# Essential Controls

## Essential Controls - Administrative Head of Unit

Each control is listed with the standard and section that requires it.

- U1 3.2 The Administrative Head of Unit is responsible for knowing the types of UBC Electronic Information under their control, its information security classification and where it is stored. In order to comply with our legal obligations, it is recommended that the Administrative Head of Unit keep an inventory of the types of records that contain High Risk and/or Very High Risk Information. At a minimum, the inventory should contain the type of information, a description and the storage location. Refer to the sample inventory attached to this standard. This responsibility may be delegated to the Information Steward/Owner.
- U7 6.1 Central UBC IT support staff must maintain an inventory of UBC-owned laptops and desktops that they have deployed, including which Users these Devices are assigned to. All other University IT Support staff are recommended to maintain such inventories.

- M2 2.1 Applications for User Accounts must be reviewed and approved by Information Steward/Owners, and a record must be kept of all Users being granted these accounts and of who provided the authorization. This record must be retained for at least one year.
- M3 3.2 Unnamed Privileged Accounts may be shared between multiple Users. However, for all privileged account types, a single individual must be assigned accountability for the security of the account.
- M2 5.1 Users' access rights must be reviewed at regular intervals to ensure they remain aligned with current roles and responsibilities. The frequency of the review must be risk based (e.g. access rights to High or Very High Risk Information such as Personal Health Information should be reviewed more frequently than access rights to Medium Risk Information, which may do less harm if exposed to unauthorized individuals).
- M3 6.1 Access to Privileged Accounts must be reviewed at an interval stipulated by the Technical Owner of the UBC System (in consultation with the Administrative Head of Unit), or at a minimum annually, to validate that it remains restricted to authorized personnel. Discrepancies must be reported in a timely manner to the Technical Owner for resolution.

- U7 2.1 Any UBC Electronic Information stored on the Device must be regularly backed up to a secure location and checked periodically (preferably quarterly) to ensure the integrity and availability of the information, such that it can be restored. See the Backup guideline.

- U4 1.2 Standards for Users to report any suspicious incidents relating to the security of UBC Electronic Information and Systems. University IT Support Staff (including both departmental IT and UBC IT staff) are responsible for handling security incidents in coordination with UBC Cybersecurity.
- SC14 6.1.6 Ensuring that breaches and potential breaches of this policy occurring within their unit are resolved and/or referred to the CIO, as appropriate, and that where they are so referred, continuing to assist in the investigation, preserving evidence where required.
- U4 2.1 Users must report the following information security incidents (if there is uncertainty whether a violation has occurred, Users must err on the side of caution and report the incident anyway):

- SC14 6.1.7 Ensuring that technical staff within their unit are aware of and adhere to this policy, and that they support University standards in the design, installation, maintenance, training, and use of UBC Electronic Information and Systems.
- SC14 6.1.8 Working with UBC Information Technology to make training and other information and resources necessary to support this policy available to Users in their unit.

- M1 1.1 In order to protect University information assets, the Chief Information Officer (CIO) has issued binding Information Security Standards. Academic and administrative units that wish to deviate from these Information Security Standards are required to request a variance from the CIO.

- U9 2.2 In addition to the requirement to use the Service Provider Security Checklist, a Privacy Impact Assessment (PIA) is required if Personal Information is involved. Please refer to the PIA Process Overview for more information.

- U9 5.1 Service Providers must sign a Security and Confidentiality Agreement (SACA) prior to being granted access to Medium, High or Very High Risk Information. The Administrative Head of Unit may request the Office of the University Counsel to grant a waiver of the requirement for a SACA where the primary contract with the Service Provider contains equivalent privacy and security language. Doctors, lawyers, accountants, auditors, psychologists and other professionals who are bound by a duty of confidentiality do not need to sign a SACA.

- M8 2.1 The following key activities must be logged:
- M8 2.3 Logs provide valuable information that can be used to validate the integrity and confidentiality of UBC Electronic Information; to be effective, logs must be:

- U3 5.1 Due to the sensitivity of Payment Card Industry (PCI) Information, it is subject to the following additional requirements:
- M6 5.1 Users responsible for Merchant Systems must:
- M10 4.1 University IT Support staff must configure Remote Access technologies used in Merchant Systems to automatically disconnect User sessions after a specific period of inactivity. 30 minutes is recommended.

- M11 5.1 Web Applications used to conduct University Business must be provisioned within the ubc.ca domain name space, e.g. widget.ubc.ca, unless not technically possible.
## Essential Controls - IT Representative

- U1 3.2 The Administrative Head of Unit is responsible for knowing the types of UBC Electronic Information under their control, its information security classification and where it is stored. In order to comply with our legal obligations, it is recommended that the Administrative Head of Unit keep an inventory of the types of records that contain High Risk and/or Very High Risk Information. At a minimum, the inventory should contain the type of information, a description and the storage location. Refer to the sample inventory attached to this standard. This responsibility may be delegated to the Information Steward/Owner.
- U7 6.1 Central UBC IT support staff must maintain an inventory of UBC-owned laptops and desktops that they have deployed, including which Users these Devices are assigned to. All other University IT Support staff are recommended to maintain such inventories.

- SC14 6.1.7 Ensuring that technical staff within their unit are aware of and adhere to this policy, and that they support University standards in the design, installation, maintenance, training, and use of UBC Electronic Information and Systems.
- SC14 6.1.8 Working with UBC Information Technology to make training and other information and resources necessary to support this policy available to Users in their unit.

- U3 5.1 Due to the sensitivity of Payment Card Industry (PCI) Information, it is subject to the following additional requirements:
- M6 5.1 Users responsible for Merchant Systems must:
- M10 4.1 University IT Support staff must configure Remote Access technologies used in Merchant Systems to automatically disconnect User sessions after a specific period of inactivity. 30 minutes is recommended.

- U4 1.2 Standards for Users to report any suspicious incidents relating to the security of UBC Electronic Information and Systems. University IT Support Staff (including both departmental IT and UBC IT staff) are responsible for handling security incidents in coordination with UBC Cybersecurity.
- SC14 6.1.6 Ensuring that breaches and potential breaches of this policy occurring within their unit are resolved and/or referred to the CIO, as appropriate, and that where they are so referred, continuing to assist in the investigation, preserving evidence where required.
- U4 2.1 Users must report the following information security incidents (if there is uncertainty whether a violation has occurred, Users must err on the side of caution and report the incident anyway):

- U5 3.1 Encryption requirements apply to Devices, whether UBC-supplied or personally-owned, that are used to access UBC Electronic Information and Systems, or that store UBC Electronic Information. For more information, see the Device Encryption requirements.

- Computing Devices used for University Business must comply with the following electronic security requirements.
  - Endpoint Detection and Response (EDR)
    - Servers: EDR software approved by the CISO must be installed on all UBC-owned Servers.
    - Workstations: EDR software approved by the CISO must be installed on all UBC-owned Workstations, where technically possible.
    - On Computing Devices not required to have EDR, install up-to-date anti-malware and spyware cleaning software (except for smartphones and tablets that do not offer this feature) and configure it to update at least once per day. See the UBC IT Malware Protection page.
  - Automatic Blocking of Malicious Websites
    - Servers: Servers on-premises and in the cloud (Infrastructure as a Service) must be protected by a DNS firewall. It is recommended that on-premises Servers use UBC Domain Name Servers, which make use of DNS firewall protection.
    - Workstations: UBC-owned Devices that access, process or store Medium, High or Very High Risk Information must be protected by a DNS firewall. It is recommended that on-premises Devices use UBC Domain Name Servers, which make use of DNS firewall protection. For all other Devices, a DNS firewall is recommended.
  - Firewalls: Install and configure firewalls (except for tablets and smartphones that do not offer this feature).

- M5 6.2 Firewalls are only as effective as their Access Control List (ACL) rule set, which determines how traffic is blocked or passed. Firewall ACL rule sets must be configured as follows:

- U7 2.1 The Device must run a version of its operating system for which security updates continue to be produced and are available. If this is not possible, see the Vulnerability Management standard for compensating controls. If the Device is University-owned, software updates must not be impeded, and no unauthorized changes may be made to the Device.

- M5 2.1 University IT Support Staff are responsible for subscribing to the appropriate notification services to ensure they are aware of new vulnerabilities and corresponding patches as soon as they are available.

- M5 2.5 Unpatched software is frequently exploited by malicious individuals to access information or resources. To mitigate this threat, vendor-provided patches for UBC Systems (e.g. operating systems, applications, databases, etc.) must be applied, with service outages where required, in accordance with the Severity Ratings for Vulnerabilities (CVSS) or as defined by the vendors or other third parties, as follows:

- M5 3.3 University IT Support Staff have the responsibility to obtain a vulnerability scan for all new or substantially modified Internet-facing servers and applications attached to the UBC network prior to going into production. Any detected vulnerabilities must be resolved in accordance with their severity, as outlined in section 2.5 above; rescans are required until passing results are obtained.

- M5 3.4 University IT Support Staff must not block UBC's Vulnerability Scanners.

- U7 2.1 Any UBC Electronic Information stored on the Device must be regularly backed up to a secure location and checked periodically (preferably quarterly) to ensure the integrity and availability of the information, such that it can be restored. See the Backup guideline.

- U9 2.1 Before Service Providers provision software applications or are granted access to UBC Electronic Information and Systems, information security risks must be assessed and managed using the Service Provider Security Checklist.
- U9 5.1 Service Providers must sign a Security and Confidentiality Agreement (SACA) prior to being granted access to Medium, High or Very High Risk Information. The Administrative Head of Unit may request the Office of the University Counsel to grant a waiver of the requirement for a SACA where the primary contract with the Service Provider contains equivalent privacy and security language. Doctors, lawyers, accountants, auditors, psychologists and other professionals who are bound by a duty of confidentiality do not need to sign a SACA.

- U9 2.2 In addition to the requirement to use the above checklist, a Privacy Impact Assessment (PIA) is required if Personal Information is involved. Please refer to the PIA Process Overview for more information.

- M2 2.1 Applications for User Accounts must be reviewed and approved by Information Steward/Owners, and a record must be kept of all Users being granted these accounts and of who provided the authorization. This record must be retained for at least one year.
- M3 3.2 Unnamed Privileged Accounts may be shared between multiple Users. However, for all privileged account types, a single individual must be assigned accountability for the security of the account.

- M2 5.1 Users' access rights must be reviewed at regular intervals to ensure they remain aligned with current roles and responsibilities. The frequency of the review must be risk based (e.g. access rights to High or Very High Risk Information such as Personal Health Information should be reviewed more frequently than access rights to Medium Risk Information, which may do less harm if exposed to unauthorized individuals).
- M3 6.1 Access to Privileged Accounts must be reviewed at an interval stipulated by the Technical Owner of the UBC System (in consultation with the Administrative Head of Unit), or at a minimum annually, to validate that it remains restricted to authorized personnel. Discrepancies must be reported in a timely manner to the Technical Owner for resolution.

- M4 2.6 Default vendor passwords must be changed following the installation of systems or software.

- M4 3.2 Authentication systems for User Accounts must be adequately protected from password cracking using at least one of the following methods:

- M4 3.3 Authentication systems must not store account passwords in clear text. Where possible, passwords should be stored using a strong cryptographic hash and salted.
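M4 3.3 says passwords must never be stored in clear text and should be stored salted under a strong cryptographic hash. The block below is an added illustration of what that looks like in practice; it is not code from UBC or from the standard. It uses a random per-account salt, a deliberately slow key derivation (PBKDF2-HMAC-SHA256 is chosen here because it ships in the Python standard library; scrypt or Argon2 are stronger where available), a self-describing storage record, and constant-time verification. The iteration count, record format and the sample accounts are assumptions made for this example. The unsalted SHA-256 function is included only to show the pattern the control rules out.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor and sizes are assumptions for this example, not values from the
# UBC standard. 600,000 PBKDF2-HMAC-SHA256 iterations is in line with current
# OWASP guidance; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$hash_hex.

    A fresh random salt is drawn per call, so two accounts with the same
    password get different records and a precomputed (rainbow) table is useless.
    The iterations and salt are stored with the hash so they can be raised
    later without breaking verification of existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=KEY_BYTES)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record and compare
    in constant time, so response timing does not reveal how many bytes matched."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(hash_hex)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations),
                                     dklen=len(expected))
    except ValueError:
        # Malformed record: wrong field count, bad hex, or a non-positive
        # iteration count. Treat it as a failed login rather than crashing.
        return False
    return hmac.compare_digest(actual, expected)


def unsalted_sha256(password: str) -> str:
    """The pattern M4 3.3 rules out: a fast, unsalted hash. Identical passwords
    give identical hashes and SHA-256 is cheap to brute-force offline.
    Present only for contrast; never use this for credentials."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample accounts that happen to share a password.
    users = {"alice": "correct horse battery staple",
             "bob": "correct horse battery staple"}

    weak = {u: unsalted_sha256(p) for u, p in users.items()}
    print("unsalted records identical:", weak["alice"] == weak["bob"])

    store = {u: hash_password(p) for u, p in users.items()}
    print("salted records identical:  ", store["alice"] == store["bob"])

    print("alice, correct password:", verify_password(users["alice"], store["alice"]))
    print("alice, wrong password:  ",
          verify_password("Correct horse battery staple", store["alice"]))
```

Because the iteration count travels with the record, an authentication system can raise the work factor for new passwords and re-hash older ones at next successful login, which is how a deployed system keeps pace with faster cracking hardware without a forced reset.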
- M7 2.4 Whenever a password or passphrase is used as an encryption key ("Key"), it must follow the standards defined in the Passphrase and Password Protection standard, which details strong password/passphrase construction. Keys that are compromised (e.g. lost or stolen) must be reported immediately in accordance with the Reporting Information Security Incidents standard. The Key must be revoked or destroyed and a new Key generated. Key re-assignments require re-encryption of the data.
- M7 4.1 For encryption to be effective, encryption Keys must be protected against unauthorized disclosure, misuse, alteration or loss. In order to reduce the risk of loss or exposure of Keys, it is recommended that all Key management processes be performed with automated software. A Key management plan must also be in place that covers the following process areas:

- M7 2.6 The following requirements apply to X.509 certificates:
- M7 2.6.4 X.509 certificates may be purchased under the University's Enterprise account, via security@ubc.ca.

- M8 2.1 The following key activities must be logged:
- M8 2.3 Logs provide valuable information that can be used to validate the integrity and confidentiality of UBC Electronic Information; to be effective, logs must be:

- M9 1.3 The University has a responsibility to protect High and Very High Risk Information from unauthorized viewing and use. In particular, the BC Freedom of Information and Protection of Privacy Act (FIPPA)[1] and Policy GA4, Records Management[2] require public bodies to implement reasonable and appropriate security arrangements for the protection of Personal Information (in both electronic and paper format). Therefore, servers containing significant quantities of High or Very High Risk Information must be hosted in UBC Datacentres or on third-party servers that have a level of security equivalent to this standard. Where appropriate, Low and Medium Risk Information may also be hosted in UBC Datacentres.

- M10 3.1 Secure transmission of Medium, High or Very High Risk Information must comply with the following requirements:
- M10 3.4.1 Multi-Factor Authentication (MFA) must be used;
- M10 3.4.2 remote access servers (e.g. terminal server, VDI, Remote Access Gateways, etc.) must be located in the DMZ and use strong encryption for server-to-User transmissions, e.g. RDP with Network Level Authentication, SSH with AES-256 encryption, etc.;
- M10 3.4.3 host desktops, laptops or servers not located in the DMZ must be remotely accessed via a Remote Access Gateway, VPN or SSH.

- U7 5.2 Users must not run Internet-facing Server applications (e.g. web or FTP Servers) on desktops or laptops. Exceptions may be approved by the Administrative Head of Unit, in consultation with University IT Support Staff, provided that compensating controls are put in place to control security risks.

- M11 2.1 Prior to storing or accessing UBC Electronic Information, complete a Software Application Security Checklist for all new or substantially modified applications that store or access Medium, High or Very High Risk Information.

- M11 5.1 Web Applications used to conduct University Business must be provisioned within the ubc.ca domain name space, e.g. widget.ubc.ca, unless not technically possible.