
Auditor General: Cyber security risk management at post-secondary institutions needs closer look

VIU audit may kickstart cyber security action at other post-secondary institutions.

Board Oversight of Cybersecurity Risk Management at Vancouver Island University [Office of the Auditor General of BC, Aug 1, 2023]

Wednesday August 2, 2023 | VICTORIA, BC [Updated 7:35 am]

by Mary P Brooke | Island Social Trends


Yesterday the Office of the Auditor General seemed to come out swinging against Vancouver Island University (VIU), saying its board of governors “falls short in oversight of cybersecurity risk management”.

But in response to questions during the August 1 press conference, it turns out the nudge is about BC legislators perhaps taking a closer look at the risk management policies and practices at all post-secondary institutions (PSIs) in BC, within the broadest context that “IT is such a fast-moving field”.


“This is a big province with a lot of organizations. We can’t be everywhere auditing everything. But there is no reason why other organizations — universities, post-secondary institutions — can’t pick this audit up and look at it and do some self-assessment with the criteria that are there. So I hope that will be one of the takeaways from this, is that people pick this audit up,” said BC Auditor General Michael Pickup.

It looks like this audit of VIU has picked up the beat on cyber security. According to the Office of the Auditor General — in providing a list of 11 audits around cyber security done in the past 14 years or more (2009 to 2023) — only an audit in 2010 covered post-secondary institutions.

Universities on the list:

VIU was chosen as a mid-size post-secondary institution (12,000 students and 1,500 faculty and staff), said Pickup, thinking that institutions larger, smaller and same-size might benefit from the analysis. Students, faculty and staff share personal information with the institution.

According to the Office of the Auditor General in a later email, it turns out that the University of British Columbia (UBC) was audited over the past three years and that an audit at Simon Fraser University (SFU) will be starting this year. Those audits looked at “access, change management and passwords” but not cyber security more broadly.

BC Auditor General Michael Pickup delivers report on cyber security audit, Aug 1, 2023 at the BC Legislative Press Theatre in Victoria. [Island Social Trends]

MLAs can take leadership:

MLAs might want to form a committee to look further into this, the auditor general suggested, so that PSIs are making “informed decisions about cyber security risk”. That would include providing new members of the governing board with information about oversight responsibilities during their orientation, and an annual training program to provide updates on areas of significant risk in cyber security.

“It’s important for boards to be up to speed in cyber security matters in order to fulfill their oversight role,” said Pickup. Regular reviews of risk management policy are part of that, otherwise policy can “quickly get out of date” which makes it harder to know who is responsible for what. “Overall it can weaken board accountability.”

Pickup said the role of his office is to foster questions that members of the legislative assembly might want to look at more closely. It would be “wonderful if it informs that type of discussion”, he said yesterday.

Selina Robinson, Minister of Post-Secondary Education and Future Skills. [BC Government]

He also said that the legislature’s accounts committee and also media might inquire further about cyber security being done at post-secondary institutions.

The BC Minister of Post-Secondary Education and Future Skills is former BC Finance Minister Selina Robinson.

Cyber attacks are common:

“Cyber attacks are common and they’re evolving,” Pickup said.

“Ransomware, data breaches, and other threats can affect individual organizations in critical infrastructure,” he said, adding that it’s “a major challenge to protect information systems and data from such cyber attacks”.


“In the area of cyber security because it is so risky, because it is ever so changing, so impactful, you’ve got to do all you can reasonably be expected to do to help with the lines of defence.”

“Bad things can still happen here, even when you do all the right things. So you don’t want to be skipping some of the right things that should be done.” And if you don’t have the”

The National Cyber Threat Assessment, issued by the Canadian Centre for Cyber Security, says ransomware is a persistent threat, and Canada’s critical infrastructure is increasingly at risk from cyber threats.

BC post-secondary protections:

“BC universities depend on information technology whether for technology-based learning or the safety of personal information of students, faculty and staff,” the auditor general said.

“University managers must assess risk in developing a strategy to mitigate those risks. They must report on the status of risk assessments and mitigation strategies to their boards,” said Pickup.


“BC university boards, including the VIU board, play a critical role in ensuring management is protecting their institutions from the rise of ransomware and other cyber threats.”

“University boards oversee cybersecurity risk management and are expected to hold university management accountable for identifying and mitigating risks.”

Developing criteria and how to approach systems and situations is part of what can be done more deliberately.

Stronger oversight needed:

A new independent audit report from the Office of the Auditor General found deficiencies in the board’s training, and their oversight of policy and strategies that are critical to protecting VIU’s information systems and data.

In an audit done for the period April 1, 2022 through March 31, 2023, the Office of the Auditor General found the VIU board has defined roles and responsibilities for risk management, and it sets expectations of VIU’s management.

Cybersecurity Risk Management at VIU (April 1, 2022 to March 31, 2023): Audit at a Glance [Office of the Auditor General]

“However, the audit found three areas where the board has not provided oversight of VIU’s cybersecurity risk management practices,” it was stated in the news release:

  • First, the board has not adequately overseen the university’s risk mitigation strategies. “Last year the VIU board only did a review at the end of the year. It should be done throughout the year – especially in a field that changes as quickly as information technology,” Pickup said.
  • Second, the VIU board lacks training in cybersecurity risk management. VIU board members should receive cybersecurity risk management training when they join the board, and then annually.
  • Third, the VIU board had not approved an updated risk management policy in over 10 years. “Outdated policies become ineffective and weaken accountability,” Pickup said.

VIU is on board for improvement:

VIU stores the personal information of 12,000 students and 1,500 faculty and staff who are located at its campuses in Nanaimo, Duncan, Parksville and Powell River. The 15-member board includes: eight members appointed by government; five members elected by faculty, staff and students; the university chancellor; and the university president.

“It is vital for VIU to do everything they can to protect their information in the IT systems that are so important to how the university functions,” said Pickup.

“VIU ranks cyber security among its top three risks. The good news is that the VIU board is doing some things to fulfill its oversight role,” he said. They have defined the role and responsibility for risk management and set out expectations of VIU management. “But overall we concluded that VIU’s board of governors has not provided oversight of the university cyber security risk management practices.”

The VIU board has accepted the report’s four recommendations focused on cybersecurity risk mitigation and responses, board training and development, and keeping policies updated. “This board recognizes that there are things that have to be done differently here,” said Pickup.

BC Auditor General Michael Pickup [BC Government video]

“I’m pleased that the VIU board has committed to acting on our recommendations and I hope other university boards can learn from our report,” Pickup said.

===== GOVERNMENT LINKS:

FULL REPORT: Board Oversight of Cybersecurity Risk Management at Vancouver Island University

SUMMARY: Audit at a Glance

VIDEO: BC Auditor General Michael A Pickup about the VIU Audit


===== ABOUT ISLAND SOCIAL TRENDS:

Island Social Trends has been covering news of the south Vancouver Island region since 2008, and more broadly across BC since 2020. News is posted for readable access at IslandSocialTrends.ca. Editor: Mary P Brooke, B.Sc., Cert PR.