Last updated: February 23, 2023
Essential Controls

Essential Controls- Administrative Head of Unit
/**/
table {
width: 100%;
border-collapse: collapse;
}
th {
background-color: #333;
color: #fff;
position: sticky;
top: 0;
z-index: 1;
}
th,
td {
padding: 10px;
text-align: left;
border: 1px solid #ccc;
}
/**/
//
var tableHead = document.querySelector("thead");
var tableOffset = tableHead.offsetTop;
function fixedTableHeader() {
if (window.pageYOffset >= tableOffset) {
tableHead.classList.add("fixed-header");
} else {
tableHead.classList.remove("fixed-header");
}
}
window.addEventListener("scroll", fixedTableHeader);
//
# | ISS & Section | Category | Topic | Control Statement | Reference Link |
---|---|---|---|---|---|
1 | U1 3.2 U7 6.1 |
Information Systems Inventory | Information Systems Inventory | U1 3.2 The Administrative Head of Unit is responsible for knowing the types of UBC Electronic Information under their control, its information security classification and where it is stored. In order to comply with our legal obligations, it is recommended that the Administrative Head of Unit keep an inventory of types of records that contain High Risk and/or Very High Risk Information. At a minimum, the inventory should contain the type of information, description and storage location. Refer to the sample inventory attached to this standard. This responsibility may be delegated to the Information Steward/Owner. U7 6.1 Central UBC IT support staff must maintain an inventory of UBC-owned laptops and desktops that they have deployed, including which Users these Devices are assigned to. All other University IT Support staff are recommended to maintain such inventories. |
Information Systems Inventory |
2 | M2 2.1 M3 3.2 M2 5.1 M3 6.1 |
Account & Permissions Management | Account & Permissions Management |
M2 2.1 Applications for User Accounts must be reviewed and approved by Information Steward/Owners and a record must be kept of all Users being granted these accounts and who provided authorization. This record must be retained for at least one year. M3 3.2 Unnamed Privileged Accounts may be shared between multiple Users. However, for all privileged account types, a single individual must be assigned with accountability for the security of the account. M2 5.1 Users’ access rights must be reviewed at regular intervals to ensure they remain aligned with current roles and responsibilities. The frequency of the review must be risk based (e.g. access rights to High or Very High Risk Information such as Personal Health Information should be reviewed more frequently than access rights to Medium Risk Information that may not do as much harm if exposed to unauthorized individuals). M3 6.1 Access to Privileged Accounts must be reviewed at an interval stipulated by the Technical Owner of the UBC System (in consultation with the Administrative Head of Unit), or at a minimum annually, to validate that they remain restricted to authorized personnel. Discrepancies must be reported in a in a timely manner to the Technical Owner for resolution. |
Account & Permissions Management |
3 | U7 2.1 | Backup | Backup |
U7 2.1 Any UBC Electronic Information stored on the Device must be regularly backed up to a secure location and checked periodically (preferably quarterly) to ensure the integrity and availability of the information such that it can be restored. See the Backup guideline. |
Backup |
4 | U4 1.2 SC14 6.1.6 U4 1.2 |
Incident Preparedness | Incident Reporting |
U4 1.2 Standards for Users to report any suspicious incidents relating to the security of UBC Electronic Information and Systems. University IT Support Staff (including both departmental IT and UBC IT staff) are responsible for handling security incidents in coordination with UBC Cybersecurity. SC14 6.1.6 ensuring that breaches and potential breaches of this policy occurring within their unit are resolved and/or referred to the CIO, as appropriate, and that where they are so referred, continuing to assist in the investigation, preserving evidence where required U4 2.1 Users must report the following information security incidents (if there is uncertainty whether a violation has occurred, Users must err on the side of caution and report the incident anyway):
|
Incident Reporting |
5 | SC14 6.1.8 SC14 6.1.7 |
Training & Awareness | Training |
SC14 6.1.8 working with UBC Information Technology to make training and other information and resources necessary to support this policy available to Users in their unit. SC14 6.1.7 ensuring that technical staff within their unit are aware of and adhere to this policy, and that they support University standards in the design, installation, maintenance, training, and use of UBC Electronic Information and Systems. |
