
Security consultation

Our Information Security (InfoSec) team is available for security consultations. Many UVic processes require security consultations. Many consultations are informal and brief and can take place over email, Teams chat or a video or voice call. Some large projects and processes require a formal information security review process like a security threat and risk assessment (STRA). We can help you determine what's required for your initiative and how to get started.

If you're managing projects or technology procurements, we encourage you to reach out to us early in the process. We can help you estimate how complex the security considerations will be for your project and may have information about products that have good security practices or have known problems.

We regularly consult on projects related to:

  • technology procurement
  • new system or process implementation
  • software development

Details

Type: Consultation, business process
For: Employees (usually project managers)
Cost: Free

Consultation process

All security reviews begin with a consultation. We offer consultations for all types of projects, including building new software, implementing new systems and buying technology.

Security review is a catch-all term for any type of information security consultation.

Sometimes a security review can be as simple as an informal conversation. More complex ones can include in-depth research and a full security threat and risk assessment or privacy impact assessment.

We'll help you figure out the type of security review needed for your project.

The length of a security review depends on the complexity of your project. The main contributing factors are:

  • intended user base
  • type of data being accessed or stored
  • information about a vendor's security compliance certifications

Our information security standards are a set of guidelines we use to manage UVic's digital infrastructure. They're designed to ensure confidentiality, integrity and availability of university information. These standards are reviewed and updated regularly.

UVic employees can see our .

How it works

  1. You book a consultation and explain your project or technology procurement.
  2. We meet with you and ask follow-up questions to determine the type of security review you need.
  3. We help you complete the security review needed for your project.

Types of security reviews

The most common types of security reviews at UVic are vendor reviews, privacy impact assessments (PIAs), and security threat and risk assessments (STRAs). These are not the only kinds of security reviews that we do.

Vendor reviews are often connected with technical approval as part of UVic's purchasing process. They typically involve gathering information from vendors about their compliance with information security standards.

Some of the questions we'll ask during a vendor review include:

  • Who will be using this software?
  • What type of data will be accessed or stored in this software?
  • Does the vendor have a SOC 2 Type 2 certification?

You don't need to know all the answers to our questions to start a security review consultation. It may take longer to complete, but we can guide you through the process.

Privacy impact assessments (PIAs) are usually done in partnership with the UVic Privacy Office.

A PIA is a risk management review process used to identify and manage privacy risks. PIAs help us determine what information we collect, access and store during projects and service operation. PIAs help us protect personal information for all UVic users.

We can guide you through the PIA process for technology related projects and services.

Why do we need PIAs?

PIAs are required for all public bodies under BC's Freedom of Information and Protection of Privacy Act (FIPPA). We conduct PIAs for new or substantially modified projects, services or activities that support UVic business.

Security threat and risk assessments (STRAs) are the most formal type of security review and usually take the longest to complete.

An STRA is used to determine whether computing devices and software applications meet UVic's security standards.

An STRA can be part of a project, a major system or software application deployment, or an operational process. You can also request one-time or scheduled automated scans.

We usually test against a development or pre-production version of your service to minimize user disruption.

How it works

Once you contact us, we start with a consultation to determine if you need an STRA or another type of security review.

If you need an STRA, we will:

  • develop an assessment scope, plan and schedule
  • conduct the assessment, which includes:
    • reviewing security plans, documentation and controls
    • vulnerability scans
    • performing threat analysis
    • identifying risks
  • make risk mitigation recommendations
  • provide a report with results and recommendations

If you'd like to request an STRA or discuss whether your project needs one, book a consultation with us.

Book a consultation

Contact us to request a consultation by email or book an appointment to talk to someone.