This page lists the Risk Categories of the Information Risk Self-Assessment. Click on a section to view the specific assessment questions in that area and references to U of T security controls. Further guidance, existing U of T resources, and links to industry best practices can also be found here.

Each question in the assessment is assessed using a scoring model. Click here for descriptions of the Scores.

MGT1 - Information Risk Management Program

MGT1.1: Does your unit periodically assess the risks to your mission, operations, assets, and individuals, resulting from the collection and use of data assets and information systems?

MGT1.2: What percent of your IT budget is spent on information security?

MGT1.3: What number of FTE are dedicated to Information Security (e.g. 0.5, 1.0, 5.0)?

MGT2 - Compliance management

MGT2.1: Has your unit's Information Risk Management Program (IRMP) been updated to address any issues identified in its most recent assessment or audit?

BUS1 - Finance system-related risk

NOTE: BUS1.1 has been modified and moved to DAT2.3

BUS1.2: Has Payment Card Industry-Data Security Standard (PCI-DSS) compliance been confirmed for all unit activities involving payment cards?

BUS2 - Business continuity risk

BUS2.1: Does the unit maintain an inventory of all mission critical systems and processes?

BUS2.2: Has a business continuity plan been created for critical systems and processes?

BUS2.3: Has the unit's continuity plan for each mission critical system / process been tested in the previous 24 months or according to the unit's planned testing schedule?

PUR1 - Contract management risk

PUR1.1: For units using third party software products or information services on-prem or in the cloud for Level 3 or Level 4 data, has: a) a risk assessment (privacy and threat) of the vendor been completed, and b) does the contract include measures to protect Level 3 and Level 4 data?

PUR1.2: For unit purchases requiring third party access to data and/or network-access, does the unit ensure all access is approved for specific time periods, and documented, before access is granted?

HR1 - Employment risk

HR1.1: Does the unit ensure a) all new hires agree to institutional policies, and sign any required documents (including unit or program-specfic policies) before they are given access to University data? and b) all employees with access to information classified as Level 3 or higher sign required documents according to an established schedule?

HR1.2: Are organizational systems containing the University's data protected during and after personnel actions such as terminations and transfers?

FAC1 - Site-related physical risk

FAC1.1: Is physical access to organizational data, systems, equipment, and the respective operating environments limited to authorized individuals and is access monitored?

FAC1.2: Are physical access devices / systems controlled and managed (physical access devices include keys, locks, combinations, fob devices and card readers)?

FAC2 - Workspace-related physical risk

FAC2.1: Have data assets and systems in publicly-accessible workspaces (e.g. libraries / computer laboratories) been physically secured?

FAC2.2: Have information assets in personal office cubicles / offices / protected laboratories been physically secured?

LEG1 - Legal, regulatory, and contractual compliance risk

LEG1.1: Has the unit reviewed and listed all regulatory, contractual and legal legislation that applies to the unit's business and research activities, and has a process been established to keep this data current? Are these communicated to staff who need to know?

DAT1 - Administrative data-related risk

DAT1.1: Has unit administrative data been classified according to the UofT's data classification?

DAT1.2: Does your unit employ technical or procedural mechanisms to prevent Level 3 or Level 4 data assets from being transferred to or stored on unauthorized  systems?

DAT1.3: Is your unit's records management policy reviewed and updated on a periodic basis?

DAT2 - Administrative data access risk

DAT2.1: Are there processes in place to ensure that only authorized users have access to institutional and unit administrative data assets and information systems?

DAT 2.2: Does the unit have scheduled reviews of who or what has access to administrative data systems (e.g. ROSI, local unit databases), and are changes made as needed if personnel change between reviews?

DAT2.3: Has a review of user roles and assignments been performed for access to all data assets and information systems under the control of your unit to ensure that duties are correctly separated?

DAT3 - Research data-related risk

It is not expected that units will know the precise answers to these questions at the time of their first assessment. Please answer based on what is currently known in the unit.

DAT3.1: What percentage of the unit's researchers classify their data according to the UofT's data classification?

DAT3.2: What percentage of the unit's researchers know the location of all their research data, including the data of their grad students and / or post-docs?

DAT3.3: What percentage of the unit's researchers backup their research data, including the data of their grad students and / or post-docs?

IT1 - Disaster-related risk

IT1.1: a) Have mission critical information systems and databases been backed up according to a backup plan; b) are backups being stored at a unit approved storage facility or storage facility approved by your responsible ITS department?

IT1.2: a) Does the unit have a disaster recovery plan for each critical information system for which you are responsible, and if so b) has the disaster recovery plan been tested or exercised on a regular schedule?

IT2 - Infrastructure-related risk

IT2.1: For information systems with Level 3 or Level 4 data, do physical access controls protect infrastructure locations?