Training |
6 | M1 1.1 | Training and Awareness | Variance | M1 1.1 In order to protect University information assets, the Chief Information Officer (CIO) has issued binding Information Security Standards. Academic and administrative units that wish to deviate from these Information Security Standards are required to request a variance from the CIO. |
Variance |
7 | U9 2.2 | Outsourcing and Service Provider Management | Privacy Impact Assessment | U9 2.2 In addition to the requirement to use the above checklist, a Privacy Impact Assessment (PIA) is required if Personal Information is involved. Please refer to the PIA Process Overview for more information. |
Privacy Impact Assessment |
8 | U9 5.1 | Outsourcing and Service Provider Management | Security & Confidentiality Agreement | U9 5.1 Service Providers must sign a Security and Confidentiality Agreement (SACA) prior to being granted access to Medium, High or Very High Risk Information. The Administrative Head of Unit may request the Office of the University Counsel to grant a waiver of the requirement for a SACA where the primary contract with the Service Provider contains equivalent privacy and security language. Doctors, lawyers, accountants, auditors, psychologists and other professionals who are bound by a duty of confidentiality do not need to sign a SACA. |
Security & Confidentiality Agreement |
9 | M8 2.1 M8 2.3 |
Log Management | Log Management |
M8 2.1 The following key activities must be logged:
M8 2.3 Logs provide valuable information that can be used to validate the integrity and confidentiality of UBC Electronic Information; to be effective, logs must be:
|
Log Management |
10 | U3 5.1 M6 5.1 M10 4.1 |
Payment Card Information Protection | Payment Card Industry-Data Security Standard(PCI-DSS) |
U3 5.1 Due to the sensitivity of Payment Card Industry (PCI) Information, it is subject to the following additional requirements:
M6 5.1 Users responsible for Merchant Systems must:
M10 4.1 University IT Support staff must configure Remote Access technologies, used in Merchant Systems, to automatically disconnect User sessions after a specific period of inactivity. 30 minutes is recommended. |
PCI-DSS |
11 | M11 5.1 | Development & Modification of Software Applications | Website Naming | M11 5.1 Web Applications used to conduct University Business must be provisioned within the ubc.ca domain name space, e.g. widget.ubc.ca, unless not technically possible. |
Website Naming |
Essential Controls- IT Representative
/**/
table {
width: 100%;
border-collapse: collapse;
}
th {
background-color: #333;
color: #fff;
position: sticky;
top: 0;
z-index: 1;
}
th,
td {
padding: 10px;
text-align: left;
border: 1px solid #ccc;
}
/**/
//
var tableHead = document.querySelector("thead");
var tableOffset = tableHead.offsetTop;
function fixedTableHeader() {
if (window.pageYOffset >= tableOffset) {
tableHead.classList.add("fixed-header");
} else {
tableHead.classList.remove("fixed-header");
}
}
window.addEventListener("scroll", fixedTableHeader);
//
# | ISS & Section | Category | Topic | Control Statement | Reference Link |
---|---|---|---|---|---|
1 | U1 3.2 U7 6.1 |
Information Systems Inventory | Information Systems Inventory |
U1 3.2 The Administrative Head of Unit is responsible for knowing the types of UBC Electronic Information under their control, its information security classification and where it is stored. In order to comply with our legal obligations, it is recommended that the Administrative Head of Unit keep an inventory of types of records that contain High Risk and/or Very High Risk Information. At a minimum, the inventory should contain the type of information, description and storage location. Refer to the sample inventory attached to this standard. This responsibility may be delegated to the Information Steward/Owner. U7 6.1 Central UBC IT support staff must maintain an inventory of UBC-owned laptops and desktops that they have deployed, including which Users these Devices are assigned to. All other University IT Support staff are recommended to maintain such inventories. |
Information Systems Inventory |
2 | SC14 6.1.8 SC14 6.1.7 |
Training & Awareness | Training |
SC14 6.1.8 working with UBC Information Technology to make training and other information and resources necessary to support this policy available to Users in their unit SC14 6.1.7 ensuring that technical staff within their unit are aware of and adhere to this policy, and that they support University standards in the design, installation, maintenance, training, and use of UBC Electronic Information and Systems |
Training |
3 | U3 5.1 M6 5.1 M10 4.1 |
Payment Card Information Protection | Payment Card Industry-Data Security Standard(PCI-DSS) |
