CSP - AHoU - Review Controls

U1 3.2
The Administrative Head of Unit is responsible for knowing the types of UBC Electronic Information under their control, its information security classification and where it is stored. In order to comply with our legal obligations, it is recommended that the Administrative Head of Unit keep an inventory of types of records that contain High Risk and/or Very High Risk Information. At a minimum, the inventory should contain the type of information, description and storage location. Refer to the sample inventory attached to this standard. This responsibility may be delegated to the Information Steward/Owner.

U7 6.1
Central UBC IT support staff must maintain an inventory of UBC-owned laptops and desktops that they have deployed, including which Users these Devices are assigned to. All other University IT Support staff are recommended to maintain such inventories.

M2 2.1
Applications for User Accounts must be reviewed and approved by Information Steward/Owners and a record must be kept of all Users being granted these accounts and who provided authorization. This record must be retained for at least one year.

M3 3.2
Unnamed Privileged Accounts may be shared between multiple Users. However, for all privileged account types, a single individual must be assigned with accountability for the security of the account.

M2 5.1
Users’ access rights must be reviewed at regular intervals to ensure they remain aligned with current roles and responsibilities. The frequency of the review must be risk-based (e.g. access rights to High or Very High-Risk Information such as Personal Health Information should be reviewed more frequently than access rights to Medium Risk Information that may not do as much harm if exposed to unauthorized individuals).

M3 6.1
Access to Privileged Accounts must be reviewed at an interval stipulated by the Technical Owner of the UBC System (in consultation with the Administrative Head of Unit), or at a minimum annually, to validate that they remain restricted to authorized personnel. Discrepancies must be reported in a in a timely manner to the Technical Owner for resolution.

U4 1.2
Standards for Users to report any suspicious incidents relating to the security of UBC Electronic Information and Systems. University IT Support Staff (including both departmental IT and UBC IT staff) are responsible for handling security incidents in coordination with UBC Cybersecurity.

SC14 6.1.6
ensuring that breaches and potential breaches of this policy occurring within their unit are resolved and/or referred to the CIO, as appropriate, and that where they are so referred, continuing to assist in the investigation, preserving evidence where required

U4 2.1
Users must report the following information security incidents (if there is uncertainty about whether a violation has occurred, Users must err on the side of caution and report the incident anyway):
 

• all violations of Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems; examples include but are not limited to:
• use of UBC computing facilities to commit illegal acts;
• unsolicited or spam email originating from UBC sources;
• unauthorized access, use, alteration or destruction of UBC Electronic Information or UBC Systems, including but not limited to: software, computing equipment, Merchant Systems, network equipment and services;
• theft of any UBC Electronic Information whether it be via electronic means or physical theft of any Device containing this information; and
• loss or theft of any Multi-Factor Authentication Device (MFA Device).
• unauthorized wireless access points discovered in either merchant areas or areas accessing, transmitting or storing UBC Electronic Information; and
• use of Malicious Code, which may show up as unexplained behaviour on desktops, laptops or servers such as webpages opening by themselves, new files or folders appearing on the local hard drive, and lockouts of user accounts.

SC14 6.1.8
working with UBC Information Technology to make training and other information and resources necessary to support this policy available to Users in their unit.

SC14 6.1.7
ensuring that technical staff within their unit are aware of and adhere to this policy, and that they support University standards in the design, installation, maintenance, training, and use of UBC Electronic Information and Systems.

M8 2.1
The following key activities must be logged:
2.1.1 User login, logout and access to a resource;
2.1.2 action performed by the User and the time it was performed; and
2.1.3 where feasible, any access to, or modification of, records.

M8 2.3
Logs provide valuable information that can be used to validate the integrity and confidentiality of UBC Electronic Information; to be effective, logs must be:
2.3.1 retained for at least 90 days (except for ERP logs, which must be retained for at least 365 days) and regularly backed up whenever possible, preferably to offsite secure storage;
2.3.2 retrievable in a timely manner if they are required for analysis; and
2.3.3 protected against unauthorized access and modification, preferably by locating them on a separate server outside the Demilitarized Zone (DMZ), such as a Database Server protected by a firewall, and restricting access as necessary; no one should be able to change or delete log information.

U3 5.1
Due to the sensitivity of Payment Card Industry (PCI) Information, it is subject to the following additional requirements:

• PCI Information must only be stored in approved Merchant Systems;
• PCI Information must never be transmitted via email or instant messaging systems. This activity is prohibited;
• PCI Information must never be transmitted unencrypted by any of the other above methods;
• media containing PCI Information must be sent by secured courier or other delivery method that can be accurately tracked; and
• management must approve the transfer of PCI Information from a secured area.

M6 5.1
Users responsible for Merchant Systems must:

• ensure that a perimeter firewall is in place between any Wi-Fi network and Merchant Systems processing Payment Card Industry (PCI) Information. These firewalls must be configured to deny or control any traffic from the Wi-Fi environment to Merchant Systems;
• test for the presence of unauthorized WAPs on a quarterly basis. Note: Methods that may be used in the process include, but are not limited to, Wi-Fi network scans, physical/logical inspections of system components and infrastructure, network access control NAC), or Wi-Fi IDS/IPS; and
• report any unauthorized WAPs as a security incident, in compliance with the Reporting Information Security Incidents standard.

M10 4.1
University IT Support staff must configure Remote Access technologies, used in Merchant Systems, to automatically disconnect User sessions after a specific period of inactivity. 30 minutes is recommended.