Learn about our strategy

The University of Toronto’s Information Security strategy sets the mission, vision, goals, objectives and outcomes that will drive the information security priorities for the University over the next four years. It aims to enrich and support the University’s academic mission by enabling scholars, researchers, academics and staff.

The strategy was developed through a community-driven approach. This involved extensive consultation with academic and administrative units, and incorporates the voices of several community members. It was also influenced and shaped by the IT@UofT strategy and NIST Cyber Security Framework, along with the results of internal and external security assessments, the reality of the security threat landscape and advice from security experts.

By setting a shared direction for information security at the University, the strategy empowers units to identify their priorities, define and execute operational plans and measure progress over the next four years.

Topics on this page:



Enable world-class teaching, learning and research through information security leadership and services that empower people, adapt to risk and respond to the diverse needs of the University community.


  • Enable the mission of the University
  • Uphold privacy, openness and free inquiry
  • Deliver a world-class, exemplary information security program

Strategic objectives and outcomes

Secure University digital transformation

Ensuring security and privacy is at the core of emerging technologies and new ways of teaching, learning and working adopted by the University.


  • Seamless access to the digital university enabled through a single identity
  • Appropriate protections for our people, data and systems regardless of location
  • Innovative approaches to securing the next generation of digital solutions
  • Information Security regarded as an enabler of digital transformation and the University mission

Trustworthy teaching, learning and research

Enabling structures to ensure scholars, researchers, academics and staff feel safe when using University infrastructure, systems and resources.


  • An information security-aware culture
  • Accelerated adoption of privacy-conscious edtech solutions
  • Seamless information security support across the entire research lifecycle
  • Alignment with University data governance strategic outcomes

Resiliency through effective risk management

Strategically assessing and managing risk to prevent security attacks and minimize their impact through timely detection and response.


  • Risk management programs adopted by units and reviewed by the Information Security Council
  • Cyber incidents prevented or detected and responded to in a timely manner
  • Managed supply chain risk
  • Common framework to address regulatory and compliance obligations

Excellence through collaboration

Harnessing the power of partnerships to solve bigger and more complex challenges.


  • Normalized collaboration on cybersecurity across the University
  • Increased use of secure shared platforms, capabilities and methodologies
  • Experiential learning and career growth opportunities for students, faculty and staff
  • Strong sector partnership on shared opportunities and challenges

Office of the CISO focus areas for 2024-2025

  1. Transform identity at the University by kick-starting a multi-year effort to consolidate identities, enhance identity systems and streamline identity lifecycle management.
  1. Continue to make security learning available to more users across the community.
  1. Set the groundwork for secure data management by fostering efforts to implement data sensitivity labeling and develop more comprehensive data inventories, thus paving the way for secure adoption of AI.
  1. Enhance detection and response capabilities by expanding coverage of next-generation endpoint protection, maintaining investment in CanSSOC, upgrading threat analysis platform, increasing capacity for security event logging and automating alerts for rapid response.
  1. Continue to bolster U of T’s network security by offering firewall management as a service to the community.

Message from the Office of the CISO

The world is rapidly becoming a digital-first experience. At the University, this is reflected in our hybrid learning environments, course registration processes, real-time research collaboration across the world, and use of data to drive effective evidence-based decision making. Information and technology are at the core of almost everything we do today. It is therefore essential that we enable resilient ecosystems that ensure the security and safety of our people, data and systems, wherever they are.

Our vision is to work together, each of us doing our small part to help secure our ecosystem, so we can focus on what matters most: our learners, our scholars, our staff and the communities we are in. Our systems and workflows must not only meet discipline-specific needs but also have security and privacy embedded into their design. This, coupled with the influence of those who are best informed to make the right decisions, is how we will enable transformative education, innovative research and the University’s Three Priorities.

Our guiding principles2024-06-17T09:40:51-04:00
  • We celebrate diversity and create an inclusive environment.

  • We collaborate to build effective solutions.

  • We make iterative improvements that promote cultural change.

  • We deliver foundational services that are sustainable and can be re-used.

  • We empower and enable people to make informed choices.

  • We balance risk mitigations with privacy and academic freedom.

  • We have a bias for action to mitigate key security risks.

  • We stay informed and actively seek feedback to always improve.

Strategic initiatives

Discover further details about the security measures we’ve implemented to maintain safety and security at U of T.

Multi-factor authentication (MFA)2024-06-17T09:47:24-04:00
Person using UTORMFA on their mobile device.


Protect the University’s valuable information, digital assets and people against unauthorized access by requiring a second factor (like a mobile device or hardware token) to verify user identity.

UTORMFA is the U of T’s multi-factor authentication solution.


  1. Increase secure remote access to systems and data.
  2. Protect applications hosting sensitive data against unauthorized access.
  3. Meet the University’s Information Security Control Standard as endorsed by the Information Security Council.
  4. Protect user and admin accounts against compromise.
  5. Reduce risk of weak passwords being exploited by threat actors.
Research Information Security Program (RISP)2024-06-17T09:47:43-04:00
Picture of a person working at a computer.


