In June 2013, after an extensive drafting and consultation process, Policy 104 (Acceptable Use and Security of UBC Electronic Information and Systems) was approved by the Board of Governors to replace two older policies, Policy 104 (Responsible Use of Information Technology Facilities and Services) and Policy 106 (Access to and Security of Administrative Information).
Policy 104 requires the Chief Information Officer (CIO) to publish Information Security Standards regarding the security of UBC Electronic Information and Systems. The Information Security Standards were published in August 2014.
The Policy and Standards apply to all Users of UBC Electronic Information and Systems that are intended to be used for University Business. Essentially all University-supported administrative, academic and research activity is covered by these requirements.
The purpose of the Information Security Standards is to maintain the availability and integrity of UBC Electronic Information and protect it from unauthorized access, disclosure or deletion, and to protect UBC Systems from disruption. Specifically, the Standards are intended to reduce system "down-time", improve productivity, eliminate data breaches, and comply with data protection laws such as the Freedom of Information and Protection of Privacy Act.
The Standards were created with reference to information security best practice frameworks published by the International Standards Organization, Payment Card Industry, and the BC Office of the Information and Privacy Commissioner. All requirements were adjusted, as required, to reflect the maturity level of the University's IT systems and information management practices. The goal of the process was to strike a balance between UBC's need for simple, straightforward information security rules and the legal requirement to implement "reasonable security measures" for the protection of Personal Information.
The Information Security Standards were developed in 2013 - 2014 by representatives of UBC Information Technology, Risk Management Services, and the Office of the University Counsel. They were distributed to the University community for consultation and were also reviewed by the Information Security Governance Committee, an advisory body with representatives from faculty and administrative units across campus. Drafts were approved by the Chief Information Officer in March 2014. Feedback was provided by the community during a broad review in the summer of 2014. The Standards were published in final form in August 2014 to allow Faculties and Departments to commence implementation planning. The Standards will be reviewed periodically to address any additional feedback and concerns.
The Standards are considered living documents and will be reviewed twice in the first year (January and July 2015) and annually after the first year to address ongoing concerns or questions. Every comment or question received is carefully reviewed and the Standards are amended where necessary.
Application of the Standards
All Users are required to follow the Standards. Where a Standard says that Users "must" or are "required" to do something, this is a mandatory requirement under the authority of Policy 104. Where a Standard says that Users "should" or are "recommended" to do something, this is not mandatory; it is a guideline.
The Information Security Standards cover a wide variety of topics. For convenience, the Standards are divided into two categories: those that are applicable to all Users, and Management & Technical Standards that are mainly applicable to University IT Support Staff and Administrative Heads of Unit.
Compliance with the Standards
This website contains an array of resources to assist Users in complying with the Information Security Standards, including procedures, guidelines, forms and checklists. For more information about these documents, see the Resources page.
In the fall of 2014, risk assessment tools will be created and piloted to assist Departments and Faculties in ensuring that key privacy and information security risks related to Personal Information are reasonably managed.
While there are many requirements in the Standards, many of them only apply to Confidential information because this information poses the highest risk to UBC if it is not adequately protected. For Users handling lower-risk types of information, including most teaching and research information, it should not take a significant amount of time to meet the requirements in the Standards.
While the Information Security Standards were finalized in August 2014, it is recognized that there needs to be a transition period before Users of UBC Electronic Systems and Information are in a position to fully meet all of the requirements in these documents. Therefore, we have prepared an example implementation roadmap to provide guidance in meeting the requirements of the Standards. This roadmap was developed using a risk-based approach, taking into account the sensitivity of the information in question as well as the complexity of the requirements in the Standards. The dates in the example implementation roadmap are merely intended to be illustrative. If they do not meet your needs, your Administrative Head of Unit may develop a roadmap that is better suited to the needs of your Department or Faculty. UBC IT is always available to assist in development of implementation roadmaps.
It is recognized that some units may have specific circumstances that merit a variance from the Information Security Standards. Administrative Heads of Unit that wish to deviate from these Standards must request a variance from the Chief Information Officer, in accordance with the Standard on Requesting Variances from Information Security Standards.
Protection of Personal Information
The Freedom of Information and Protection of Privacy Act (FIPPA) requires the University to protect Personal Information, which is defined as "recorded information about an identifiable individual" (with the exception of the names and work contact information of University employees). Failure to protect Personal Information may be investigated by the provincial Information and Privacy Commissioner. If the Commissioner determines that there has been a privacy breach, this may result in a fine of up to $500,000. The University is required to take 'reasonable' measures to protect Personal Information, which should depend on the sensitivity of the information. Therefore, highly sensitive information such as SINs, financial history or personal health information is subject to more stringent controls.
Students' names fall under the legal definition of Personal Information ("recorded information about an identifiable individual") and are therefore protected under the terms of the Freedom of Information and Protection of Privacy Act (FIPPA). Names, by themselves, are considered to be 'lower-risk' Personal Information, which does not require the same level of protection as personal financial or health information. While the unauthorized access or disclosure of a single class list would probably not have serious consequences, the disclosure of other personal information about students, such as their grades, contact information or counselling records, could be a serious matter.
Like many organizations, UBC requires work to be conducted using business email systems such as FASmail. Gmail and other services that are hosted in the "cloud" are not suitable for work purposes for the following reasons:
- Privacy: The Freedom of Information and Protection of Privacy Act (FIPPA) requires Personal Information to be stored and accessed in Canada. Since Gmail is hosted outside Canada, it should not be used by UBC faculty or staff to transmit Personal Information.
- Security: UBC has an obligation to ensure that Confidential or Sensitive information is reasonably secure from unauthorized use or disclosure. It cannot guarantee the safety of the information if it is stored in a personal email account on Gmail.
- Records management: UBC's Records Management Policy requires staff and faculty members to manage and preserve records of value, which includes email messages. Emails that are stored on external email accounts may not be preserved as required under that policy.
The Freedom of Information and Protection of Privacy Act (FIPPA) requires all mobile devices -- including laptops, tablets, smartphones and mobile storage media such as USB keys -- to be encrypted if they are used to store Personal Information. Since mobile devices are vulnerable to loss, damage or theft, it is especially important to ensure that these devices are adequately protected. It is also essential to ensure that data from these devices is regularly backed up to a secure location.
For Users' convenience, tablets and smartphones are permitted to have a weak (5-digit) password, which does not meet minimum standards under the Freedom of Information and Protection of Privacy Act (FIPPA). Therefore, we need to have compensating controls in place to ensure that these devices are adequately protected from unauthorized access. One of these controls is a feature that automatically erases data if 10 consecutive incorrect passwords are entered. This feature has been in place for years on FASmail with not one case of accidental wiping reported to date. Furthermore, some operating systems have a time delay feature requiring the user to wait a progressively longer period of time after each bad password is entered.
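The following is an added illustration, not part of the original page or any UBC system, of why a 5-digit passcode becomes acceptable once a wipe-after-10 rule and a progressive delay are enforced: it models the lockout as a small state machine and quantifies the guessing budget it leaves. The delay schedule is a constructed assumption, not a vendor or UBC setting.

```python
# Model of the compensating controls for a short numeric passcode:
# wipe after N consecutive failures plus a progressive delay.
# The delay schedule below is constructed for illustration only.

PIN_DIGITS = 5      # 5-digit passcode, as stated on the page
WIPE_AFTER = 10     # consecutive failures before wipe, as stated on the page

# Assumed delay (seconds) imposed once the failure count reaches the key;
# failure counts not listed carry no delay.
ASSUMED_DELAYS = {5: 60, 6: 300, 7: 900, 8: 3600, 9: 3600}


def keyspace(digits=PIN_DIGITS):
    return 10 ** digits


def guess_probability(attempts=WIPE_AFTER, digits=PIN_DIGITS):
    """Chance a uniformly random passcode is hit within `attempts` distinct guesses."""
    return min(attempts, keyspace(digits)) / keyspace(digits)


class LockoutPolicy:
    """Tracks consecutive failures and enforces the delay and wipe thresholds."""

    def __init__(self, wipe_after=WIPE_AFTER, delays=ASSUMED_DELAYS):
        self.wipe_after, self.delays = wipe_after, delays
        self.failures, self.wiped = 0, False

    def delay_before_next(self):
        return self.delays.get(self.failures, 0)

    def attempt(self, correct):
        if self.wiped:
            raise RuntimeError("device wiped; no further attempts accepted")
        if correct:
            self.failures = 0          # a good passcode resets the counter
            return "unlocked"
        self.failures += 1
        if self.failures >= self.wipe_after:
            self.wiped = True
            return "wiped"
        return f"rejected (wait {self.delay_before_next()}s)"


def time_to_exhaust(policy=None):
    """Total seconds of enforced waiting before guessing triggers the wipe."""
    p = policy or LockoutPolicy()
    total = 0
    while not p.wiped:
        total += p.delay_before_next()
        p.attempt(False)
    return total
```

With these assumptions an attacker gets only 10 of 100,000 possible codes (a 0.01% chance) and must wait 8,460 seconds to use them all, which is the trade-off the compensating controls rely on.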
Your mobile device should never be the sole storage location for your important data. As these devices are vulnerable to loss, theft or damage, they must be regularly backed up to a secure location.
The Office of the University Counsel publishes several useful Privacy Fact Sheets covering privacy issues.
Protection of Paper Records
The Information Security Standards only apply to the security of UBC Electronic Information and Systems. For hardcopy records, see the fact sheet on Security of Paper Records, which is published by the University Archives.
Contact firstname.lastname@example.org if you have any questions about the Standards.