IRSA 2020/21 Priority Questions

This page lists priority questions for the Information Risk Self-Assessment for the 2020/21 cycle. For 2020/21, units are asked to respond to these questions at a minimum; however, you are welcome to respond to any other questions in the framework as well. Click here for the complete list of questions in the IRSA framework.

Each question in the assessment is scored using a Capability Maturity Model. Click here for descriptions of the CMM Scores.

Click on a question to view further guidance, existing U of T resources and mapping to U of T Security Controls. Mapping to other common controls frameworks is also provided.

Business Continuity Risk

BUS2.1: Does the unit maintain an inventory of all mission critical systems and processes?

Employment Risk

HR1.1: Does the unit ensure a) all new hires agree to institutional policies, and sign any required documents before they are given access to institutional data, and b) all employees with access to information classified as confidential or higher sign required documents according to an established schedule?

HR1.2: Does a unit employee termination and transfer process exist, including review of and changes to employee access to institutional and unit-specific information systems?

Administrative data-related risk

DAT1.1: Has unit administrative data been classified according to the UofT's data classification?

DAT2.2: Does the unit have scheduled reviews of who or what has access to administrative data systems (e.g. ROSI, local unit databases), and are changes made as needed if personnel change between reviews?

Research data-related risk

DAT3.1: What percentage of the unit's researchers classify their data according to the UofT's data classification?

DAT3.2: What percentage of the unit's researchers know the location of all their research data, including the data of their grad students and / or post-docs?

DAT3.3: What percentage of the unit's researchers backup their research data, including the data of their grad students and / or post-docs?

Disaster-related risk

IT1.1: a) Have mission critical information systems and databases been backed up according to a backup plan; b) are backups being stored at a unit approved storage facility or storage facility approved by your responsible ITS department?

IT1.2: a) Does the unit have a disaster recovery plan for each critical information system for which they are responsible, and if so b) has the disaster recovery plan been tested or exercised on a regular schedule?

Server-related risk

IT4.1: a) Are security patches on unit server systems kept up-to-date? and b) Does unit server software and hardware get replaced when security patches and support are no longer available from the developer, vendor, or manufacturer?

IT4.2: Does the unit use a secure configuration for server systems?

IT4.3: Are logs on unit servers collected and managed such that they cannot be tampered with, and to the extent needed to enable monitoring, analysis, investigation, and reporting of unauthorized activities?

IT4.4: a) Are vulnerability scans carried out on all unit servers at least monthly and b) are the results reviewed and acted upon on a regular schedule?

Identity-related risk

IT5.1: Can each account be identified back to an individual for all accounts on information systems controlled by the unit?

IT5.2: Are users, devices and other assets authenticated (e.g. password management, multi-factor) commensurate with the risk of the transaction?

IT5.3: Does a unit administrative / privileged account list exist, for a) internal systems and b) vendor systems that are in use?

Web-related risk

IT13.3: a) Have unit web applications been scanned for vulnerabilities, and updated if high-level vulnerabilities found? and b) have external providers given results showing they have updated any high-level vulnerabilities found in their application?