
1. My unit does not manage any Information Technology resources. Would this still be a useful tool?

If your unit handles any type of information or depends on data to deliver your programs and services, then the DAI-IRSA is relevant to the activities in your unit. Ensuring that the information in your unit is accurate, available when needed, and accessible only to those who need it will help you deliver your programs & services in a cost- and time-effective manner, while lowering the likelihood of disruptions due to security or privacy events.

The DAI-IRSA will help your unit identify those areas where action will result in effective information risk management. Review the Data Asset and IRSA Categories for more information.

2. What is a unit?

For the purposes of the DAI-IRSA, the definition of a unit is kept intentionally vague; units come in all shapes and sizes at the U of T. Some organizational units at U of T are large and may decide to conduct multiple assessments based on different organizing principles; for example, major programs or functional areas. Smaller units may only manage information risk in a few of the areas represented in the assessment and complete a subset of the questions for their area of responsibility.

You may decide partway through the assessment that a different organizing principle will work better. That’s OK. Inform the DAI-IRSA Team, and we can make the adjustments.

Regardless of size or complexity, the assessment will be a valuable tool for any unit wishing to understand their data assets and cybersecurity risks to make informed decisions.

3. When does the assessment need to be completed?

Units should conduct their assessments on a regular cycle at a time that fits in with the cycle of their operations. It is your responsibility to ensure that your inventories and self-assessments are updated once per year, by January 31. A snapshot of the data collected will be taken at the end of January, so that it can be compiled for aggregate annual reports to the Information Security Council and sub-committees of Governing Council.

Some units may want to align their assessment with the academic calendar; others may prefer to align it with the fiscal calendar. The assessment tool will continue to be available to update, and the unit and divisional reports will continue to be updated throughout the year.

4. Who will see the results of the assessment?

Units will be able to see the detailed results of their own assessments, and the aggregate results of other participating units across the University and by type of Unit (Academic, Administrative, or IT Services). These reports are for your unit’s use and allow you to compare yourself with peers and the university results as a whole.

Divisions will be provided with a summary scorecard for the division which will include participation statuses and aggregate, summary information from across all participating units in the division. Please go to the Reports section of this website to see an example.

Per the Policy on Information Security and Protection of Digital Assets, resulting information risk management programs are shared with the Information Security Council. The intent of this sharing is so that trends supporting University-wide efforts and investments can be identified. At this time, detailed results are not shared outside of the Council, and we will work with the community to establish appropriate guidelines about the extent of the detail to be shared among stakeholders.

The DAI-IRSA Program team are able to access detailed results of the information risk assessments. Comments and descriptions recorded in your responses will be used to inform our efforts at improving the DAI-IRSA program and the Information Security program as a whole.

5. Will units be evaluated on the content, scores or plans recorded in their assessments?

An independent evaluation of the results is not provided to units. The DAI-IRSA Team will review content as a way to evaluate whether the resources we provide need to be clarified or improved, and to provide advice to units, where requested. This is a self-assessment, intended to help you understand and actively manage your data governance and information risk responsibilities. Recording current and accurate data will help you get the most out of the assessment process, and guidance is provided to help you gauge where you are in developing your information risk management program.

6. I don’t know how to answer a question. Where can I go for help?

Guidance for each question is available on the IRSA Questions & Guidance page of this website. The guidance will:

  • prompt you to think about the processes you employ to manage information risk across a broad range of activities at the University
  • provide any U of T resources available: these may include tools, services, policies or guidelines
  • reference relevant University of Toronto security controls and the NIST Cybersecurity Framework

If at any time you have a question about the assessment, please reach out to us: DAI-IRSA Team.

7. How do I update the reports?

Report data in the U of T Tableau server is updated once a week on Thursday AM by the DAI-IRSA Team. Any changes that were made to the data asset inventories or assessments in the REDCap survey tool in the prior week will be reflected then. If you think your survey responses are not reflected in the Tableau reports, please reach out to us: DAI-IRSA Team.

8. How do I update my responses?

You can log in to your Unit assessment on REDCap at any time to review or modify your assessment. Changes will be reflected in the reports at the next report update.

9. I’ve marked my assessment as complete, but now want to make changes. What do I do?

Marking your forms as complete lets us know that you are finished with your assessment, and informs our participation tracking. You may continue to update the contents of your inventories and self-assessment after marking them as complete. If you would like us to lock your assessment for the year, so that no more changes can be made, please let us know.

10. Units in my division have completed all the questions in the IRSA, but our divisional reports say that it is incomplete or that they have only completed the DAI. What can I do?

There are two forms to complete in the IRSA: Management questions and IT questions. Ensure both forms are marked as complete in REDCap. The status drop-down can be found at the very bottom of each survey form; make sure to save the changes before exiting the form. The changes will be reflected the next time the reports are refreshed on Thursday AM.
