Information Security Standards
Revised Standards published January 2022Revisions to the Information Security Standards were published on January 27, 2022. View the complete Summary of Changes or learn more about the review process at https://cio.ubc.ca/security-standards-review.
As required under Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems, the CIO has published Information Security Standards that govern the use and protection of University data and computing resources. All Users of UBC Electronic Information and Systems are responsible and accountable for following these Standards.
The Standards are divided into two categories: User Standards (prefixed with a 'U') and Management and Technical Standards (prefixed with an 'M'). They are linked in the tables below, along with resources and links to assist Users with compliance. Learn more about the types of resources available:
To support all Users of UBC Electronic Information and System in meeting the requirements of the Standards, additional resources have been provided:
- Procedures are a mandatory series of actions or steps performed to comply with an Information Security Standard.
- Guidelines are non-mandatory details or suggestions on how to meet the requirements of an Information Security Standard.
- Checklists are designed to assist with the systematic review of compliance of one or more requirements within an Information Security Standard.
- Forms are documents designed to allow individuals to provide information as required by an Information Security Standard.
Links to resources that are referenced by specific Information Security Standards can be found in the tables below.
To learn more about the application of these Standards and how specific audiences should approach them, see the Roles & Responsibilities:
Below are the roles of individuals involved in the implementation of UBC's Information Security Standards:
|Role||Responsibilities||Delegation of Responsibilities|
|Chief Information Officer (CIO)||Has overall responsibility for the Information Security Standards, as set out in Policy SC14, section 3.||May delegate responsibilities to Associate Director, Information Security Management|
|Administrative Head of Unit||Ultimately responsible and accountable for establishing and maintaining UBC Electronic Information and Systems within their areas of responsibility, as set out in Policy SC14, section 6.
All Administrative Heads of Unit should understand what Standards exist, and take the necessary steps to delegate responsibility to the appropriate individuals for implementation.
|While always remaining accountable, may delegate responsibilities to Information Stewards/Owners, University IT Support Staff, and other individuals where appropriate.|
|Information Steward/Owner||Appointed by an Administrative Head of Unit to be responsible for a specified UBC System, database or collection of UBC electronic information. Determines:
|Technical Owner||Ultimately responsible for providing a system’s service/functionality to the campus. Often the Technical Owner is a manager or director. The Technical Owner is responsible for ensuring that operating procedures are developed that meet the policies, information security standards and guidelines as defined by the University.||n/a|
|University IT Support Staff||Assists the Administrative Head of Unit or delegate to implement Information Security Standards.
All University IT Support Staff should read and take responsibility for meeting the requirements in the Management and Technical Standards, in addition to their personal responsibility for the User Standards and providing assistance for Users in meeting the User Standards as necessary.
|User||Uses or accesses UBC Electronic Information and Systems. Must comply with all Information Security Standards relevant for Users.
All faculty and staff should read and take personal responsibility for meeting the requirements in the User Standards.
For more information about the Standards, see our Frequently Asked Questions. For a complete list of definitions of the dotted underlined terms used in the Standards, see the Glossary.
A single PDF version of the all the Information Security Standards is also available: Download the PDF
The Standards are subject to periodic reviews to adapt to changing expectations and risks. We encourage you to provide feedback by email to email@example.com. Learn more about the review process.