VIU board failed in oversight of cybersecurity management says auditor general

Auditor General Michael Pickup said Vancouver Island University’s board of governors failed to provide proper oversight of the university’s cybersecurity practices in a report released on Tuesday. Undated file photo provided by the Office of the Auditor General of British Columbia.

Vancouver Island University’s board of governors failed to provide oversight of the university’s cybersecurity policies according to a new report by B.C’s Auditor General Michael Pickup on Tuesday.

With 12,000 students and 1,500 faculty and staff Pickup said it is vital for VIU to do everything it can to protect their information.

“We concluded that the VIU board of governors has not provided oversight of the university’s cybersecurity risk management practices,” said Pickup

The report made three key findings:

  • The board established oversight roles and responsibilities, but policies were out of date.

  • The board training on how to oversee cybersecurity risk management was inadequate.

  • A risk management framework was developed, but the board did not review the mitigation strategies until the end of the last fiscal year.

Vancouver Island University said in a statement that “VIU’s board of governors has accepted and is working on implementing the auditor general’s four recommendations.”

Those four recommendations are to:

  • Ensure that governance and policy documents defining roles and responsibilities for cybersecurity risk management are reviewed and approved as scheduled.

  • Create an annual development program and ensure board members receive annual training on cybersecurity risk management to support them in their oversight role.

  • Update the board orientation program to include information on the roles and responsibilities for oversight of cybersecurity risk management.

  • Review cybersecurity risk mitigation strategies annually.

The auditor general said he is pleased that VIU is working on addressing the shortcomings the audit found and will be following up to make sure that work is completed.

Pickup says that VIU was chosen for the audit because it is a similar size to other postsecondary institutions in the province. He hopes that the report will prompt other universities and public sector organizations to take a look at their own cybersecurity oversight policies.

“The area of cybersecurity, because it is so risky, because it is ever so changing, it is so impactful, you’ve got to do all you can reasonably be expected to do to help with the lines of defense,” he said. “Board oversight and governance of cybersecurity is one of those lines of defense.”


Funding Note: This story was produced with funding support from the Local Journalism Initiative, administered by the Community Radio Fund of Canada.