U3 5.1 Due to the sensitivity of Payment Card Industry (PCI) Information, it is subject to the following additional requirements:
M6 5.1 Users responsible for Merchant Systems must:
M10 4.1 University IT Support staff must configure Remote Access technologies, used in Merchant Systems, to automatically disconnect User sessions after a specific period of inactivity. 30 minutes is recommended. |
PCI-DSS |
4 | U4 1.2 SC14 6.1.6 U4 1.2 |
Incident Preparedness | Incident Reporting |
U4 1.2 Standards for Users to report any suspicious incidents relating to the security of UBC Electronic Information and Systems. University IT Support Staff (including both departmental IT and UBC IT staff) are responsible for handling security incidents in coordination with UBC Cybersecurity. SC14 6.1.6 ensuring that breaches and potential breaches of this policy occurring within their unit are resolved and/or referred to the CIO, as appropriate, and that where they are so referred, continuing to assist in the investigation, preserving evidence where required U4 2.1 Users must report the following information security incidents (if there is uncertainty whether a violation has occurred, Users must err on the side of caution and report the incident anyway):
|
Incident Reporting |
5 | U5 3.1 | Device Encryption | Device Encryption |
U5 3.1 Encryption requirements apply to Devices, whether UBC-supplied or personally-owned, that are used to access UBC Electronic Information and Systems, or store UBC Electronic Information. For more information on Device Encryption requirements click here |
Device Encryption |
6 | U7 2.1 | Endpoint Detection & Response | Endpoint Detection & Response |
Computing Devices used for University Business must comply with the following electronic security requirements. Endpoint Detection and Response (EDR) Servers: EDR software approved by the CISO must be installed on all UBC-owned Servers. Workstation: EDR software approved by the CISO must be installed on all UBC-owned Workstations, where technically possible. On Computing Devices not required to have EDR, install up-to-date anti-malware and spyware cleaning software (except for smartphones and tablets that do not offer this feature) and configure it to update at least once per day. See the UBC IT Malware Protection page. |
Endpoint Detection Response |
7 | U7 2.1 | Firewall Management | DNS Firewall Management |
Computing Devices used for University Business must comply with the following electronic security requirements. Automatic Blocking of Malicious Websites Servers: Servers on-premises and in the cloud (Infrastructure as a Service) must be protected by a DNS firewall. It is recommended that Servers on-premises use UBC Domain Name Servers, which make use of DNS firewall protection. Workstation: UBC-owned Devices that access, process or store Medium, High or Very High Risk Information must be protected by a DNS firewall. It is recommended that on-premises Devices use UBC Domain Name Servers, which make use of DNS firewall protection. For all other Devices, a DNS firewall is recommended. |
DNS Firewall Management |
8 | U7 2.1 | Firewall Management | Network Firewall Architecture | Firewalls: Install and configure firewalls (except for tablets and smartphones that do not offer this feature). |
Network Firewall Architecture |
9 | M5 6.2 | Firewall Management | Network Firewall Rules | M5 6.2 Firewalls are only as effective as their Access Control List (ACL) rule set, which determines how traffic is blocked or passed. Firewall ACL rule sets must be configured as follows:
|
Network Firewall Rules |
10 | U7 2.1 | Patch & Vulnerability Management | Supported System | U7 2.1 U7 2.1 The Device must run a version of its operating system for which security updates continue to be produced and are available. If this is not possible, see the Vulnerability Management standard for compensating controls. If the Device is University-owned, software updates must not be impeded, and no unauthorized changes may be made to the Device. |
Supported System |
11 | M5 2.1 | Patch & Vulnerability Management | Vulnerability Notification Service | M5 2.1 University IT Support Staff are responsible for subscribing to the Appropriate Notification Services to ensure they are aware of new vulnerabilities and corresponding patches as soon as they are available. |
Vulnerability Notification Service |
12 | M5 2.5 | Patch & Vulnerability Management | Patching Cadence | M5 2.5 Unpatched software is frequently exploited by malicious individuals to access information or resources. To mitigate this threat, vendor provided patches for UBC Systems (e.g. operating systems, applications, databases, etc.) must be patched, with service outages where required, in accordance with Severity Ratings for Vulnerabilities (CVSS) or as defined by the vendors or other third parties as follows:
