This page lists each question in the IRSA. Further guidance, existing U of T resources, and links to industry best practices can be found here. These are provided for your reference and do not represent formal University of Toronto controls. As formal standards and controls are developed, the guidance will be updated.

Return to IRSA Home
Return to Information Risk Categories
2020/21 Priority Questions

MANAGEMENT RISK

MGT1 – Information Risk Management Program


MGT1.1: Has the unit a) defined who is responsible for ensuring the Information Risk Management Program (IRMP) is carried out, and b) allocated funding to support the implementation of the IRMP?

Resources:

University of Toronto Policy on Information Security and the Protection of Digital Assets

For guidance on completing the Information Security Risk Self-Assessment, please visit our Training & Resources page.

In the first year of the assessment most units will score zero, since it will be the first year addressing this risk.

MGT2 – Compliance Management


MGT2.1: Has the unit’s Information Risk Management Program (IRMP) been updated to address any issues identified in its most recent assessment or audit?

Resources:

If your unit has undergone an internal Information Systems Audit or an external Information Security or Privacy Assessment, you may refer to any findings from those exercises as part of your response.

In the second year of the assessment you will have the results from the first year of the assessment to inform your response.

BUSINESS RISK

BUS1 – Finance system-related risk


BUS1.1: Has a review of user roles and assignments been performed for all applicable financial systems to ensure that duties are correctly segregated?

U of T Finance Policies

The Financial Services department manages the policies and guidelines that units should follow for the appropriate financial segregation of duties. Different units will have different needs and constraints on the roles and duties required for effective financial management. The U of T Guide to Financial Management contains useful information for departments to evaluate their financial administration activities, and make improvements, where needed.



BUS1.2: Has Payment Card Industry – Data Security Standard (PCI-DSS) compliance been confirmed for all unit activities involving payment cards?

PCI Security Standards Council – Assessing the Security of Your Cardholder Data

It is the responsibility of any units accepting payment through credit cards to ensure that they are in compliance with the Payment Card Industry – Data Security Standard (PCI-DSS).

Maintaining payment security is required for all organizations that store, process, or transmit cardholder data. The PCI-DSS sets the technical and operational requirements for organizations accepting or processing credit card payment transactions. The PCI Security Standards Council website contains guidance and resources for organizations that accept payment through Credit Cards, to help them assess their compliance with the standard.

BUS2 – Business Continuity risk


BUS2.1: Does the unit maintain an inventory of all mission critical systems and processes?

A comprehensive inventory of the essential systems and processes that support program or service delivery within your unit enables other management activities such as risk management and business continuity planning. Understanding your critical systems, processes, and dependencies will help you determine your unit’s tolerance for disruption, as well as the level of investment required to keep systems secure and operational.

If your unit does not yet have an inventory of critical systems and processes, you can start with documenting these items:

  • business priorities (critical business processes);
  • business dependencies (critical information resources, people, information systems, or other business processes);
  • maximum allowable disruption (how long the unit can operate without a given critical business process before suffering a significant consequence).

References

U of T

The U of T Business Continuity Planning website provides a BCP planning template that includes worksheets that will help you document important information about your critical systems.

NIST Cybersecurity Framework

ID.AM-1: Physical devices and systems within the organization are inventoried
ID.AM-2: Software platforms and applications within the organization are inventoried
ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value.

NIST Special Publication 800-53

CM-8: Information System Component Inventory
CP-2: Contingency Plan




BUS2.2: Has a business continuity plan been created for critical systems and processes?

A business continuity plan defines how an organization continues to operate after a disruptive event. It is distinct from an IT Disaster Recovery Plan (see IT1 – Disaster-related risk).

The intent of the question is to help you understand whether you can carry on your business if one of your critical systems is not available.

U of T Business Continuity Planning

The purpose of a BCP is to facilitate the recovery and resumption of critical functions through the development of plans, procedures and provisions for alternate sites, personnel, resources, inter-operable communications and vital records/databases. This website provides templates and resources to help units develop their business continuity plans.



BUS2.3: Has the unit’s continuity plan for each mission critical system / process been tested in the previous 24 months or according to the unit’s planned testing schedule?

The tests could be table-top exercises or more involved simulations. The intent of the question is to help you understand whether you can carry on your business if one of your critical systems is not available. Test results should be reviewed and corrective actions initiated where required.

Resources are available at the U of T Business Continuity Planning website.

PURCHASING RISK

PUR1 – Contract management risk


PUR1.1: Do unit acquisitions of technology-related software products and information services include security assessments and include contractual requirements for information security and the protection of privacy?

If institutional data will be collected, processed or stored outside of University-controlled information systems, it is important to ensure that the vendor has taken adequate steps to secure and protect the institutional data that will be processed and / or stored on their systems. Reviewing contract or service agreements for appropriate language around data protection and privacy practices provides assurance that vendors will:

  • protect the data in their systems
  • handle the data according to relevant privacy legislation and according to unit and University objectives

The Information Security department provides assessment services and advice for units considering a purchase or acquisition of any software or application interacting with University institutional data.

Information Risk Management Assessment for projects



PUR1.2: For unit purchases requiring third party access to data and/or network-access, does the unit ensure all access is approved for specific time periods, and documented, before access is granted?

From time to time, vendors may require that their employees have privileged access to university networks or data in order to fulfill their agreements. Third-party access to these assets can be managed by ensuring:

  • only authorized users have access;
  • their activities on institutional systems or networks can be monitored;
  • users only have access to the data and functions they need to perform the contracted tasks;
  • access is removed when it is no longer required.

References

NIST Cybersecurity Framework

PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality
ID.AM-3: Organizational communication and data flows are mapped
PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate
PR.DS-5: Protections against data leaks are implemented
PR.PT-4: Communications and control networks are protected
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed

NIST Special Publication 800-171

3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute.

NIST Special Publication 800-53

AC-3: Access Enforcement
AC-4: Information Flow Enforcement
AC-5: Separation of Duties
AC-6: Least Privilege


HUMAN RESOURCES RISK

HR1 – Employment risk


HR1.1: Does the unit ensure a) all new hires agree to institutional policies, and sign any required documents before they are given access to institutional data, and b) all employees with access to information classified as confidential or higher sign required documents according to an established schedule?

U of T policies that are signed on accepting employment are found here: http://policies.hrandequity.utoronto.ca/. For some units, these policies will cover all of their needs, and HR would be their partner in managing this risk. Other units may have additional requirements, for example:

  • signing required documents on a periodic schedule;
  • additional agreements for sensitive information;
  • additional agreements for contract employees.

References

U of T

U of T HR & Equity: Policies and Guidelines

NIST Cybersecurity Framework

PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)

NIST Special Publication 800-171

3.9.1: Screen individuals prior to authorizing access to organizational systems

NIST Special Publication 800-53

PS-3: Personnel Screening


HR1.2: Does a unit employee termination and transfer process exist, including review and changes of employee access to institutional and unit-specific information systems?

Termination procedures ensure that departing employees no longer have access to institutional data and that all copies are returned. Transfer procedures ensure that employees who change roles lose access to institutional data they no longer require, and that all copies are returned.

Components of a termination or transfer process may include:

  • Return physical access devices (keys, fobs)
  • Return equipment
  • Return physical files
  • Modify or delete information systems access (for unit systems, and inform centrally-managed services)

References

U of T

The following links describe how units can request access changes on centrally managed resources.

For other systems, ensure the managing unit is informed of access changes.

NIST Cybersecurity Framework

PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)

NIST Special Publication 800-171

3.9.2 Ensure that organizational systems containing institutional data are protected during and after personnel actions such as terminations and transfers.

NIST Special Publication 800-53

PS-4: Personnel Termination



FACILITIES RISK

FAC1 – Site-related physical risk


FAC1.1: Is your unit building protected by physical access devices that record access to a central logging system?



FAC1.2: In the event of physical access compromise, does your unit mandate appropriate updates to control mechanisms? (e.g. rekeying, auditing electronic entry access lists). Question to be discussed with stakeholders.

FAC2 – Workspace-related physical risk


FAC2.1: Have information assets in publicly-accessible work-spaces (e.g. libraries / computer laboratories) been physically secured?



FAC2.2: Have information assets in personal office cubicles / offices / protected laboratories been physically secured?

Information about what your unit means by a physical control would be appreciated in the comments.


LEGAL RISK

LEG1 – Legal, regulatory and contractual compliance risk


LEG1.1: Has the unit reviewed and listed all regulatory, contractual and legal legislation that applies to the unit’s business and research activities, and has a process been established to keep this data current?

It is the responsibility of each unit to know which regulatory, contractual and legal requirements apply to the information that the unit works with.

The Freedom of Information and Protection of Privacy Act (FIPPA) is an example of provincial legislation that applies to most units at the University. Units that provide healthcare services may also be subject to the Personal Health Information Protection Act (PHIPA).

The Freedom of Information and Protection of Privacy (FIPP) office provides guidance and resources to support University units’ understanding of, and compliance with, applicable privacy legislation.

INSTITUTIONAL DATA RISK

DAT1 – Administrative data-related risk


DAT1.1: Has unit administrative data been classified according to the UofT’s data classification?

Classifying the data that is collected, stored and processed within the unit is an important function of assessing information risk, and determining appropriate security measures for the systems that contain that data. The U of T Data Classification scheme takes into account the sensitivity of various data handled at U of T and the legal obligations for protection that apply. If your unit has not classified its administrative data, start with the critical information assets identified in BUS2.1 (Business Continuity Risk).

When responding to this question, refer to the data which your unit owns or is responsible for, for example data in unit-managed file shares, databases, or other applications. Data that your unit copies from centrally-managed systems onto a unit-managed system should also be considered: the security protections on the unit-managed system should be appropriate to the classification of the data it stores.

References

U of T

U of T Data Classification
Freedom of Information and Protection of Privacy Office

NIST Cybersecurity Framework

ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
ID.RA-4: Potential business impacts and likelihoods are identified
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk

NIST Special Publication 800-53

RA-2: Security Categorization




DAT1.2: Has data loss prevention (DLP) software been used to detect the presence of restricted institutional data stored on non-restricted information systems?

For most units, this question is not applicable yet. If you think this is important to your unit, please add comments. If you use DLP software, please add details.



DAT1.3: Has a unit records management review been performed?

A record is a document, data, or set of data that is created or received in the course of the unit’s operations, that has content, structure, fixity and context, and that is maintained as evidence of an organization’s activity. Institutional data may reside in university records, be used to produce university records, or may itself be a university record.

References:

U of T
Information about the U of T File Plan and guidance on Records Management at U of T can be found at the UTARMS Website.

NIST Special Publication 800-53

SI-12: Information Handling and Retention


DAT2 – Administrative data access risk

DAT2.1: Has institutional and unit administrative data been protected according to University and / or unit-specific policies to ensure that only authorized users have access?

Managing user access includes ensuring that:

  • only authorized users have access;
  • users only have access to the data and functions they need to perform their work-related tasks;
  • authorized access is consistent with unit or University data policies;
  • access is removed when it is no longer required.

References:

NIST Cybersecurity Framework

PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality
ID.AM-3: Organizational communication and data flows are mapped
PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate
PR.DS-5: Protections against data leaks are implemented
PR.PT-4: Communications and control networks are protected
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed

NIST Special Publication 800-171

3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute.

NIST Special Publication 800-53

AC-3: Access Enforcement
AC-4: Information Flow Enforcement
AC-5: Separation of Duties
AC-6: Least Privilege


DAT2.2: Does the unit have scheduled reviews of who or what has access to administrative data systems (e.g. ROSI, local unit databases), and are changes made as needed if personnel change between reviews?

Regularly reviewing who or what has access to information systems ensures that access is consistent with operational work requirements. Removing unnecessary access identified during reviews lowers the risks associated with unauthorized access to institutional data.

References:

U of T

The following links provide information on how units can request access changes to centrally managed resources.

For other systems, ensure the managing unit is informed of access changes.

NIST Cybersecurity Framework

PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality
ID.AM-3: Organizational communication and data flows are mapped
PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate
PR.DS-5: Protections against data leaks are implemented
PR.PT-4: Communications and control networks are protected
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed

NIST Special Publication 800-171

3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute.

NIST Special Publication 800-53

AC-6: Least Privilege



DAT3 – Research data-related risk



It is not expected that units will know the precise answers to these questions at the time of their first assessment. Please answer based on what is currently known in the unit.



DAT3.1: What percentage of the unit’s researchers classify their data according to the UofT’s data classification?

Classifying the data that is collected, stored, and processed in the course of research-related activities is important to assessing the risks to that data, and determining appropriate security measures for the systems that contain that data. Level 4 data will require stronger protections than level 1 or 2 data.

Research data involving human subjects should also be classified according to the principles set out by the U of T Research Ethics Board, and protected according to the data management plan approved by the REB.

References:

U of T

U of T Data Classification
Freedom of Information and Protection of Privacy Office
U of T – Research Ethics Board
U of T Libraries – Research Data Management Guide

NIST Cybersecurity Framework

ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business (research) value
ID.RA-4: Potential business (research) impacts and likelihoods are identified
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk

NIST Special Publication 800-53

RA-2: Security Categorization



DAT3.2: What percentage of the unit’s researchers know the location of all their research data, including the data of their grad students and / or post-docs?

It is important that researchers know the location of all their research data so that they can ensure the data is protected in all locations.

References

U of T

U of T Libraries – Research Data Management Guide

NIST Cybersecurity Framework

ID.AM-1: Physical devices and systems within the organization are inventoried
ID.AM-2: Software platforms and applications within the organization are inventoried
ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business (research) value

NIST Special Publication 800-53

CM-8: Information System Component Inventory



DAT3.3: What percentage of the unit’s researchers backup their research data, including the data of their grad students and / or post-docs?

Implementing a secure backup solution is one line of defence researchers can use to protect against the loss or corruption of their research data.

References

U of T

NIST Cybersecurity Framework

PR.IP-4: Backups of information are conducted, maintained, and tested periodically

NIST Special Publication 800-53

CP-9: Information System Backup


INFORMATION TECHNOLOGY RISK

IT1 – Disaster-related risk


IT1.1: a) Have unit information systems been backed up according to a backup plan; b) are backups being stored at a unit approved storage facility or storage facility approved by your responsible ITS department?

Implementing a secure backup solution is one line of defence units can use to protect against the loss or corruption of data; for example, in the event of an accidental deletion, or if a device becomes infected with ransomware.

A typical backup plan defines:

  • systems and data that require backup copies
  • the frequency that copies should be made
  • location of the backup copies
  • schedule for testing or validating backups.

Ideally, one backup copy is stored off-site.

References

U of T

  • UTORecover is the professionally managed backup solution provided by Information Technology Services (ITS). It is available to any University faculty member or department.
  • Office 365 backs up data stored in emails, OneDrive, and SharePoint
  • Data in institutional administrative systems like AMS or ROSI is backed up according to their respective policies.

NIST Cybersecurity Framework

PR.IP-4: Backups of information are conducted, maintained, and tested periodically

NIST Special Publication 800-53

CP-9: Information System Backup



IT1.2: a) Does the unit have a disaster recovery plan for each critical information system for which they are responsible, and if so b) has the disaster recovery plan been tested or exercised on a regular schedule?

A disaster recovery plan (or information contingency plan) is part of overall business continuity planning to ensure continuity of unit functions. Referring back to the data and systems identified in the Data Asset Inventory or in BUS2.1 (Business Continuity risk) or from other Business Continuity Planning documents, the disaster recovery plan may include:

  • IT recovery priorities and objectives;
  • IT recovery roles and responsibilities;
  • contact information for critical IT employees, departments, and/or vendors;
  • strategies to maintain or recover critical information resources and functions when:
    1. IT infrastructure location(s) (data centers, server rooms, or telecommunication wiring closets) are rendered unavailable or unusable for a period long enough to significantly impact essential business processes and functions;
    2. an information system needed to support essential business processes and functions suffers a significant disruption, compromise, or failure;
    3. enough IT employees are unavailable, for a period long enough, to significantly impact essential business processes and functions.

References

NIST Cybersecurity Framework

PR.IP-4: Backups of information are conducted, maintained, and tested periodically
PR.IP-10: Response and recovery plans are tested
RS.RP-1: Response plan is executed during or after an event
RC.RP-1: Recovery plan is executed during or after an event
RC.IM-1: Recovery plans incorporate lessons learned
RC.IM-2: Recovery strategies are updated

NIST Special Publication 800-53

CP-4: Contingency Plan Testing
CP-9: Information System Backup
CP-10: Information System Recovery and Reconstitution


IT2 – Infrastructure-related risk


IT2.1: For organizations with confidential, protected or off-line institutional and/or unit data, do physical access controls protect infrastructure locations?

This question is related to IT infrastructure. IT systems may be in secure data centre locations, or they may be in smaller server rooms – is your infrastructure protected from unauthorized physical access?



IT2.2: Are changes to infrastructure (e.g. server rooms, network closets) logged and kept up-to-date?

If changes are to be made to physical infrastructure, are they planned, and are they tracked? The purpose of this question is to help a unit understand whether its method of managing infrastructure change exposes it to risk. Note: the existence of a log is a “proxy” for whether the process is managed.


IT3 – Network-related risk


IT3.1: Do unit diagrams or documentation exist for the unit’s network topology and interconnections?



IT3.2: For units with confidential and / or protected Institutional/unit data, are firewall rules reviewed on a regular schedule?



IT3.3: Does an organizational/unit log management process exist for network devices?

Are logs saved from network devices? Are the logs collected for analysis, and monitored for unusual activity?

IT4 – Server-related risk


IT4.1: a) Are security patches on unit server systems kept up-to-date? and b) Does unit server software and hardware get replaced when security patches and support are no longer available from the developer, vendor, or manufacturer?

Unpatched and out-of-date systems are a common mechanism of system compromise. Many of the recent breaches reported in the news have been the result of threat actors compromising out-of-date systems. Ensuring that operating system, software and firmware versions are still supported, and that security patches are still being released as needed, minimizes the number of vulnerabilities attackers can leverage to compromise a system.

Sometimes it is necessary to maintain a system for which patches are no longer being released or which is at end of life (EOL). In this case, it is important to implement security controls that compensate for any vulnerabilities that exist on the system; for example, implement strict access controls and isolate the system in a controlled sub-network so that it cannot reach other systems.

The Common Vulnerabilities and Exposures (CVE) list is a reference list of publicly known vulnerabilities in operating systems, software and firmware: https://cve.mitre.org/

References

U of T

The U of T Information Security department provides system and application vulnerability scanning services to units at the University.




IT4.2: Does the unit use a secure configuration for server systems?

Server systems include databases, web servers, etc. Secure configurations include removal of unnecessary services, blocking unnecessary ports, changing default passwords, etc. Secure configurations should be consistently implemented across all servers managed by the unit. If an appliance is purchased and managed, its configuration should be known and hardened where possible, with external controls put in place where gaps remain.

The Center for Internet Security provides over 100 configuration guidelines, called CIS Benchmarks, for common operating systems, middleware, and public cloud providers. These are available free of charge from https://learn.cisecurity.org/benchmarks and are a useful source of knowledge for getting started with secure configuration management.

References

NIST Cybersecurity Framework

PR.DS-7: The development and testing environment(s) are separate from the production environment
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained
PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed

NIST Special Publication 800-171

3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems.
3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
3.4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

NIST Special Publication 800-53

CM-2: Baseline Configuration
CM-6: Configuration Settings
CM-7: Least Functionality




IT4.3: Are logs on unit servers collected and managed such that they cannot be tampered with, and to the extent needed to enable monitoring, analysis, investigation, and reporting of unauthorized activities?

A well-managed event logging and monitoring process will reduce the impact of unauthorized activities on unit servers by enabling timely and effective investigation of system security events.

Logs can contain a wide variety of information on the events occurring within systems and networks. For servers, logs from security software, operating systems, and applications can be collected, monitored and analyzed to provide useful information when investigating security events or other problems on the server. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage.
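As an added example (not part of the IRSA guidance or any U of T tool), the following Python shows the two halves of this question on constructed auth-log lines: it flags the event types named above (repeated failed logons, privileged command use including by a third-party account, password changes) and hash-chains the stored lines so that any later edit or deletion of the record is detectable. The hostname, account names, addresses, alert threshold and third-party account list are all constructed assumptions.

```python
"""Tamper-evident collection and triage of server auth-log events.

Added example, not part of the IRSA guidance or any U of T tool. The host,
user names and addresses below are constructed sample data."""
import hashlib
import re
from collections import Counter

# Constructed auth.log-style records (not real data).
SAMPLE_LOG = """\
Mar  3 09:12:01 unit-srv01 sshd[2210]: Failed password for invalid user admin from 192.0.2.44 port 51022 ssh2
Mar  3 09:12:04 unit-srv01 sshd[2210]: Failed password for invalid user admin from 192.0.2.44 port 51024 ssh2
Mar  3 09:12:07 unit-srv01 sshd[2210]: Failed password for root from 192.0.2.44 port 51030 ssh2
Mar  3 09:12:09 unit-srv01 sshd[2210]: Failed password for root from 192.0.2.44 port 51031 ssh2
Mar  3 09:12:11 unit-srv01 sshd[2210]: Failed password for root from 192.0.2.44 port 51033 ssh2
Mar  3 09:15:22 unit-srv01 sshd[2290]: Accepted publickey for jsmith from 198.51.100.7 port 40112 ssh2
Mar  3 09:16:03 unit-srv01 sudo:   jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/bin/systemctl restart httpd
Mar  3 09:20:45 unit-srv01 passwd[2310]: pam_unix(passwd:chauthtok): password changed for svc_backup
Mar  3 09:21:10 unit-srv01 sudo:  vendor1 : TTY=pts/1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/apt-get install vendor-agent
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")
PASSWD_RE = re.compile(r"password changed for (\S+)")

# Constructed threshold: more than this many failures from one source raises an alert.
FAILED_LOGON_THRESHOLD = 3
# Constructed list of accounts issued to third parties; their privileged use is always reported.
THIRD_PARTY_ACCOUNTS = {"vendor1"}


def classify(line):
    """Map one raw line to (event_type, details), or None if not of interest."""
    m = FAILED_RE.search(line)
    if m:
        return "failed_logon", {"user": m.group(1), "src": m.group(2)}
    m = SUDO_RE.search(line)
    if m:
        return "privileged_command", {"user": m.group(1), "as": m.group(2), "cmd": m.group(3)}
    m = PASSWD_RE.search(line)
    if m:
        return "password_change", {"user": m.group(1)}
    return None


def hash_chain(lines):
    """Digest each stored line together with the previous digest, so that
    editing, deleting or reordering any line invalidates every later digest."""
    prev = ""
    digests = []
    for line in lines:
        h = hashlib.sha256((prev + line).encode()).hexdigest()
        digests.append(h)
        prev = h
    return digests


def verify_chain(lines, digests):
    """True only if the stored lines still reproduce the recorded chain."""
    return hash_chain(lines) == digests


def analyze(text):
    """Return alerts and event summaries for a block of log text, plus the
    chain digests a collector would store alongside the lines."""
    lines = [l for l in text.splitlines() if l.strip()]
    events = [e for e in map(classify, lines) if e]
    failures = Counter(d["src"] for kind, d in events if kind == "failed_logon")
    alerts = [f"{src}: {n} failed logons" for src, n in failures.items()
              if n > FAILED_LOGON_THRESHOLD]
    privileged = [d for kind, d in events if kind == "privileged_command"]
    alerts += [f"third-party account {d['user']} ran {d['cmd']} as {d['as']}"
               for d in privileged if d["user"] in THIRD_PARTY_ACCOUNTS]
    return {
        "alerts": alerts,
        "privileged": privileged,
        "password_changes": [d["user"] for kind, d in events if kind == "password_change"],
        "chain": hash_chain(lines),
    }
```

Storing the chain digests on a separate, write-restricted host is what makes the verification meaningful; an attacker who can rewrite both the lines and the digests on the same server defeats it.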

For units handling personal health information, starting in March 2019 health information custodians will be required to provide the Ontario Privacy Commissioner with an annual report on privacy breaches occurring during the previous calendar year. Logging, audit and reporting capabilities are an important component to meeting this requirement: https://www.ipc.on.ca/health-organizations/report-a-privacy-breach/

References

NIST Cybersecurity Framework

PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
DE.CM-1: The network is monitored to detect potential cybersecurity events
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed

NIST Special Publication 800-171

3.1.7: Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
3.3.2: Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.
3.12.1: Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.

NIST Special Publication 800-53

AC-6(9): Least Privilege | Auditing use of privileged functions
AU-2: Audit Events
AU-3: Content of Audit Records
AU-12: Audit Generation
CA-7: Continuous Monitoring




IT4.4: a) Are vulnerability scans carried out on all unit servers at least monthly and b) are the results reviewed and acted upon on a regular schedule?
— —

Fixing vulnerabilities identified during a scan reduces the likelihood of threat actors leveraging vulnerabilities to compromise server(s).

The results of a network vulnerability scan typically provide:

  • basic inventory information about the devices connected to the scoped address space;
  • a list of any vulnerabilities found, based on standard sources of known vulnerabilities;
  • a score for each vulnerability, based on a standard scoring system.

U of T Information Security provides a Network Vulnerability Scanning service that tests every connected device on a network and attempts to identify potential security issues. Network administrators can review the scan results and act to remediate any identified vulnerabilities.

NOTE: a network scan is different from a web-application vulnerability scan, which crawls a specific web application to identify web-specific vulnerabilities. See IT13.3 – Web-application risk for information on web application vulnerability scanning.
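
How "reviewed and acted upon on a regular schedule" might be checked mechanically, as an added example that is not part of this page or of the U of T scanning service: the block takes constructed scan findings with CVSS scores, assigns severity bands, derives remediation due dates from an assumed unit policy, and tests whether the scan history meets the monthly cadence. Hostnames, vulnerability names, dates and deadlines are constructed assumptions; the only real reference is the CVSS v3.x qualitative severity scale.

```python
"""Triage of network vulnerability scan results against a remediation schedule.

Added example for the IT4.4 guidance; it is not U of T code and does not read
any real scanner's output format. Findings, scan dates and remediation
deadlines are constructed assumptions; the severity bands follow the CVSS
v3.x qualitative rating scale (Low / Medium / High / Critical).
"""
from datetime import date, timedelta

# Assumed unit policy: days allowed to remediate (or document acceptance) per band.
REMEDIATION_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}
MAX_SCAN_INTERVAL_DAYS = 31  # "at least monthly" (assumed interpretation)
REVIEW_DATE = date(2021, 2, 10)  # constructed review date for the sample data


def severity(cvss: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def triage(findings, as_of: date):
    """Annotate each open finding with its band, due date and overdue status.

    A finding is a dict with host, vuln, cvss, first_seen (date) and an optional
    'status' of 'open', 'fixed' or 'accepted' (a documented accepted risk).
    Returned rows are sorted highest score first, then oldest first.
    """
    out = []
    for f in findings:
        if f.get("status", "open") != "open":
            continue
        band = severity(f["cvss"])
        if band == "None":
            continue
        due = f["first_seen"] + timedelta(days=REMEDIATION_DAYS[band])
        out.append({**f, "severity": band, "due": due, "overdue": as_of > due})
    out.sort(key=lambda f: (-f["cvss"], f["first_seen"]))
    return out


def scan_cadence_ok(scan_dates, as_of: date) -> bool:
    """True if no gap between scans, or since the last scan, exceeds the monthly target."""
    dates = sorted(scan_dates)
    if not dates:
        return False
    gaps = [(b - a).days for a, b in zip(dates, dates[1:])]
    gaps.append((as_of - dates[-1]).days)
    return max(gaps) <= MAX_SCAN_INTERVAL_DAYS


# Constructed sample data (hosts, vulnerability names and dates are made up).
SAMPLE_FINDINGS = [
    {"host": "srv-web-01", "vuln": "outdated TLS library", "cvss": 7.5, "first_seen": date(2021, 1, 4)},
    {"host": "srv-db-02", "vuln": "default service banner", "cvss": 2.1, "first_seen": date(2021, 1, 4)},
    {"host": "srv-web-01", "vuln": "unauthenticated admin page", "cvss": 9.8, "first_seen": date(2021, 2, 1)},
    {"host": "srv-file-03", "vuln": "SMBv1 enabled", "cvss": 8.1, "first_seen": date(2020, 11, 2), "status": "accepted"},
    {"host": "srv-db-02", "vuln": "weak cipher suites", "cvss": 5.3, "first_seen": date(2020, 12, 7)},
]
SAMPLE_SCAN_DATES = [date(2020, 11, 2), date(2020, 12, 7), date(2021, 1, 4), date(2021, 2, 1)]


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, REVIEW_DATE):
        flag = "OVERDUE" if row["overdue"] else ""
        print(row["severity"], row["host"], row["vuln"], "due", row["due"], flag)
    print("monthly cadence met:", scan_cadence_ok(SAMPLE_SCAN_DATES, REVIEW_DATE))
```

With the sample data the accepted SMBv1 finding is excluded from the open list (it is a documented accepted risk, which is what RS.MI-3 asks for), the Critical and High findings come out overdue as of the review date, and the cadence check fails because the gap between the first two scans is 35 days.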

References

U of T

U of T Network Vulnerability Scanning Service

NIST Cybersecurity Framework

ID.RA-1: Asset vulnerabilities are identified and documented
PR.IP-12: A vulnerability management plan is developed and implemented
DE.CM-8: Vulnerability scans are performed
DE.DP-4: Event detection information is communicated to appropriate parties
DE.DP-5: Detection processes are continuously improved
RS.CO-3: Information is shared consistent with response plans
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks

NIST Special Publication 800-171

3.11.2: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
3.11.3: Remediate vulnerabilities in accordance with risk assessments.

NIST Special Publication 800-53

RA-5: Vulnerability Scanning


IT5 – Identity-related risk


IT5.1: Can each account be identified back to an individual for all accounts on information systems controlled by the unit?
— —
Ensuring that accounts can be identified back to an individual enables a number of other activities, for example knowing which accounts to de-provision when staff leave, ensuring appropriate access controls are applied, and investigating malicious activity on an information system.

Other accounts that may be considered for this question include accounts on external services such as social media, mass mailing, event management, analytics, on-line purchasing platforms, etc.

If users are accessing information systems using the U of T web-login, or single sign on (SSO) solution, they are uniquely identified by their UTORID.

References

U of T

UTORAuth & UTORID

NIST Cybersecurity Framework

PR.AC-1: Identities and credentials are managed for authorized devices and users
PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
PR.DS-5: Protections against data leaks are implemented
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events

NIST Special Publication 800-171

3.1.1: Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
3.1.2: Limit system access to the types of transactions and functions that authorized users are permitted to execute.
3.1.5: Employ the principle of least privilege, including for specific security functions and privileged accounts.
3.5.1: Identify system users, processes acting on behalf of users, and devices.
3.5.2: Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
3.5.5: Prevent reuse of identifiers for a defined period.

NIST Special Publication 800-53

AC-2: Account Management
AC-6: Least Privilege
IA-4: Identifier Management




IT5.2: Are users, devices and other assets authenticated (e.g. password management, multi-factor) commensurate with the risk of the transaction?
— —
Higher-assurance authentication is used when the impacts of compromised confidentiality, integrity or availability could result in adverse effects on operations, assets, or individuals. For example, a compromise of an account that accesses a large number of records containing personal information would have a more severe impact than the compromise of an account that can access a single record of personal information.

The University password policy lays out the minimum requirements for password length and complexity. This policy is enforced on all accounts that make use of the University’s web-login or single sign-on (SSO). To provide higher assurance to those accounts that access higher-risk data, Etoken is used to provide a second factor, when authenticating users accessing the data.

References

U of T

UTORid Password Policy
EToken Services

NIST Cybersecurity Framework

PR.AC-1: Identities and credentials are managed for authorized devices and users
PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
PR.DS-5: Protections against data leaks are implemented
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events

NIST Special Publication 800-171

3.1.1: Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
3.1.2: Limit system access to the types of transactions and functions that authorized users are permitted to execute.
3.1.5: Employ the principle of least privilege, including for specific security functions and privileged accounts.
3.5.1: Identify system users, processes acting on behalf of users, and devices.
3.5.2: Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
3.5.5: Prevent reuse of identifiers for a defined period.

NIST Special Publication 800-53

AC-2: Account Management
AC-6: Least Privilege
IA-4: Identifier Management




IT5.3: Does a unit administrative / privileged account list exist, for a) internal systems and b) vendor systems that are in use?
— —
Maintaining an account list supports other activities such as de-provisioning when staff no longer need access to an information system. This is especially important for accounts that have privileged access to systems where unauthorized access could lead to compromises of confidentiality, availability or integrity of the system.

References

U of T

UTORid Password Policy
EToken Services

NIST Cybersecurity Framework

PR.AC-1: Identities and credentials are managed for authorized devices and users
PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
PR.DS-5: Protections against data leaks are implemented
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events

NIST Special Publication 800-171

3.1.1: Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
3.1.2: Limit system access to the types of transactions and functions that authorized users are permitted to execute.
3.1.5: Employ the principle of least privilege, including for specific security functions and privileged accounts.
3.5.1: Identify system users, processes acting on behalf of users, and devices.
3.5.2: Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
3.5.5: Prevent reuse of identifiers for a defined period.

NIST Special Publication 800-53

AC-2: Account Management
AC-6: Least Privilege
IA-4: Identifier Management


IT6 – Malicious software risk


IT6.1: Do unit information systems have a) anti-virus software installed and b) antivirus signatures checked and updated daily?
— —
If your unit has other mitigations in place and is willing to share them with others, please add them in the comments (e.g. has the unit implemented a software whitelisting mechanism to prevent malicious programs from running?).


IT7 – Application-related risk


IT7.1: For organizations that develop applications, have applications been tested to ensure that input is properly validated?



IT7.2: For units that develop applications with confidential or protected institutional or unit data, do application developers receive secure coding training?

IT8 – Development process-related risk


IT8.1: For units that develop applications, is a software development process used that includes information security?



IT8.2: For units that develop applications, does a change management log exist for application-related changes?


IT9 – Vendor management risk


IT9.1: For units using third party software products or information services on-prem or in the cloud for confidential or protected institutional or unit data, has:
a) a risk assessment (privacy and threat) of the vendor been completed, and
b) does the contract include measures to protect confidential and protected data?
— —
U of T Information Risk Management Assessments

IT10 – Client-related risk


IT10.1: Does the unit maintain a list of exceptions to controls for systems that it manages, and if such exceptions exist, a list of mitigating controls for the listed systems? e.g. systems that are no longer supported by the vendor but must still be maintained.



IT10.2: Does the unit use a secure configuration for client systems?

IT11 – Mobile-worker related risk


IT11.1: For units with confidential or protected institutional or unit data, have mobile devices that access, process, store, or transmit this data been configured with a basic security configuration?
— —
Laptops, smart phones, and tablets that interact with institutional data may pose a risk.


IT12 – Message service-related risk


IT12.1: Have all organizational messaging services been equipped with anti-virus software to detect and block or remove malicious messages or attachments?
— —
For most units at the University, messaging services are handled by the Office 365 services; EASI would be considered University Partners in managing this risk.



IT12.2: For units with protected institutional / unit data, are messages containing restricted data encrypted in transit?

IT13 – Web-related risk


IT13.1: For units with confidential or protected institutional / unit data, are associated organizational web applications hosted on separate systems from their databases or application servers?



IT13.2: Have unit web applications been equipped with a secure session tracking mechanism to prevent session hijacking or other session-based attacks?



IT13.3: a) Have unit web applications been scanned for vulnerabilities, and updated if high-level vulnerabilities found? and b) have external providers given results showing they have updated any high-level vulnerabilities found in their application?
— —

Fixing vulnerabilities identified during a scan reduces the likelihood of threat actors exploiting vulnerabilities to compromise server(s).

Web application vulnerability scans crawl a web application from a starting URL and examine every linked node for potential vulnerabilities. This provides a deeper examination of the target web application than a network scan (IT4.4 – Server-related risk). Typically, web applications are scanned periodically and whenever there are major upgrades to the application. Any vulnerabilities identified are assessed and mitigated according to the risk(s) they pose.

If your unit collects, stores or processes institutional data on web applications managed outside of your unit (either by another U of T unit or third-party vendor), results showing that they have addressed any high-level vulnerabilities found in their scans can be requested. This is a standard component of the project-based risk assessments carried out at the University.

The University Information Security department offers Web Application Vulnerability Scanning to units at the University who would like to have the web applications they manage scanned for vulnerabilities, for a cost recovery fee. If you would like to arrange for a scan, please contact the Information Risk Management team at ITS – Information Security.

References

U of T

Information Risk Management – Information Security

NIST Cybersecurity Framework

ID.RA-1: Asset vulnerabilities are identified and documented
PR.IP-12: A vulnerability management plan is developed and implemented
DE.CM-8: Vulnerability scans are performed
DE.DP-4: Event detection information is communicated to appropriate parties
DE.DP-5: Detection processes are continuously improved
RS.CO-3: Information is shared consistent with response plans
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks

NIST Special Publication 800-171

3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
3.11.3 Remediate vulnerabilities in accordance with risk assessments.

NIST Special Publication 800-53

RA-5: Vulnerability Scanning


IT14 – Security incident-related risk


IT14.1: Does a unit information security incident response plan exist? Feedback appreciated. We might prefer an institutional response plan, with a question related to how the unit uses this. To be updated once the Incident Response group has completed its work.



IT14.2: Has the unit’s information security incident response plan been tested or exercised?

IT15 – Storage media-related risk


IT15.1: For confidential, protected or off-line institutional / unit data, are all media destroyed using a secure destruction method as approved by the unit / by U of T?



IT15.2: Do units ensure confidential or protected data kept on movable storage media (e.g. USB media; external hard drives) is kept on encrypted devices?


IT16 – User-related risk


IT16.1: Does a unit information security awareness training program exist for all faculty, staff, student employees, contractors and volunteers?

https://securitymatters.utoronto.ca

IT17 – Information asset risk


IT17.1: Does a unit information system asset inventory exist that includes technology and data assets?

IT18 – Software License risk


IT18.1: a) Does a unit software inventory exist, b) does a unit software usage report exist, c) has the report been validated against the actual number of licenses purchased, and d) if there is a discrepancy, is action planned?
