A report assessing cybersecurity at a B.C. university could improve cybersecurity at all provincial post-secondary institutions and beyond.

At least that is the hope of Auditor-General Michael Pickup after presenting his audit of cybersecurity risk management at Vancouver Island University Tuesday (Aug. 1) at a news conference in the provincial legislature.

The audit B次元官网网址� first of its kind since Pickup assumed his current role three years ago and the first involving a post-secondary institution in more than a decade B次元官网网址� finds VIUB次元官网网址檚 board failed to oversee policies and strategies critical to protecting information systems and data.

Pickup said the audit did not consider the day-to-day technical issues of cybersecurity at the university, but rather the role of the university board, which according to the report, serves as B次元官网网址渁 line of defenceB次元官网网址� to protect the university and improve its response to cyber threats.

B次元官网网址淔or example, the board of governors can evaluate whether management has implemented strategies to mitigate risks to its technology infrastructure,B次元官网网址� it reads.

VIU has an enrollment of 12,000 students spread across four campuses and employs 1,500 faculty and staff.

As such, VIU represents only a small sample of the 25 publicly-funded post-secondary institutions in British Columbia and their nearly 180,000 full-time students in 2021-2022.

RELATED:

But if PickupB次元官网网址檚 office only audited VIU because of its relative size, the implications of the audit promise to touch the other 24 post-secondary institutions as well, given the crucial and growing importance of IT in post-secondary learning and not just since the COVID-19 pandemic.

Accordingly, Pickup urged other post-secondary institutions to review his findings and the criteria it used.

B次元官网网址淲e canB次元官网网址檛 be everywhere auditing everything, but there is no reason why other organizations, universities (and) post-secondary institutions canB次元官网网址檛 pick this audit up and look at it and do some self-assessment,B次元官网网址� Pickup said.

According to the report, VIUB次元官网网址檚 board failed in three areas. First, the board lacks a training program in cybersecurity risk management to increase their subject knowledge in areas of risk, including cybersecurity risk.

B次元官网网址淏oard members need to have up-to-date knowledge of cybersecurity risk management to be effective in their oversight role,B次元官网网址� it reads.

Second, the board has updated its current risk management policy since 2012, so more than a decade ago, which may be nothing short of eternity in the world of IT.

B次元官网网址淒uring the audit period, the board of governors reviewed, but didnB次元官网网址檛 approve, an updated risk management policy,B次元官网网址� it reads.

Third, for most of the last fiscal year, the board of governors had not reviewed cybersecurity risk mitigation strategies, which include compliance with legal and regulatory requirements.

Pickup praised the board for adopting his officeB次元官网网址檚 four recommendations, but noted his office will review their implementation.

He also expressed hope that the findings of the report will inform broader political changes with effects for cybersecurity at large.

Improving oversight of cybersecurity policies and strategies does not reduce risks to zero, he said.

B次元官网网址淏ut it should reduce the likelihood of a risk of bad things happening,B次元官网网址� he said. B次元官网网址淪o you want to do all the appropriate things that one would expect.B次元官网网址�

READ ALSO:

sig code