1. My unit does not manage any Information Technology resources. Do I still need to conduct an assessment?

If your unit handles any type of information or depends on data to deliver your programs and services, then the IRSA is relevant to the activities in your unit. Ensuring that the information in your unit is accurate, available when needed, and accessible only to those who need it will help you deliver your programs and services in a cost-effective manner, while lowering the likelihood of disruptions due to security or privacy events.

The IRSA will help your unit identify those areas where action will result in effective information risk management. Review the priority questions for 2020/21.

2. What is a unit?

For the purposes of the IRSA, the definition of a unit is kept intentionally vague; units come in all shapes and sizes at the U of T. Some organizational units at U of T are large and may decide to conduct multiple assessments based on different organizing principles; for example, major programs or functional areas. Smaller units may only manage information risk in a few of the areas represented in the assessment.

You may decide partway through the assessment that a different organizing principle will work better. That’s OK. Inform the IRSA Team, and we can make the adjustments.

Regardless of size or complexity, the assessment will be a valuable tool for any unit wishing to understand their information and cybersecurity risks, and make informed decisions on how to manage their risk in these areas.

3. When does the assessment need to be completed?

Units should conduct their assessments on a regular cycle at a time that fits in with the cycle of their operations. Some units may want to align their assessment with the academic calendar; others may prefer to align it with the fiscal calendar. The assessment tool will remain available for updates, and the unit reports will continue to be updated throughout the year.

Scheduled workshops and training will be available in November, December and January. A snapshot of data collected will be taken at the end of January, so that it can be compiled for aggregate annual reports to the Information Security Council and other University leadership groups.

4. Who will see the results of the assessment?

Units will be able to see the detailed results of their own assessments, and the aggregate results of other participating Units across the University and by type of Unit (Academic, Administrative, or IT Services). These reports are for your unit’s use and allow you to compare yourself with peers and the university results as a whole.

At present, de-identified results are shared with the Information Security Council. The intent of this sharing is to allow trends supporting University-wide efforts and investments to be identified. At this time, the identity of individual units is not shared, and we will work with the community to establish appropriate guidelines about the extent of the detail to be shared among stakeholders.

The IRSA Program team, currently consisting of the Chief Information Security Officer; the Manager, Information Risk Management; and the Information Risk Program Coordinator, is able to access detailed results of the assessments. Comments and descriptions may be used to inform our efforts at improving the IRSA program as a whole.

5. Will units be evaluated on the content, scores or plans recorded in their assessments?

This is a self-assessment, so units are asked to score how they think they are doing in managing information risk. Recording current and accurate data will help you get the most out of the assessment process, and guidance is provided to help you assess the activities in your unit. An independent evaluation of the results is not provided to units at present. The IRSA Team will review content as a way to evaluate whether the resources we provide need to be clarified or improved, and to provide advice to units, where requested.

6. I don’t know how to answer a question. Where can I go for help?

Guidance for each question is available on the Information Risk Categories page of the IRSA website. The guidance will:

  • prompt you to think about the processes you employ to manage information risk
  • provide any U of T resources available: these may include tools, services, policies or guidelines
  • reference relevant University of Toronto security controls and some common cybersecurity frameworks

Go to the training page for information on upcoming workshops and drop-in sessions.

If at any time you have a question about the assessment, please reach out to us: IRSA Team.

7. How do I update the reports?

Report data in the U of T Tableau server is updated once a week on Thursday AM by the IRSA Team. Any changes that were made to the assessments in the REDCap survey tool in the prior week will be reflected then.

8. How do I update my responses?

You can log in to your Unit assessment on REDCap at any time to review or modify your assessment. Changes will be reflected in the reports at the next report update.

9. I’ve marked my assessment as complete, but now want to make changes. What do I do?

When all assessment forms are marked complete, the IRSA program team will send detailed and summary reports of your responses. Changes to the responses can be made regardless of the status of the completion flag; however, if you make changes after we have sent the reports, you will need to contact us for an updated document. If you would like us to lock your assessment for the year, so that no more changes can be made, please let us know.

10. I don’t have an EToken and cannot easily get one. How can I access the assessment tool?

An Excel-based worksheet is available for those who cannot easily obtain ETokens. Contact the IRSA Team to request a template worksheet. Please return your results so that they can be included in the reporting tool.
