Compliance Support

Protecting UBC Information and Systems, Together.

Shared Goal

Protecting UBC information and systems is of critical importance to enabling fulfilment of UBC's vision, purpose and values. We partner across the university to support units in identifying and meeting their information security responsibilities. Together we protect the UBC community from a major privacy or information security breach.

Program Overview

The Compliance Support Program exists to communicate essential controls, clarify accountability for securing information systems, and support units in understanding their gaps so that they can develop plans and processes to improve security. The program will systematically engage with units across UBC in waves. It is essential that Administrative/Academic Heads of Units work with the program to identify key stakeholders and allow time for their teams to support the program.

The attestation will begin by focusing on Administrative Heads of Units (both Academic and Administrative portfolios) and IT Representatives. IT Representatives are focal points, appointed by each Administrative Head of Unit, for gathering technical information on the controls practised by the unit. In general, they will be the heads of IT departments where those exist, or otherwise the next most suitable staff member to centralize the gathering of the required information, e.g. a UBC IT Client Service Manager.

Accountability

Securing UBC information & systems in UBC’s custody is of critical importance to fulfill UBC’s vision, purpose & values.

  • The risk of a major privacy/information security breach is one of UBC’s top-rated institutional risks.
  • Administrative Heads of Units are responsible for establishing and maintaining UBC Electronic Information and Systems within their areas of responsibility.
  • In the event of an information security breach, the extent to which the unit is able to demonstrate compliance with the Information Systems Policy (specifically the essential controls) will influence the following decisions:
    1. Cost allocation associated with incident response and recovery
    2. The necessity of conducting a full audit of information security controls within the unit
    3. Performance assessments for individuals who have failed to carry out their responsibilities under the Information Systems Policy, including any appropriate performance management or disciplinary measures

If you would like to learn more about whether you are well-positioned to participate in the Compliance Support Program as the Administrative Head of Unit, please refer to the FAQ section below.

Important Links

Take Action Now

This program aims to support compliance with essential controls, establish clear accountability for information system security, and assist units in identifying and addressing any existing gaps.

To best prepare for Compliance Support engagement, we kindly request that the following proactive steps be taken:

Participation Benefits

Participation benefits units by:

  • Providing assurance that essential controls are in place, a clear path towards improvement, and an opportunity to advocate for the support required to provide secure systems
  • Communicating which information security controls are considered essential, helping clarify accountability for securing information systems, and supporting units in understanding their maturity so that they can develop plans and processes to improve security

Available Support

The Compliance Support Program exists to communicate essential controls, help clarify accountability for securing information systems, and support units in understanding their maturity so as to be able to develop plans and processes to improve security. It offers services including:

  • Advice on best practices and on the UBC support services and technologies available to help improve maturity
  • Attestation processes for Administrative Heads of Units and their IT Representatives to help surface any significant compliance gaps
  • Continuous follow-up on the key risks and mitigations identified

Self-Assessment Process

Resources

Frequently Asked Questions

Where is the Compliance Support in UBC’s organizational structure?

The Compliance Support area is part of PrISM (Privacy and Information Security Management), under the leadership of Michael Lonsdale-Eccles. PrISM is part of SRS (Safety & Risk Services), led by RaeAnn Aldridge, within the VPFO (VP Finance and Operations). Along with Compliance Support, PrISM is also responsible for all the PIAs/STRAs performed at UBC and for the Privacy and Information Security training offerings.

How will the attestation information be gathered?

Information will be collected through questions in the UBC Survey Tool (Qualtrics). Surveys will be distributed to in-scope Administrative Heads of Unit and their appointed IT Representatives.

Is the Compliance Support Program attestation going to be a standalone initiative?

It is expected to be a cyclical, ongoing process; however, that is yet to be decided.

Do all Administrative Heads of Units have to participate?

The Compliance Support Program is designed to cover all of UBC. However, in reality some Administrative Heads of Unit have very little accountability for information systems, because they have no staff, own no systems, or hold no responsibility for information security.

For this reason, when engaging with units we conduct a stakeholder analysis to identify the Administrative Heads of Unit who are appropriate to participate. The following guidance supports that decision and can be used to determine which Administrative Heads of Unit must participate and which need not.

Must participate (if any of the following apply):

  • Own a portfolio of applications or servers
  • Have an IT function reporting to them
  • Have staff who use UBC systems

Note: if the above apply but it is possible to group a number of departmental assessments into a single combined assessment, this is generally desirable. If IT support or people-management processes are highly inconsistent between the grouped departments, this approach is not advisable.

Are not required (if all of the following apply):

  • No information systems are owned by the department
  • Staff do not interact with UBC systems

What does good governance look like?

We have outlined six steps for implementing good governance. Importantly, the Administrative Head of Unit can implement these steps without any prior IT experience.