The Planning and Budget Committee (PBC) meeting on February 25 discussed updates to U of T’s Policy on Information Security and the Protection of Digital Assets.
This policy — which was approved by the Governing Council in 2016 — protects and upholds the confidentiality of U of T’s digital assets, as well as the systems that aid in transmitting, storing, and administering this data. All three campuses are required to utilize and implement the information technology systems that best protect their digital assets.
What updates have been made?
The most prominent update in the policy is a change in wording — any use of the term “President or Delegate” is to be rewritten as “President or Designate (normally, the Chief Information Security Officer).” According to Chief Information Security Officer Isaac Straley, the reasoning behind this change was the creation of his position: a senior leader responsible for managing the portfolio.
The term ‘policy’ in the definitions section was also clarified to refer to the Information Security Council co-chairs: a senior faculty member, and the director of the Information Technology Services Information Security Department.
These changes still need to be approved by two governing bodies before the updates take effect. The Governing Council is expected to review and amend the policy on April 2, and new guidelines are expected to be put in place in the fall, according to Straley.
Why are these updates important?
In an email to The Varsity, Straley noted that these updates shouldn’t impact U of T students and faculty directly. He explained that the main objective of the edits was to clearly define the responsibilities of each role.
The reasoning behind this clarification was to improve security and strengthen the council’s ability to “make more informed decisions as a result of the new role and council, reflecting the needs of the community.”
What is the relevance of this policy to the U of T community?
The policy defines terms such as ‘digital assets’ and ‘guidelines,’ but what do these terms imply for someone accessing information or using online systems on a U of T campus?
“Digital assets can be just about anything that has data or is connected to a network. That could include research information and institutional information,” explained Straley.
Digital assets can also include student laptops, as well as the infrastructure that supports their e-learning platforms such as Quercus. It is important for U of T students to keep in mind that their personal behaviour online is not separate from the protection of U of T’s institutional assets.
“Personal exposure impacts professional lives,” Straley wrote. “We want students to have a safe online experience.”
How can you protect your digital assets?
Members of the U of T community can access Security Matters, a U of T website dedicated to cyber security education.
Users can read blogs about protecting themselves from phishing attacks, relevant cyber threat trends, and social media best practices. Individuals can also submit reports of fraudulent incidents and receive guidance about steps that they can take if they are a victim of a phishing attack.
Straley urged members of the U of T community to use multi-factor authentication for accounts that require a login. This authentication entails the use of two different log-in methods — for example, one using a token that is texted, and another using a password.
He also stressed the importance of regularly updating any information systems that you may be using. Vulnerable systems are at risk of being broken into. “Everyone is at risk of that,” Straley noted. “Protect your logins and protect your systems.”