UBC's Information Security Standards were created under the authority of Policy #104, Acceptable Use and Security of UBC Electronic Information and Systems (issued in June 2013) to provide a comprehensive set of security requirements to the UBC community on the protection of electronic information. These Standards are intended to reduce information security risks, especially in relation to personal information, because a major privacy breach would likely have a significant financial, reputational and legal impact on the university; furthermore breaches such as these could cause a major setback to individual or group research agendas or to teaching objectives.
The Standards were created under the direction of the Chief Information Officer by a task force comprised of representatives of UBC IT, the Office of the University Counsel, and Risk Management Services, and were reviewed by the Information Security Governance Committee, a cross-departmental advisory body. The Standards have also been the subject of an extensive consultation process, including feedback from the University Community.
The Standards were published in final form on August 15, 2014 to provide an approved baseline for detailed implementation planning to commence. While they are published as final, the Standards are considered living documents and additional reviews will be conducted in January and July 2015, to address further concerns or questions.
The Standards provide a solid foundation that Administrative Heads of Unit can fully leverage to fulfill their responsibilities for protecting UBC electronic information through the implementation of reasonable security measures.
The Standards have been divided into two categories: User Standards and Management and Technical Standards and the following audiences should approach these Standards as outlined below:
- Faculty and Staff - should read and take personal responsibility for meeting the requirements in the User Standards #1 to #10.
- University IT Support Staff - should read and take responsibility for meeting the requirements in the Management and Technical Standards #11 to #20, in addition to their personal responsibility for the User Standards and providing assistance for Users in meeting the User Standards as necessary.
- Administrative Heads of Unit - should understand what Standards exist, and take the necessary steps to delegate the responsibility to the appropriate individuals for implementation.
Recognizing that it will take time to fully meet all of the requirements in the Standards, Faculties and Departments are expected to gradually implement these requirements over time. An example implementation roadmap has been created for reference. The Administrative Head of Unit is responsible for creating an implementation roadmap that is suitable for their Faculty or Department, taking into account risks and available resources.
For more information about the Standards, see our Frequently Asked Questions.
POLICY AND STANDARDS
Information Security at the University of British Columbia is governed by Policy #104: Acceptable Use and Security of UBC Electronic Information and Systems. Policy 104 requires the Chief Information Officer to issue Information Security Standards, which are mandatory for all Users of UBC Electronic Information and Systems. The Chief Information Officer also issues Information Security Guidelines. While these Guidelines are not binding, they provide useful procedural guidance for the user.