Security Guidelines for Research Partnerships - Industry and Partnership Services (IPS)

In Canada, research is an incredibly valuable asset which contributes to the Canadian society as a whole and also gives back to the world internationally. At the same time, this research is vulnerable to foreign hostile actors and regimes and there is a real risk that such actors will attempt to access, acquire and misuse research to undermine Canadian national security and critical infrastructure. According to CSIS, Canadian researchers are not alone in facing such risks.

Accessibility transcript for CSIS video

On January 16, 2024, the federal government of Canada responded to these risks with an announcement of the Sensitive Technology Research and Affiliations of Concern Policy. This policy clarifies that starting in early 2024, research grant and funding applications submitted by a university or affiliated research institution to the federal granting councils and the Canada Foundation for Innovation involving research that advances a sensitive technology research area will not be funded if any of the researchers involved in activities supported by the grant are affiliated with, or in receipt of funding or in-kind support, from a university, research institute or laboratory connected to military, national defence, or state security entities that could pose a risk to Canada’s national security. A list of these Named Research Organizations accompanied the announcement.

Data Storage and File Sharing at Carleton

Research Computing Services is offering a secure, online file sharing platform based on Citrix ShareFile for researchers to store their data and collaborate with Carleton faculty and students, as well as external collaborators. This service is similar to many commercial products like Dropbox, Google Drive, etc. The data is stored locally within the secured data centre on Carleton’s campus. RCS ShareFile has been fully assessed by ITS’s information security professionals to be operating within the acceptable risk tolerance as defined in the University’s Risk Management Framework. Based on this, the Carleton Research Ethics Boards deemed it an acceptable platform for research data. For more information, including how to get an account and how to get started, please visit https://carleton.ca/rcs/sharefile/.

What research areas are most at risk?

Please refer to this webpage for a list of sensitive areas of research.

What can I do?

To comply with the federal government’s STRAC policy, applicants must undertake a two-step process prior to applying to grant funding. Details are provided on the federal government’s website here. In addition, researchers can take an active role in protecting their research in the following ways:

Training and Resources

Become aware of research security risks and learn how to develop a risk mitigation plan for your project by completing the following two online courses (30-40 minute time commitment each):

1) Introduction to Research Security

2) Cyber Security for Researchers

Review the guidelines and tools page for a number of research security resources and use the Safeguarding Your Research portal

Consider also the information in University Canada’s guide on Mitigating Economic and/or Geopolitical Risks in Sensitive Research Projects when forming your risk mitigation plans.

Understand NSERC's national security requirements for research

NSERC alliance applicants are also required to submit a Risk Assessment Questionnaire along with their funding applications. Although NSERC is piloting this questionnaire with one program at this time, we expect that the national security risk questionnaires may be applied to other Tri-Council funding application processes in the future. The Introduction to Research Security and Cyber Security for Researchers courses are designed to help researchers complete this questionnaire.

Risk Assessment Best Practices

These best practices come from National Sciences and Engineering Research Council of Canada (NSERC) to help guide researchers and universities.

Best Practices

Researchers and institutions should use the tools and resources on the Safeguarding Your Research portal for information on how to identify and mitigate risks to security in research partnerships.

Have open discussions with your partner organization(s) to identify potential or perceived risks.
Conduct open source intelligence due diligence to identify any potential or perceived risks related to your partner organization(s).

When completing the risk assessment form:

Ensure to read the form in its entirety and consult any external resources mentioned in the form to ensure your responses are as accurate as possible.
Use the tools and resources on the Safeguarding Your Research portal for information on how to identify and mitigate risks to national security in research partnerships.
Use your best judgement and show due diligence when developing a mitigation plan that addresses the potential risks you have identified. Examples of specific mitigation measures to include in your plan are included in the form.
All projects are unique and thus should be addressed through tailored risk mitigation measures.

Seek Carleton support

Carleton researchers may contact their research facilitator when preparing a funding application that includes a Risk Assessment Questionnaire.

For advice on selecting secure online software and tools to conduct your research at Carleton, domestically and/or abroad, please contact the Research Computing Services branch of ITS.

To report an actual or suspected security breach associated with your Carleton project or to your Carleton information, please notify Chris Lannon in OVPRI and also contact the ITS Security Desk as per their Information Security Incident Response Policy

Please also do your part by reporting any real or potential threats to Canada’s critical infrastructure and national security directly to CSIS.

Consult Carleton Resources

Policy on the Responsible Conduct of Research	Office of the Vice-President (Research and International)
Risk Management Policy	Office of the President
Carleton’s Privacy Policies (in compliance with FIPPA)	Carleton University Privacy Office
Information Technology (IT) Security Policy	Information Technology Services
Information Security Incident Response Policy.	Information Technology Services
Cloud Computing Policy	Information Technology Services
Mobile Technology Services Policy	Information Technology Services
Administrative Data Collection, Access and Usage Policy	Information Technology Services & Enrolment Management
Password Policy for Information Systems	Information Technology Services (ITS)
Remote Network Access (VPN use) Policy	Information Technology Services (ITS)

See External Resources

Tri-Agency Framework: Responsible Conduct of Research (2021)	Panel on Responsible Conduct of Research
Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans – TCPS 2 (2018)	Panel on Research Ethics
Freedom of Information and Protection of Privacy Act (FIPPA)	Government of Ontario
Safeguarding Research at Ontario’s Universities	Government of Ontario
Personal Health Information Protection Act	Government of Ontario
Open Source Due Diligence Summary	Government of Canada
Travel Security Guide for University Researchers and Staff	Government of Canada
Government of Canada-Universities Working Group	Government of Canada
Regional Fact Sheets	Government of Canada
Safeguarding Science	Government of Canada
Roadmap for Open Science	Government of Canada
Research Support Fund	Government of Canada

Share: Twitter, Facebook
Short URL: https://carleton.ca/ips/?p=3131