Information Risk Categories | Information Security and Enterprise Architecture

This page lists the Risk Categories of the Information Risk Self-Assessment. Click on a section to view the specific assessment questions in that area and references to U of T security controls. Further guidance, existing U of T resources, and links to industry best practices can also be found here.

A list of the priority questions for 2020/21 can be found here.

MGT1 - Information Risk Management Program
MGT1.1: Has the unit a) defined who is responsible for ensuring the Information Risk Management Program (IRMP) is carried out, and b) allocated funding to support the implementation of the IRMP?

MGT2 - Compliance management
MGT2.1: Has the unit's Information Risk Management Program (IRMP) been updated to address any issues identified in its most recent assessment or audit?
BUS1 - Finance system-related risk
BUS1.1: Has a review of user roles and assignments been performed for all applicable financial systems to ensure that duties are correctly segregated?

BUS1.2: Has Payment Card Industry-Data Security Standard (PCI-DSS) compliance been confirmed for all unit activities involving payment cards?

BUS2 - Business continuity risk
BUS2.1: Does the unit maintain an inventory of all mission critical systems and processes?

BUS2.2: Has a business continuity plan been created for critical systems and processes?

BUS2.3: Has the unit's continuity plan for each mission critical system / process been tested in the previous 24 months or according to the unit's planned testing schedule?
PUR1 - Contract management risk
PUR1.1: Do unit acquisitions of technology-related software products and information services include security assessments and include contractual requirements for information security and the protection of privacy?

PUR1.2: For unit purchases requiring third party access to data and/or network-access, does the unit ensure all access is approved for specific time periods, and documented, before access is granted?
HR1 - Employment risk
HR1.1: Does the unit ensure a) all new hires agree to institutional policies, and sign any required documents before they are given access to institutional data, and b) all employees with access to information classified as confidential or higher sign required documents according to an established schedule?

HR1.2: Does a unit employee termination and transfer process exist, including review of and changes to employee access to institutional and unit-specific information systems?
FAC1 - Site-related physical risk
FAC1.1: Is your unit building protected by physical access devices that record access to a central logging system?

FAC1.2: In the event of physical access compromise, does your unit mandate appropriate updates to control mechanisms? (e.g. rekeying, auditing electronic entry access lists).

FAC2 - Workspace-related physical risk
FAC2.1: Have information assets in publicly-accessible workspaces (e.g. libraries / computer laboratories) been physically secured?

FAC2.2: Have information assets in personal office cubicles / offices / protected laboratories been physically secured?
LEG1 - Legal, regulatory, and contractual compliance risk
LEG1.1: Has the unit reviewed and listed all regulatory, contractual and legal legislation that applies to the unit's business and research activities, and has a process been established to keep this data current?
DAT1 - Administrative data-related risk
DAT1.1: Has unit administrative data been classified according to the UofT's data classification?

DAT1.2: Has data loss prevention (DLP) software been used to detect the presence of restricted institutional data stored on non-restricted information systems?

DAT1.3 Has a unit records management review been performed?

DAT2 - Administrative data access risk
DAT2.1: Has institutional and unit administrative data been protected according to University and / or unit-specific policies to ensure that only authorized users have access?

DAT 2.2: Does the unit have scheduled reviews of who or what has access to administrative data systems (e.g. ROSI, local unit databases), and are changes made as needed if personnel change between reviews?
DAT3 - Research data-related risk
DAT3.1: What percentage of the unit's researchers classify their data according to the UofT's data classification?

DAT3.2: What percentage of the unit's researchers know the location of all their research data, including the data of their grad students and / or post-docs?

DAT3.3: What percentage of the unit's researchers backup their research data, including the data of their grad students and / or post-docs?
- IT1.1: a) Have mission critical information systems and databases been backed up according to a backup plan; b) are backups being stored at a unit approved storage facility or storage facility approved by your responsible ITS department?
  
