About the initiative
Learn more about why privacy matters at UBC.
Privacy and information security at UBC is largely dependent on faculty and staff taking an active role in keeping data secure. UBC provides security tools such as anti-virus software, firewalls, and spam filtering. However, these tools can only do so much. We need your help.
The Privacy Matters @ UBC initiative aims to increase the awareness of privacy and information security at UBC. Higher education institutions are often the target of data breaches, which not only affect the individuals whose personal information is compromised, but also the organization experiencing the breach.
Through a comprehensive communication strategy and online training, our goal is to provide the campus community with the information needed to protect personal information and to keep UBC's data secure.
Privacy and Information Security Management (PrISM)
The mandate of PrISM is to enhance the privacy and security of information in electronic and hard-copy format through a series of campaigns related to technology, maintenance, data mapping and risk management, training, awareness, and communications.
Learn more about the current initiatives that are a part of PrISM.
Online Privacy and Information Security Training
PrISM has developed online privacy and information security training for all faculty and staff at UBC. This 20-30-minute training session will empower you to protect personal information and other confidential UBC information and systems.
Risk Assessment Process
RMS provides a risk management service to the University community to facilitate the identification and management of key privacy and information security risks related to the collection, use, storage, disclosure, and disposition of Personal Information (PI). In most cases, our approach is to:
- Perform PI data mapping, at the category or unit level, to determine what PI repositories exist (electronic and paper-based), and which ones present the highest risk.
- Identify opportunities to stop collecting high-risk PI, and any other PI, if it is not necessary to support the unit’s activities. Additionally, we explore ways to reduce the need to download PI from source systems and store it on mobile devices.
- Take a risk-based approach, and partner with units to perform PI risk assessments to determine if PI is handled in a secure manner. Currently available risk assessments include:
  - Operational Risk Assessment (ORA) – a management tool to assess at the department / unit level key risks and levels of compliance associated with end-user requirements defined in the Information Security Standards and Privacy Fact Sheets;
  - User Risk Assessment (URA) – an end-user tool built to support management’s completion of the ORA, and provide an educational tool that any employee can use to familiarize themselves with key privacy and information security requirements; and,
  - Application Risk Assessment (ARA) – a technical tool for IT personnel to assess the level of risk and compliance associated with the technical requirements defined in the Information Security Standards.
- Follow up with units semi-annually to obtain a progress report and provide any additional support that may be required for them to move into compliance with the University’s key privacy and information security requirements.
- A simple, practical action plan for units to reduce key risks and compliance gaps with the Privacy Fact Sheets and Information Security Standards, and a unit heat map to enable them to prioritize the actions based on the level of risk they are currently exposed to.
- Our work significantly informs other PrISM initiatives including:
  - Updates to the Information Security Standards – we provide feedback to UBC IT on areas that units are struggling to comply with and the reasons why.
  - Privacy & Information Security Training and Awareness – we provide common risk areas (identified during our risk assessment activities) to ensure these are addressed in a manner that helps educate employees on their responsibilities.
Encryption is the most effective way to keep your personal information and UBC’s data secure. Encryption is a method of making information unreadable in order to protect it from unauthorized access. When information is encrypted, a password is required to make it readable again.
UBC policy and British Columbia law require all mobile devices (including laptops) that are used to store confidential information to be encrypted. The PrISM team is working to encourage encryption of all devices used for work purposes by departments and faculties at UBC. Learn more about encryption.
Awareness and Communication
The awareness and communication project is working to increase education and awareness to change behavior and build a privacy and information security conscious culture. The Privacy Matters @ UBC initiative was created to ensure that all faculty and staff are regularly exposed to communications about privacy and information security requirements. The comprehensive communications strategy is working to sustain awareness and engagement among faculty and staff at UBC.
UBC Cybersecurity Confidential Communications
In a continued effort to increase the dialogue and transparency about cybersecurity at UBC, we will be relaunching the confidential communications website for information security. This site will be a secure, non-public environment meant for UBC staff, faculty, researchers, and affiliates. The information posted on the website is confidential and is therefore subject to specific access and sharing restrictions.
Basic access to this site requires Campus-Wide Login (CWL) credentials. If you are located off-campus, a myVPN connection is required. As an added level of security, users are required to apply for access to privileged information. A request form is available after logging in to the new site and accepting the Terms and Conditions. The website is now available at cc.cybersecurity.ubc.ca.
Network Security Upgrades (Phase 1)
As part of the ongoing effort to enhance cybersecurity at UBC, network security upgrades will be implemented at the UBC Okanagan campus for all university-based wired and wireless networks (ubcsecure, ubcvisitor, ubcprivate, and eduroam). This upgrade will add a layer of protection to prevent unintentional visits to malicious websites.
After the upgrade, if a user on the UBC network accidentally clicks on a link to a high-risk website, their browser will redirect them to a block page. Only websites that are known to be malicious will be blocked by the system, including:
- Malware sites that host malicious software, mobile threats, and more
- Phishing sites that aim to trick users into handing over personal or financial information
- ‘Command and Control Callbacks’ that allow compromised devices to communicate with an attacker’s infrastructure
Please note: this process is automatic and this new service will not track or log individual user website activity.
The network security upgrade at UBC Okanagan is Phase 1 of this project and we will be making similar upgrades at the Vancouver campus within the next few months. More details will be made available shortly.
Information Security Standards Review
To ensure that UBC’s confidential data and information systems are safe from a data breach, the university has Information Security Standards that govern the use and protection of university data and computing resources. As required by Policy #104, Acceptable Use and Security of UBC Electronic Information and Systems, all faculty and staff are responsible and accountable for following these standards.
These Information Security Standards are subject to periodic reviews to adapt to changing expectations and risks. The next review cycle begins this year. All staff and faculty are invited to provide feedback on the standards. You can provide feedback at privacymatters.ubc.ca/issreview or by emailing email@example.com.
All feedback will be forwarded to the members of a review team made up of staff and faculty members for analysis. The team will then publish draft amendments to the standards for comment by the campus community. The team will then make final amendments and forward them to the Chief Information Officer for approval.
The current information security standards can be found at https://cio.ubc.ca/information-security-standards
All are encouraged to participate in this important process and your input is greatly appreciated.
As part of our ongoing effort to enhance cybersecurity at UBC, we will be introducing multi-factor authentication (MFA) across the university within the next year. By adding MFA to frequently used university applications, we will strengthen access security by requiring two or more methods to verify a user’s identity. We are amongst the first universities in Canada to introduce multi-factor authentication broadly into our applications, joining other organizations including Facebook, Harvard, and MIT.
We are currently working with Duo Security to create an experience that is as seamless and simple as possible. The first phase of the project will include multi-factor authentication for:
- Several high-traffic sites and applications used by UBC IT employees
- UBC IT VPN Pool
We will provide regular updates about the project within the next few months on this website.