Personal Information Risk

RMS partners with units to educate and raise awareness of key privacy and information security risks that are relevant to the unit and the University overall. Additionally, we facilitate the assessment of identified risks and provide support to units to help reduce these risks, as necessary. Our approach is outlined below.

What is RMS’ approach to Personal Information?

In most cases, the team follows a standardized approach:

Step 1

  • Performing Personal Information (PI) data mapping, at the category or unit level, to determine what PI repositories exist and which ones present the highest risk.

Step 2

  • Identifying opportunities to stop collecting high-risk PI, and any other PI if it is not necessary to support the unit’s activities. Additionally, we explore ways to reduce the need to download PI from source systems and store it on mobile devices.

Step 3

  • Partnering with units to perform PI risk assessments to determine if PI is handled in a secure manner. Current risk assessments include:
    • Operational Risk Assessment (ORA) – a management tool to assess at the department / unit level the risks associated with end-user handling of PI;
    • User Risk Assessment (URA) – an end-user tool built to support the ORA and to provide an educational tool that any employee can use to familiarize themselves with key privacy and information security requirements; and
    • Application Risk Assessment (ARA) – a technical tool for IT personnel to assess the level of risk associated with the technical requirements defined in the Information Security Standards.

Step 4

  • Following up with units semi-annually to obtain a progress report and provide any additional support that may be required.

What are RMS’ key deliverables?

  1. A simple, practical action plan to reduce key risks and gaps against the Privacy and Paper Security Fact Sheets and the Information Security Standards, together with a unit heat map, to enable units to prioritize their individual actions based on the level of risk they are currently exposed to.
  2. Our work significantly informs other Privacy and Information Security Initiatives including:
    • Updates to the Information Security Standards – we provide feedback to UBC IT on areas that units are struggling to comply with and the reasons why.
    • Privacy & Information Security Training and Awareness – we provide common risk areas (identified during our risk assessment activities) to ensure these are addressed in a manner that helps educate employees on their responsibilities.
