
We are currently undertaking a major initiative to enhance our existing information security standards, which will enable us to further align them with ISO 27005 and integrate additional security requirements which we feel reflect the current and foreseeable security risk landscape for the University and the higher education sector in general.

To facilitate a risk-based approach and ensure reasonable controls are required in the UBC standards, we have created a data classification scheme which comprises confidential, sensitive and public categories. Our legally protected personal information currently all falls under the confidential category, along with the PCI-regulated data. This category has the highest level of control requirements, which corresponds well to the Internet2 & HEISC Information Security Guide.

One of the key challenges we are facing is ensuring that 'reasonable security measures' are implemented, given that there is a significant range of risk for different types of personal information (e.g. personal health information and employee SIN numbers could result in greater adverse consequences if stolen than a list of student names and numbers). Therefore, we are trying to figure out the best way to further embed a risk-based approach into protecting this personal information based on its sensitivity and quantity. We are considering approaches that include applying a reasonable test to personal information so that if it is a small amount or of lower sensitivity then less control would be required, but the practicality of embedding this into the standards in a simple, user-friendly manner is not so straightforward.

Therefore, we are hoping to hear from those of us who have also been challenged with these issues and have figured out a workable solution.

Larry


---

Larry Carson

Associate Director, Information Security Management

Information Technology | Engage. Envision. Enable.

The University of British Columbia

Tel: 604.822.0773 | Twitter: @L4rryC4rson

 
