Information Risk Categories

This page lists the Risk Categories of the Information Risk Self-Assessment. Click on a section to view the specific assessment questions in that area and references to U of T security controls. Further guidance, existing U of T resources, and links to industry best practices can also be found here.

A list of the priority questions for 2020/21 can be found here.

Each question in the assessment is scored using a Capability Maturity Model. Click here for descriptions of the CMM Scores.

• MANAGEMENT RISK

  MGT1 - Information Risk Management Program
  MGT1.1: Has the unit a) defined who is responsible for ensuring the Information Risk Management Program (IRMP) is carried out, and b) allocated funding to support the implementation of the IRMP?

  MGT2 - Compliance management
  MGT2.1: Has the unit's Information Risk Management Program (IRMP) been updated to address any issues identified in its most recent assessment or audit?

• BUSINESS RISK

  BUS1 - Finance system-related risk
  BUS1.1: Has a review of user roles and assignments been performed for all applicable financial systems to ensure that duties are correctly segregated?

  BUS1.2: Has Payment Card Industry-Data Security Standard (PCI-DSS) compliance been confirmed for all unit activities involving payment cards?

  BUS2 - Business continuity risk
  BUS2.1: Does the unit maintain an inventory of all mission critical systems and processes?

  BUS2.2: Has a business continuity plan been created for critical systems and processes?

  BUS2.3: Has the unit's continuity plan for each mission critical system / process been tested in the previous 24 months or according to the unit's planned testing schedule?

• PURCHASING RISK

  PUR1 - Contract management risk
  PUR1.1: Do unit acquisitions of technology-related software products and information services include security assessments and include contractual requirements for information security and the protection of privacy?

  PUR1.2: For unit purchases requiring third party access to data and/or network-access, does the unit ensure all access is approved for specific time periods, and documented, before access is granted?

• HUMAN RESOURCES RISK

  HR1 - Employment risk
  HR1.1: Does the unit ensure a) all new hires agree to institutional policies, and sign any required documents before they are given access to institutional data, and b) all employees with access to information classified as confidential or higher sign required documents according to an established schedule?

  HR1.2: Does a unit employee termination and transfer process exist, including review of and changes to employee access to institutional and unit-specific information systems?

• FACILITIES RISK

  FAC1 - Site-related physical risk
  FAC1.1: Is your unit building protected by physical access devices that record access to a central logging system?

  FAC1.2: In the event of physical access compromise, does your unit mandate appropriate updates to control mechanisms? (e.g. rekeying, auditing electronic entry access lists).

  FAC2 - Workspace-related physical risk
  FAC2.1: Have information assets in publicly-accessible workspaces (e.g. libraries / computer laboratories) been physically secured?

  FAC2.2: Have information assets in personal office cubicles / offices / protected laboratories been physically secured?

   

• LEGAL RISK

  LEG1 - Legal, regulatory, and contractual compliance risk
  LEG1.1: Has the unit reviewed and listed all regulatory, contractual and legal legislation that applies to the unit's business and research activities, and has a process been established to keep this data current?

• INSTITUTIONAL DATA RISK

  DAT1 - Administrative data-related risk
  DAT1.1: Has unit administrative data been classified according to the UofT's data classification?

  DAT1.2: Has data loss prevention (DLP) software been used to detect the presence of restricted institutional data stored on non-restricted information systems?

  DAT1.3 Has a unit records management review been performed?

  DAT2 - Administrative data access risk
  DAT2.1: Has institutional and unit administrative data been protected according to University and / or unit-specific policies to ensure that only authorized users have access?

  DAT 2.2: Does the unit have scheduled reviews of who or what has access to administrative data systems (e.g. ROSI, local unit databases), and are changes made as needed if personnel change between reviews?

   

• RESEARCH DATA RISK

  DAT3 - Research data-related risk
  DAT3.1: What percentage of the unit's researchers classify their data according to the UofT's data classification?

  DAT3.2: What percentage of the unit's researchers know the location of all their research data, including the data of their grad students and / or post-docs?

  DAT3.3: What percentage of the unit's researchers backup their research data, including the data of their grad students and / or post-docs?

• INFORMATION TECHNOLOGY RISK

  • IT1 - Disaster-related risk

    IT1.1: a) Have mission critical information systems and databases been backed up according to a backup plan; b) are backups being stored at a unit approved storage facility or storage facility approved by your responsible ITS department?

    IT1.2: a) Does the unit have a disaster recovery plan for each critical information system for which you are responsible, and if so b) has the disaster recovery plan been tested or exercised on a regular schedule?

