This page lists the Risk Categories of the Information Risk Self-Assessment. Click on a section to view the specific assessment questions in that area and references to U of T security controls. Further guidance, existing U of T resources, and links to industry best practices can also be found here.
A list of the priority questions for 2020/21 can be found here.
Each question in the assessment is scored using a Capability Maturity Model. Click here for descriptions of the CMM Scores.
MGT1 - Information Risk Management Program
MGT1.1: Has the unit a) defined who is responsible for ensuring the Information Risk Management Program (IRMP) is carried out, and b) allocated funding to support the implementation of the IRMP?
MGT2 - Compliance management
MGT2.1: Has the unit's Information Risk Management Program (IRMP) been updated to address any issues identified in its most recent assessment or audit?
BUS1 - Finance system-related risk
BUS1.1: Has a review of user roles and assignments been performed for all applicable financial systems to ensure that duties are correctly segregated?
BUS2 - Business continuity risk
BUS2.1: Does the unit maintain an inventory of all mission critical systems and processes?
BUS2.2: Has a business continuity plan been created for critical systems and processes?
FAC1 - Site-related physical risk
FAC1.1: Is your unit building protected by physical access devices that record access to a central logging system?
FAC2 - Workspace-related physical risk
FAC2.1: Have information assets in publicly-accessible workspaces (e.g. libraries / computer laboratories) been physically secured?
LEG1 - Legal, regulatory, and contractual compliance risk
LEG1.1: Has the unit reviewed and listed all regulatory, contractual and legal requirements that apply to the unit's business and research activities, and has a process been established to keep this list current?
DAT1 - Administrative data-related risk
DAT1.1: Has unit administrative data been classified according to the UofT's data classification?
DAT1.3: Has a unit records management review been performed?
DAT2 - Administrative data access risk
DAT2.1: Has institutional and unit administrative data been protected according to University and / or unit-specific policies to ensure that only authorized users have access?
DAT3 - Research data-related risk
DAT3.1: What percentage of the unit's researchers classify their data according to the UofT's data classification?