If your unit handles any type of information or depends on data to deliver your programs and services, then the DAI-IRSA is relevant to the activities in your unit. Ensuring that the information in your unit is accurate, available when needed, and accessible only to those who need it will help you deliver your programs and services in a cost- and time-effective manner, while lowering the likelihood of disruptions due to security or privacy events.
The DAI-IRSA will help your unit identify those areas where action will result in effective information risk management. Review the priority questions for 2020/21 to learn more.
For the purposes of the DAI-IRSA, the definition of a unit is kept intentionally vague; units come in all shapes and sizes at the U of T. Some organizational units at U of T are large and may decide to conduct multiple assessments based on different organizing principles; for example, major programs or functional areas. Smaller units may only manage information risk in a few of the areas represented in the assessment and complete a subset of the questions for their area of responsibility.
You may decide partway through the assessment that a different organizing principle will work better. That’s OK. Inform the DAI-IRSA Team, and we can make the adjustments.
Regardless of size or complexity, the assessment will be a valuable tool for any unit wishing to understand their data assets and cybersecurity risks to make informed decisions.
Units should conduct their assessments on a regular cycle at a time that fits in with the cycle of their operations. Some units may want to align their assessment with the academic calendar, others may prefer to align it with the fiscal calendar. The assessment tool will continue to be available to update and the unit reports will continue to be updated throughout the year.
For 2020/21, we are asking that units start their Data Asset Inventories and respond to the priority questions of the Information Risk Self-Assessment by January 31, 2021. A snapshot of data collected will be taken at the end of January, so that it can be compiled for aggregate annual reports to the Information Security Council and sub-committees of Governing Council.
Scheduled workshops and training will be available in November, December and January.
Units will be able to see the detailed results of their own assessments, and the aggregate results of other participating units across the University and by type of Unit (Academic, Administrative, or IT Services). These reports are for your unit’s use and allow you to compare yourself with peers and the university results as a whole.
At present, de-identified results are shared with the Information Security Council. The intent of this sharing is to allow trends supporting University-wide efforts and investments to be identified. At this time, the identity of individual units is not shared, and we will work with the community to establish appropriate guidelines about the extent of the detail to be shared among stakeholders.
The DAI-IRSA Program team, currently consisting of the Chief Information Security Officer; the Manager, Information Risk Management; and the Information Risk Program Coordinator, is able to access detailed results of the information risk assessments. Comments and descriptions recorded in your responses may be used to inform our efforts at improving the DAI-IRSA program and the Information Security program as a whole.
An independent evaluation of the results is not provided to units. The DAI-IRSA Team will review content as a way to evaluate whether the resources we provide need to be clarified or improved, and to provide advice to units, where requested. This is a self-assessment, intended to help you understand and actively manage your data governance and information risk responsibilities. Recording current and accurate data will help you get the most out of the assessment process, and guidance is provided to help you assess the activities in your unit.
Guidance for each question is available on the Information Risk Categories page of the IRSA website. The guidance will:
- prompt you to think about the processes you employ to manage information risk across a broad range of activities at the University
- provide any U of T resources available: these may include tools, services, policies or guidelines
- reference relevant University of Toronto security controls and some common cybersecurity frameworks
Go to the training page for information on upcoming workshops and drop-in sessions.
If at any time you have a question about the assessment, please reach out to us: IRSA Team.
Report data in the U of T Tableau server is updated once a week on Thursday AM by the DAI-IRSA Team. Any changes that were made to the data asset inventories or assessments in the REDCap survey tool in the prior week will be reflected then.
You can log in to your Unit assessment on REDCap at any time to review or modify your assessment. Changes will be reflected in the reports at the next report update.
Marking your forms as complete lets us know that you are finished with your assessment. You may continue to update the contents of your Asset Inventories and Information Risk Assessments after marking them as complete. If you would like us to lock your assessment for the year, so that no more changes can be made, please let us know.