
Information + Technology Services


Information Security Council (ISC)

ISC Terms of Reference

Introduction

The information security council (ISC) is established to ensure broad consultation in planning and decision-making processes. The ISC will: assist in the review of envisioned and unanticipated risks to the university’s digital assets; ensure a robust and practiced process exists around incident response; collaborate with the president or designate to initiate information security initiatives; ensure education of the university community on digital security best practices; oversee the development, recommendation and review of procedures, standards and guidelines for the protection of the university’s digital assets; and ensure timely and accurate reporting on information security risks to the appropriate governing groups, including the senior executive and the audit committee of the governing council. The council will focus on transparency, awareness and educating the community as much as possible. Working groups will strive to run ideas by the community and solicit feedback.

Objectives
  • The broad purpose of the ISC is to provide guidance to the university in matters of information security in the context of the university’s mission, objectives and obligations.
  • Act as a steering committee for the information security program, including a recommendation on the final resource allocation decisions for the annual security strategy plan.
  • As per policy, ensure every academic and non-academic unit is appropriately covered by an information risk management plan.
  • Establish and maintain effective lines of accountability, responsibility and authority for protecting information assets. This is typically achieved by reviewing and guiding division-level information risk management plans.
  • Establish, ensure and maintain accountability for protecting information resources.
  • Regularly review threats to the university’s digital assets and the due diligence around their protection (e.g. risk management plans), and monitor assurance.
  • Mediate conflicting risk/security requirements.
  • Collaborate with the President or designate to undertake information security initiatives and educate the university community on digital security best practices.
  • Oversee the development, recommendation and review of procedures, standards and guidelines for the protection of the university’s digital assets.
  • Act as a steering committee for projects that require significant business unit involvement (for example, supporting the data access governance decisions required for implementing a data loss prevention capability).
  • Track the progress of remediation on risk items (for example, audit report findings and risk register items).
  • Review security status metrics reporting, and request new metrics if required.
  • Provide input and feedback to internal and external auditors on the type and level of assurance most needed during corresponding audit cycles.
  • Provide a forum for the CISO to guide localized security efforts within individual business units via committee members.
  • Act as a mediation or arbitration forum for reconciling conflicting security requirements between different business units.
  • Review and approve or reject requests for policy exemptions from business units or projects.
  • Charter ad hoc projects to investigate and report back on topics of interest, for example the security governance implications of cloud computing.
  • Establish working groups/sub-committees, as required, to ensure broad consultation on initiatives.

Membership

The ISC is a committee established by the president or designate (VPUO), and will be co-chaired by a senior faculty member and the chief information security officer.

Members have been drawn from a list of nominations made in 2017. The working groups are augmented with subject-matter expertise specific to each working group.

Governance

The ISC will report regularly, through the VPUO, to the audit committee of the governing council and to senior decision-making groups. In addition, materials related to the work of the ISC will be made accessible to the community, as appropriate. The CISO and CIO will also act as a conduit to the campus information technology council (if one is established), ensuring alignment and resourcing.

Structure

The ISC is expected to create standing and ad hoc sub-committees and/or working groups on an as-needed basis.

The ISC will meet at least once in each of the fall, winter and spring terms, and as necessary at the direction of the chairs. This will be reviewed on a yearly basis.

Terms for members are generally two years, with eligibility for renewal. Flexibility for leaves will be accommodated in an ad hoc fashion.

Members

Name               Role         Unit                      Status
Ron Deibert        Co-Chair     Political Science         Faculty
Isaac Straley      Co-Chair     ITS                       Staff
Sam Chan           Member       Medicine – IT Director    Staff
Leslie Shade       Member       I-School                  Faculty
Sian Meikle        Member       Library                   Faculty
Deepa Kundur       Member       Engineering Science       Faculty
Michael Stumm      Member       ECE                       Faculty
Zoran Piljevic     Member       UTSC – IT Director        Staff
Rafael Eskenazi    Member       Privacy Office            Staff
Heidi Bohaker      Member       History                   Faculty
C. J. Woodford     Member       Physics                   Grad Student
Bo Wandschneider   Ex-officio   ITS                       Staff
