Check with the National Vulnerability Database to determine the risk and proceed accordingly.
Run monthly scans of applications to check for issues and classify the application, e.g. with Qualys.
Include security as a design requirement. Review all code and correct identified security flaws prior to deployment using tools like Klocwork.
Audit existing accounts and privileges quarterly. Enforce password complexity and require periodic changes (max. 6 months) with no repetitions in the past 5 changes.
Back up application data at least weekly. Encrypt backup data in transit and at rest.
Two-step authentication is required for all interactive user and administrator logins to Moderate and High Risk systems, e.g. Google Authenticator, Yubico.
Forward logs to a remote log server. University Systems service is recommended.
All administrative tasks are to be done from a privileged workstation dedicated to admin controls.
Require a physical key to authenticate to systems with high risk such as financial information.
All high severity patches are to be applied within seven days of publication and other patches within 90 days. The patches and vulnerabilities are based on the National Vulnerability Database. This is required for endpoints of all risk types.
Endpoints must be configured with disk encryption to prevent the theft of data using hardware vulnerabilities.
Install configuration management tools on the endpoint to automatically apply patches and updates.
Maintain a list of network and node configuration information. Review and update the records every quarter.
Install antivirus and anti-malware software on all endpoints, e.g. Malwarebytes and Avira.
Back up user data daily. Encrypt the backup data in transit and at rest.
Admin accounts can be accessed only through the machines dedicated to admin tasks. This gives a degree of control over admin-related tasks. It is a must for high risk endpoints.
All administrative tasks to be done from a privileged work station dedicated for admin controls
Require employees to disable Bluetooth on endpoints with access to medium and high risk.
Based on National Vulnerability Database (NVD) ratings, apply high severity security patches within 7 days of publication and all other security patches within 90 days.
Perform a monthly scan via Acunetix Web Vulnerability Scanner and Burp Suite. Remediate high severity findings within 7 days of discovery.
Maintain a backup service through the Tivoli Storage Manager (TSM) system 24 hours a day, 365 days a year. Encrypt the backup data in transit and at rest.
Enable host-based Symantec Endpoint Protection (SEP) and permit the minimum necessary services.
Require two-factor or multi-factor authentication for interactive user and administrative banner logins.
Forward logs to a remote log server. University System service recommended.
Attend at least one University of Victoria Information Security Advanced Workshop training course semi-annually.
Implement PCI DSS, PIPEDA, FIPPA, and other security controls as applicable.
Use a supervised machine learning model to find out. In particular, a multiclass neural network can be trained to determine the probability that a given piece of data or service or unit is low, medium, or high risk. This is not meant to replace human judgement but to enhance it.
One such model is described in Fig. 1 below. Whether something is high or low or medium risk depends largely on the department that deals with it, whether there is more than one department involved, whether its disclosure would impact the organization in a negative manner, and so on. This information can be used to predict the probability that a given piece of data or service or unit is low, medium, or high risk.
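A small sketch of the classifier described above, added here as an example and not taken from the proposal. It uses softmax regression (a single-layer network with no hidden layer) in place of a full multiclass neural network; the three binary features, their encoding, and the training labels are constructed assumptions based on the factors named in the paragraph.

```python
import math

CLASSES = ["low", "medium", "high"]

# Constructed training records (not real UVic data). Features, in order:
#   sensitive_dept     - handled by a department such as finance (assumed encoding)
#   multi_dept         - more than one department is involved
#   harmful_disclosure - disclosure would impact the organization negatively
TRAIN = [
    ((0, 0, 0), "low"),
    ((1, 0, 0), "medium"), ((0, 1, 0), "medium"), ((0, 0, 1), "medium"),
    ((1, 1, 0), "high"), ((1, 0, 1), "high"), ((0, 1, 1), "high"),
]

def softmax(logits):
    """Numerically stable softmax over a list of logits."""
    exps = [math.exp(z - max(logits)) for z in logits]
    total = sum(exps)
    return [e / total for e in exps]

def probabilities(model, features):
    """Return {class: probability} for one feature tuple."""
    x = list(features) + [1.0]  # trailing 1.0 is the bias input
    logits = [sum(w * xi for w, xi in zip(row, x)) for row in model]
    return dict(zip(CLASSES, softmax(logits)))

def train(records, epochs=5000, lr=0.5):
    """Full-batch gradient descent on cross-entropy; zero init, so deterministic."""
    n_in = len(records[0][0]) + 1
    model = [[0.0] * n_in for _ in CLASSES]
    for _ in range(epochs):
        grad = [[0.0] * n_in for _ in CLASSES]
        for features, label in records:
            x = list(features) + [1.0]
            probs = probabilities(model, features)
            for k, cls in enumerate(CLASSES):
                err = probs[cls] - (1.0 if cls == label else 0.0)
                for j, xi in enumerate(x):
                    grad[k][j] += err * xi / len(records)
        for k in range(len(CLASSES)):
            for j in range(n_in):
                model[k][j] -= lr * grad[k][j]
    return model

def classify(model, features):
    """Return (most probable class, full probability table) for human review."""
    probs = probabilities(model, features)
    return max(probs, key=probs.get), probs

MODEL = train(TRAIN)
print(classify(MODEL, (1, 1, 1)))  # (1, 1, 1) is absent from TRAIN
```

Returning the full probability table alongside the label lets a reviewer see how close a borderline record was to the next category before accepting the classification.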
Use a supervised machine learning model to find out. In particular, a binary linear classifier can be trained to determine the probability that a given event is an incident. This is not meant to replace human judgement but to enhance it.
This is better than having a database of incidents because, as that database keeps growing, so do the computational needs to traverse it, and time gets wasted. A pretrained machine learning model produces a result instantaneously.
We are a team of information security professionals currently working on completing our Master of Engineering in Information Security and Telecommunications. This is our proposal for minimum security standards for the University of Victoria. We all contributed equally to this project. We all like Indian cuisine even though not all of us are from India. Below is a selfie of us arranged in alphabetical order without actually trying to accomplish this because we're that cool. From left to right: Alice Irankunda, Aman Kaur, Ishu Tiwari, Marina Danchovsky Ibrishimova, Raghav Aridhasan.
1. Create fun posters, workshops and involve multidisciplinary UVic students
2. Reduce data risk classification from 4 to 3 simple categories: Low, Medium, High
3. Create a machine learning model for data risk classification.
4. Get a third party to assess the current situation.
5. Replace library desks with ones that allow for more privacy
6. Require a physical key to authenticate to systems with high risk data
7. Create a minimum standards website that is easily accessible and interactive for quick reference