Policy, Standards & Resources

Information Security Standards

Revised Standards published January 2021

As part of the latest review cycle, revisions to the Information Security Standards were published on January 25, 2021, including a new Securing Internet of Things (IoT) Devices user standard. View the complete Summary of Changes or learn more about the review process at https://cio.ubc.ca/security-standards-review.

As required under Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems, the CIO has published Information Security Standards that govern the use and protection of University data and computing resources. All Users of UBC Electronic Information and Systems are responsible and accountable for following these Standards.

The Standards are divided into two categories: User Standards (prefixed with a 'U') and Management and Technical Standards (prefixed with an 'M'). They are linked in the tables below, along with resources and links to assist Users with compliance. Learn more about the types of resources available:

Types of Resources

To support all Users of UBC Electronic Information and Systems in meeting the requirements of the Standards, additional resources have been provided:

  • Procedures are a mandatory series of actions or steps performed to comply with an Information Security Standard.
  • Guidelines are non-mandatory details or suggestions on how to meet the requirements of an Information Security Standard.
  • Checklists are designed to assist with the systematic review of compliance of one or more requirements within an Information Security Standard.
  • Forms are documents designed to allow individuals to provide information as required by an Information Security Standard.

Links to resources that are referenced by specific Information Security Standards can be found in the tables below.

To learn more about the application of these Standards and how specific audiences should approach them, see the Roles & Responsibilities:

Roles & Responsibilities

Below are the roles of individuals involved in the implementation of UBC's Information Security Standards:

Role: Chief Information Officer (CIO)
Responsibilities: Has overall responsibility for the Information Security Standards, as set out in Policy SC14, section 3.
Delegation of Responsibilities: May delegate responsibilities to Associate Director, Information Security Management

Role: Administrative Head of Unit
Responsibilities: Ultimately responsible and accountable for establishing and maintaining UBC Electronic Information and Systems within their areas of responsibility, as set out in Policy SC14, section 6. All Administrative Heads of Unit should understand what Standards exist, and take the necessary steps to delegate responsibility to the appropriate individuals for implementation.
Delegation of Responsibilities: While always remaining accountable, may delegate responsibilities to Information Stewards/Owners, University IT Support Staff, and other individuals where appropriate.

Role: Information Steward/Owner
Responsibilities: Appointed by an Administrative Head of Unit to be responsible for a specified UBC System, database or collection of UBC electronic information. Determines:
  • the appropriate classification of this information (see the Security Classification of UBC Electronic Information standard);
  • how the information may be used;
  • who is authorized to access the information;
  • where the information may be stored;
  • what security measures must be used to protect the information; and
  • how to comply with any statutory or regulatory obligations that apply to the information.
Delegation of Responsibilities: n/a

Role: University IT Support Staff
Responsibilities: Assists the Administrative Head of Unit or delegate to implement Information Security Standards. All University IT Support Staff should read and take responsibility for meeting the requirements in the Management and Technical Standards, in addition to their personal responsibility for the User Standards and providing assistance for Users in meeting the User Standards as necessary.
Delegation of Responsibilities: n/a

Role: User
Responsibilities: Uses or accesses UBC Electronic Information and Systems. Must comply with all Information Security Standards relevant for Users. All faculty and staff should read and take personal responsibility for meeting the requirements in the User Standards.
Delegation of Responsibilities: n/a

For more information about the Standards, see our Frequently Asked Questions. For a complete list of definitions of the dotted underlined terms used in the Standards, see the Glossary.

A single PDF version of all the Information Security Standards is also available: Download the PDF

Std # Legacy Std # Standard Last Revised
Standards for All Users
U1 #1 Security Classification of UBC Electronic Information | PDF 2021-01
U2 #2 Passphrase and Password Protection | PDF 2021-01
U3 #3 Transmission and Sharing of UBC Electronic Information | PDF 2021-01
U4 #4 Reporting Information Security Incidents | PDF 2021-01
U5 #5 Encryption Requirements | PDF 2021-01
U6 #6 Working Remotely | PDF 2021-01
U7 #7 Securing Computing and Mobile Storage Devices/Media | PDF 2021-01
U8 #8 Destruction of UBC Electronic Information | PDF 2021-01
U9 #9 Outsourcing and Service Provider Management | PDF 2021-01
U10 #10 Accessing Electronic Accounts and Records | PDF 2021-01
U11 n/a Securing Internet of Things (IoT) Devices | PDF 2021-01
Management and Technical Standards
M1 #21 Requesting Variances from Information Security Standards | PDF 2021-01
M2 #11 User Account Management | PDF 2021-01
M3 #12 Privileged Account Management | PDF 2021-01
M4 #13 Securing User Accounts | PDF 2021-01
M5 #14 Vulnerability Management | PDF 2021-01
M6 #15 Security of Wi-Fi Infrastructure | PDF 2021-01
M7 #16 Cryptographic Controls | PDF 2021-01
M8 #17 Logging and Monitoring of UBC Systems | PDF | Resources 2021-01
M9 #18 Physical Security of UBC Datacentres | PDF 2021-01
M10 #19 Internet-facing Systems and Services | PDF 2021-01
M11 #20 Development and Modification of Software Applications | PDF 2021-01

Feedback

The Standards are subject to periodic reviews to adapt to changing expectations and risks. We encourage you to provide feedback by email to privacy.matters@ubc.ca. Learn more about the review process.