Information Security Standards Review

To ensure that UBC's confidential data and information systems are safe from a data breach, the university has Information Security Standards that govern the use and protection of university data and computing resources. As required by Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems, all faculty and staff are responsible and accountable for following these standards.

The Information Security Standards are living documents, and are subject to periodic reviews to adapt to changing expectations, risks and technologies. The review cycle began in March 2018 with a large community feedback exercise. Since that time, the Information Security Standards Review Committee (composed of UBC faculty and staff with responsibilities related to privacy and information security who are experts in the content of the UBC Information Security Standards) has been drafting amendments to the standards for review and approval by the CIO. Details of the review process and timeline are below, including the Summary of Changes for each release of the standards.

Feedback

We always invite feedback relating to the Information Security Standards or the review process. Email your feedback directly to privacy.matters@ubc.ca.

Review Process/Timeline

2024 Review

Topic areas reviewed in 2024 included:

Email forwarding: UBC has updated Std U3, Transmission and Sharing of UBC Electronic Information, to more clearly state UBC’s email auto-forwarding policies, which do not permit forwarding to personal accounts and restrict forwarding to external business accounts to specific public bodies within British Columbia. A new ‘UBC Email Auto-forwarding Agreement’ has been introduced, requiring approvals and emphasizing adherence to UBC's Records Management Policy.

Incident response: Changes in Std U4, Reporting Information Security Incidents, and its supporting documents focus on updating UBC's cybersecurity incident response procedures to reflect current practices. In addition, there is a new protocol for isolating systems during "hands-on-keyboard" attacks.

Logging and monitoring: The primary change is the introduction and mandatory use of the UBC MyLogs service for log storage, especially for ERP logs which now must be stored there and are automatically retained for 365 days. While general logging and monitoring requirements remain largely the same, the document now explicitly favours the MyLogs service over other storage methods, while still allowing for alternative offsite secure storage when use of MyLogs is not possible.

Privacy Impact Assessments: The core change for this topic is the introduction of the Security Threat Risk Assessment (STRA) as a potential alternative to the Privacy Impact Assessment (PIA) for academic research projects using tools exclusively for research purposes. The standards reference the PIA & STRA webpage, which has been updated with detailed guidelines for the PIA and STRA processes.

Encryption: UBC’s encryption requirements have been significantly restructured, and include a new Storage Encryption Risk and Classification Model, which categorizes encryption into Tiers based on the level of protection they provide against various unauthorized access risks. Higher Tiers offer stronger protection, ranging from basic device-level encryption (Tier 1) to comprehensive application-level database encryption (Tier 3+).

This year's update also includes a range of changes across various standards, primarily focused on refining security practices and updating resources. Key changes include an update to the Sample Inventory in Std U1, and a streamlined process for Security and Confidentiality Agreements (SACAs). View the Summary of Changes for a complete list of revisions.

Timeline

  • March 2024: Selection of topics for review
  • April 2024 – Dec 2024: Working Group drafts amendments to the relevant standards and supporting documents, with consultation and feedback from subject matter experts and ISS Review Committee
  • January 2025: Presentation of draft revisions to the Information Security Standards Review Committee (ISSRC), including discussion and feedback; ISSRC approval of finalized amendments
  • Feb 2025: CIO review and approval of amendments
  • March 2025: Updated standards are published

2023 Review

The 2023 review included reframing the security classifications of UBC Electronic Information to become "Electronic Information and Services" and the introduction of a classification model for UBC Electronic Services, specifically Low Risk Service, Medium Risk Service, High Risk Service and Very High Risk Service. This classification model allows the addition or modification of specific controls in the Information Security Standards based on the confidentiality, availability and integrity risk of the services.

In addition, this year's review provided an update on the data residency requirements outlined in FIPPA, as well as a modification to the Criteria for Access to UBC Electronic Information without consent to clarify access when UBC is legally obligated to do so.

  • Jan 2023: Selection of next topics for review (prioritized)
  • Feb 2023 - Oct 2023: Working Group drafts amendments to the relevant Information Security Standards and supporting documents
  • Nov 2023: Presentation of drafts and updates to the Information Security Standards Review Committee (ISSRC), including discussion and feedback
  • Jan 2024: CIO review and approval of amendments
  • April 2024: Updated standards are published

2022 Review

Topic areas for review in 2022 included ‘Cyber Maturity Assessment and Security Framework Mapping’, ‘System Identification and Risk Classification’, and ‘Cloud and Containers’.

  • Jan 2022: Selection of next topics for review (updates across multiple standards)
  • Feb 2022 (ongoing): Working Group identifies affected standards and drafts amendments, with continual consultation and feedback from subject matter experts and ISS Review Committee

2021 Review

In February 2021, the ISS Review Committee began drafting amendments to standards based on topic areas, including ‘Access to personal information and records’ and ‘Multi-factor Authentication’.

  • Feb - Mar 2021: Selection of next topics for review (updates across multiple standards)
  • Mar 2021 – Oct 2021: Working Group identifies affected standards and drafts amendments, with consultation and feedback from subject matter experts and ISS Review Committee
  • Nov 2021: ISS Review Committee approves finalized amendments
  • Dec 2021: CIO review and approval of amendments
  • Jan 2022: Updated standards are published (View Summary of Changes)

2019/20 Review

In March 2019, the ISS Review Committee began drafting amendments to the next set of standards that had generated significant feedback. In addition, partial revisions were drafted to accommodate both changes in technology and the new minimum cybersecurity controls mandated by UBC Executive in support of UBC’s COVID-19 response, as well as changes to support the new “Securing IoT Devices” user standard. The Review Committee also proposed that the standards be renumbered – user standards are prefixed with a ‘U’, and Management and Technical Standards are prefixed with an ‘M’.

  • Mar - Apr 2019: Selection of next set of standards for review
  • May 2019 - Jun 2020: Working Group drafts amendments to the standards.
  • Jul - Aug 2020: Feedback gathering round (ISS Review Committee)
  • Sep 2020: Committee finalizes amendments
  • Oct 2020: Drafts published for UBC community awareness and feedback
  • Nov 2020: Committee finalizes amendments
  • Dec 2020: CIO decision and approval of amendments
  • Jan 2021: Updated and new standards are published (View Summary of Changes)

2018 Review

  • Mar 2018: Review Cycle began
  • Mar - Apr 2018: Feedback gathering round (View submitted comments)
  • May - Sep 2018: Committee drafts amendments to the standards that generated the most feedback (ISS #1,2,3,5,14)
  • Oct - Nov 2018: Feedback gathering round #2
  • Nov 2018: Committee finalizes amendments
  • Dec 2018: CIO decision and approval of amendments
  • Jan - Feb 2019: Other Information Security Standards and all related documents updated to reflect amendments
  • Mar 2019: Updated standards are published (View Summary of Changes)