|
Patching Cadence |
13 | M5 3.3 | Patch & Vulnerability Management | Vulnerability Scanning(New Systems) | M5 3.3 University IT Support Staff have the responsibility to obtain a vulnerability scan for all new or substantially modified Internet-facing servers and applications attached to the UBC network prior to going into production. Any detected vulnerabilities must be resolved in accordance with their severity, as outlined in section 2.5 above; rescans are required until passing results are obtained. |
Vulnerability Scanning(New Systems) |
14 | M5 3.4 | Patch & Vulnerability Management | Vulnerability Scanning (Ongoing) | M5 3.4 University IT Support Staff must not block UBC’s Vulnerability Scanners. |
Vulnerability Scanning (Ongoing) |
15 | U7 2.1 | Backup | Backup | U7 2.1 Any UBC Electronic Information stored on the Device must be regularly backed up to a secure location and checked periodically (preferably quarterly) to ensure the integrity and availability of the information such that it can be restored. See the Backup guideline. |
Backup |
16 | U9 5.1 | Outsourcing & Service Provider Management | Security & Confidentiality Agreement | U9 2.1 Before Service Providers provision software applications or are granted access to UBC Electronic Information and Systems, information security risks must be assessed and managed using the Service Provider Security Checklist. U9 5.1 Service Providers must sign a Security and Confidentiality Agreement (SACA) prior to being granted access to Medium, High or Very High Risk Information. The Administrative Head of Unit may request the Office of the University Counsel to grant a waiver of the requirement for a SACA where the primary contract with the Service Provider contains equivalent privacy and security language. Doctors, lawyers, accountants, auditors, psychologists and other professionals who are bound by a duty of confidentiality do not need to sign a SACA. |
Security & Confidentiality Agreement |
17 | U9 2.2 | Outsourcing & Service Provider Management | Privacy Impact Assessment | U9 2.2 In addition to the requirement to use the above checklist, a Privacy Impact Assessment (PIA) is required if Personal Information is involved. Please refer to the PIA Process Overview for more information. |
Privacy Impact Assessment |
18 | M2 2.1 M3 3.2 |
Account & Permissions Management | Account & Permissions Approval | M2 2.1 Applications for User Accounts must be reviewed and approved by Information Steward/Owners and a record must be kept of all Users being granted these accounts and who provided authorization. This record must be retained for at least one year. M3 3.2 Unnamed Privileged Accounts may be shared between multiple Users. However, for all privileged account types, a single individual must be assigned with accountability for the security of the account. |
Account & Permissions Approval |
19 | M2 5.1 M3 6.1 |
Account & Permissions Management | Account & Permissions Review | M2 5.1 Users’ access rights must be reviewed at regular intervals to ensure they remain aligned with current roles and responsibilities. The frequency of the review must be risk based (e.g. access rights to High or Very High Risk Information such as Personal Health Information should be reviewed more frequently than access rights to Medium Risk Information that may not do as much harm if exposed to unauthorized individuals). M3 6.1 Access to Privileged Accounts must be reviewed at an interval stipulated by the Technical Owner of the UBC System (in consultation with the Administrative Head of Unit), or at a minimum annually, to validate that they remain restricted to authorized personnel. Discrepancies must be reported in a in a timely manner to the Technical Owner for resolution. |
Account & Permissions Review |
20 | M4 2.6 | Account & Permissions Management | Changing Default Passwords | M4 2.6 Default vendor passwords must be changed following the installation of systems or software. |
Changing Default Passwords |
21 | M4 3.2 | Account & Permissions Management | Securing Authentication Systems | M4 3.2 Authentication systems for User Accounts must be adequately protected from password cracking using at least one of the following methods:
|
Securing Authentication Systems |
22 | M4 3.3 | Account & Permissions Management | Protecting Stored Passwords | M4 3.3 Authentication systems must not store account passwords in clear text. Where possible, passwords should be stored using a strong cryptographic hash and salted. |
Protecting Stored Passwords |
23 | M7 2.4 M7 4.1 |
