Information Security Policy, Standards and Resources

Information Security Standards

UBC Information Security Standards are subject to periodic reviews to adapt to changing expectations and risks. There is a review cycle underway and your input is needed. Learn more

NEW AS OF APRIL 15, 2020 - Minimum Cybersecurity Controls

As part of UBC's COVID-19 response, there are new minimum cybersecurity requirements for faculty, staff and researchers accessing UBC Electronic Information and Systems remotely. These new cybersecurity controls should be considered in addition to the requirements outlined in the Information Security Standards below. Learn more

As required under Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems, the CIO has published Information Security Standards, which are mandatory for all Users of UBC Electronic Information and Systems. To learn more about the application of these standards, see the roles and responsibilities table.

The Standards are listed in the tables below, along with resources to assist Users with compliance. While these resources are very useful, they are not mandatory unless explicitly stated. Recognizing that it will take time to fully meet all of the requirements in the Standards, Faculties and Departments are expected to gradually implement these requirements over time. See the example implementation roadmap for more information. Each Faculty and Department is responsible for creating its own implementation roadmap, based on risk and resource considerations.

The Standards have been divided into two categories: User Standards and Management and Technical Standards and the following audiences should approach these Standards as outlined below:

Faculty and Staff - should read and take personal responsibility for meeting the requirements in the User Standards #1 to #10.
University IT Support Staff - should read and take responsibility for meeting the requirements in the Management and Technical Standards #11 to #20, in addition to their personal responsibility for the User Standards and providing assistance for Users in meeting the User Standards as necessary.
Administrative Heads of Unit - should understand what Standards exist, and take the necessary steps to delegate the responsibility to the appropriate individuals for implementation.

The Standards, associated resources and example implementation roadmap were originally published in August 2014 and they are subject to periodic reviews to adapt to changing expectations and risks. In 2018, an Information Security Standard review cycle began, resulting in updates being made to the following standards:

For more information about the Standards, see our Frequently Asked Questions. For definitions of the dotted underlined terms used in the Standards, see the Glossary.

A single PDF version of the all the Information Security Standards is also available: Download the PDF

Standards for All Users

Standard#	Standard	Resources
#1	Security Classification of UBC Electronic Information
#2	Password and Passphrase Protection	Password Safe guideline
#3	Transmission and Sharing of UBC Electronic Information	Faxing Medium, High or Very High Risk Information guideline
#4	Reporting Information Security Incidents	UBC Incident Response Plan Securing and Preserving Electronic Evidence guideline
#5	Encryption Requirements	Encrypting Mobile Devices guideline How to Encrypt Files Using Common Applications guideline How to Encrypt USB Sticks and Other Removable Media guideline Security Considerations for International Travel with Mobile Devices guideline
#6	Working Remotely
#7	Securing Computing and Mobile Storage Devices/Media	Anti-virus Protection guideline Firewalls guideline Backup guideline Securing Computing and Data Storage Devices Checklist
#8	Destruction of UBC Electronic Information	Data Destruction Confirmation Form
#9	Outsourcing and Service Provider Access	Security and Confidentiality Agreement Service Provider Security Risk Assessment checklist
#10	Accessing Electronic Accounts and Records	Request to Access Electronic Accounts and Records form

Management and Technical Standards

Standard#	Standard	Resources
#11	User Account Management
#12	Privileged Account Management	Authorization for Privileged Account Access procedure System Administrators' Code of Ethics
#13	Securing User Accounts
#14	Vulnerability Management	UBC Systems and Applications Hardening guides Appropriate Notification Services guideline Severity Ratings for Vulnerabilities (CVSS v2.0) guideline Securing Drupal Guideline Securing WordPress Guideline
#15	Wireless Networks
#16	Cryptographic Controls	Key Escrow guideline
#17	Logging and Monitoring of UBC Systems
#18	Physical Security of UBC Datacentre
#19	Internet-Facing Systems and Services
#20	Development and Modification of Software Applications	Software Applications Security Risk Assessment checklist
#21	Requesting Variances from Information Security Standards