B.C. auditor-general hopes university cybersecurity audit sparks broad change

AG: Vancouver Island University issues should encourage institutions to assess cybersecurity

Wolf Depner
Aug 1, 2023 2:30 PM Aug 2, 2023 9:26 AM

A report assessing cybersecurity at a B.C. university could improve cybersecurity at all provincial post-secondary institutions and beyond.

At least that is the hope of Auditor-General Michael Pickup after presenting his audit of cybersecurity risk management at Vancouver Island University Tuesday (Aug. 1) at a news conference in the provincial legislature.

The audit 鈥� first of its kind since Pickup assumed his current role three years ago and the first involving a post-secondary institution in more than a decade 鈥� finds VIU鈥檚 board failed to oversee policies and strategies critical to protecting information systems and data.

Pickup said the audit did not consider the day-to-day technical issues of cybersecurity at the university, but rather the role of the university board, which according to the report, serves as 鈥渁 line of defence鈥� to protect the university and improve its response to cyber threats.

鈥淔or example, the board of governors can evaluate whether management has implemented strategies to mitigate risks to its technology infrastructure,鈥� it reads.

VIU has an enrollment of 12,000 students spread across four campuses and employs 1,500 faculty and staff.

As such, VIU represents only a small sample of the 25 publicly-funded post-secondary institutions in British Columbia and their nearly 180,000 full-time students in 2021-2022.

RELATED:

But if Pickup鈥檚 office only audited VIU because of its relative size, the implications of the audit promise to touch the other 24 post-secondary institutions as well, given the crucial and growing importance of IT in post-secondary learning and not just since the COVID-19 pandemic.

Accordingly, Pickup urged other post-secondary institutions to review his findings and the criteria it used.

鈥淲e can鈥檛 be everywhere auditing everything, but there is no reason why other organizations, universities (and) post-secondary institutions can鈥檛 pick this audit up and look at it and do some self-assessment,鈥� Pickup said.

According to the report, VIU鈥檚 board failed in three areas. First, the board lacks a training program in cybersecurity risk management to increase their subject knowledge in areas of risk, including cybersecurity risk.

鈥淏oard members need to have up-to-date knowledge of cybersecurity risk management to be effective in their oversight role,鈥� it reads.

Second, the board has updated its current risk management policy since 2012, so more than a decade ago, which may be nothing short of eternity in the world of IT.

鈥淒uring the audit period, the board of governors reviewed, but didn鈥檛 approve, an updated risk management policy,鈥� it reads.

Third, for most of the last fiscal year, the board of governors had not reviewed cybersecurity risk mitigation strategies, which include compliance with legal and regulatory requirements.

Pickup praised the board for adopting his office鈥檚 four recommendations, but noted his office will review their implementation.

He also expressed hope that the findings of the report will inform broader political changes with effects for cybersecurity at large.

Improving oversight of cybersecurity policies and strategies does not reduce risks to zero, he said.

鈥淏ut it should reduce the likelihood of a risk of bad things happening,鈥� he said. 鈥淪o you want to do all the appropriate things that one would expect.鈥�

READ ALSO:

sig code

About the Author: Wolf Depner

I joined the national team with Black Press Media in 2023 from the Peninsula News Review, where I had reported on Vancouver Island's Saanich Peninsula since 2019.

琉璃神社