IT2.2: Do change management logs exist for infrastructure-related changes the unit is responsible for? (e.g. changes to server rooms, wiring closets, drop locations, cabling, etc.)

IT3 - Network-related risk

IT3.1: Do unit diagrams or documentation exist for the unit's network topology and interconnections?

IT3.2: Does the unit have a process to review and approve firewall changes on networks? And are unit-controlled firewall rules reviewed on a regular schedule?

IT3.3: For units that manage network devices (firewalls, routers, switches, etc.), are logs collected and managed to enable monitoring, analysis, investigation, and reporting of unauthorized activities? Are the integrity of logs and the log management processes protected?

IT4 - Server-related risk

IT4.1: For units that manage server systems: a) Are security patches kept up-to-date? and b) Does software and hardware get replaced when security patches and support are no longer available from the developer, vendor, or manufacturer?

IT4.2: Does the unit use a secure configuration for server systems?

IT4.3: For units that manage server systems, are logs collected and managed to enable monitoring, analysis, investigation, and reporting of unauthorized activities? Are the integrity of logs and the log management processes protected?

IT4.4: a) Are vulnerability scans carried out on all unit servers at least monthly and b) are the results reviewed and acted upon on a regular schedule?

IT5 - Identity-related risk

IT5.1: Can each account be identified back to an individual for all accounts on information systems controlled by the unit?

IT5.2: Are users, devices and other assets authenticated (e.g. password management, multi-factor) commensurate with the risk of the transaction?

IT5.3: Does your unit employ the principle of least privilege when granting access, including for specific security functions and privileged accounts?

IT5.4: Does your unit have mechanisms in place to provide additional protections for privileged accounts?

IT6 - Malicious software risk

IT6.1: Do all unit information systems (mobile, client and server systems) have end-point protection commensurate with the risk profile of the system?

IT7 - Application-related risk

IT7.1: For units that develop applications, are there processes in place to ensure that common vulnerabilities have been identified and remediated prior to deployment?

IT7.2: For units that develop applications interacting with Level 3 or Level 4 data, do application developers receive secure coding training?

IT8 - Development process-related risk

IT8.1: For units that develop applications, does your unit employ a secure software development process?

IT8.2: For units that develop applications, does a change management log exist for application-related changes?

In 2021/22 this question has been merged with PUR1.1

IT10 - Client-related risk

IT10.1: For units that manage client systems (desktops, laptops): a) Are security patches kept up-to-date? and b) Does software and hardware get replaced when security patches and support are no longer available from the developer, vendor, or manufacturer?

IT10.2: Does the unit use a secure configuration for client systems (laptops, desktops)?

IT11 - Mobile worker-related risk

IT11.1: For units managing Level 3 or Level 4 data, have mobile devices that access, process, store, or transmit these data been configured with a basic security configuration?

IT11.2: Have all staff, contractors and volunteers accessing Level 3 or Level 4 unit data remotely (e.g. from their homes, at alternative worksites, when travelling, etc.) been informed of the UofT Remote Work Guidelines?

IT12 - Message service-related risk

IT12.1: For units managing their own email or messaging services (separate from the University M365 offering), are those services equipped with anti-virus software to detect and block or remove malicious messages or attachments?

IT12.2: Are messages (email, chat) containing Level 3 or Level 4 data encrypted in transit?

IT13 - Web-related risk

IT13.1: For units that manage their own web applications that collect, process or store Level 3 or Level 4 data, are application servers and databases separated using firewalls or other access control policies?

IT13.2: Have unit web applications been equipped with a secure session tracking mechanism to prevent session hijacking or other session based attacks?

IT13.3: a) Have unit web applications been scanned for vulnerabilities, and updated if high-level vulnerabilities found? and b) have external providers given results showing they have updated any high-level vulnerabilities found in their application?

IT14 - Security incident-related risk

IT14.1: Has the unit established an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities?

IT14.2: How many information security incidents did your unit experience in the past 12 months? This value will not be included in the overall risk score.

IT14.3: Has the unit's information security incident response plan been tested or exercised?

IT15 - Storage media-related risk

IT15.1: Are all system media containing Level 3 or Level 4 data (hard drives, removable devices, mobile devices) sanitized or destroyed before disposal or release for reuse?

IT15.2: Are all Level 3 or Level 4 data kept on removable / mobile storage media (e.g. USB media, mobile devices, laptops) encrypted?

IT16 - User-related risk

IT16.1: Does a unit information security awareness training program exist for all faculty, staff, student employees, contractors and volunteers?

IT17 - Information asset risk

IT17.1: Does a unit information system asset inventory exist that includes information systems and data assets? And is this maintained?

IT18 - Software License risk

IT18.1: Does a unit software inventory exist, that includes all software installed on unit-managed end-points? If so, is the inventory maintained and kept up-to-date?