CSP - AHoU - Training


Training & Awareness


5. Training

Have you informed users and IT Support Staff within your unit of the importance of adhering to the Information Systems Policy and confirmed that they have completed both "Privacy & Information Security - Fundamentals" courses and "Privacy & Information Security - IT Professionals" training, as applicable to their role?


Control or Process Description

I have communicated the requirement to adhere to information security policy and to complete information security training. There is a process in place to follow up with users (employees, contractors, student appointments) who have not completed the required training.


Why is this Essential?

All employees of UBC and, where relevant, contractors and third-party users shall receive appropriate awareness training and regular updates on organizational policies and procedures, as relevant to their job function.

Information security is everyone's responsibility. User and IT professional training provides people with the information they need to protect UBC information and systems. People are often considered information security's weakest link.


Reference Links
Policy SC14 - Acceptable Use and Security of UBC Electronic Information and Systems
Privacy Matters @UBC – Training

Instructions

Training reporting can be generated by following the self-help instructions below.
How to Create Privacy Course Reports

The Administrative Head of Unit and the IT Representative should evaluate the report for accuracy and use the information to follow up with users. Please reach out to UBC PrISM Compliance (prism.compliance@ubc.ca) to report inconsistencies or if you have any questions.

Reporting in relation to contractors is not available.


What is Acceptable?

Training compliance stats have been reviewed and reminders have been sent. Although the expectation is that the unit is 100% compliant, achieving over 85% in the reports can be considered a 'yes' from a compliance reporting perspective.




6. Variances

Are users and IT Support Staff in your unit aware of the requirement for Administrative Heads of Units to request variances from the Information Security Standards and will they inform you when they believe one is required?


Control or Process Description

There is an ongoing process to set the expectation (e.g. through ongoing communications/questioning) that the Administrative Head of Unit be made aware of significant non-compliance with UBC's Information Security Standards.


Why is this Essential?

IT Representatives, System Owners, and custodians of data or systems are aware of the security requirements (policies, standards and controls), and especially of the risks of being non-compliant.

Non-compliance with the information security standards significantly increases the risk of a breach. Building a culture where risks and non-compliance issues are reported enables evaluation of the situation and the potential for compensating controls to be implemented with help from UBC IT & Cybersecurity.


Reference Links

Information Security Standards – M1 Requesting Variances from Information Security Standards

Instructions
Examples of Variance:
  • Legacy systems that are past End of Life and no longer supported by vendors. For example: computers running Windows 7 or Windows XP that control microscopes whose vendors do not support software upgrades to Windows 10 or other updateable systems.
  • EduCloud virtual server to stay in service after end-of-support, for a period of time to give the unit time to upgrade the operating system and validate the software running on it.
  • Request to share a common login/credential for a set of laptops to be used in a classroom by a large and varied number of students.
  • Compute node running an operating system/version which is non-compliant with UBC security policy requirements, such as "Ubuntu 14.04.3 LTS".
  • A server that, for technical reasons, cannot run CrowdStrike and is therefore out of compliance with UBC policy.
  • Cannot meet the password complexity requirements due to technological reasons.
  • Cannot implement/ enforce MFA to a certain authentication request.
  • Cannot meet encryption requirements in certain circumstances.
  • Data or a system that cannot be hosted in one of UBC's approved data centres.
  • Disabling vulnerability scanning of internet facing devices temporarily or long term due to technical reasons.

What is Acceptable?

The Administrative Head of Unit and the corresponding IT Representative, Technical System Custodian within the unit and System Owners actively discuss compliance with the Information Security Standards (ISS). When, for operational reasons, the unit is unable to comply with an ISS, this is reported to the Administrative Head of Unit. Administrative Heads of Unit are encouraged to seek a variance/support from the CIO.