To ensure that UBC's confidential data and information systems are safe from a data breach, the university has Information Security Standards that govern the use and protection of university data and computing resources. As required by Policy SC14 (formerly Policy 104), Acceptable Use and Security of UBC Electronic Information and Systems, all faculty and staff are responsible and accountable for following these standards.
These Information Security Standards are subject to periodic reviews to adapt to changing expectations and risks. The current review cycle began in March 2018.
Review Phase I
- March 2018 - Review Cycle began
- March - April 2018 - Feedback gathering round
- May - September 2018 - Committee drafts amendments to the standards that generated the most feedback (ISS #1,2,3,5,14)
- October - November 2018 - Feedback gathering round #2
- November 2018 - Committee finalizes amendments
- December 2018 - CIO decision and approval of amendments
- January - February 2019 - Other Information Security Standards and all related documents updated to reflect amendments
- March 2019 - Updated standards are published
Review Phase II
In March 2019, the ISS Working Group began drafting amendments to the next set of standards that generated significant feedback. In addition, partial revisions were drafted to accommodate changes in technology, the new minimum cybersecurity controls mandated by UBC Executive in support of UBC’s COVID-19 response, and changes to support the new “Securing IoT Devices” user standard. The Working Group has also proposed that the standards be renumbered: user standards will be prefixed with a ‘U’, and Management and Technical Standards will be prefixed with an ‘M’.
- Mar - Apr 2019 - Selection of next set of standards for review
- May 2019 - Jun 2020 - Working Group drafts amendments to the standards, including:
  - User Standards
    - #3 (U3), Transmission and Sharing of UBC Electronic Information (Partial Review)
    - #5 (U5), Encryption Requirements (Partial Review)
    - #6 (U6), Working Remotely (Full Review)
    - #7 (U7), Securing Computing and Mobile Storage Devices/Media (Partial Review)
    - #8 (U8), Destruction of UBC Electronic Information (Partial Review)
    - #9 (U9), Outsourcing and Service Provider Management (Partial Review)
    - U11, Securing Internet of Things (IoT) Devices (New)
  - Management and Technical Standards
    - #12 (M3), Privileged Account Management (Full Review)
    - #14 (M5), Vulnerability Management (also published in Phase I)
    - #15 (M6), Security of Wi-Fi Infrastructure (Full Review, formerly Wireless Networks)
    - #19 (M10), Internet-Facing Systems and Services (in progress) (Partial Review)
    - #20 (M11), Development and Modification of Software Applications (Partial Review)
We always invite feedback relating to the Information Security Standards. Email your feedback directly to email@example.com.
Feedback will be forwarded to the members of the review team, who will then make final amendments to the standards and forward them to the Chief Information Officer for approval. Comments submitted in the initial feedback gathering round are also available for your review.
If you have any questions or comments about this process, please send an email to firstname.lastname@example.org.