Cryptographic Controls | Encryption Key Management | M7 2.4 Whenever a password or passphrase is used as an encryption key (”Key”), it must follow the standards defined in the Passphrase and Password Protection standard, which details strong password/passphrase construction. Keys that are compromised (e.g. lost or stolen) must be reported immediately in accordance with the Reporting Information Security Incidents standard. The Key must be revoked or destroyed and a new key generated. Key re-assignments require re-encryption of the data. M7 4.1 For encryption to be effective, encryption Keys must be protected against unauthorized disclosure, misuse, alteration or loss. In order to reduce the risk of loss or exposure of Keys, it is recommended that all Key management processes be performed with automated software. A Key management plan must also be in place that covers the following process areas: |
Encryption Key Management |
24 | M7 2.6.4 | Cryptographic Controls | Cryptographic Controls (Procurement of Certificates) | M7 2.6.4 X.509 certificates may be purchased under the University’s Enterprise account, via security@ubc.ca. |
Cryptographic Controls (Procurement of Certificates) |
25 | M7 2.6 | Cryptographic Controls | Cryptographic Controls (Certificates) | M7 2.6 The following requirements apply to X.509 certificates:
|
Cryptographic Controls (Certificates) |
26 | M8 2.1 | Log Management | Logging Key Activities | M8 2.1 The following key activities must be logged:
|
Logging Key Activities |
27 | M8 2.3 | Log Management | Log Retention and Protection | M8 2.3 Logs provide valuable information that can be used to validate the integrity and confidentiality of UBC Electronic Information; to be effective, logs must be:
|
Log Retention and Protection |
28 | M9 1.3 | Physical Security | Physical Security (Server Rooms) | M9 1.3 The University has a responsibility to protect High and Very High Risk Information from unauthorized viewing and use. In particular, the BC Freedom of Information and Protection of Privacy Act (FIPPA)[1] and Policy GA4, Records Management[2] require public bodies to implement reasonable and appropriate security arrangements for the protection of Personal Information (in both electronic and paper format). Therefore, servers containing significant quantities of High or Very High Risk Information must be hosted in UBC Datacentres or in third party servers that have an equivalent level of security to this standard. Where appropriate, Low and Medium Risk Information may also be hosted in UBC Datacentres. |
Physical Security (Server Rooms) |
29 | M10 3.1 | Internet-Facing Systems & Services | Secure Transmission | M10 3.1 Secure transmission of Medium, High or Very High Risk Information must comply with the following requirements:
|
Secure Transmission |
30 | M10 3.4.2 | Internet-Facing Systems & Services | Demilitarized Zones (DMZ) - Inclusion | M10 3.4.2 remote access servers (e.g. terminal server, VDI, Remote Access Gateways, etc.) must be located in the DMZ and use strong encryption for server-to-User transmissions, e.g. RDP with Network Level Authentication, SSH with AES-256 bit encryption, etc.; |
Demilitarized Zones (DMZ) - Inclusion |
31 | M10 3.4.3 | Internet-Facing Systems & Services | Demilitarized Zones (DMZ) - Exclusion | M10 3.4.3 host desktops, laptops or servers not located in the DMZ must be remotely accessed via a Remote Access Gateway, VPN or SSH |
Demilitarized Zones (DMZ) - Exclusion |
32 | M10 3.4.1 | Internet-Facing Systems & Services | Multi-Factor Authentication for Remote Access | M10 3.4.1 Multi-Factor Authentication (MFA) must be used; |
Multi-Factor Authentication for Remote Access |
33 | U7 5.2 | Internet-Facing Systems & Services | Secure Internet Facing Devices | U7 5.2 Users must not run Server applications on desktops or laptops (e.g. web or FTP Servers) that are Internet-facing. Exceptions may be approved by the Administrative Head of Unit, in consultation with University IT Support Staff, provided that compensating controls are put in place to control security risks. |
Secure Internet Facing Devices |
34 | M11 2.1 | Development & Modification of Software Applications | Software Application Security Checklist | M11 2.1 Prior to storing or accessing UBC Electronic Information, complete a Software Application Security Checklist for all new or substantially modified applications that store or access Medium, High or Very High Risk Information. |
Software Application Security Checklist |
35 | M11 5.1 | Development & Modification of Software Applications | Website Naming | M11 5.1 Web Applications used to conduct University Business must be provisioned within the ubc.ca domain name space, e.g. widget.ubc.ca, unless not technically possible. |
Website Naming |