The program

Information Security at the University of Toronto is a risk management program designed to protect people, data and University digital assets, and is built on shared risk management responsibility between the chief information security officer, unit heads, faculty and all individuals. Service delivery and operational responsibility are a shared stewardship with campus, divisional, departmental, and academic IT, Information Technology Services and others.

The program prioritizes shared areas of focus, largely informed by:

  1. Academic, functional and operational outcomes: Inputs include the mission of the University, campus and divisional strategic plans, departmental goals, etc.
  2. High impact current and emerging risks: Inputs include security assessments, government threat reports, CanSSOC guidance, etc.
  3. Alignment with University information security standards and regulatory and legal requirements: Inputs include the U of T minimum information security standard, FIPPA, PHIPA, PCI-DSS, HIPAA, etc.

The program is governed by the Information Security Council.

U of T Information Security Program Overview
The diagram shows the overview of the Information Security Program. There are five elements in the program:

  • Identify outcomes and risks
  • Protect against security threats
  • Detect security issues as quickly as possible
  • Respond in a timely manner to limit impact
  • Recover and get back to teaching and research

They protect people, data and systems against security threats.

Our goals:

  • Enable mission of the University
  • Increase user trust in institutional systems
  • Reduce security risk and increase maturity
  • Empower divisions, units and scholars

Current objectives:

  • Increase support for research
  • Educate and empower
  • Mitigate risk of remote work
  • Move to “Zero Trust”

Guiding principles:

  • Make iterative improvements that promote cultural change
  • Deliver foundational services that are sustainable and can be re-used

Institutional alignment

IT@UofT

The University’s IT@UofT strategic plan focuses and guides efforts to support the U of T’s academic mission through information technology services, informing the vision, framework and initiatives, both within the ITS division and across the University.

The information security program aligns with and supports the IT@UofT shared approach.

Data governance

U of T’s Institutional Data Strategy (IDS) articulates the University’s data and analytics priorities. Initiatives under the umbrella of the IDS will be tied to improving institutional performance and outcomes (e.g., student success, research productivity, operational excellence), while incrementally introducing new data technologies, processes and/or policies to support those initiatives.

The information security program aligns with and supports the shared data governance strategy.

FIPP Office

The Freedom of Information and Protection of Privacy (FIPP) Office oversees and supports access and protection of privacy at the University, by:

  • Protecting the personal privacy of students, faculty and staff
  • Processing access requests
  • Leading and fostering excellent access and privacy practice

The information security program aligns with and supports the FIPP Office.

More information

Information Security Council

The Information Security Council (ISC) provides broad consultation in planning and decision-making processes as it relates to information security at U of T.

Tri-campus team

The tri-campus Information Security team is a distributed, collaborative team comprised of experts across many disciplines working together to provide a safe and secure environment for the entire U of T community.

Office of the CISO

The chief information security officer (CISO) is responsible for providing strategic leadership and oversight of the University’s information security and privacy programs.

ITS security team

The ITS Information Security and Enterprise Architecture (ISEA) team provides or functionally owns shared services in incident response, remote access, network security, risk assessment, security architecture and identity management.
