vcc.ca

Cyber Security Policy

Policy Number: 506
Policy Effective Date: September 18, 2024
Approval Body: Board of Governors
Sponsor: President

Context and Purpose

Vancouver Community College (VCC; the College) acknowledges that cyber risks represent strategic enterprise risks for the organization, and that it has legislative, financial, and legal obligations as a public institution to manage these risks in a systematic and consistent manner.


This policy establishes a Cyber Security Governance Framework (the Framework) which includes roles, authorities, responsibilities, and procedures for implementing and managing the College's Cyber Security Risk Management Program (the Program) and Cyber Security Standards (the Standards), and the corresponding oversight of the Framework with the goal of achieving Program maturity and cyber resilience.

Scope and Limits

This policy applies to all users of VCC's digital information resources and to all processes, systems, and applications involving VCC's digital information, whether internal or external (hosted by third parties).

Principles


  1. The College is committed to protecting all VCC digital information assets and resources through a Framework that implements regular cyber risk assessments, identification of risk mitigation strategies, and institutional oversight.

  2. The College will adhere to all relevant laws and regulations governing cyber security risk management of public institutions in British Columbia. 

  3. VCC will, to the best of its abilities, follow established best practices in cyber security.

  4. VCC recognizes that not all risks can or should be fully mitigated or avoided.

  5. The Framework is designed to identify, evaluate, treat, report on, and monitor key risks at the College.

  6. The VCC Board of Governors, President and Chief Information Officer are responsible for full oversight of the Framework.

  7. Violations of this Policy may result in restrictions on IT network, application, or service access in addition to administrative and/or disciplinary actions outlined in the other relevant College policies.

  8. VCC will follow a standardized approach to managing and mitigating cyber security risk by implementing a cyber incident response plan.

Definitions

Availability
Information or information systems being accessible and usable on demand to support business functions.
Confidentiality
Information is not made available or disclosed to unauthorized individuals, entities, or processes.
Control
Any policy, process, practice, or other action that may be used to modify or manage cyber security risk.
Cyber Incident
A single or a series of unwanted or unexpected events that threaten privacy or cyber security, i.e. the confidentiality, integrity and/or availability of cyber resources and assets.
Cyber Resilience
A dimension of cyber risk management, representing the ability of systems and organizations to develop and execute long-term strategies to withstand cyber events; an organization's ability to sustainably maintain, build and deliver intended business outcomes despite adverse cyber events.
Cyber Risk
Probable loss event that materializes when a cyber threat affects an asset of value and results in a material impact on an organization. Cyber risk can be measured as the probable frequency and the probable impact of a material loss event.
Cyber Security
The set of activities that protect networks, devices and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity and availability of information and proper delivery of services.
Cyber Threat
Potential cause of an unwanted cyber incident, which may result in harm to a system or organization.
Integrity
The characteristic of information being accurate and complete and the preservation of accuracy and completeness by protecting the information from unauthorized, unanticipated, or unintentional modification.

Related Resources

VCC Policies

Other Resources

See related procedures 506
Generated at: 3:55 am on Nov. 22, 2024