Information Security and the Protection of Digital Assets, Policy on [April 2, 2020]

University of Toronto Governing Council

Policy on Information Security and the Protection of Digital Assets

April 2, 2020

To request an official copy of this policy, contact:

The Office of the Governing Council
Room 106, Simcoe Hall
27 King’s College Circle
University of Toronto
Toronto, Ontario
M5S 1A1

Phone: 416-978-6576
Fax: 416-978-8182
E-mail: governing.council@utoronto.ca
Website: http://www.governingcouncil.utoronto.ca/

University of Toronto Policy on Information Security and the Protection of Digital Assets 

Revision: March 26, 2020

Statement of Intent

The University of Toronto adopts this Policy on Information Security and the Protection of Digital Assets as a measure to protect the privacy, confidentiality, authenticity and integrity, and availability of Digital Assets, including information systems that store, process or transmit data. This Policy applies to all academic and administrative units, third-party agents of the University, as well as any other University affiliate that is authorized to access institutional data, services and systems. 

All University of Toronto campuses, divisions, departments and other administrative or academic organizational units shall deploy and use IT systems and services in a manner consistent with the University’s research and teaching mission, while vigilantly mitigating security risks to Digital Assets, including data during storage, transit, use and disposal. It is the obligation of all University community members to protect information that is created by them and stored by the University and its authorized delegates, in accordance with the University’s defined principles and standards.

Across the University, those charged with managing and securing Digital Assets shall operate in a manner that reduces and mitigates vulnerabilities by following Standards, Guidelines and Procedures for protecting the University’s Digital Assets. Facilities, services, and systems that operate at University-wide, divisional and departmental levels will meet these requirements. 

Administrative Authority

The President or designate (normally, the Chief Information Security Officer, CISO) shall have overarching responsibility for the protection of the University’s Digital Assets.  The President or designate (normally, the CISO) is authorized to approve Procedures and Standards and to promote Guidelines for the protection of the University’s Digital Assets.  

Academic and administrative unit heads shall be responsible for assuring the protection of Digital Assets within their units in accordance with this Policy and associated Procedures and Standards. 

In order to ensure broad consultation in planning and decision-making processes, an Information Security Council (ISC) will be established by the President or designate (normally, the CISO). The ISC will: assist in the review of envisioned and unanticipated risks to the University’s Digital Assets; collaborate with the President or designate (normally, the CISO) to initiate information security initiatives; educate the University community on digital security best practices; and develop and recommend Procedures, Standards and Guidelines for the protection of the University’s Digital Assets.  

In support of these shared responsibilities, each unit shall in consultation with the ITS Information Security department, and others as appropriate, develop an Information Risk Management Program appropriate to the circumstances of the unit, to be approved by the unit head. The President or designate (normally, the CISO), in collaboration with the ISC, will review such programs to ensure compliance with this Policy and associated Procedures and Standards. 

Procedures, Standards and Guidelines must be consistent with the University’s mission and purpose, as well as all relevant University Policies and Agreements, including those dealing with the protection of academic freedom. The President or designate (normally, the CISO) will provide regular updates to the ISC about progress in developing and implementing Procedures, Standards and Guidelines in support of this Policy. 

Governance Oversight

The President or designate (normally, the CISO) shall report annually to Governing Council via the Audit Committee and the Planning and Budget Committee. 

Emergency Authority

In the event of an emergency situation that threatens the University’s Digital Assets, the President or designate (normally, the CISO) shall have full authority to enact emergency response measures that shut down the risk or mitigate further damage to Digital Assets and protect the University community. Actions taken by the President or designate (normally, the CISO) under this Emergency Authority shall be reported to the Information Security Council and in the annual report of the President or designate (normally, the CISO) to Governing Council via the Audit Committee. Those affected by such actions under this Emergency Authority shall be notified as soon as practicable before or after such actions are taken.

Publication

Procedures, Standards and Guidelines will be published and be readily available to members of the University community. 

Definitions

Digital Assets – Meant here as the collection of data, information systems, applications, and equipment that contain and process the intellectual property of the University and of the members of its community, and the mechanisms for storage, information processing, and distribution of these data. Digital Assets can include, among other things, information protected by academic freedom, personal information, proprietary information, and confidential information.  

Information Security Council (ISC) – The Information Security Council (ISC) is a committee established by the President or designate (normally, the CISO).  The ISC will be co-chaired by a senior faculty member and the Chief Information Security Officer.  The ISC will be comprised of technical, administrative and academic experts. 

Guidelines – Best practices and approaches to protecting Digital Assets. These are not mandated or prescriptive, but are meant to provide guidance to the community for implementing practices that mitigate risks. (For example, Guidelines on accessing U of T resources from an airport or other public Internet connection.) Guidelines will evolve over time.

Procedures – Required practices for protecting Digital Assets as developed through input from the Information Security Council and approved by the President or designate (normally, the CISO). (For example, Procedures to be followed when disposing of computing devices.) Procedures will be developed and revised as appropriate over time.

Standards – Standards set a baseline for Digital Asset protection. These Standards, developed through input from the Information Security Council and approved by the President or designate (normally, the CISO), are conceptual and may allow the deployment of different technologies and approaches to meet the Standard. (For example, “Encrypted files must minimally deploy a 256-bit key.” The encryption protocol is not mandated, just the level of protection.) Standards will be set and revised as appropriate over time.  

Approved by the Governing Council February 25, 2016.

Updated April 2, 2020.