Approach

The University of Toronto Policy on Information Security and the Protection of Digital Assets was adopted as a measure to protect the privacy, confidentiality, integrity, and availability of Digital Assets, including the information systems that store, process or transmit data. It defines guidelines as best practices and approaches for protecting Digital Assets.

The guidelines in these pages were developed to protect digital assets managed by the Information Technology Services (ITS) department at the University of Toronto. Other departments within the University are free to use them.

There are guidelines for six control areas in the security zone. They are as follows:

Identifier   Control Area
ICP          Information Classification and Protection
APS          Application Security
IAM          Identity and Access Management
OPS          Operational Security
IFS          Infrastructure Security
CRP          Cryptography


Within each guideline is a collection of recommended security controls, each uniquely identified. Each security control is assigned a control rating for each classification of data, indicating whether the control is appropriate for data of that classification. The classification of data is described in more detail in the Information Classification and Protection guideline, but a summary is provided in the table below.

Classification   Definition
Restricted       Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the University, its stakeholders or its affiliates. In some cases, unauthorized disclosure or loss of this data would require the University to notify the affected individuals and provincial authorities. The University would have a contractual, legal, or regulatory obligation to safeguard this data in the most stringent manner; examples are data protected by PHIPA or by PCI-DSS, and Social Insurance Numbers (SINs).
Confidential     Data should be classified as Confidential when the unauthorized disclosure, alteration or destruction of that data could adversely affect individuals, the business of the University or its affiliates. Confidential data includes data protected by provincial or federal privacy regulations, as well as, for example, data protected by confidentiality agreements.
Public           Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates. Examples of Public data include press releases, course information and research publications. While little or no control is required to protect the confidentiality of Public data, some level of control is still required to prevent unauthorized modification or destruction of Public data, since its integrity and availability still matter.


The control ratings are defined as follows.

Control Rating   Definition
Optional         The security control is optional for the designated classification of data. This does not imply that the control should not be implemented. Business units that would like to go above and beyond the baseline requirements are encouraged to evaluate all controls for appropriateness.
Recommended      The security control is recommended for the designated classification of data but is not required, either because of limitations in available technology or because the control could place an undue burden on a business unit to implement. Business units should document their justification for not implementing a 'Recommended' security control and whether or not a compensating control has been implemented.
Required         The security control is required for the designated classification of data. In situations where a 'Required' security control cannot be implemented, the Procedure for Policy Exception Handling should be followed. This process provides formal tracking and approval of accepted security risks across the University.

The guidelines reflect a common set of controls that are appropriate across ITS. It is important to note that additional or more specific security controls may be required based on individual business requirements (e.g. contractual and/or regulatory obligations). Many industry business practices and regulatory requirements were considered in the development of the guidelines; however, they may not be comprehensive in every situation. Business units using these guidelines should consider mapping their contractual and/or regulatory obligations to the guidelines to ensure there are no gaps in their own controls.