The province’s auditor general is hoping recent findings at Vancouver Island University will prompt others to pay attention to cybersecurity.
The audit in July looked at cybersecurity management at the university, which has locations in Duncan, Nanaimo, Parksville and Powell River. It found numerous gaps in the university’s security, training and oversight policies, and said various action steps need to be taken.
According to the office, the VIU board only did one review of its mitigation strategies at the end of last year. Auditor general Michael Pickup says this should be done throughout the year because cybersecurity is a constantly changing field.
The report also found the board is lacking training in cybersecurity risk management, and said its members should receive annual training.
A third concern was an out-of-date risk management policy; Pickup says such policies become ineffective and weaken accountability.
VIU was the only university looked at in the audit; however, Pickup says there could be many concerns for student information security.
“Because it is so risky, because it is ever so changing, you have to do all you can reasonably be expected to do to help with the lines of defence,” said Pickup.
“Any of these things, it’s not sort of a direct one-to-one relationship between you didn’t do this, so therefore this exact cybersecurity issue or risk is going to increase. It’s more global.”
Pickup said, however, that he was pleased with VIU’s responses to the action steps laid out following the report, including:
- Ensure that governance and policy documents defining roles and responsibilities for cybersecurity risk management are reviewed and approved as scheduled
- Create an annual development program and ensure board members receive annual training on cybersecurity risk management
- Update the board orientation program to include information on the roles and responsibilities for oversight of cybersecurity risk management
- Review cybersecurity risk mitigation strategies annually
Pickup says the university accepted all the recommendations, and according to the report, it is working to update policies and operations.
He adds he hopes other universities will see the findings and make changes to their cybersecurity standards.
“For boards across the province, whether they are in post-secondary institutions or even other organizations, to have a look at this audit, the criteria we use are there, how we approach this is there and have a look to see how they are doing,” said Pickup.
“This is a big province with a lot of organizations, we can’t be everywhere auditing everything. But, there’s no reason why other organizations, universities, post-secondary institutions can’t pick this audit up and do some self-assessment.”
Pickup adds they will return to VIU in the future to see what changes they have been able to make.