CSP - AHoU - Scope of Assessment

 

Scope of Assessment

 

A. Department

Please state the name of the Unit (e.g. Department/Faculty/Administrative Unit) for which you will be providing the answers in this self-assessment questionnaire.




B. IT Representation

Please indicate the name of the person(s) who will be acting as the IT Representative(s) and will be responsible for answering the questions in the Technical Self-Assessment for your unit.

Why is this Essential?

The response identifies the IT Representative accountable for providing IT-related services to the unit or department.


Instructions

A separate self-assessment containing a questionnaire of management and technical controls will be distributed to the IT Representatives you specify. The IT Representative will generally be the head of the IT department, where one exists, or the next most suitable staff member able to centralize the gathering of the required information, e.g. a UBC IT Client Service Manager.




C. Scope of Control

Are all of the systems managed within the unit you represent under your control?


Control or Process Description

For the purposes of this self-assessment, please consider UBC Electronic Information and Systems under your control to be those services and systems delivered or provisioned for, or managed by, your unit.

This DOES NOT include centrally supported services for broad UBC use, e.g. Workday, Team-share, OneDrive, Microsoft Teams.

This DOES include UBC Information Services and components (e.g. virtual servers, Software as a Service, developed applications or infrastructure services) provisioned for your unit.

UBC Information Services are an integrated set of components for collecting, storing and processing data, and for providing information, in order to obtain a desired outcome. They usually comprise multiple UBC Systems (e.g. servers, applications, endpoint devices, etc.).


Instructions

Usually, we would expect all UBC Information Services within a unit to be under the control of the Administrative Head of Unit. If this is not the case in your unit, this question is intended to help you scope your response.

Control in this context means you are ultimately accountable for funding, decision making and risk management associated with the system.


What is Acceptable?

For this question, if a system within your unit is not under your control, the minimum expectation is that it is identified and its owner is established.





D. Impact Rating

Considering all of the systems under your control, what would the impact to the University be if the highest-risk system were compromised?

Select the severity level that corresponds to the most significant type of impact. For example, if the reputational impact is the highest and "Significant" best describes that impact, select Significant.

Impact Severity:
1. Minimal  2. Minor  3. Significant  4. Major  5. Massive

 
Control or Process Description

Please identify the highest-risk system in your unit/environment and determine what the impact to UBC would be if it were compromised. Take into consideration the financial, reputational, operational, strategic and/or academic impacts resulting from a cyber incident.


Why is this Essential?

The response identifies the severity of the impact due to a breach or a compromise of the highest risk system in the unit or department.


Reference Links
Risk Register Guidelines & Instructions

Instructions
Please use the Enterprise Risk Management - Severity of Impact sheet below to select the severity level that corresponds to the most significant type of impact.

Impact Severity

What is Acceptable?

Identifying the highest-risk system in the unit and understanding what the impact to the University would be if that system were compromised.