
Since 1987, the Canadian Association of University Business Officers (CAUBO) has celebrated excellence in higher education administration through its Quality and Productivity (Q&P) Awards, often referred to as the “Oscars of the higher education field”! This year, UBC's PrISM Compliance Support Program (CSP) received a Q&P Award for its outstanding contribution to cybersecurity compliance and safety. The PrISM CSP is a collaboration involving Safety & Risk Services, the Office of the University Counsel, the Office of the CIO, and UBC IT.
The CSP team's shared goal is to protect UBC’s information and systems, which is crucial for fulfilling the university’s vision, purpose, and values. By partnering across the university, the CSP helps units identify and meet their information security responsibilities, collectively safeguarding the UBC community from major privacy or information security breaches.
To gain insights into the program's success and future direction, we spoke with the Privacy and Information Security Management team — Michael Lonsdale-Eccles and Thais Ramos. Read this Q&A to discover their perspectives and the next steps for the Compliance Support Program.
Q: What makes the Compliance Support Program stand out and what contributed to winning this award?
Michael: Our program is pioneering in higher education, addressing an urgent need in cybersecurity and risk. It's a significant change management initiative, and what sets it apart is its structured, repeatable process. We've developed a wealth of supporting content—including resources on the Privacy Matters website, training sessions, templates and guides—to make it as straightforward as possible for everyone involved, especially Administrative Heads of Units and the IT support community. Importantly, we have strong backing from our leadership, which has been instrumental to our success. This support has helped us implement the program effectively and achieve our goals.
Another reason that Compliance Support was selected is that it is a necessary and timely program that has helped address a critical need in our community. Cybersecurity is a pressing issue, and our comprehensive and collective approach has proven effective.
While we are not alone in this endeavour — other institutions are also exploring similar programs — ours has gained considerable interest from the higher education community. We frequently receive inquiries from other universities looking to replicate our model.
Lastly, our broad reach within the UBC community has been a major success. We've managed to engage a wide array of stakeholders, raise awareness and foster a culture of cybersecurity across the university.
Q: How will the program engage with the UBC community in the coming months?
Thais: For the remainder of 2024, CSP will complete its comprehensive assessment across all UBC units, delivering consolidated reports and a high-level dashboard to university executives. Leaders are eager to see the results. Next, we’ll monitor and follow up on identified gaps, ensuring key controls are in place, and develop strategies for engaging with research. The assessment process will be cyclical, likely every two to three years. Next year, we'll focus on assurance, remediation and research. While some gaps, like endpoint detection and response (EDR), are straightforward, others are more complex and require detailed planning.
Q: What specific challenges did the Compliance Support Program address at UBC?
Michael: While there’s knowledge of Information Security Standards (ISS), broad adoption has lagged in recent years. The CSP has been crucial in clarifying accountability, raising awareness of these standards, and providing support to help units comply with the information security requirements. This compliance is not just a formality—it’s essential for protecting UBC’s information and systems and upholding the UBC value of accountability.
Q: Can you share a success story or example where the Compliance Support Program significantly improved security at UBC?
Thais: One notable success is our collaboration with the Faculty of Medicine (FoM). We developed strong partnerships with their governance and cybersecurity teams, creating a seamless process that integrated our program with their existing efforts. They initiated the first engagement and delivery, and we followed up with assessments and recommendations to close security gaps. Then they assisted the units in implementing action plans to close those gaps. It was true synergy!
It was a very thorough one-year plan, with effective change management, clear communication, and strong leadership support from the Dean. Some strategic opportunities discovered not only enhanced security but also improved efficiencies. The complexity of the Faculty of Medicine—with its clinics, hospitals, schools, and collaborations with health authorities—made this a challenging but rewarding experience.
Key to success was their allocation of resources, forming a dedicated team, and establishing a governance committee involving critical stakeholders in IT governance decisions due to the high-risk nature of their sensitive information. The leadership fully supported these efforts, dedicating time to making informed decisions. Although smaller units might not need a full IT governance committee, for larger, more complex departments, we encourage our community to consider it.
Q: How does the Compliance Support Program align with UBC’s overall strategic goals?
Michael: Great question. The Compliance Support Program closely aligns with UBC's strategic value of accountability. Securing all UBC’s assets is fundamental to upholding this commitment. Within UBC's strategic plan, accountability means taking personal and public responsibility for our actions and commitments, ensuring we fulfill our promises to the community. The CSP directly supports this value by implementing robust information security practices, thereby safeguarding UBC’s pursuit of excellence in research, learning, and engagement.
Q: Who at UBC is part of the achievement?
Michael: Everyone at UBC has contributed to this collective achievement. The success of this program is a testament to the collective effort, bolstered by strong support from UBC's leadership, PrISM executives, and the dedicated teams involved in its development, such as PrISM SRS, cybersecurity, VPFO operational excellence team, and university counsel. Most importantly, our clients across UBC have played a pivotal role by embracing their responsibilities and actioning plans to further secure their environment.
Q: Any closing thoughts or reflections?
Thais: In summary, the Compliance Support Program at UBC represents our proactive approach to cybersecurity and information governance. Through collaboration, innovation, and strong leadership, we are setting new standards in higher education. Looking ahead, our focus remains on enhancing security measures, fostering accountability, and continuing to drive positive change across our UBC community. We appreciate the opportunity to share our achievements and are committed to safeguarding UBC's mission and values.