Shared Goal
Protecting UBC information & systems is critical to fulfilling UBC’s vision purpose & values. We partner across the university to support units in identifying and meeting their information security responsibilities. Together we protect the UBC community from a major privacy or information security breach.
Program Overview
The Compliance Support Program exists to communicate essential controls, clarify accountability for securing information systems, and support units in understanding their gaps to be able to develop plans and processes to improve security. The program will be systematically engaging with units across UBC in waves. Administrative/Academic Heads of Units must work with the program to identify key stakeholders and allow time to enable their team to support the program.
The attestation will begin focusing on Administrative Heads of Units (both Academic and Administrative portfolios) and IT Representatives. IT Representatives are focal points to gather technical information on controls practiced by each unit, as appointed by each Administrative Head of Unit. In general, they will be the heads of IT departments, where those exist, or the next most suitable staff member to centralize the gathering of the required information e.g. a UBC IT Client Service Manager.
- Administrative Heads of Units are responsible for establishing and maintaining UBC Electronic Information and Systems within their areas of responsibility.
In the event of an information security breach, the extent to which the unit can demonstrate compliance with the information systems policy (specifically essential controls) will impact the following decisions:
- Cost allocation associated with incident response and recovery
- The necessity to conduct a full audit of information security controls within the unit
- Performance assessments for individuals who have failed to carry out their responsibilities under the Information Systems policy, including any appropriate performance management or disciplinary measures
If you would like to learn more about whether you are well-positioned to participate in the compliance support program as the Administrative Head of Unit, please refer to the FAQ section below.
- If you/your department has not done so already, all staff who are either Technical Owners of UBC systems or are University IT Support Staff must complete Privacy & Information Security – IT Professionals training
- Build an inventory of all servers with security patches and software updates (to ensure servers are regularly updated with the latest security patches and software updates).
- Ensure that Endpoint Detection and Response (EDR) solutions are installed on all servers, in accordance with established information security standards.
- Implement multi-factor authentication measures to safeguard your departmental VPN pools by adding an extra layer of protection against unauthorized access. Request Access to an IT Service for additional support.
- Conduct a review of your firewall rules to ensure they align with the current security requirements. Specifically, ensure that remote access ingress from the general VPN pool (SSH, RDP, etc.) is blocked. Contact UBC Cybersecurity for details.
- Restrict access from the general VPN pool to your departmental networks, limiting access to only authorized individuals as necessary. Contact UBC Cybersecurity for details.
Participation Benefits
Participation benefits units by:
- Assuring that essential controls are in place, a clear path toward improvement and an opportunity to advocate for the support required to provide secure systems
- Communicating which information security controls are considered essential, helping clarify accountability for securing information systems, and supporting units in understanding their maturity to be able to develop plans and processes to improve security
Available Support
The Compliance Support Program exists to communicate essential controls, help clarify accountability for securing information systems, and support units in understanding their maturity so as to be able to develop plans and processes to improve security. It offers services including:
- Advice in relation to best practices, UBC support services and technologies are available to support improved maturity
- Attestation processes for Administrative Heads of Units and their IT Representatives to help surface any significant compliance gaps
- Continuous follow-up on key risks and mitigations identified
The Compliance Attestation Process will support any UBC units, including faculties, administrative, and research units.
Frequently Asked Questions
Go Further...
- How to complete the self-assessment using ISORA?
- Policy SC14- Acceptable Use and Security of UBC Electronic Information and Systems
- Information Security Standards Glossary
- Defining University Glossary Terms Office of the CIO
- Privacy Matters @UBC - Personal Information, How to protect personal information online
- Subdomain Registration
- Data Governance at UBC
- UBC’s How to Stay Secure
- Policy, Standards and Resources