the information on this page. It provides succinct summaries of the types of risk you may encounter and tips for managing those risks.

You can also contact IT Security for a consultation about research data risk and for assistance in incorporating risk management strategies into your data management plan, security plan, and research practices.

Download the Secure UD Research Security Plan Tool v1.00 (.docx)

Type of risk / Does it apply to you?

Physical asset risk

How will you manage devices and paper documents containing project data?

Physical assets include...

  • desktop and laptop computers
  • mobile devices (smartphones and tablets)
  • servers
  • removable storage media
  • paper documents

Every project involves some number of physical assets necessary for project activities. All of these assets facilitate the completion of your project, but they and the data they contain must be managed and protected appropriately.

Confidentiality risk

Will your project involve any data that has restrictions on who can view or access it?

Do you have any data that...

  • can only be disclosed to authorized parties?
  • is required by law, regulation, or contract to remain confidential?
  • is sensitive by nature and would have a negative impact if disclosed?
  • would be valuable to hackers, corporate spies, foreign intelligence, etc.?

Data confidentiality is about protecting data against unintentional, unlawful, or unauthorized access, disclosure, or theft.

Integrity risk

Will your project involve any data that, if not maintained with integrity, would significantly impact the accuracy or feasibility of the study?

Do you have any data that...

  • must remain accurate and uncorrupted?
  • must only be modified by certain individuals or in a controlled manner?
  • must come only from trusted sources?

Data integrity is about protecting data against improper maintenance, modification, or alteration. It includes data accuracy and authenticity.

Availability risk

Will your project involve any data that, if lost, stolen, or destroyed, would be irreplaceable or would significantly impact the feasibility of the study?

Do you have any data that...

  • must remain available or accessible during the project?
  • must remain available or accessible after the project is complete?
  • cannot be easily re-obtained or re-created?

Data availability is about the timeliness and reliability of access to and use of data. It includes data accessibility.

Privacy risk

Will your project involve any data that, either by itself or in combination with publicly available information, has the potential to violate the privacy expectations of individuals?

Do you have any data that...

  • involves human subjects?
  • has explicit legal or regulatory privacy protection requirements?
  • is sensitive, or has the potential to be sensitive if combined with other information?

Data privacy is about respecting individuals' reasonable expectations to be free from unreasonable observation and excessive collection or use of personal data (what is being observed and how it is being used).

Privacy risks apply to projects involving human-related data, such as data on individuals' behavior, medical records, or learning patterns. Some projects may not involve data with privacy-related risks.

Legal, regulatory, and contractual risk

Will your project involve any data that is subject to legal, regulatory, or contractual requirements?

Do you have any data that...

  • is subject to laws or regulations (e.g., FERPA, HIPAA, Common Rule)?
  • is provided to you under a contract or agreement?
  • is subject to grant or contract restrictions or security requirements?

Data laws and regulations govern the handling of particularly sensitive kinds of information and may present the risk of fines, loss of funding, or even imprisonment. Health data, education records, defense articles, and other such data present legal and regulatory risk that goes hand-in-hand with the other risks described here, such as confidentiality, privacy, and human risk.

Sponsored research agreements may specify data security standards and requirements that must be followed during or after the study. Data contracts may govern how data from a particular source or generated by a particular contract can be used or what rights researchers acquire to that data.

Human risk

Is every member of your team, including you, aware of data risk and security?

Is your team...

  • aware of their responsibility for security?
  • aware of security best practices?
  • watchful for unusual behavior that may indicate data theft?

Human risk includes human vulnerability to social engineering, awareness of security practices, and insider threats.