This indicator evaluates the maturity of IT security measures employed to safeguard research data and associated services. It focuses on whether protections are reactive or proactive, how well staff understand and follow security practices, and whether systems are certified, monitored, and continuously improved.
Level 1 – Security measures for RD and services are ad hoc or minimal. There are few or no documented policies and/or procedures. Staff have limited awareness of IT security. Basic protections like antivirus software and standard firewalls are used reactively.
- Ad hoc or minimal protections: Security measures exist but are informal, inconsistent or dependent on individual initiative.
- Limited awareness: Staff have a low understanding of IT security risks and responsibilities.
- Basic tools only: Antivirus, standard firewalls, and default system protections are applied reactively, with no broader strategy.
Impact: Research data is at risk from common threats. Security relies on individual vigilance rather than organisational systems.
Level 2 – Implementation of documented policies/procedures for security of RD; regular staff training in recognising and responding to cyber threats; access control and password management systems are in place; regular software updates and patches.
- Policies and procedures: Security measures and procedures for research data are formally documented and applied across the organisation.
- Staff training: Regular training sessions on recognising and responding to cyber threats are in place.
- Access management: Password policies, user access controls and permissions are used.
- Regular updates: System and security updates are consistently applied and maintained.
Impact: Security is consistent and reduces common risks, but remains largely ineffective against more sophisticated attacks and breach attempts. Staff understand their responsibilities, and basic safeguards are in place.
Level 3 – Incident response and disaster recovery plans for RD are in place and tested; proactive security measures, vulnerability testing and assessment; Multi-Factor Authentication (MFA) is enforced for sensitive systems; tools for advanced threat detection and response are in place.
- Incident response: Response and disaster recovery plans exist and are regularly tested.
- Proactive security: Vulnerability assessments, penetration testing, and threat monitoring occur routinely.
- Advanced protections: Multi-Factor Authentication (MFA) is enforced for sensitive systems, and advanced detection and response tools are in place.
Impact: Research data is actively protected as threats are identified and addressed promptly, and security practices are integrated into daily operations.
Level 4 – ISO certification or similar (ISO, NIST, …); real-time threat monitoring for RD and automated response mechanisms are in place; regular audits and continuous improvement.
- Certification: Systems are aligned with recognised standards (e.g. ISO 27001, NIST) and are periodically revalidated.
- Real-time monitoring: Automated threat detection and response mechanisms are operational.
- Continuous improvement: Regular audits, policy updates, and iterative enhancements ensure evolving threats are mitigated.
Impact: IT security is robust, proactive, and trusted. Research data protection is embedded into organisational culture, with ongoing monitoring and continuous enhancement.