Vancouver Island University is falling short in managing cybersecurity, an audit by the province’s auditor general has found.
In a press release issued Tuesday, Aug. 1, the B.C. Office of the Auditor General stated that VIU’s board of governors “needs to improve its oversight of the university’s cybersecurity risk management practices,” citing deficiencies in the board’s training and policy and strategy oversight, which the report said are vital safeguards for the post-secondary institution’s systems and data.
Boards manage cybersecurity by holding universities responsible for identifying and mitigating risks, the press release said.
In addition to not sufficiently managing risk mitigation strategies, the audit found VIU’s board lacked training in cybersecurity risk management. Board members should be trained in cybersecurity risk management first when they join the board, and every year thereafter.
“The board doesn’t have a development program to increase their subject matter knowledge in areas of risk, including cybersecurity risk, to assist them in their oversight responsibilities,” the audit stated.
The board had not approved an updated risk management policy in more than 10 years, with the last one approved in 2012. Further, “for most of the last fiscal year, the board of governors had not reviewed cybersecurity risk mitigation strategies which include compliance with legal and regulatory requirements,” noted the audit.
The auditor general recommends VIU ensure that rules and documentation describing cybersecurity risk management are examined and approved as scheduled. Other recommendations were designing a yearly development program and making sure board members undergo yearly training on cybersecurity risk management, amending board orientation to include rules and responsibilities on cybersecurity risk management oversight, and reviewing strategies throughout the year.
At a press conference today, Michael Pickup, B.C.’s auditor general, said VIU’s board has accepted the report’s recommendations and he is pleased that it will act on them. In addition, he hopes other universities can learn from the report.
Pickup noted that cyberattacks are becoming commonplace and are always changing and growing, and that institutions like VIU play an important role in protecting themselves against ransomware and the like. Auditors did not examine the university’s network infrastructure.
“The audit objective really was whether the board was providing oversight of cybersecurity risk management practices,” he said. “So it was really focused on whether the board was doing what they ought to be doing as one component of this. It wasn’t actually in there trying to test systems, trying to test controls over cybersecurity. We are looking at that big picture.”
VIU was chosen for the audit based on its size.
“Rather than picking, for example, the smallest organization in the province or the largest organization in the province, we thought we would get something of the typical size … to get into organizations where we may not have been, and to remind people that it is possible that we will come and do an audit,” said Pickup.
In a statement, VIU reiterated that it accepts the findings.
“VIU’s board of governors has accepted and is working on implementing the auditor general’s four recommendations. VIU’s board appreciates [the] review and hopes the information in the report will benefit governance at other post-secondary institutions,” the statement noted.
VIU has approximately 12,000 students and 1,500 faculty and staff at campuses in Nanaimo, Duncan, Parksville and Powell River.
The audit took place between April 1, 2022 and March 31, 2023.