  IT1.2: a) Does the unit have a disaster recovery plan for each critical information system for which you are responsible, and if so b) has the disaster recovery plan been tested or exercised on a regular schedule?
- IT2.1: For organizations with confidential, protected or off-line institutional and/or unit data, do physical access controls protect infrastructure locations?
  
  IT2.2: Are changes to infrastructure (e.g. server rooms, network closets) logged and kept up-to-date?
- IT3.1: Do unit diagrams or documentation exist for the unit's network topology and interconnections?
  
  IT3.2: For units with confidential and / or protected Institutional/unit data, are firewall rules reviewed on a regular schedule?
  
  IT3.3: Does an organizational/unit log management process exist for network devices?
- IT4.1: a) Are security patches on unit server systems kept up-to-date? and b) Does unit server software and hardware get replaced when security patches and support are no longer available from the developer, vendor, or manufacturer?
  
  IT4.2: Does the unit use a secure configuration for server systems?
  
  IT4.3: Are logs on unit servers collected and managed such that they cannot be tampered with, and to the extent needed to enable monitoring, analysis, investigation, and reporting of unauthorized activities?
  
  IT4.4: a) Are vulnerability scans carried out on all unit servers at least monthly and b) are the results reviewed and acted upon on a regular schedule?
- IT5.1: Can each account be identified back to an individual for all accounts on information systems controlled by the unit?
  
  IT5.2: Are users, devices and other assets authenticated (e.g. password management, multi-factor) commensurate with the risk of the transaction?
  
  IT5.3: Does a unit administrative account list exist, for a) internal systems and b) vendor systems that are in use?
- IT6.1: Do unit information systems have a) anti-virus software installed and b) antivirus signatures checked and updated daily?
- IT7.1: For units that develop applications, have applications been tested to ensure that input is properly validated?
  
  IT7.2: For units that develop applications with confidential or protected institutional or unit data, do application developers receive secure coding training?
- IT8.1: For units that develop applications, is a software development process used that includes information security?
  
  IT8.2: For units that develop applications, does a change management log exist for application-related changes?
- IT9.1: For units using third party software products or information services on-prem or in the cloud for confidential or protected institutional or unit data, has: a) a risk assessment (privacy and threat) of the vendor been completed, and; b) does the contract include measures to protect confidential and protected data?
- IT10.1: Does the unit maintain a list of exceptions to controls for systems that they manage, and if such exceptions exist, a list of mitigating controls for the listed systems? e.g. systems no longer supported by the vendor, but must still be maintained.
  
  IT10.2: Does the unit use a secure configuration for client systems?
- IT11.1: For units with confidential or protected institutional or unit data, have mobile devices that access, process, store, or transmit this data been configured with a basic security configuration?
- IT12.1: Have all organizational messaging services been equipped with anti-virus software to detect and block or remove malicious messages or attachments?
  
  IT12.2: For units with protected institutional / unit data, are messages containing restricted data encrypted in transit?
- IT13.1: For units with confidential or protected institutional / unit data, are associated organizational web applications hosted on separate systems from their databases or application servers?
  
  IT13.2: Have unit web applications been equipped with a secure session tracking mechanism to prevent session hijacking or other session based attacks?
  
  IT13.3: a) Have unit web applications been scanned for vulnerabilities, and updated if high-level vulnerabilities found? and b) have external providers given results showing they have updated any high-level vulnerabilities found in their application?
- IT14.1: Does a unit information security incident response plan exist?
  
  IT14.2: Has the unit's information security incident response plan been tested or exercised?
- IT15.1: For confidential, protected or off-line institutional / unit data, are all media destroyed using a secure destruction method as approved by the unit / by UofT?
  
  IT15.2: Do units ensure confidential or protected data kept on movable storage media (e.g. USB media) is kept on encrypted devices?
- IT16.1: Does a unit information security awareness training program exist for all faculty, staff, student employees, contractors and volunteers?
- IT17.1 Does a unit information system asset inventory exist that includes technology and data assets?
- IT18.1: a) Does a unit software inventory exist, b) does a unit software usage report exist, c) has the report been validated against the actual number of licenses purchased, and d) if there is a discrepancy, is action planned?