University of Toronto Logo

Information + Technology Services

Small normal big

ISC Risk, Compliance, Metrics and Reporting (IRCMR) Working Group

Terms of Reference


The purpose of the ISC working groups is to develop a set of recommendations as outlined in their mandate and bring them forth to the Information Security Council.


Overall, develop an Information Security Risk Reporting Framework to:

  • Develop security status metrics and a reporting framework that will allow units to self-measure their performance against metrics.
  • Track the progress of remediation on risk items (for example, units reporting of progress against reporting framework, against risk register items; and from the findings of external (to unit) risk assessments and audit reports).
  • Provide feedback on the risk register.
  • Develop a framework for internal and external auditors on the type and level of assurance most needed during corresponding audit cycles.
  • Provide guidance to the campus Information Risk Assessment Process.


The IRCMR working group will seek input from key stakeholders, subject matter experts and other interested parties from divisional and central units within the campuses of the University during the development of this reporting framework.


Seeking input from stakeholders is important in developing an Information Security Risk Reporting Framework. This process will take time.


Name Group
Sue McGlashan (chair) Information Security Architect, ISEA, ITS
Paul Morrison IT Director, Faculty of Kinesiology & Physical Education
John Kerr Director, Department of Risk Management and Insurance
Andrew McHardy Manager, EASI, ITS
Linda Ye Senior Auditor, Information Systems
Steven Butterworth PCS Manager, Dept Physics, A&S
Susan Senese Chief Administrative Officer, University of Toronto Mississauga

The Latest News