- VCC's Cyber Security Governance Framework (the Framework) consists of the following:
- Oversight Responsibilities
- Cyber Security Risk Management Program (the Program)
- Cyber Security Risk Exception Process
- Cyber Security Risk Register
A. Oversight Responsibilities
- The VCC Board of Governors (the Board) is responsible for:
- Full oversight of the Framework; this authority is delegated to the Finance and Audit Committee.
- Reviewing the Framework on an annual basis.
- Adopting an orientation program for new board members that outlines the Board's oversight responsibilities for the Framework and Program.
- Adopting an annual development program for all board members that includes training and updates on cyber security risk management.
- The President is responsible for:
- Ongoing oversight of the Framework and Program.
- The Chief Information Officer (the CIO) is responsible for:
- Establishing and managing the Cyber Security Standards and the Cyber Security Risk Exception process, and ensuring they are consistent with this Policy.
- Establishing and managing the VCC Cyber Security Risk Register, which contains all identified cyber security risks as well as the related mitigation strategies and plans.
- Managing the Framework and Program through delegates.
- Appointing members to the Cyber Security Governance Working Group (CyberGWG).
- Providing an annual oversight report of the Framework and Program to the Board and President.
B. Cyber Security Risk Management Program
The Program consists of:
- VCC Cyber Security Standards (the Standards)
- The Standards cover all technical aspects of cyber security risk management and establish mandatory baselines and controls for all VCC users, digital information, processes, and systems. The main goal of these baselines and controls is to protect the confidentiality, integrity, privacy, and availability of all VCC cyber resources and assets.
- The Standards are defined, reviewed, and approved by the Cyber Security Governance Working Group (CyberGWG).
- Cyber Security Governance Working Group (CyberGWG)
- The CyberGWG is a high-level technical group delegated by the CIO to review and approve VCC's Cyber Security Standards (the Standards).
- Using an industry standard cyber security framework, the CyberGWG will assess on an annual basis the maturity of the Framework, Program and Standards. This assessment will be included in the oversight report provided by the CIO to the Board and President.
- Awareness and Training
- Training and awareness are part of the overall VCC onboarding process.
- Annual renewal of cyber security training is required of all employees.
- Additional training may be required when new cyber security technology or processes are implemented.
C. Cyber Security Risk Exception Process
- If a mandatory baseline cannot be met for specific business and/or technical reasons, a Risk Exception request can be initiated for review and approval by the CIO or appointed delegates.
- The CIO or appointed delegates review, assess and approve Risk Exception requests based on business-justified violations of the Standards, through a dedicated process within the IT department.
- Risk Exception requests must have a remediation plan and a defined timeline for aligning the corresponding cyber resources/assets/processes with the requirements of the violated Standards.
- When approving a specific Risk Exception request, the CIO or delegates may require a list of compensating controls to be applied for the duration of the Risk Exception to manage the inherent risk. These compensating controls are mandatory for the team requesting the Exception.
D. Cyber Security Risk Register
- The CIO, or delegates, manage the VCC Cyber Security Risk Register by performing various assessment processes to identify significant cyber security risks for the College. These include, but are not limited to, technical vulnerabilities (both hardware and software), process weaknesses, and deficiencies in user behaviour and awareness.
- The Cyber Security Risk Register also contains the approved Risk Exception requests during their lifecycle, i.e. until they are remediated and closed.
- The Cyber Security Risk Register is the authoritative source of information representing the current cyber security risks for the College.
- Items in the Cyber Security Risk Register must be prioritized by the CIO or appointed delegates, based on the assessed risk of each item.
- The high-priority items of the Cyber Security Risk Register, representing the most significant cyber security risks for the College, are escalated to the institutional risk register managed by the Department of Safety, Security, Risk and Privacy, and are presented by the CIO in the oversight reports to the President and the Board of Governors.