Increase research productivity by providing security advice, assistance and services directly to scholars, in joint support with VPRI and libraries.


  1. Provide security framework and reviews for large research projects such as those using big data.
  2. Guidance for researchers to meet funding requirements that include information security frameworks and controls.
  3. Offer pre-vetted systems for research teams such as HPC, compute and storage systems.
  4. Build resources for self-help.
  5. Conduct research information risk assessments to address risks to research data.
Security Awareness and Training Program (SATP)2024-06-17T09:47:01-04:00
Person engaging in a security awareness training program.


Build a culture of security at the University, equipping staff, faculty, librarians, students and our community with knowledge, practices and technologies needed to protect themselves and the University against security threats.


  1. Educate users about security threats, good security practices and U of T security standards and guidelines.
  2. Make security learning accessible to all users.
  3. Offer curated training content for specific roles.
  4. Enable users to test their security knowledge.
  5. Gauge security awareness levels of the community to provide targeted training.
  6. Periodically update training content to keep it current and relevant.
Endpoint Protection Program (EPP)2024-06-17T09:50:30-04:00
Person using a mobile devices with security features enabled.


Secure endpoints (i.e., workstations, laptops, mobile devices, servers) and associated data against advanced security threats.


  1. Increase user trust that their devices are safe to use.
  2. Reduce duplicate anti-virus spend across divisions.
  3. Provide consistent baseline protection for all endpoints with advanced protection available for high-risk use cases.
  4. Alert on suspicious activities and reduce time to prevent or respond.
  5. Identify and respond to threats that are not detected by traditional anti-virus solutions.
  6. Reduce use of unsecured personal devices.
Vulnerability Management Program (VMP)2024-06-17T09:51:42-04:00
A mobile device with a graph displayed on the screen.


Manage risk to critical assets by proactively identifying and remediating security vulnerabilities.


  1. Improve visibility into security vulnerabilities.
  2. Enable better prioritization of vulnerabilities.
  3. Minimize attack surface.
  4. Improve rate of vulnerability remediation.
  5. Track and report vulnerability remediation.
Identity modernization2024-06-17T09:52:55-04:00
Login screen displayed on a computer.


Drive strategic reinvestment in people, process and technology to modernize and enable Identity-as-a-Service for U of T.


  1. Build foundational capability for divisions to manage their own identity needs and reduce duplication.
  2. Securely manage user identity from on-boarding through off-boarding or perpetual relationship.
  3. Enhance user experience by streamlining process for getting access.
  4. Provide self-service capabilities such as password reset and new access requests.
  5. Enable fine-grained access decisions based on risk.
Advanced Threat Protection (ATP)2024-06-17T09:53:56-04:00
Person using a computer with security features enabled.


Implement critical security features for U of T institutional email and collaboration tools in Office 365.


  1. Increase trust and use of O365 to maximize institutional investments.
  2. Safeguard emails against malware and viruses, including “zero-day” threats.
  3. Check incoming messages for indicators that a message might be a phishing attempt.
  4. Detect and block files that are identified as malicious.
  5. Enforce data-specific security policies.
  6. Generate real-time reports to decrease time to detect and respond to threats and attacks.
Timely detection & response2024-06-17T09:54:39-04:00
Person reading a graph on the screen.


Detect and respond to security threats in a timely manner to minimize their impact on the University.


  1. Enhance security events monitoring at the institutional and unit level.
  2. Enable individual units to expand their monitoring capabilities.
  3. Analyze security events and logs to proactively identify threat patterns.
  4. Respond to identified threats to remove or contain them in a timely manner.
Adaptive network security2024-06-17T09:55:59-04:00
Person using a laptop computer to interact with technologies


Expand and improve cloud and edge services for the University to support digital transformation and hybrid work model.


  1. Enhance cloud security by standardizing firewall technologies in the cloud.
  2. Offer self-service capabilities to create and deliver firewall changes.
  3. Expand capacity of edge infrastructure to accommodate increased demand for edge services.
  4. Enhance cloud security service by bringing more cloud security architecture resources to support cloud growth.
Security program enhancement and resiliency2024-06-17T09:56:35-04:00
A group of people collaborating in a meeting.


Strengthen the institutional information security program through foundational changes and added support.


  1. Improve delivery of security services.
  2. Enhance visibility into risk for more informed decision-making.
  3. Increase support for units to manage their security risk.
  4. Improve execution efficiency of security strategic initiatives.
Icon for the strategy resource hub

Information Security resource hub

The Office of the CISO has created tools and guidance to help units drive their specific priorities within our strategic framework. Learn about upcoming initiatives, available resources, and how you can support these efforts.

Annual reports

Annual report: May 2023 – April 2024

Our accomplishments include the increased adoption of next-generation endpoint protection and enhancement of our ability to proactively identify, track and report security vulnerabilities.

Cover of the 2023 annual report

Annual report: May 2022 – April 2023

In this report, we have highlighted the great work that is happening both at the institutional level and within divisions.

Go to Top