This page lists each question in the IRSA. Further guidance, existing U of T resources, and links to industry best practices can be found here. These are provided for your reference and do not represent formal University of Toronto controls. As formal standards and controls are developed, the guidance will be updated.


MANAGEMENT RISK

MGT1 – Information Risk Management Program


MGT1.1: Does your unit periodically assess the risks to your mission, operations, assets, and individuals, resulting from the collection and use of data assets and information systems?

— —

“Academic and administrative unit heads shall be responsible for assuring the protection of Digital Assets within their units in accordance with this Policy and associated Procedures and Standards…(and) develop an Information Risk Management Program appropriate to the circumstances of the unit, to be approved by the unit head.” – Policy on Information Security and the Protection of Digital Assets

An Information Risk Management Program includes:

  • assessment of your current risk
  • strategies and plans for prioritizing and reducing any risks identified in assessments
  • communicating your risks and plans to stakeholders
  • monitoring for impact to risk as circumstances change

For guidance on completing the Information Security Risk Self-Assessment, please visit our Training & Resources page.

In the first year of the assessment most units will score zero, since they will be completing the assessment for the first time and still developing their program.

— —

References

University of Toronto Policy on Information Security and the Protection of Digital Assets

UofT Information Security Standards

  • RA-1: Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of the University’s data

NIST Cybersecurity Framework mapping

  • ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
  • ID.GV-1: Organizational cybersecurity policy is established and communicated
  • ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
  • ID.RA-1: Asset vulnerabilities are identified and documented
  • ID.RA-3: Threats, both internal and external, are identified and documented
  • ID.RA-4: Potential business impacts and likelihoods are identified
  • ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
  • ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
  • ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
  • ID.SC-2: Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
  • RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks

MGT2 – Compliance Management


MGT2.1: Has the unit’s Information Risk Management Program (IRMP) been updated to address any issues identified in its most recent assessment or audit?
— —

If your unit has undergone an internal Information Systems Audit or an external Information Security or Privacy Assessment, you may refer to any findings from those exercises as part of your response.

In the second year of the assessment you will have the results from the first year of the assessment to inform your response.

— —

References

UofT Information Security Standards

  • RA-3: Remediate vulnerabilities in accordance with risk assessments.

NIST Cybersecurity Framework mapping

  • ID.RA-6: Risk responses are identified and prioritized
  • PR.IP-7: Protection processes are improved
  • PR.IP-12: A vulnerability management plan is developed and implemented
  • RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks

BUSINESS RISK

BUS1 – Finance system-related risk


NOTE: BUS1.1 has been modified and moved to DAT2.3



BUS1.2: Has Payment Card Industry – Data Security Standard (PCI-DSS) compliance been confirmed for all unit activities involving payment cards?
— —
PCI Security Standards Council – Assessing the Security of Your Cardholder Data

It is the responsibility of any units accepting payment through credit cards to ensure that they are in compliance with the Payment Card Industry – Data Security Standard (PCI-DSS).

Maintaining payment security is required for all organizations that store, process, or transmit cardholder data. The PCI-DSS sets the technical and operational requirements for organizations accepting or processing credit card payment transactions. The PCI Security Standards Council website contains guidance and resources for organizations that accept payment through Credit Cards, to help them assess their compliance with the standard.

BUS2 – Business Continuity risk


BUS2.1: Does the unit maintain an inventory of all mission critical systems and processes?
— —
A comprehensive inventory of the essential systems and processes that support program or service delivery within your unit enables other management activities such as risk management and business continuity planning. Understanding your critical systems, processes, and dependencies will help you determine your unit’s tolerance for disruption, as well as the level of investment required to keep systems secure and operational.

If your unit does not yet have an inventory of critical systems and processes, you can start with documenting these items:

  • business priorities (critical business processes);
  • business dependencies (critical information resources, people, information systems, or other business processes);
  • maximum allowable disruption (how long can the unit operate without a given critical business process before suffering a significant consequence).


References

The U of T Business Continuity Planning website provides a BCP planning template that includes worksheets that will help you document important information about your critical systems.

NIST Cybersecurity Framework mapping

  • ID.AM-1: Physical devices and systems within the organization are inventoried
  • ID.AM-2: Software platforms and applications within the organization are inventoried
  • ID.AM-3: Organizational communication and data flows are mapped
  • ID.AM-4: External information systems are catalogued
  • ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
  • ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
  • ID.BE-4: Dependencies and critical functions for delivery of critical services are established


BUS2.2: Has a business continuity plan been created for critical systems and processes?
— —
A business continuity plan defines how an organization continues to operate after a disruptive event. It is distinct from an IT Disaster Recovery Plan (see IT1 – Disaster-related risk).

The intent of the question is to help you understand whether you can carry on your business if one of your critical systems is not available.

U of T Business Continuity Planning

The purpose of a BCP is to facilitate the recovery and resumption of critical functions through the development of plans, procedures and provisions for alternate sites, personnel, resources, inter-operable communications and vital records/databases. This website provides templates and resources to help units develop their business continuity plans.

References

NIST Cybersecurity Framework mapping

  • ID.BE-1: The organization’s role in the supply chain is identified and communicated
  • ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)
  • ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers
  • PR.DS-4: Adequate capacity to ensure availability is maintained
  • PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
  • DE.AE-4: Impact of events is determined
  • RS.RP-1: Response plan is executed during or after an incident
  • RS.CO-1: Personnel know their roles and order of operations when a response is needed
  • RS.CO-3: Information is shared consistent with response plans
  • RS.CO-4: Coordination with stakeholders occurs consistent with response plan


BUS2.3: Has the unit’s continuity plan for each mission critical system / process been tested in the previous 24 months or according to the unit’s planned testing schedule?
— —
This capability will help you understand whether your business continuity plans are sufficient to mitigate the impacts of major operational disruptions. Tests may range from table-top exercises to more elaborate simulations; in either case they help you understand whether you can carry on your business if one of your critical systems is not available. Test results should be reviewed, and corrective actions initiated where required.

Resources are available at the U of T Business Continuity Planning website.

References

NIST Cybersecurity Framework mapping

  • RS.IM-1: Response plans incorporate lessons learned
  • RS.IM-2: Response strategies are updated
  • RC.IM-1: Recovery plans incorporate lessons learned
  • RC.IM-2: Recovery strategies are updated
  • RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams

PURCHASING RISK

PUR1 – Contract management risk


PUR1.1: For units using third party software products or information services on-prem or in the cloud for Level 3 or Level 4 data, has: a) a risk assessment (privacy and threat) of the vendor been completed, and b) does the contract include measures to protect Level 3 and Level 4 data?

— —
If institutional data will be collected, processed or stored outside of University-controlled information systems, it is important to ensure that the vendor has taken adequate steps to secure and protect the institutional data that will be processed and / or stored on their systems. Reviewing contract or service agreements for appropriate language around data protection and privacy practices provides assurance that vendors will:

  • protect the data in their systems
  • handle the data according to relevant privacy legislation and according to unit and University objectives

The Information Security department provides assessment services and advice for units considering a purchase or acquisition of any software or application interacting with University institutional data.

Information Risk Management Assessment for projects

References

UofT Information Security Standards

  • RA-1: Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of the University’s data.
  • RA-3: Remediate vulnerabilities in accordance with risk assessments.

NIST Cybersecurity Framework mapping

  • ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
  • ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
  • ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
  • ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations
  • PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
  • PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity
  • DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
  • ID.RA-1: Asset vulnerabilities are identified and documented
  • ID.RA-3: Threats, both internal and external, are identified and documented
  • ID.RA-4: Potential business impacts and likelihoods are identified
  • ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
  • RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks


PUR1.2: For unit purchases requiring third party access to data and/or network-access, does the unit ensure all access is approved for specific time periods, and documented, before access is granted?
— —
From time to time, vendors may require that their employees have privileged access to university networks or data in order to fulfill their agreements. Third-party access to these assets can be managed by ensuring:

  • only authorized users have access;
  • their activities on institutional systems or networks can be monitored;
  • users only have access to the data and functions they need to perform the contracted tasks;
  • access is removed when it is no longer required.

References

UofT Information Security Standards

  • AC-1: Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
  • AC-2: Limit system access to the types of transactions and functions that authorized users are permitted to execute.
  • AC-5: Employ the principle of least privilege, including for specific security functions and privileged accounts.
  • AC-12: Monitor and control remote access sessions.

NIST Cybersecurity Framework mapping

  • PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
  • PR.AC-3: Remote access is managed
  • PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
  • PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
  • PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
  • DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
  • DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed

HUMAN RESOURCES RISK

HR1 – Employment risk


HR1.1: Does the unit ensure a) all new hires agree to institutional policies, and sign any required documents before they are given access to institutional data, and b) all employees with access to information classified as confidential or higher sign required documents according to an established schedule?
— —
U of T policies that are signed on accepting employment are found here: http://policies.hrandequity.utoronto.ca/. For some units, the policies referenced in the letter of offer will be sufficient. There is no institutional requirement for employees to sign additional documents on an established schedule; however, individual units or divisions may have implemented additional requirements, for example:

  • signing required documents on a periodic schedule;
  • additional agreements for sensitive information, critical information systems, privileged access, etc.

References

U of T HR & Equity: Policies and Guidelines

U of T – Information Security Standard

  • PS-2: Ensure that organizational systems containing institutional data are protected during and after personnel actions such as terminations and transfers.

NIST Cybersecurity Framework mapping

  • PR.AT-2: Privileged users understand their roles and responsibilities
  • PR.AT-4: Senior executives understand their roles and responsibilities
  • PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities
  • PR.DS-5: Protections against data leaks are implemented
  • PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)

HR1.2: Does a unit employee termination and transfer process exist, including review and changes of employee access to institutional and unit-specific information systems?
— —
Protecting University data during and after personnel actions may include returning system-related property and conducting exit interviews. System-related property includes hardware authentication tokens, identification cards, institutional or unit data held on personal devices or accounts, keys, and building passes. Termination procedures ensure that departing employees no longer have access to institutional data and that all copies are returned when no longer required. Transfer procedures ensure that transferred employees no longer have access to institutional data they no longer require, and that all copies of such data are returned.

Components of a termination or transfer process may include:

  • Return physical access devices (keys, fobs)
  • Return equipment
  • Return physical files
  • Modify or delete information systems access (for unit systems, and inform centrally-managed services)

Related Resources:

The following links describe how units can request access changes on centrally managed resources.

For other systems, ensure the managing unit is informed of access changes.

References

U of T – Information Security Standard

  • PS-2: Ensure that organizational systems containing institutional data are protected during and after personnel actions such as terminations and transfers.

NIST Cybersecurity Framework mapping

  • PR.DS-5: Protections against data leaks are implemented
  • PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)


FACILITIES RISK

FAC1 – Site-related physical risk


FAC1.1: Is physical access to organizational data, systems, equipment, and the respective operating environments limited to authorized individuals and is access monitored?
— —

Physical access control mechanisms could include issuing keys / fobs to authorized individuals, or employing supervised reception or front desk staff in areas where institutional or unit data assets are kept or accessed (physical or electronic copies).

References

UofT Information Security Standards

  • PP-1: Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.

NIST Cybersecurity Framework mapping

  • PR.AC-2: Physical access to assets is managed and protected
  • DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
  • RS.AN-1: Notifications from detection systems are investigated


FAC1.2: Are physical access devices / systems controlled and managed (physical access devices include keys, locks, combinations, fob devices and card readers)?

— —

For example: are keys and combinations secured, device provision approved by the appropriate person, devices deactivated when lost or stolen, locks re-keyed when keys are lost or stolen?

References

UofT Information Security Standards

  • PP-5: Control and manage physical access devices.

NIST Cybersecurity Framework mapping

  • PR.AC-2: Physical access to assets is managed and protected
  • DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
  • DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
  • DE.DP-3: Detection processes are tested

FAC2 – Workspace-related physical risk


FAC2.1: Have information assets in publicly-accessible work-spaces (e.g. libraries / computer laboratories) been physically secured?

— —

Physical security measures could include locks on cabinets, cable locks on printers and workstations, USB port blocks.

References

UofT Information Security Standards

  • PP-1: Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.

NIST Cybersecurity Framework mapping

  • PR.AC-2: Physical access to assets is managed and protected
  • PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met


FAC2.2: Have information assets in personal office cubicles / offices / protected laboratories been physically secured?

— —

Physical security measures could include locks on office spaces, cabinets, cable locks on printers and workstations.

References

UofT Information Security Standards

  • PP-1: Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.

NIST Cybersecurity Framework mapping

  • PR.AC-2: Physical access to assets is managed and protected
  • PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met

LEGAL RISK

LEG1 – Legal, regulatory and contractual compliance risk


LEG1.1: Has the unit reviewed and listed all regulatory, contractual and legal legislation that applies to the unit’s business and research activities, and has a process been established to keep this data current? Are these communicated to staff who need to know?
— —
It is the responsibility of each unit to know which regulatory, contractual and legal legislation applies to the information that the unit works with.

The Freedom of Information and Protection of Privacy Act (FIPPA) is an example of provincial legislation that applies to most units at the University. Units that deliver healthcare services may also be subject to the Personal Health Information Protection Act (PHIPA).

The Freedom of Information and Protection of Privacy (FIPP) office provides guidance and resources to support University units’ understanding of, and compliance with, applicable privacy legislation.

Other regulatory requirements may be limited to specific Faculties or Divisions, for example, regulations from professional associations or accreditation bodies.

References

NIST Cybersecurity Framework mapping

  • ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed

INSTITUTIONAL DATA RISK

DAT1 – Administrative data-related risk


DAT1.1: Has unit administrative data been classified according to the UofT’s data classification?
— —
Classifying the data that is collected, stored and processed within the unit is an important function of assessing information risk, and determining appropriate security measures for the systems that contain that data. The U of T Data Classification scheme takes into account the sensitivity of various data handled at U of T and the legal obligations for protection that apply. If your unit has not classified its administrative data, start with the critical information assets identified in BUS2.1 (Business Continuity Risk).

When responding to this question, refer to the data which your unit owns or is responsible for, for example data in unit-managed file shares, databases, or other applications. Data that your unit moves from centrally-managed systems to a unit-managed system should also be considered when responding to this question; security protections on the unit-managed systems should be appropriate to the classification of the data they store.

References

U of T Data Classification
Freedom of Information and Protection of Privacy Office
SharePoint Online Rules for Use – provides recommendations and guidelines for use of data in SharePoint Online, mapped to the U of T Data Classification

NIST Cybersecurity Framework mapping

  • ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
  • ID.RA-4: Potential business impacts and likelihoods are identified
  • ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk


DAT1.2: Does your unit employ technical or procedural mechanisms to prevent Level 3 or Level 4 data assets from being transferred to or stored on unauthorized systems?
— —
Procedural mechanisms may include unit policies or guidelines that prevent data users from transmitting information to unsecured systems (e.g. personal email, un-encrypted USB). Technical mechanisms could include data loss prevention software, preventing local syncing or downloading of certain data assets or sensitive data types.

References

UofT Information Security Standards

  • AC-3: Control the flow of the University’s data in accordance with approved authorizations.

NIST Cybersecurity Framework mapping

  • ID.AM-3: Organizational communication and data flows are mapped
  • PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)
  • PR.DS-5: Protections against data leaks are implemented
  • PR.PT-4: Communications and control networks are protected
  • DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed


DAT1.3: Has a unit records management review been performed?
— —
A record is a document, data, or set of data that is created or received in the course of the unit’s operations that has content, structure, fixity, context, and is maintained as evidence of an organization’s activity. Institutional data may reside in university records, be used to produce university records, or may of itself be a university record.

Having a records management plan or policy that includes data retention, archiving and disposal requirements is a key activity in minimizing your unit’s exposure to a security event. Disposing of data when they are no longer required for:

  • the purpose they were collected
  • unit or University policy, or
  • compliance with regulation

reduces the impact of security events involving those data.

References

NIST Cybersecurity Framework mapping

  • ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
  • PR.IP-6: Data is destroyed according to policy

DAT2 – Administrative data access risk

DAT2.1: Are there processes in place to ensure that only authorized users have access to institutional and unit administrative data assets and information systems?
— —

Access to data and functions should be minimized to only those data and functions users need to carry out their duties at the University. Typically the person accountable for the data asset ensures that appropriate data access approval processes are in place. Managers and other privileged users of data assets and systems ensure that the approval processes are enforced when provisioning access.

Managing user access includes ensuring that:

  • only authorized users have access;
  • users only have access to the data and functions they need to perform their work-related tasks;
  • authorized access is consistent with unit or University data policies;
  • access is removed when it is no longer required.

References:

UofT Information Security Standards

  • AC-1: Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
  • AC-2: Limit system access to the types of transactions and functions that authorized users are permitted to execute.
  • AT-3: Provide security awareness training on recognizing and reporting potential indicators of insider threat.

NIST Cybersecurity Framework mapping

  • PR.AC-3: Remote access is managed
  • PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
  • PR.DS-5: Protections against data leaks are implemented

DAT2.2: Does the unit have scheduled reviews of who or what has access to administrative data systems (e.g. ROSI, local unit databases), and are changes made as needed if personnel change between reviews?
— —
The roles and responsibilities of those who have access to data asset systems will change over time. It is important that reviews are carried out to ensure that only authorized users have access to data assets. Regularly reviewing who or what has access to information systems ensures that access is consistent with operational work requirements. Removing unnecessary access identified during reviews lowers the risks associated with unauthorized access to institutional data.

References:

The following links provide information on how units can request access changes to centrally managed resources.

For other systems, ensure the managing unit is informed of access changes.

UofT Information Security Standards

  • AC-1: Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
  • AC-2: Limit system access to the types of transactions and functions that authorized users are permitted to execute.

NIST Cybersecurity Framework mapping

  • PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
  • PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
  • DE.CM-3: Personnel activity is monitored

DAT2.3: Has a review of user roles and assignments been performed for access to all data assets and information systems under the control of your unit to ensure that duties are correctly separated?
— —
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties is important for financial systems, as well as in those contexts where security or high-risk functions should be separated from standard operating activities.

References

UofT Information Security Standards

  • AC-5: Employ the principle of least privilege, including for specific security functions and privileged accounts.
  • AC-6: Use non-privileged accounts or roles when accessing non-security functions.
  • AC-7: Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

NIST Cybersecurity Framework mapping

  • PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties


DAT3 – Research data-related risk



It is not expected that units will know the precise answers to these questions at the time of their first assessment. Please answer based on what is currently known in the unit.



DAT3.1: What percentage of your researchers have been informed and educated about the U of T Data Classification, and have put it into practice?
— —
Classifying the data that is collected, stored, and processed in the course of research-related activities is important to assessing the risks to that data, and determining appropriate security measures for the systems that contain that data. Level 4 data requires stronger protections than Level 1 or Level 2 data.

Research data involving human subjects should also be classified according to the principles set out by the U of T Research Ethics Board, and protected according to the data management plan approved by the REB.

References

U of T Data Classification
Freedom of Information and Protection of Privacy Office
U of T – Research Ethics Board
U of T Libraries – Research Data Management Guide

NIST Cybersecurity Framework mapping

  • ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business (research) value
  • ID.RA-4: Potential business (research) impacts and likelihoods are identified
  • ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk



DAT3.2: What percentage of the unit’s researchers know the location of all their research data, including the data of their grad students and / or post-docs?
— —
Knowing where research data is stored and with whom it is shared is essential to ensuring that all data is appropriately protected and backed up in all locations.

References

NIST Cybersecurity Framework mapping

  • ID.AM-1: Physical devices and systems within the organization are inventoried
  • ID.AM-2: Software platforms and applications within the organization are inventoried
  • ID.AM-3: Organizational communication and data flows are mapped
  • ID.AM-4: External information systems are catalogued
  • ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value



DAT3.3: What percentage of the unit’s researchers back up their research data, including the data of their grad students and / or post-docs?
— —
Implementing a secure backup solution is one line of defence units and researchers can use to protect against the loss or corruption of data; for example, in the event of an accidental deletion, or if a device becomes infected with ransomware.

References

UofT Information Security Standards

  • IR-1: Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

NIST Cybersecurity Framework mapping

  • PR.IP-4: Backups of information are conducted, maintained, and tested periodically
  • PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
  • RC.RP-1: Recovery plan is executed during or after a cybersecurity incident

INFORMATION TECHNOLOGY RISK

IT1 – Disaster-related risk


IT1.1: a) Have mission critical information systems and databases been backed up according to a backup plan; b) are backups being stored at a unit-approved storage facility or a storage facility approved by your responsible ITS department?
— —
Implementing a secure backup solution is one line of defence units can use to protect against the loss or corruption of data; for example, in the event of an accidental deletion, or if a device becomes infected with ransomware.

A typical backup plan defines:

  • systems and data that require backup copies
  • the frequency that copies should be made
  • location of the backup copies
  • schedule for testing or validating backups.

Ideally, one backup copy is stored off-site.

References

UofT Information Security Standards

  • IR-1: Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

NIST Cybersecurity Framework mapping

  • PR.IP-4: Backups of information are conducted, maintained, and tested periodically
  • PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
  • RC.RP-1: Recovery plan is executed during or after a cybersecurity incident


IT1.2: a) Does the unit have a disaster recovery plan for each critical information system for which they are responsible, and if so b) has the disaster recovery plan been tested or exercised on a regular schedule?
— —
A disaster recovery plan (or information contingency plan) is part of overall business continuity planning to ensure continuity of unit functions. Referring back to the data and systems identified in the Data Asset Inventory or in BUS2.1 (Business Continuity risk) or from other Business Continuity Planning documents, the disaster recovery plan may include:

  • IT recovery priorities and objectives;
  • IT recovery roles and responsibilities;
  • contact information for critical IT employees, departments, and/or vendors;
  • strategies to maintain or recover critical information resources and functions when:
    1. IT infrastructure location(s) (data centers, server rooms, or telecommunication wiring closets) are rendered unavailable/unusable for a period long enough to significantly impact essential business processes and functions;
    2. a significant disruption, compromise, or failure of an information system(s) needed to support essential business processes and functions occurs (e.g. critical data corruption or loss, ransomware event, network disruptions);
    3. a number of IT employees are unavailable for a period long enough to significantly impact essential business processes and functions.

References

UofT Information Security Standards

  • IR-1: Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
  • IR-3: Test the organizational incident response capability.

NIST Cybersecurity Framework mapping

  • ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers
  • PR.IP-4: Backups of information are conducted, maintained, and tested periodically
  • PR.IP-10: Response and recovery plans are tested
  • PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
  • DE.AE-4: Impact of events is determined
  • RC.RP-1: Recovery plan is executed during or after a cybersecurity incident
  • RC.IM-1: Recovery plans incorporate lessons learned
  • RC.IM-2: Recovery strategies are updated
  • RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams


IT2 – Infrastructure-related risk


IT2.1: For information systems with Level 3 or Level 4 data, do physical access controls protect infrastructure locations?
— —
Physically securing information systems may include placing technology assets in locked rooms or other secured areas and allowing access to authorized individuals only; placing assets in locations that can be monitored by University personnel may also be considered an access control. Physical access controls that support infrastructure include locked wiring closets and server rooms; disconnected or locked spare jacks; protection of cabling by conduit or cable trays; and wiretapping sensors.

This question is related to IT infrastructure, specifically. See FAC2 for activities relating to protecting physical access to data assets.

References

UofT Information Security Standards

  • PP-1: Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.

NIST Cybersecurity Framework mapping

  • PR.AC-2: Physical access to assets is managed and protected
  • PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
  • DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
  • DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
  • RS.AN-1: Notifications from detection systems are investigated
  • RS.CO-3: Information is shared consistent with response plans


IT2.2: Do change management logs exist for infrastructure-related changes the unit is responsible for? (e.g. changes to server rooms, wiring closets, drop locations, cabling, etc.)
— —
If changes are to be made to physical infrastructure, are they planned and tracked? The purpose of this question is to help you understand whether your method of managing infrastructure change exposes you to risk. Uncontrolled, unmonitored changes may expose networks or information systems to unintended or unauthorized access or modification. A controlled and effective change management process requires a comprehensive and accurate inventory of information systems and components. Changes to this inventory should be logged and monitored, and the resulting records retained.

References

UofT Information Security Standards

  • CM-4: Analyze the security impact of changes prior to implementation.

NIST Cybersecurity Framework mapping

  • PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
  • PR.IP-3: Configuration change control processes are in place


IT3 – Network-related risk


IT3.1: Do unit diagrams or documentation exist for the unit’s network topology and interconnections?
— —

Up-to-date asset inventories, network diagrams and data flow diagrams ensure that the flow of data is tracked throughout your network and infrastructure. This allows you to understand:

  • where access privileges and restrictions need to be applied
  • where encryption needs to be applied to protect communications and data

It will also help you to articulate:

  • security policies, architecture, and control requirements as foundations for design to mitigate risk
  • templates that include security requirements for upgrading existing, and implementing new, resources and infrastructure
  • how to incorporate security requirements into the software development lifecycle
  • layered security protections to reduce susceptibility to disruptions, hazards, and threats

References

UofT Information Security Standards

  • SCP-2: Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

NIST Cybersecurity Framework mapping

  • ID.AM-3: Organizational communication and data flows are mapped
  • PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)
  • PR.PT-4: Communications and control networks are protected


IT3.2: Does the unit have a process to review and approve firewall changes on networks? And are unit-controlled firewall rules reviewed on a regular schedule?
— —

Firewall rules should be reviewed on a regular basis to ensure that:

  • all access is denied by default
  • all allowed access is as specific as possible
  • access that is no longer needed is revoked

Regular review of access and firewall rules should be conducted to ensure that all access is authorized.

If your firewalls are managed outside of your department, please select “University Partner” and the unit responsible for your departmental firewall management.
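The three review criteria above can be turned into an automated check that runs before each scheduled review. The Python script below is an added example, not page or U of T code, and does not use any vendor's rule syntax: rules are constructed dicts evaluated top to bottom, and the `last_hit` field stands in for a device's per-rule hit-counter timestamp. The 90-day staleness threshold is an assumed value.

```python
"""Periodic review of a firewall rule set against the three criteria above.

Added example for IT3.2; it is not page or U of T code and does not use any
vendor's rule syntax. Rules are constructed dicts evaluated top to bottom,
with 'last_hit' standing in for a device's per-rule hit counter timestamp.
"""
from datetime import date, timedelta

ANY = "any"

# Constructed rule set in first-match order; 'last_hit' is None if the rule
# has never matched traffic since it was added.
SAMPLE_RULES = [
    {"id": 10, "action": "allow", "src": "10.20.0.0/16", "dst": "10.30.5.10",
     "port": 443, "last_hit": date(2024, 5, 1)},
    {"id": 20, "action": "allow", "src": ANY, "dst": ANY, "port": ANY,
     "last_hit": date(2024, 5, 2)},
    {"id": 30, "action": "allow", "src": "192.0.2.0/24", "dst": "10.30.5.11",
     "port": 22, "last_hit": None},
    {"id": 40, "action": "allow", "src": "10.20.0.0/16", "dst": "10.30.5.12",
     "port": 3306, "last_hit": date(2023, 11, 1)},
]

DENY_ALL = {"id": "default", "action": "deny", "src": ANY, "dst": ANY,
            "port": ANY, "last_hit": None}


def is_deny_all(rule):
    return rule["action"] == "deny" and all(rule[f] == ANY for f in ("src", "dst", "port"))


def review_rules(rules, today, stale_after=timedelta(days=90)):
    """Return (rule_id, issue) findings. rule_id is None for findings about
    the rule set as a whole. 'stale_after' is an assumed review threshold."""
    findings = []
    # 1. Deny by default: the final rule must drop everything not allowed above it.
    if not rules or not is_deny_all(rules[-1]):
        findings.append((None, "no explicit deny-all rule at the end of the rule set"))
    for rule in rules:
        if rule["action"] != "allow":
            continue
        # 2. Allowed access as specific as possible: flag wildcard fields.
        wild = [f for f in ("src", "dst", "port") if rule[f] == ANY]
        if wild:
            findings.append((rule["id"], "allow rule uses a wildcard for " + ", ".join(wild)))
        # 3. Access no longer needed is revoked: flag unused and stale rules.
        if rule["last_hit"] is None:
            findings.append((rule["id"], "allow rule has never matched traffic; confirm it is still needed"))
        elif today - rule["last_hit"] > stale_after:
            idle = (today - rule["last_hit"]).days
            findings.append((rule["id"], f"allow rule last matched {idle} days ago; candidate for revocation"))
    return findings


def with_default_deny(rules):
    """Return a copy of the rule set that ends with an explicit deny-all rule."""
    if rules and is_deny_all(rules[-1]):
        return list(rules)
    return list(rules) + [dict(DENY_ALL)]


if __name__ == "__main__":
    for rule_id, issue in review_rules(SAMPLE_RULES, date(2024, 5, 10)):
        print(f"rule {rule_id}: {issue}")
```

The output is a list for a human reviewer, not an automatic change: a rule that has never matched may be a break-glass path that is still required, which is why each finding asks the owner to confirm rather than deleting the rule.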

References

UofT Information Security Standards

  • SCP-1: Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
  • CM-4: Analyze the security impact of changes prior to implementation.
  • CM-7: Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

NIST Cybersecurity Framework mapping

  • PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)
  • PR.DS-5: Protections against data leaks are implemented
  • PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
  • PR.IP-3: Configuration change control processes are in place
  • PR.PT-4: Communications and control networks are protected
  • DE.CM-1: The network is monitored to detect potential cybersecurity events


IT3.3: For units that manage network devices (firewalls, routers, switches, etc.), are logs collected and managed to enable monitoring, analysis, investigation, and reporting of unauthorized activities? Is the integrity of the logs and of the log management processes protected?
— —
Traffic logs should be collected and monitored for abnormal events. These events should create alerts to administrators. Alerts should be investigated for unauthorized access and abnormal patterns. Logs should also be backed up and stored in a secondary, secure location to ensure they are not tampered with.

Creating audit logs and monitoring procedures enables incident or intrusion detection, and facilitates investigation during a security event or incident.

Securing access to the logs ensures that they cannot be tampered with in order to cover up malicious activity.

If the network devices for your department are managed by another unit, please select “University Partner” and the unit responsible for managing your network.

References

UofT Information Security Standards

  • AA-1: Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
  • AA-3: Review and update logged events.
  • AA-4: Alert in the event of an audit logging process failure.
  • AA-5: Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
  • AA-6: Provide audit record reduction and report generation to support on-demand analysis and reporting.
  • AA-7: Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
  • AA-8: Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
  • AA-9: Limit management of audit logging functionality to a subset of privileged users.
  • IR-1: Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

NIST Cybersecurity Framework mapping

  • PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
  • DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
  • DE.AE-2: Detected events are analyzed to understand attack targets and methods
  • DE.AE-3: Event data are collected and correlated from multiple sources and sensors
  • DE.AE-5: Incident alert thresholds are established
  • DE.CM-1: The network is monitored to detect potential cybersecurity events
  • DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
  • DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
  • DE.DP-2: Detection activities comply with all applicable requirements
  • DE.DP-4: Event detection information is communicated
  • DE.DP-5: Detection processes are continuously improved
  • RS.CO-2: Incidents are reported consistent with established criteria
  • RS.AN-1: Notifications from detection systems are investigated

IT4 – Server-related risk


IT4.1: a) Are security patches on unit server systems kept up to date, and b) is unit server software and hardware replaced when security patches and support are no longer available from the developer, vendor, or manufacturer?
— —
Unpatched and out-of-date systems are a common mechanism of system compromise. Many of the recent breaches reported in the news have been the result of threat actors compromising out-of-date systems. Ensuring that operating system, software and firmware versions are still supported, and that security patches are still being released as needed, minimizes the number of vulnerabilities attackers can leverage to compromise a system. This is a first line of defence against ransomware and other risks.

Sometimes it is necessary to maintain a system for which patches are no longer being released or that is at end of life (EOL). In this case, it is important to implement security controls that compensate for any vulnerabilities that exist on the system: for example, implementing strict access controls, or isolating the system in a controlled sub-network so that it cannot reach other systems.

The Common Vulnerabilities and Exposures (CVE) list is a reference list of publicly known vulnerabilities in operating systems, software, and firmware: https://cve.mitre.org/

References

UofT Information Security Standards

  • M-1: Perform maintenance on organizational systems
  • M-2: Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance
  • SII-1: Identify, report, and correct system flaws in a timely manner
  • SA-2: Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

NIST Cybersecurity Framework mapping

  • ID.GV-4: Governance and risk management processes address cybersecurity risks
  • ID.RA-1: Asset vulnerabilities are identified and documented
  • PR.IP-2: A System Development Life Cycle to manage systems is implemented
  • PR.IP-12: A vulnerability management plan is developed and implemented
  • PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools
  • PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
  • RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks



IT4.2: Does the unit use a secure configuration for server systems?
— —
Server systems include databases, web servers, etc. The secure configurations include removal of unnecessary services, blocking unnecessary ports, changing default passwords, etc. Secure configurations are consistently implemented across all servers managed by the unit. If an appliance is purchased and managed, the configuration is known, hardened if possible, and external controls put in place if there are gaps.

The Centre for Internet Security provides over 100 configuration guidelines, called CIS Benchmarks, for common operating systems, middleware, and public cloud providers. These are available free of charge from https://learn.cisecurity.org/benchmarks and are a useful source of knowledge for getting started with secure configuration management.
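The paragraph above says secure configurations should be applied consistently across every server the unit manages; the way to know that is to compare each host against a written baseline for its role and report drift. The Python script below is an added example, not page, CIS or U of T code. The baselines, host snapshots and setting names are constructed for illustration; a real check would read them from the hosts and from whichever benchmark the unit adopts.

```python
"""Fleet-wide check of server configuration against a role baseline.

Added example for IT4.2; it is not page, CIS or U of T code. The baselines,
host snapshots and setting names are constructed for illustration (a real
check would read them from the hosts and from the benchmark you adopt).
"""

# Constructed baselines per server role: which ports may listen, which
# services must not be installed, and which sshd settings are required.
BASELINE = {
    "web": {
        "allowed_ports": {22, 443},
        "forbidden_services": {"telnet", "rsh", "vsftpd"},
        "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
    },
    "db": {
        "allowed_ports": {22, 5432},
        "forbidden_services": {"telnet", "rsh", "vsftpd"},
        "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
    },
}

# Constructed snapshots of three hosts as a collector might report them.
SAMPLE_HOSTS = [
    {"name": "web01", "role": "web", "listening": {22, 80, 443},
     "services": {"sshd", "nginx"},
     "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no"}},
    {"name": "web02", "role": "web", "listening": {22, 443, 8080},
     "services": {"sshd", "nginx", "telnet"},
     "sshd": {"PermitRootLogin": "yes", "PasswordAuthentication": "no"}},
    {"name": "db01", "role": "db", "listening": {22, 5432},
     "services": {"sshd", "postgresql"},
     "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no"}},
]


def check_host(host, baseline):
    """Return (check, detail) findings for one host against its role baseline."""
    base = baseline[host["role"]]
    findings = []
    # Blocking unnecessary ports: anything listening outside the allow-list.
    for port in sorted(host["listening"] - base["allowed_ports"]):
        findings.append(("unexpected-port", port))
    # Removal of unnecessary services: anything on the forbidden list.
    for svc in sorted(host["services"] & base["forbidden_services"]):
        findings.append(("forbidden-service", svc))
    # Required hardening settings; a missing setting counts as non-compliant.
    for key, expected in base["sshd"].items():
        actual = host["sshd"].get(key)
        if actual != expected:
            findings.append(("sshd-setting", f"{key}={actual} (expected {expected})"))
    return findings


def fleet_report(hosts, baseline):
    """Map each host name to its findings; hosts with [] match the baseline.
    Running this across every server is how 'consistently implemented' is
    verified rather than assumed."""
    return {h["name"]: check_host(h, baseline) for h in hosts}


if __name__ == "__main__":
    for name, findings in fleet_report(SAMPLE_HOSTS, BASELINE).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for check, detail in findings:
            print(f"  {check}: {detail}")
```

For a purchased appliance whose configuration cannot be changed, the same report documents the gap so that the external compensating control the paragraph mentions can be recorded against it.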

References

UofT Information Security Standards

  • CM-7: Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
  • CM-8: Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.

NIST Cybersecurity Framework mapping

  • PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained
  • PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
  • PR.DS-1: Data-at-rest is protected
  • PR.DS-2: Data-in-transit is protected




IT4.3: Are logs on unit servers collected and managed such that they cannot be tampered with, and to the extent needed to enable monitoring, analysis, investigation, and reporting of unauthorized activities?
— —

A well-managed event logging and monitoring process will reduce the impact of unauthorized activities on unit servers by enabling timely and effective investigation of system security events.

Logs can contain a wide variety of information on the events occurring within systems and networks. For servers, logs from security software, operating systems, and applications can be collected, monitored and analyzed to provide useful information when investigating security events or other problems on the server. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage.

For units handling personal health information, starting in March 2019 health information custodians will be required to provide the Ontario Privacy Commissioner with an annual report on privacy breaches occurring during the previous calendar year. Logging, audit and reporting capabilities are an important component to meeting this requirement: https://www.ipc.on.ca/health-organizations/report-a-privacy-breach/
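The two logging questions (IT3.3 for network devices and IT4.3 for servers) describe the same three activities: collect events, alert on abnormal patterns such as bursts of failed logons or privileged-command use, and keep the stored logs tamper-evident. The Python script below is an added example serving both passages; it is not from the page or any U of T tool. The log lines are constructed in a syslog-like format, and the alert threshold, window and hash-chain seed are assumed values a unit would set for itself.

```python
"""Review of server and network-device logs for IT3.3 and IT4.3: detect a
burst of failed logons, list privileged-command use, and keep a hash chain
so that tampering with stored logs is detectable.

Added example, not from the page or any U of T tool. The log lines are
constructed in a syslog-like format; the alert threshold and window are
assumed values a unit would tune for itself.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source fails five times in seven seconds, one
# ordinary key-based login, one sudo use, and one unrelated failure.
SAMPLE_LOG = """\
2024-05-10T08:00:01 host1 sshd[411]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
2024-05-10T08:00:03 host1 sshd[411]: Failed password for invalid user admin from 198.51.100.7 port 50123 ssh2
2024-05-10T08:00:05 host1 sshd[411]: Failed password for root from 198.51.100.7 port 50124 ssh2
2024-05-10T08:00:06 host1 sshd[411]: Failed password for root from 198.51.100.7 port 50125 ssh2
2024-05-10T08:00:08 host1 sshd[411]: Failed password for root from 198.51.100.7 port 50126 ssh2
2024-05-10T08:02:10 host1 sshd[412]: Accepted publickey for alice from 10.20.1.5 port 40000 ssh2
2024-05-10T08:02:30 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
2024-05-10T09:15:00 host1 sshd[413]: Failed password for bob from 10.20.1.9 port 40010 ssh2
"""

FAILED_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
SUDO_RE = re.compile(r"^(\S+) (\S+) sudo: (\S+) : .*USER=(\S+) ; COMMAND=(.+)$")


def failed_logon_alerts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Alert when one source produces at least `threshold` failed logons
    inside a sliding `window`. Returns (source, count, first_ts, last_ts)."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            by_src[m.group(4)].append(datetime.fromisoformat(m.group(1)))
    alerts = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((src, end - start + 1, times[start], times[end]))
                break  # one alert per source is enough for the reviewer
    return alerts


def privileged_commands(log_text):
    """List (user, target_user, command) for each privileged-command use,
    the record AC-7 asks for when non-privileged users invoke privileged functions."""
    return [(m.group(3), m.group(4), m.group(5))
            for m in map(SUDO_RE.match, log_text.splitlines()) if m]


def hash_chain(log_text, seed="constructed-seed"):
    """Chain each line's SHA-256 to the previous digest. Keeping the final
    digest on a separate, access-controlled host makes any later edit or
    deletion of a line in the stored copy detectable."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for line in log_text.splitlines():
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
    return prev


def verify_chain(log_text, expected_digest, seed="constructed-seed"):
    """True if the stored log still produces the digest recorded at shipping time."""
    return hash_chain(log_text, seed) == expected_digest


if __name__ == "__main__":
    for src, count, first, last in failed_logon_alerts(SAMPLE_LOG):
        print(f"ALERT: {count} failed logons from {src} between {first} and {last}")
    for user, target, cmd in privileged_commands(SAMPLE_LOG):
        print(f"privileged: {user} ran as {target}: {cmd}")
    print("chain digest:", hash_chain(SAMPLE_LOG))
```

The hash chain only detects tampering after the fact; it complements, rather than replaces, shipping logs to a secondary store that the administrators of the logging hosts cannot modify (AA-8, AA-9).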

References

UofT Information Security Standards

  • AA-1: Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
  • AA-3: Review and update logged events.
  • AA-4: Alert in the event of an audit logging process failure.
  • AA-5: Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
  • AA-6: Provide audit record reduction and report generation to support on-demand analysis and reporting.
  • AA-7: Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
  • AA-8: Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
  • AA-9: Limit management of audit logging functionality to a subset of privileged users.
  • IR-1: Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

NIST Cybersecurity Framework mapping

  • PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
  • DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
  • DE.AE-2: Detected events are analyzed to understand attack targets and methods
  • DE.AE-3: Event data are collected and correlated from multiple sources and sensors
  • DE.AE-5: Incident alert thresholds are established
  • DE.CM-1: The network is monitored to detect potential cybersecurity events
  • DE.CM-5: Unauthorized mobile code is detected
  • DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
  • DE.DP-4: Event detection information is communicated
  • RS.CO-2: Incidents are reported consistent with established criteria
  • RS.AN-1: Notifications from detection systems are investigated



IT4.4: a) Are vulnerability scans carried out on all unit servers at least monthly and b) are the results reviewed and acted upon on a regular schedule?
— —

Fixing vulnerabilities identified during a scan reduces the likelihood of threat actors leveraging vulnerabilities to compromise server(s).

The results of a network vulnerability scan typically provide:

  • basic inventory information about the devices connected to the scoped address space;
  • a list of any vulnerabilities found, based on standard sources of known vulnerabilities;
  • a score for each vulnerability, based on a standard scoring system.

U of T Information Security provides a Network Vulnerability Scanning service that tests every connected device on a network and attempts to identify potential security issues. Network administrators can review scan results and act to remediate any identified vulnerabilities.

NOTE: a network scan is different from a web-application vulnerability scan, which crawls a specific web application to identify web-specific vulnerabilities. See IT13.3 – Web-application risk for information on web application vulnerability scanning.

References

Information Security Service Request Update

UofT Information Security Standards

  • RA-2: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
  • RA-3: Remediate vulnerabilities in accordance with risk assessments.

NIST Cybersecurity Framework mapping

  • ID.RA-1: Asset vulnerabilities are identified and documented
  • PR.IP-12: A vulnerability management plan is developed and implemented
  • DE.CM-8: Vulnerability scans are performed
  • DE.DP-4: Event detection information is communicated to appropriate parties
  • RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks

IT5 – Identity-related risk


IT5.1: Can each account be identified back to an individual for all accounts on information systems controlled by the unit?
— —
Typically, individual identifiers are the user names (logins) associated with the system accounts assigned to those individuals. Systems processing or storing Level 3 or Level 4 data should employ unique identification of individuals in group accounts and accountability of individual activity.

Ensuring that accounts can be identified back to an individual enables a number of other activities: for example, knowing which accounts to de-provision when staff leave, ensuring that appropriate access controls are applied, and investigating malicious activity on an information system.

Other accounts that may be considered for this question include accounts on external services such as social media, mass mailing, event management, analytics, on-line purchasing platforms, etc.

If users are accessing information systems using the U of T web-login, or single sign on (SSO) solution, they are uniquely identified by their UTORID.

References

UTORAuth & UTORID

UofT Information Security Standards

  • AC-1: Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).

NIST Cybersecurity Framework mapping

  • PR.AC-1: Identities and credentials are managed for authorized devices and users
  • PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions



IT5.2: Are users, devices and other assets authenticated (e.g. password management, multi-factor) commensurate with the risk of the transaction?
— —
In general, those accounts that have access to the personal information of others or those accounts that have administrative access to servers / hosts containing Level 3 or Level 4 data must be protected with a multi-factor authentication mechanism, or have compensating controls in place.

Higher-assurance authentication is used when the impacts of compromised confidentiality, integrity or availability could result in adverse effects on operations, assets, or individuals. For example, a compromise of an account that accesses a large number of records containing personal information would have a more severe impact than the compromise of an account that can access a single record of personal information.

The University password policy lays out the minimum requirements for password length and complexity. This policy is enforced on all accounts that make use of the University’s web-login or single sign-on (SSO). The University provides two methods for higher-assurance authentication for cases where higher-risk data are accessed: UTORMFA should be used in most cases to provide a second factor when authenticating users accessing high-risk data.

References

UofT Information Security Standards

  • AC-1: Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
  • AC-2: Limit system access to the types of transactions and functions that authorized users are permitted to execute

NIST Cybersecurity Framework mapping

  • PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)




IT5.3: Does your unit employ the principle of least privilege when granting access, including for specific security functions and privileged accounts?
— —
In general, those accounts that have access to or control over Level 3 or Level 4 data assets, or that have administrative access to servers or network devices, are considered privileged accounts. The principle of least privilege is applied so that authorized privileges are no higher than necessary to accomplish required organizational missions or business functions.

References

UofT Information Security Standards

  • AC-5: Employ the principle of least privilege, including for specific security functions and privileged accounts.
  • AC-6: Use non-privileged accounts or roles when accessing nonsecurity functions.
  • AC-7: Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

NIST Cybersecurity Framework mapping

  • PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
  • PR.DS-5: Protections against data leaks are implemented

IT5.4: Does your unit have mechanisms in place to provide additional protections for privileged accounts?
— —
In general, those accounts that have access to or control over Level 3 or Level 4 data assets, or that have administrative access to servers or network devices, are considered privileged accounts. These accounts are higher-risk targets and have the potential for much greater impact on your unit and the institution should they be compromised.

References

UofT Information Security Standards

  • AC-5: Employ the principle of least privilege, including for specific security functions and privileged accounts.
  • AC-6: Use non-privileged accounts or roles when accessing nonsecurity functions.
  • AC-7: Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

NIST Cybersecurity Framework mapping

  • PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
  • PR.DS-5: Protections against data leaks are implemented

IT6 – Malicious software risk


IT6.1: Do all unit information systems (mobile, client and server systems) have end-point protection commensurate with the risk profile of the system?
— —

Basic end-point protection may include anti-virus or anti-malware, or next-generation capabilities such as behavioural analysis and/or machine learning. Enhanced protections will include features that provide central management, network protection and advanced server support.

If your unit has other mitigations in place (e.g. software allow-listing) and is willing to share them with others, you may reference these in the survey comments.

References

UofT Information Security Standards

  • SII-2: Provide protection from malicious code at designated locations within organizational systems.
  • SII-3: Monitor system security alerts and advisories and take action in response.
  • SII-4: Update malicious code protection mechanisms when new releases are available.

NIST Cybersecurity Framework mapping

  • ID.RA-1: Asset vulnerabilities are identified and documented
  • ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources
  • ID.RA-3: Threats, both internal and external, are identified and documented
  • PR.IP-12: A vulnerability management plan is developed and implemented
  • DE.CM-4: Malicious code is detected
  • DE.CM-5: Unauthorized mobile code is detected


IT7 – Application-related risk


IT7.1: For units that develop applications, are there processes in place to ensure that common vulnerabilities have been identified and remediated prior to deployment?
— —

Applying systems security engineering concepts and principles during application development helps to build trustworthy, secure and resilient systems and system components, and reduces their susceptibility to disruptions, hazards and threats earlier in the development process. Example methods include:

  • code review to identify common vulnerabilities (e.g. OWASP Top 10, CWE/SANS Top 25)
  • application security testing (static, dynamic, interactive)

References

UofT Information Security Standards

  • SCP-2: Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

NIST Cybersecurity Framework mapping

  • PR.IP-2: A System Development Life Cycle to manage systems is implemented


IT7.2: For units that develop applications interacting with Level 3 or Level 4 data, do application developers receive secure coding training?
— —
Secure coding training is targeted training for developers, where they learn to write safer, higher-quality code. This training helps developers to think about threats, defences, vulnerabilities and security testing as they write code for an application.

References

UofT Information Security Standards

  • AT-1: Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
  • AT-2: Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.

NIST Cybersecurity Framework mapping

  • PR.AT-2: Privileged users understand their roles and responsibilities
  • PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities

IT8 – Development process-related risk


IT8.1: For units that develop applications, does your unit employ a secure software development process?
— —
Development teams should incorporate security engineering practices and processes into their development lifecycle to ensure that production-ready applications are not only functional, but securely built. This means incorporating security-based requirements into the documentation and software development process from design to deployment.

References



IT8.2: For units that develop applications, does a change management log exist for application-related changes?
— —
Change management in application development involves tracking and managing changes to artifacts such as code and requirements. Change management is essential to minimizing disruptions and risks related to change.

Depending on the criticality of the application and sensitivity of the data impacted, application change management considers:

  • The types of changes to applications or the software development process that are subject to change management
  • Evaluation of the proposed changes with explicit consideration of the security impact
  • Approvals and implementation of only approved changes
  • Testing of approved changes before implementation in production environments
  • Code review processes (see IT7.1)
  • Documentation of change management decisions and retention of change management records
  • For critical applications, change advisory boards (or similar governance bodies) that include development, project management, security, infrastructure and / or user group representation, as needed.

References

UofT Information Security Standards

  • CM-4: Analyze the security impact of changes prior to implementation.

NIST Cybersecurity Framework mapping

  • PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
  • PR.IP-3: Configuration change control processes are in place


IT9 – Vendor management risk

This section has been merged with PUR1.1

IT10 – Client-related risk


IT10.1: For units that manage client systems (desktops, laptops): a) Are security patches kept up-to-date? and b) Does software and hardware get replaced when security patches and support are no longer available from the developer, vendor, or manufacturer?
— —
Ensuring that operating system, software and firmware versions are still supported, and that security patches are still being released as needed, minimizes the number of vulnerabilities attackers can leverage to compromise a system. This is a first line of defence against ransomware and other risks from malware.

Sometimes it is necessary to maintain a system for which patches are no longer being released or that is at end of life (EOL). In this case, it is important to implement security controls that compensate for any vulnerabilities that exist on the system, for example strict access controls, isolating the system in a controlled sub-network, or leveraging virtualization.

References

UofT Information Security Standards

  • M-1: Perform maintenance on organizational systems
  • M-2: Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
  • SII-1: Identify, report, and correct system flaws in a timely manner.
  • SA-2: Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

NIST Cybersecurity Framework mapping

  • ID.RA-1: Asset vulnerabilities are identified and documented
  • PR.IP-12: A vulnerability management plan is developed and implemented
  • ID.GV-4: Governance and risk management processes address cybersecurity risks


IT10.2: Does the unit use a secure configuration for client systems (laptops, desktops)?
— —

Secure configuration ensures that only those functions needed for users to carry out their work are enabled. This reduces the likelihood that a vulnerability in an unneeded function can be used to compromise the system. For example:

  1. Non-essential programs, functions, ports, protocols and services are restricted, disabled or prevented from use.
  2. Deny-by-exception or allow-by-exception policies are employed to control which software programs are authorized to execute on server systems.

The Centre for Internet Security provides over 100 configuration guidelines – called CIS Benchmarks – for common operating systems, middleware, applications, and public cloud providers. These are available for free from https://learn.cisecurity.org/benchmarks and are a useful resource for getting started with establishing secure baseline configurations.

References

UofT Information Security Standards

  • CM-7: Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
  • CM-8: Apply deny-by-exception policy to prevent the use of unauthorized software or deny-all, permit-by-exception policy to allow the execution of authorized software.

NIST Cybersecurity Framework mapping

  • PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained
  • PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
  • PR.DS-1: Data-at-rest is protected
  • PR.DS-2: Data-in-transit is protected

IT11 – Mobile-worker related risk


IT11.1: For units managing Level 3 or Level 4 data, have mobile devices that access, process, store, or transmit these data been configured with a basic security configuration?
— —
Secure configuration lowers the risk that a mobile device will be used to gain unauthorized access to data, steal credentials or take over an account. Review the U of T Remote work guidelines for protecting devices. For users of UTORMFA, the Duo app has a security checklist feature that can be used to check basic security on mobile devices.

References

UofT Information Security Standards

  • CM-7: Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
  • CM-8: Apply deny-by-exception policy to prevent the use of unauthorized software or deny-all, permit-by-exception policy to allow the execution of authorized software.

NIST Cybersecurity Framework mapping

  • PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained
  • PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
  • PR.DS-1: Data-at-rest is protected
  • PR.DS-2: Data-in-transit is protected

IT11.2: Have all staff, contractors and volunteers accessing Level 3 or Level 4 unit data remotely (e.g. from their homes, at alternative worksites, when travelling, etc.) been informed of the UofT Remote Work Guidelines?

References

UofT Information Security Standards

  • AT-1: Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

NIST Cybersecurity Framework mapping

  • PR.AT-1: All users are informed and trained


IT12 – Message service-related risk


IT12.1: For units managing their own email or messaging services (separate from the University M365 offering), are those services equipped with anti-virus software to detect and block or remove malicious messages or attachments?
— —

Messaging services include email and instant messaging (e.g. MSTeams, Slack).

For those units that manage their own email and / or messaging services (either on-prem or through a non-M365 vendor), ensure that those services have enabled capabilities to:

  • Perform real-time scans of all new messages and attachments
  • Block, quarantine or remove identified malware
  • Block attachments with known harmful extensions
  • Check and update anti-virus signatures daily
  • Check and update anti-virus scanning engine weekly

If your unit only uses messaging services available through the UofT M365 service, EASI would be your partner in managing this risk.
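One of the capabilities listed above, blocking attachments with known harmful extensions, is easy to get subtly wrong: a gateway that only looks at the last suffix, or compares case-sensitively, misses names such as `Invoice.PDF.exe` or `setup.EXE.`. The following is an added illustration of such a check, not code from the IRSA page or from any U of T service. The extension blocklist is a small constructed subset of the lists mail vendors ship, the `filter_message` quarantine decision and log format are assumptions, and the sample attachment names are constructed.

```python
"""Attachment-name policy check for a self-managed mail or chat gateway.

Added example for IT12.1; not code from the IRSA page or from U of T.
The blocklist is a constructed subset of vendor lists; the sample
messages are constructed as well.
"""
import unicodedata

# Constructed subset of extensions commonly refused by mail gateways.
BLOCKED_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "msi", "msp", "jar", "ps1", "lnk", "reg",
}

# Unicode bidirectional-control code points; a name containing one may
# render differently from the way it is stored, so the gateway refuses it.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def normalise(filename: str) -> str:
    """Canonical form for policy decisions: NFKC, lower-case, and no
    trailing dots or spaces (Windows strips those when saving a file)."""
    name = unicodedata.normalize("NFKC", filename).strip().lower()
    return name.rstrip(". ")


def extension_chain(filename: str) -> list[str]:
    """All dot-separated suffixes, so 'report.pdf.exe' yields
    ['pdf', 'exe'] and a blocked type behind a benign one is still seen."""
    parts = normalise(filename).split(".")
    return [p for p in parts[1:] if p]


def classify_attachment(filename: str) -> tuple[str, str]:
    """Return ('block' | 'allow', reason) for one attachment name."""
    if any(ch in BIDI_CONTROLS for ch in filename):
        return "block", "bidi control character in filename"
    for ext in extension_chain(filename):
        if ext in BLOCKED_EXTENSIONS:
            return "block", f"blocked extension .{ext}"
    return "allow", "no blocked extension"


def filter_message(attachments: list[str]) -> dict:
    """Apply the policy to every attachment of one message and return the
    quarantine decision plus one audit log line per attachment (assumed
    format)."""
    decisions = [(name, *classify_attachment(name)) for name in attachments]
    blocked = [d for d in decisions if d[1] == "block"]
    return {
        "action": "quarantine" if blocked else "deliver",
        "log": [f"attachment={n!r} decision={d} reason={r}"
                for n, d, r in decisions],
    }


if __name__ == "__main__":
    # Constructed sample message for demonstration.
    sample = ["minutes.docx", "Invoice.PDF.exe", "budget.xlsx", "notes.txt "]
    result = filter_message(sample)
    print(result["action"])
    for line in result["log"]:
        print(line)
```

The check is deliberately name-based only; it complements, rather than replaces, the content scanning in the first two bullets above, and a gateway should pair it with content-type detection so that a renamed executable is caught by the scanner even when its extension looks benign.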

References

UofT Information Security Standards

  • SII-2: Provide protection from malicious code at designated locations within organizational systems.
  • SII-3: Monitor system security alerts and advisories and take action in response.
  • SII-4: Update malicious code protection mechanisms when new releases are available.

NIST Cybersecurity Framework mapping

  • ID.RA-1: Asset vulnerabilities are identified and documented
  • ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources
  • ID.RA-3: Threats, both internal and external, are identified and documented
  • PR.IP-12: A vulnerability management plan is developed and implemented
  • DE.CM-4: Malicious code is detected
  • DE.CM-5: Unauthorized mobile code is detected


IT12.2: Are messages (email, chat) containing Level 3 or Level 4 data encrypted in transit?

References:

UofT Information Security Standards

  • SCP-8: Implement cryptographic mechanisms to prevent unauthorized disclosure of the University’s data during transmission unless otherwise protected by alternative physical safeguards.

NIST Cybersecurity Framework mapping

  • PR.DS-2: Data-in-transit is protected
  • PR.DS-5: Protections against data leaks are implemented

IT13 – Web-related risk


IT13.1: For units with confidential or protected institutional / unit data, are associated organizational web applications hosted on separate systems from their databases or application servers?
— —
This is a defence in depth strategy. Should malicious access or compromise occur on a server that hosts both the application and the database, it should be assumed that the attacker has access to, and can modify, the data in that database.

References

UofT Information Security Standards

  • SCP-1: Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
  • SCP-2: Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

NIST Cybersecurity Framework mapping

  • ID.AM-3: Organizational communication and data flows are mapped
  • PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)
  • PR.DS-5: Protections against data leaks are implemented
  • PR.PT-4: Communications and control networks are protected
  • DE.CM-1: The network is monitored to detect potential cybersecurity events


IT13.2: Have unit web applications been equipped with a secure session tracking mechanism to prevent session hijacking or other session based attacks?
— —
Session identifiers should be unique and random, and therefore unguessable. This protects against many of the more common attacks and vulnerabilities, including “person in the middle” attacks, session hijacking (user impersonation) and data insertion.
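What "unique and random" looks like in practice is an identifier drawn from the operating system's cryptographic random source, issued afresh when the user authenticates, expired after inactivity, and sent only in a cookie marked `Secure` and `HttpOnly`. The store below is an added illustration of those properties, not code from the IRSA page or from any U of T application. The class and function names, the timeout values and the cookie name are assumptions made for the example; a real deployment would keep the table in a shared backing store rather than in memory.

```python
"""Server-side session store with unguessable IDs, rotation and expiry.

Added example for IT13.2; not code from the IRSA page or from U of T.
Names, timeouts and cookie attributes below are assumptions for the example.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

SESSION_ID_BYTES = 32            # 256 bits from the OS CSPRNG (assumed)
IDLE_TIMEOUT = 15 * 60           # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # hard cap regardless of activity


@dataclass
class Session:
    user: Optional[str]
    created: float
    last_seen: float
    data: dict = field(default_factory=dict)


def new_session_id() -> str:
    """URL-safe ID from the CSPRNG; never a counter or a hash of username
    and time, both of which a third party could reproduce."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def _key(session_id: str) -> str:
    """Store only a digest of the ID, so a copied table is not reusable."""
    return hashlib.sha256(session_id.encode()).hexdigest()


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock          # injectable for deterministic tests
        self._sessions: dict[str, Session] = {}

    def create(self, user: Optional[str] = None) -> str:
        sid = new_session_id()
        now = self._clock()
        self._sessions[_key(sid)] = Session(user=user, created=now, last_seen=now)
        return sid

    def get(self, session_id: str) -> Optional[Session]:
        """Look up a session, enforcing both idle and absolute timeouts."""
        key = _key(session_id)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT or now - sess.created > ABSOLUTE_TIMEOUT:
            del self._sessions[key]
            return None
        sess.last_seen = now
        return sess

    def rotate(self, session_id: str, user: Optional[str] = None) -> Optional[str]:
        """Issue a fresh ID at login or privilege change and retire the old
        one, so an ID observed before authentication no longer maps to the
        authenticated session."""
        sess = self.get(session_id)
        if sess is None:
            return None
        del self._sessions[_key(session_id)]
        if user is not None:
            sess.user = user
        sess.created = self._clock()     # absolute timeout restarts on re-auth
        new_sid = new_session_id()
        self._sessions[_key(new_sid)] = sess
        return new_sid

    def destroy(self, session_id: str) -> None:
        """Logout: drop the server-side record so the ID cannot be reused."""
        self._sessions.pop(_key(session_id), None)


def session_cookie(session_id: str, name: str = "SID") -> str:
    """Set-Cookie value with the attributes that keep the ID off clear-text
    connections and out of reach of page scripts."""
    return f"{name}={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    anonymous = store.create()                 # pre-login session
    logged_in = store.rotate(anonymous, user="alice")
    print("old id still valid:", store.get(anonymous) is not None)   # False
    print(session_cookie(logged_in))
```

The two design points a reviewer would look for are the rotation on authentication, which closes the fixation case where an identifier is planted before login, and the server-side expiry, which bounds how long a captured identifier stays useful; neither is provided by randomness alone.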

References

UofT Information Security Standards

  • SCP-15: Protect the authenticity of communications sessions.
  • IA-4: Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts.

NIST Cybersecurity Framework mapping

  • PR.PT-4: Communications and control networks are protected
  • PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
  • PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
  • PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)


IT13.3: a) Have unit web applications been scanned for vulnerabilities, and updated if high-level vulnerabilities were found? and b) Have external providers given results showing they have updated any high-level vulnerabilities found in their application?
— —

Fixing vulnerabilities identified during a scan reduces the likelihood of threat actors exploiting vulnerabilities to compromise server(s).

Web application vulnerability scans crawl a web application from a starting URL and examine every linked node for potential vulnerabilities. This provides a deeper examination of the target web application than a network scan (IT4.4 – Server-related risk). Typically, web applications are scanned periodically and whenever there are major upgrades to the application. Any vulnerabilities identified are assessed and mitigated according to the risk(s) they pose.

If your unit collects, stores or processes institutional data on web applications managed outside of your unit (either by another U of T unit or third-party vendor), results showing that they have addressed any high-level vulnerabilities found in their scans can be requested. This is a standard component of the project-based risk assessments carried out at the University.

The University Information Security department offers Web Application Vulnerability Scanning to units at the University who would like to have the web applications they manage scanned for vulnerabilities, for a cost recovery fee. If you would like to arrange for a scan, please contact the Information Risk Management team at ITS – Information Security.

References:

UofT Information Security Standards

  • RA-2: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
  • RA-3: Remediate vulnerabilities in accordance with risk assessments.

NIST Cybersecurity Framework

  • ID.RA-1: Asset vulnerabilities are identified and documented
  • PR.IP-12: A vulnerability management plan is developed and implemented
  • DE.CM-8: Vulnerability scans are performed
  • DE.DP-4: Event detection information is communicated to appropriate parties
  • RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks


IT14 – Security incident-related risk


IT14.1: Has the unit established an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities?
— —
Information security incident response is a vital component of adequate information and cyber risk management. The UofT Incident Response Plan provides guidance for managing incident response, with the primary objective of containing and mitigating the risks and issues associated with computer security incidents.

References:

UofT Information Security Standards

  • IR-1: Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
  • IR-2: Track, document, and report incidents to appropriate organizational officials and/or authorities.

NIST Cybersecurity Framework

  • PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
  • DE.AE-2: Detected events are analyzed to understand attack targets and methods
  • DE.AE-4: Impact of events is determined
  • DE.AE-5: Incident alert thresholds are established
  • RS.RP-1: Response plan is executed during or after an incident
  • RS.CO-2: Incidents are reported consistent with established criteria
  • RS.CO-4: Coordination with stakeholders occurs consistent with response plans
  • RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
  • RS.AN-1: Notifications from detection systems are investigated
  • RS.AN-2: The impact of the incident is understood
  • RS.AN-3: Forensics are performed
  • RS.AN-4: Incidents are categorized consistent with response plans
  • RS.MI-1: Incidents are contained
  • RS.MI-2: Incidents are mitigated
  • RS.IM-1: Response plans incorporate lessons learned
  • RC.RP-1: Recovery plan is executed during or after a cybersecurity incident
  • RC.IM-1: Recovery plans incorporate lessons learned
  • RC.IM-2: Recovery strategies are updated
  • RS.CO-1: Personnel know their roles and order of operations when a response is needed
  • RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams

IT14.2: How many information security incidents did your unit experience in the past 12 months?
— —
This value will not be included in the overall risk score. Tracking the change in the number of security incidents your unit experiences over time can be a useful metric in understanding the effectiveness and impact of your improvement initiatives. Combined with other measures from your incident response, this measure can provide valuable insight into where to focus your information security efforts.



IT14.3: Has the unit’s information security incident response plan been tested or exercised?

Testing your incident response plan will help you and your team members identify gaps in your existing plans and be prepared to make better, more conscious and deliberate decisions when they are called on to respond to incidents.

References:

UofT Information Security Standards

  • IR-3: Test the organizational incident response capability.

NIST Cybersecurity Framework

  • PR.IP-10: Response and recovery plans are tested
  • RS.CO-1: Personnel know their roles and order of operations when a response is needed

IT15 – Storage media-related risk


IT15.1: Are all system media containing Level 3 or Level 4 data (hard drives, removable devices, mobile devices) sanitized or destroyed before disposal or release for reuse?

Data stored on media can remain on that media even after a standard delete action. Sanitizing before reuse or secure destruction of media will prevent unauthorized data disclosure.

This question refers to all media, digital and non-digital, that are subject to disposal or re-use, whether or not the media is considered removable. Examples include media found in scanners, printers, notebook computers, workstations, network components and mobile devices. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. A sanitization process removes information from the media such that the information cannot be retrieved or reconstructed.

References

UofT Information Security Standards

  • MP-3: Sanitize or destroy system media containing the University’s data before disposal or release for reuse.

NIST Cybersecurity Framework

  • PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
  • PR.IP-6: Data is destroyed according to policy
  • PR.PT-2: Removable media is protected and its use restricted according to policy



IT15.2: Are all Level 3 or Level 4 data kept on removable / mobile storage media (e.g. USB media, mobile devices, laptops) encrypted?

Lost or stolen removable system media is a common vector for unauthorized data disclosure. Ensuring these devices are protected with strong encryption will protect the data stored on those devices.

This question applies to mobile computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cell/smart phones, digital cameras and audio recording devices) that are transported outside of University-controlled areas. Telephone systems are also considered information systems and may have the capability to store information on internal media (e.g., on voicemail).

References

UofT Information Security Standards

  • MP-6: Implement cryptographic mechanisms to protect the confidentiality of the University’s data stored on digital media during transport unless otherwise protected by alternative physical safeguards.

NIST Cybersecurity Framework

  • PR.DS-1: Data-at-rest is protected
  • PR.PT-2: Removable media is protected and its use restricted according to policy


IT16 – User-related risk


IT16.1: Does a unit information security awareness training program exist for all faculty, staff, student employees, contractors and volunteers?

Security awareness training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Such training may include policies, procedures, and tools. Techniques can include formal training, security reminders (email advisories or notices), displaying logon screen messages, displaying security awareness posters, and conducting information security awareness events.

References

UofT Information Security Standards

  • AT-1: Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
  • AT-2: Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
  • AT-3: Provide security awareness training on recognizing and reporting potential indicators of insider threat.

NIST Cybersecurity Framework mapping

  • PR.AT-1: All users are informed and trained
  • PR.AT-2: Privileged users understand their roles and responsibilities
  • PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
  • PR.AT-4: Senior executives understand their roles and responsibilities


IT17 – Information asset risk


IT17.1: Does a unit information system asset inventory exist that includes information systems and data assets? And is this maintained?

A comprehensive inventory that supports both information systems and data assets allows you to determine whether your information security requirements cover all data and information systems your unit manages. “You can’t protect what you don’t know you have.” You may use your unit’s data asset inventory to help inform your response.

References

NIST Cybersecurity Framework mapping

  • ID.AM-1: Physical devices and systems within the organization are inventoried
  • ID.AM-4: External information systems are catalogued
  • ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
  • RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)

IT18 – Software License risk


IT18.1: Does a unit software inventory exist that includes all software installed on unit-managed end-points? If so, is the inventory maintained and kept up-to-date?

Your software inventory list will support assessment of your unit’s exposure to known and emerging software vulnerabilities.

References

NIST Cybersecurity Framework mapping

  • ID.AM-2: Software platforms and applications within the organization are inventoried
  • RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)