  • IT2 - Infrastructure-related risk

    IT2.1: For organizations with confidential, protected or off-line institutional and/or unit data, do physical access controls protect infrastructure locations?

    IT2.2: Are changes to infrastructure (e.g. server rooms, network closets) logged and kept up-to-date?

  • IT3 - Network-related risk

    IT3.1: Do unit diagrams or documentation exist for the unit's network topology and interconnections?

    IT3.2: For units with confidential and / or protected Institutional/unit data, are firewall rules reviewed on a regular schedule?

    IT3.3: Does an organizational/unit log management process exist for network devices?

  • IT4 - Server-related risk

    IT4.1: a) Are security patches on unit server systems kept up-to-date? and b) Does unit server software and hardware get replaced when security patches and support are no longer available from the developer, vendor, or manufacturer?

    IT4.2: Does the unit use a secure configuration for server systems?

    IT4.3: Are logs on unit servers collected and managed such that they cannot be tampered with, and to the extent needed to enable monitoring, analysis, investigation, and reporting of unauthorized activities?

    IT4.4: a) Are vulnerability scans carried out on all unit servers at least monthly and b) are the results reviewed and acted upon on a regular schedule?

  • IT5 - Identity-related risk

    IT5.1: Can each account be identified back to an individual for all accounts on information systems controlled by the unit?

    IT5.2: Are users, devices and other assets authenticated (e.g. password management, multi-factor) commensurate with the risk of the transaction?

    IT5.3: Does a unit administrative account list exist, for a) internal systems and b) vendor systems that are in use?

  • IT6 - Malicious software risk

    IT6.1: Do unit information systems have a) anti-virus software installed and b) antivirus signatures checked and updated daily?

  • IT7 - Application-related risk

    IT7.1: For units that develop applications, have applications been tested to ensure that input is properly validated?

    IT7.2: For units that develop applications with confidential or protected institutional or unit data, do application developers receive secure coding training?

  • IT8 - Development process-related risk

    IT8.1: For units that develop applications, is a software development process used that includes information security?

    IT8.2: For units that develop applications, does a change management log exist for application-related changes?

  • IT9 - Vendor management risk

    IT9.1: For units using third party software products or information services on-prem or in the cloud for confidential or protected institutional or unit data, has: a) a risk assessment (privacy and threat) of the vendor been completed, and; b) does the contract include measures to protect confidential and protected data?

  • IT10 - Client-related risk

    IT10.1: Does the unit maintain a list of exceptions to controls for systems that they manage, and if such exceptions exist, a list of mitigating controls for the listed systems? e.g. systems no longer supported by the vendor, but must still be maintained.

    IT10.2: Does the unit use a secure configuration for client systems?

  • IT11 - Mobile worker-related risk

    IT11.1: For units with confidential or protected institutional or unit data, have mobile devices that access, process, store, or transmit this data been configured with a basic security configuration?

  • IT12 - Message service-related risk

    IT12.1: Have all organizational messaging services been equipped with anti-virus software to detect and block or remove malicious messages or attachments?

    IT12.2: For units with protected institutional / unit data, are messages containing restricted data encrypted in transit?

  • IT13 - Web-related risk

    IT13.1: For units with confidential or protected institutional / unit data, are associated organizational web applications hosted on separate systems from their databases or application servers?

    IT13.2: Have unit web applications been equipped with a secure session tracking mechanism to prevent session hijacking or other session based attacks?

    IT13.3: a) Have unit web applications been scanned for vulnerabilities, and updated if high-level vulnerabilities found? and b) have external providers given results showing they have updated any high-level vulnerabilities found in their application?

  • IT14 - Security incident-related risk

    IT14.1: Does a unit information security incident response plan exist?

    IT14.2: Has the unit's information security incident response plan been tested or exercised?

  • IT15 - Storage media-related risk

    IT15.1: For confidential, protected or off-line institutional / unit data, are all media destroyed using a secure destruction method as approved by the unit / by UofT?

    IT15.2: Do units ensure confidential or protected data kept on movable storage media (e.g. USB media) is kept on encrypted devices?

  • IT16 - User-related risk

    IT16.1: Does a unit information security awareness training program exist for all faculty, staff, student employees, contractors and volunteers?

  • IT17 - Information asset risk

    IT17.1 Does a unit information system asset inventory exist that includes technology and data assets?

  • IT18 - Software License risk

    IT18.1: a) Does a unit software inventory exist, b) does a unit software usage report exist, c) has the report been validated against the actual number of licenses purchased, and d) if there is a discrepancy, is action planned?