Introduction
- All Devices used for University Business – no matter whether they are owned by the University, by the User, or by a third party – need to be protected from theft and/or unauthorized access. This standard specifies the minimum security requirements that Users must comply with to protect these Devices. University IT Support Staff, including staff in the IT Service Centre, are available to assist Users in implementing these requirements where necessary.
- Two broad categories of Devices are covered by this standard:
  - Computing Devices, e.g. servers, desktop and laptop computers, tablets and smartphones; and
  - Mobile Storage Devices/Media, e.g. external hard drives, DVDs, and USB sticks.
- The Chief Information Officer has issued this document under the authority of Policy 104, Acceptable Use and Security of UBC Electronic Information and Systems. Questions about this standard may be referred to information.security@ubc.ca.
Electronic Security
- Computing Devices used for University Business must comply with the following electronic security requirements. Users with IT-related responsibilities should also see the Vulnerability Management standard.
- Password Control (all Devices): All Devices must be password-protected in accordance with the Password and Passphrase Protection standard. Always lock Devices or log out before leaving them unattended.
- Screensaver Locks:
  - Servers: automatically activate after no more than 5 minutes of inactivity.
  - Desktops, Laptops, Tablets & Smartphones: automatically activate after no more than 30 minutes of inactivity (5 minutes is recommended for Devices storing Medium, High or Very High Risk Information).
- Device Location:
  - Servers: n/a.
  - Desktops, Laptops, Tablets & Smartphones: enable any features that will allow the Device to be remotely located in the event of loss or theft.
- Data Destruction:
  - Servers: n/a.
  - Desktops, Laptops, Tablets & Smartphones: enable the feature that automatically erases data if 10 consecutive incorrect passwords are entered.
- Remote Wiping:
  - Servers: n/a.
  - Desktops, Laptops, Tablets & Smartphones: enable any features that will allow data stored on the Device to be erased in the event of loss or theft.
- Antivirus & Spyware (all Devices): Install up-to-date antivirus and spyware cleaning software and configure it to update at least once per day (except for tablets and smartphones that do not offer this feature). See the Antivirus Protection guideline.
- Firewalls (all Devices): Install and configure firewalls (except for tablets and smartphones that do not offer this feature). See the Firewalls guideline.
- Operating System (all Devices): The Device must run a version of its operating system for which security updates continue to be produced and are available. If this is not possible, see the Vulnerability Management standard for compensating controls. If the Device is University-owned, software updates must not be impeded, and no unauthorized changes may be made to the Device.
- Data Availability (all Devices): Any UBC Electronic Information stored on the Device must be regularly backed up to a secure location and checked periodically (preferably quarterly) to ensure the integrity and availability of the information, such that it can be restored. See the Backup guideline.
- Encryption (all Devices): Refer to the Encryption Requirements standard.
- Mobile Storage Devices/Media used to store High or Very High Risk Information must be encrypted as explained in the Encryption Requirements standard.
Physical Security
- For their protection, unattended Devices must be located in one or more of the following areas:
  - a room or other enclosed area that is locked or otherwise access-controlled; and/or
  - a locked cabinet or other fixed container such as a locked server cabinet/cage.
- Servers containing significant quantities of High or Very High Risk Information must be hosted in UBC Datacentres that are compliant with the Physical Security of UBC Datacentres standard, or on third-party servers that have an equivalent level of security, because these environments provide the highest level of protection. To get access to server space in a UBC Datacentre, Users can rent space or use the EduCloud Server Service.
- Keys or swipe cards giving access to Devices must be limited to authorized individuals.
- Measures should be taken to ensure Devices cannot be viewed from outside the secure area, e.g. by drawing curtains or blinds.
- Cable locks are recommended as a supplementary security measure for Computing Devices, but they do not provide sufficient protection by themselves. It is safer to lock portable Devices, such as laptops, in a cabinet out of sight rather than relying on a cable lock.
- The use of alarms is highly recommended, especially to protect Devices used to store Medium, High or Very High Risk Information.
Use of Non-University-Owned Devices
- UBC recognizes that it is often convenient for Users to use their personally-owned Devices for work purposes and such use is permitted provided that they manage their Devices in accordance with this standard.
- Some Users may also use Devices supplied by third parties in connection with University Business. Users, in consultation with University IT Support Staff, are responsible for determining whether these Devices meet the minimum security requirements in this standard; for example, Health Authorities have good information security measures in place, and it is acceptable to use their computers for University Business.
Special Requirements for Servers
- Servers (especially Web and FTP servers) are attacked on a continual basis. To avoid creating security weaknesses, servers must not be used for general web browsing or email.
- Users must not run Internet-facing server applications (e.g. web or FTP servers) on desktops or laptops. Exceptions may be approved by the Administrative Head of Unit, in consultation with University IT Support Staff, provided that compensating controls are put in place to control security risks.
Inventory of UBC-owned Laptops and Desktops
- Central UBC IT support staff must maintain an inventory of UBC-owned laptops and desktops that they have deployed, including which Users these devices are assigned to. It is recommended that all other University IT Support Staff maintain such inventories as well.
Return of Devices and Information upon Termination
- Upon termination of their employment, Users must return all of the UBC-owned Devices in their possession to an authorized employee of UBC, and must return and delete any UBC Electronic Information stored on their personally-owned Devices.
Loss Reporting Requirement
- Users who lose a Device used for University Business (no matter who owns the Device) or suspect that there could have been an unauthorized disclosure of UBC Electronic Information must report the loss/disclosure in accordance with the Reporting Information Security Incidents standard.
Related Documents
- Policy 104, Acceptable Use and Security of UBC Electronic Information and Systems
- Encryption Requirements standard
- Password and Passphrase Protection standard
- Physical Security of UBC Datacentres standard
- Reporting Information Security Incidents standard
- Vulnerability Management standard
- Antivirus Protection guideline
- Backup guideline
- Firewalls guideline