In June 2013, after an extensive drafting and consultation process, Policy SC14 (formerly Policy 104) (Acceptable Use and Security of UBC Electronic Information and Systems) was approved by the Board of Governors to replace two older policies, Policy 104 (Responsible Use of Information Technology Facilities and Services) and Policy 106 (Access to and Security of Administrative Information).
Policy SC14 requires the Chief Information Officer (CIO) to publish Information Security Standards regarding the security of UBC Electronic Information and Systems. The Information Security Standards were first published in August 2014.
The Policy and Standards apply to all Users of UBC Electronic Information and Systems that are intended to be used for University Business. Essentially all University-supported administrative, academic and research activities are covered by these requirements.
The purpose of the Information Security Standards is to maintain the availability and integrity of UBC Electronic Information and protect it from unauthorized access, disclosure or deletion, and to protect UBC Systems from disruption. Specifically, the Standards are intended to reduce system "down-time", improve productivity, eliminate data breaches, and comply with data protection laws such as the Freedom of Information and Protection of Privacy Act (FIPPA).
The Standards were created with reference to information security best practice frameworks published by the International Standards Organization, Payment Card Industry, and the BC Office of the Information and Privacy Commissioner. All requirements were adjusted, as required, to reflect the maturity level of the University's IT systems and information management practices. The goal of the process was to strike a balance between UBC's need for simple, straight forward information security rules and the legal requirement to implement "reasonable security measures" for the protection of Personal Information.
The Information Security Standards were initially developed in 2013 - 2014 by representatives of UBC Information Technology, Risk Management Services, and the Office of the University Counsel. They were distributed to the University community for consultation and were also reviewed by the Information Security Governance Committee, an advisory body with representatives from faculty and administrative units across campus. Drafts were approved by the Chief Information Officer in March 2014. Feedback was provided by the community during a broad review in the summer of 2014. The first iterations of the Information Security Standards were published in final form in August 2014. The Standards are reviewed periodically to address any additional feedback and concerns.
The Standards were then reviewed in 2018 by a committee comprising representation from Cybersecurity, Office of the University Counsel, Risk Management Services, Advanced Research Computing, Academic and Research Faculty, and Faculty IT. This review committee made revisions to the standards that generated the most community feedback, comprising:
- #1 Security Classification of UBC Electronic Information
- #2 Password and Passphrase Protection
- #3 Transmission and Sharing of UBC Electronic Information
- #5 Encryption Requirements
- #14 Vulnerability Management
The CIO approved the recommended changes to these Standards in December 2018 and they were published in March 2019. A number of associated Standards and Related Documents were also updated to comply with the new nomenclature as appropriate.
The review committee is now working on draft amendments for the next set of standards. Learn more about the review process.
The Standards are considered living documents and will be reviewed periodically to address ongoing concerns or questions. Every comment or question received is carefully reviewed and the Standards are amended where necessary. Feedback regarding the Standards is welcomed. Please submit all feedback to the Privacy Matters email address at email@example.com.
Application of the Standards
All Users are required to follow the Standards. Where the Standard says that Users "must" or are "required" to do something, this is a mandatory requirement under the authority of Policy SC14. Where the standard says that Users "should" or are "recommended" to do something, this is not mandatory; it is a guideline.
The Information Security Standards cover a wide variety of topics. For convenience, the Standards are divided into two categories: those that are applicable to all Users, and Management & Technical Standards that are mainly applicable to University IT Support Staff and Administrative Heads of Unit.
Compliance with the Standards
This website contains an array of resources to assist Users in complying with the Information Security Standards, which includes procedures, guidelines, forms and checklists. For more information about these documents, see the Resources page.
While there are many requirements in the Standards, some of them only apply to High Risk and Very High Risk information because this information poses the highest risk to UBC if it is not adequately protected. For Users handling lower-risk types of information, including some teaching and research information, it should not take a significant amount of time to meet the requirements in the Standards.
It is recognized that some units may have specific circumstances that merit a variance from the Information Security Standards. Administrative Heads of Unit that wish to deviate from these Standards must request a variance from the Chief Information Officer, in accordance with the Standard on Requesting Variances from Information Security Standards.
Protection of Personal Information
The Freedom of Information and Protection of Privacy Act (FIPPA) requires the University to protect Personal Information, which is defined as "recorded information about an identifiable individual" (with the exception of the names and work contact information of University employees). Failure to protect Personal Information may be investigated by the provincial Information and Privacy Commissioner. If the Commissioner determines that there has been a privacy breach, this may result in a fine of up to $500,000. The University is required to take 'reasonable' measures to protect Personal Information, which should depend on the sensitivity of the information. Therefore, highly sensitive information such as SINs, financial history or personal health information is subject to more stringent controls.
Students' names fall under the legal definition of Personal Information ("recorded information about an identifiable individual") and are therefore protected under the terms of the Freedom of Information and Protection of Privacy Act (FIPPA). While the unauthorized access or disclosure of a single class list would probably not have serious consequences, the disclosure of other personal information about students, such as their grades, contact information or counselling records, could be a serious matter.
Like many organizations, UBC requires work to be conducted using business email systems such as FASmail. Gmail and other services that are hosted in the "cloud" are not suitable for work purposes for the following reasons:
- Privacy: The Freedom of Information and Protection of Privacy Act (FIPPA) requires Personal Information to be stored and accessed in Canada. Since Gmail is hosted outside Canada, it should not be used by UBC faculty or staff to transmit Personal Information.
- Security: UBC has an obligation to ensure that Medium, High or Very High Risk Information is reasonably secure from unauthorized use or disclosure. It cannot guarantee the safety of the information if it is stored in a personal email account on Gmail.
- Records management: UBC's Records Management Policy requires staff and faculty members to manage and preserve records of value, which includes email messages. Emails that are stored on external email accounts may not be preserved as required under that policy.
At UBC, we are regulated by the Freedom of Information and Protection of Privacy Act (FIPPA), which requires us to protect Personal Information from unauthorized collection, use, or disclosure. In support of the law, UBC requires that all Mobile Devices— including laptops, smartphones, tablets and mobile storage media such as USB keys, whether UBC-supplied or personally-owned—used for University Business be encrypted. Encryption is also a requirement for desktop computers containing High or Very High Risk Information. Security breaches can cause a lot of wasted time, money, and stress, and can harm the university's reputation. In addition, these devices are vulnerable to loss, damage or theft, and it is especially important to ensure they are adequately protected. Encrypted data is unreadable without a password.
It is also essential to ensure that data from these devices is regularly backed up to a secure location.
For Users' convenience, tablets and smartphones are permitted to have a weak (5-digit) password, which does not meet minimum standards under the Freedom of Information and Protection of Privacy Act (FIPPA). Therefore, we need to have compensating controls in place to ensure that these devices are adequately protected from unauthorized access. One of these controls is a feature that automatically erases data if 10 consecutive incorrect passwords are entered. This feature has been in place for years on FASmail with not one case of accidental wiping reported to-date. Furthermore, some operating systems have a time delay feature requiring the user to wait a progressively longer period of time after each bad password is entered.
Your mobile device should never be the sole storage location for your important data. As these devices are vulnerable to loss, theft or damage, they must be regularly backed up to a secure location.
The Office of the University Counsel publishes several useful Privacy Fact Sheets covering privacy issues.
Protection of Paper Records
The Information Security Standards only apply to the security of UBC Electronic Information and Systems. For hardcopy records, see the fact sheet on Security of Paper Records, which is published by the University Archives.
Contact firstname.lastname@example.org if you have any questions about the Standards.