Multi-factor Authentication Required for myVPN Starting July 22, 2024 - Learn More

CSP - AHoU - Scope of Assessment

Scope of Assessment  

A. Department

Please state the name of the Unit (e.g. Department/Faculty/Administrative Unit) the answers you will be providing for this self-assessment questionnaire.

B. IT Representation

Please indicate the name of the person(s) who will be acting as the IT Representative(s) and will be responsible for answering the questions in the Technical Self-Assessment for your unit.

Why is this Essential?

The response identifies the IT Representative accountable for providing IT related services to the unit or department.


A separate self-assessment containing a questionnaire of management and technical controls will be distributed to the IT Representatives specified by you. The IT Representative, in general, will be the heads of IT departments, where those exist, or the next most suitable staff member to centralize the gathering of the required information, e.g. a UBC IT Client Service Manager.

C. Scope of Control

Are all of the systems managed within the unit you represent, under your control?

Control or Process Description​

For the purposes of this self-assessment, please consider UBC Electronic Information and Systems under your control to be those services and systems delivered or provisioned for, or managed by, your unit.

This DOES NOT include centrally supported services for broad UBC use, e.g. Workday, Team-share, OneDrive, Microsoft Teams.

This DOES include UBC Information Services and components (e.g. virtual servers, Software as a Service, developed applications or infrastructure services) provisioned for your unit.

UBC Information Services are an integrated set of components for collecting, storing, and processing data and for providing information, to obtain a desired outcome. They are usually comprised of multiple UBC Systems (e.g. servers, applications, endpoint devices etc.).


Usually, we would expect all the UBC Information Services within a unit to be under the control of the Administrative Head of Unit, however if this is not the case in your unit, this question is intended to help you scope your response.

Control in this context means you are ultimately accountable for funding, decision making and risk management associated with the system.

What is Acceptable?

For this question, if a system within your unit is not under your control, the minimum expectation is that they are identified, and the owner is established.

D. Impact Rating

Considering all of the systems under you control, what would the impact be to the University be if the highest risk system was compromised?

Select the severity level that corresponds to the most significant type of impact. E.g. if the reputational impact is the highest, and Significant best describes the impact, select Significant.

Impact Severity:
   1. Minimal      2. Minor      3. Significant      4. Major      5. Massive   

Control or Process Description​

Please identify the most highest risk system in your unit/environment and determine what would the impact be to UBC. Take into consideration the financial, reputational, operational, strategic and/ or academic impacts resulting from a cyber incident.

Why is this Essential?

The response identifies the severity of the impact due to a breach or a compromise of the highest risk system in the unit or department.

Reference Links​
Risk Register Guidelines & Instructions

Please use the Enterprise Risk Management - Severity of Impact sheet below to select the severity level that corresponds to the most significant type of impact.


What is Acceptable?

Identifying the highest risk system in the unit and an understanding what would the impact be to the University be if the highest risk system was compromised.

UBC Crest The official logo of the University of British Columbia. Urgent Message An exclamation mark in a speech bubble. Caret An arrowhead indicating direction. Arrow An arrow indicating direction. Arrow in Circle An arrow indicating direction. Arrow in Circle An arrow indicating direction. Chats Two speech clouds. Facebook The logo for the Facebook social media service. Information The letter 'i' in a circle. Instagram The logo for the Instagram social media service. Linkedin The logo for the LinkedIn social media service. Location Pin A map location pin. Mail An envelope. Menu Three horizontal lines indicating a menu. Minus A minus sign. Telephone An antique telephone. Plus A plus symbol indicating more or the ability to add. Search A magnifying glass. Twitter The logo for the Twitter social media service. Youtube The logo for the YouTube video sharing service. Bell Warning