About the program

The Security Awareness and Training Program (SATP) aims to build a culture of security at the University by equipping our community with knowledge, practices and technologies needed to protect themselves and U of T against information security threats.

Why SATP?

During our consultation with the wider University community over the summer and fall of 2022, many stakeholders expressed a strong interest in prioritizing a security awareness and training initiative. They requested that this be implemented as soon as possible.

The commonly understood value of having a security awareness and training program is to address the many human-related factors that are a source of security risk. Because there are no one-stop technological solutions to address cyber security threats, it is essential to have people be part of the solution when it comes to securing our University. Preserving the reputation of our University is essential, and this cannot be achieved without protecting all non-public information from loss and unintentional disclosure.

It is also part of U of T’s security standards to have security awareness and training. For more information, refer to the U of T Information and Security Standard.

The SATP consists of multiple projects such as the Security Awareness and Training – Foundations (SATF) project.

Objectives

  • Provide fundamental security awareness: Provide periodic fundamental security training to all staff, librarians, faculty and students and run periodic phishing simulations.

  • Provide role-based security training: Offer targeted security training to individuals based on their roles (e.g., application developers, IT admins, researchers etc.).

  • Develop security skills: Provide opportunities to develop security skillset for IT staff.

Guiding principles

  • We foster an environment of positive learning.
  • We offer security awareness and training on a risk-based approach.
  • We leverage a culture of collaboration to iterate and continuously improve.

What to know about the program?

Questions related to Security Awareness and Training can be directed to: security.training@utoronto.ca.

Related services

Online information security incident response training available to all U of T groups and departments.

Related projects

View a list of projects that fall under the Security Awareness and Training Program.

Current projects

SAT Foundations project

The SAT – Foundations project lays the foundation for the overall SATP. Its goal is to provide U of T staff, librarians and faculty with baseline training that improves their knowledge of essential information security topics and threats.

Past projects
2025-01-16T15:13:19-05:00

SAT-Tabletops-as-a Service project

The SAT-Tabletops project aims to enhance cyber security incident preparedness by simplifying the execution of tabletop exercises across various units. These exercises are vital in enabling our community to handle potential cyber security incidents effectively.

Resources

View a list of projects and services that fall under the Security Awareness and Training Program.

DO

  • Inform users and IT support groups prior to running phishing simulations
  • Provide users with information and details on how to recognize phishing
  • Provide short and clear instructions on how to report suspicious emails
  • Thank users for reporting phishing
  • Craft phish that are relevant to the employee and their role
  • Randomize phishing simulations
  • Phish employees on different days and at different times with different phish, ideally specific to their role
  • Engage in conversation with those who are struggling to detect phishes. Discuss with them, and with peers who understand the job role if appropriate, and ask them what additional resources would be useful
  • Run phishing simulations on a monthly basis
  • Have the Communications team review the phishing email before it is sent

DO NOT

  • Phish without informing users
  • Penalize, sanction or criticize users in any way because they fall for phishing attacks or simulations
  • Provide multiple options or conflicting information on how to report phishing
  • Send only to select groups or individuals
  • Send the same phish to all U of T users
  • Send campaigns outside of the individuals' working hours
  • Run phishing simulations only once a year (that would be too infrequent)
  • Run phishing simulations every week (that would be overwhelming for users)
  • Collect information (e.g. usernames, passwords) or use lures relating to monetary reward or appreciation
  • Collect personal information
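The DO and DO NOT lists above are constraints a simulation tool has to enforce, not just advice to remember. The scheduler below is an added example, not U of T's own tooling: it plans one send per person per month, picks a random weekday and a random minute inside that person's working hours, chooses a role-relevant lure that differs from the previous month's, refuses lures that ask for secrets or promise a reward, and sets a date by which IT support must be told. The roster, the roles and the lure subjects are constructed for illustration, and a validate() pass reports which DO NOT rules a plan breaks so a hand-edited plan can be checked too.

```python
"""Added example: a phishing-simulation scheduler that enforces the DO / DO NOT
rules (monthly cadence, randomized days and times inside working hours,
role-relevant lures, whole roster, no credential or reward lures).
Roster, roles and lure subjects are constructed, not a real U of T list."""
from __future__ import annotations
import calendar
import random
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta


@dataclass(frozen=True)
class Person:
    email: str
    role: str
    work_start: time = time(9, 0)
    work_end: time = time(17, 0)


# Constructed lure catalogue, one list per role (assumption). None of these
# asks for a password or dangles money, as the DO NOT column requires.
LURES = {
    "developer": ["CI pipeline failed: open the build log",
                  "New SSH key added to your repository"],
    "finance": ["Invoice approval pending in the portal",
                "Vendor bank details updated"],
    "researcher": ["Grant portal: attach missing document",
                   "Shared dataset access request"],
}

# Wording the DO NOT column rules out: credential harvesting and reward lures.
BANNED_TERMS = ("password", "credential", "bonus", "gift card", "reward", "prize")


def lure_allowed(subject: str) -> bool:
    """False when the lure asks for secrets or promises money or appreciation."""
    s = subject.lower()
    return not any(term in s for term in BANNED_TERMS)


def business_days(year: int, month: int) -> list[date]:
    """Monday to Friday dates in the month; campaigns never land on weekends."""
    days = calendar.monthrange(year, month)[1]
    return [d for d in (date(year, month, i) for i in range(1, days + 1))
            if d.weekday() < 5]


def schedule_month(roster, year, month, last_lure=None, seed=0):
    """One send per person: random weekday, random minute inside their working
    hours, role-matched lure different from the one they got last time."""
    rng = random.Random(seed)  # seeded so the plan is reproducible for review
    last_lure = last_lure or {}
    days = business_days(year, month)
    sends = []
    for p in roster:
        options = [l for l in LURES[p.role]
                   if lure_allowed(l) and l != last_lure.get(p.email)]
        lure = rng.choice(options)
        day = rng.choice(days)
        start = datetime.combine(day, p.work_start)
        end = datetime.combine(day, p.work_end)
        minutes = int((end - start).total_seconds() // 60)
        send_at = start + timedelta(minutes=rng.randrange(minutes))
        sends.append({"email": p.email, "lure": lure, "send_at": send_at})
    first = min(s["send_at"] for s in sends)
    # Inform IT support a week before the first send, per the DO column.
    return {"notify_support_by": (first - timedelta(days=7)).date(), "sends": sends}


def validate(plan, roster) -> list[str]:
    """Returns the DO NOT rules a plan breaks; an empty list means it is clean."""
    problems = []
    by_email = {p.email: p for p in roster}
    targeted = {s["email"] for s in plan["sends"]}
    if targeted != set(by_email):
        problems.append("not the whole roster is targeted")
    if len(plan["sends"]) != len(targeted):
        problems.append("someone is phished more than once this month")
    if len(roster) > 1 and len({s["lure"] for s in plan["sends"]}) == 1:
        problems.append("same phish sent to everyone")
    for s in plan["sends"]:
        p = by_email.get(s["email"])
        t = s["send_at"]
        if p is None:
            problems.append(f"{s['email']}: not on the roster")
        elif t.weekday() >= 5 or not (p.work_start <= t.time() < p.work_end):
            problems.append(f"{s['email']}: send outside working hours")
        if not lure_allowed(s["lure"]):
            problems.append(f"{s['email']}: lure asks for secrets or offers a reward")
    return problems


# Constructed roster (assumption); the finance user keeps different hours.
ROSTER = [Person("dev@example.edu", "developer"),
          Person("fin@example.edu", "finance", time(8, 0), time(16, 0)),
          Person("res@example.edu", "researcher")]

if __name__ == "__main__":
    plan = schedule_month(ROSTER, 2025, 3, seed=42)
    print("notify IT support by", plan["notify_support_by"])
    for s in plan["sends"]:
        print(s["send_at"].isoformat(), s["email"], "->", s["lure"])
    print("violations:", validate(plan, ROSTER) or "none")
```

Passing last month's lures back in as last_lure is what keeps the same person from seeing the same phish twice in a row; the seed is there so the plan the Communications team reviewed is the plan that actually goes out.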
Learning Outcomes Framework

Each topic below is followed by the learning outcomes the training aims for.

Phishing
  • Identify what phishing is
  • Identify a phish in the real world
  • Classify the types of phishing and media used by phishing attacks (smishing, vishing, etc.), and how to identify phishing
  • Report phishes
  • Locate U of T documentation related to phishing
Social engineering
  • Describe social engineering concisely and in plain language
  • Locate U of T documentation related to social engineering fraud
Password management
  • Apply good practices for constructing passwords
  • Manage passwords securely with the proper tools
  • Describe what MFA is and its importance
  • Locate University documentation for password management, password best practices and MFA
Types of malware and best practices
  • Describe the diversity of the malware landscape and how it impacts a user’s data and system
  • Apply best practices in day-to-day activities to mitigate the risk of a malware infection
  • Describe the first steps to take in case of ransomware infection
  • Report suspected malware infection
Security best practices
  • Describe best practices to ensure a safe and secure environment at home and work for digital security and physical security
  • Apply best practices in day-to-day life in the office and when working remotely
U of T Data Classification Standard
  • Describe the four levels of data classification at U of T
  • Identify examples of data types for staff, librarians, and faculty
  • Locate University documentation related to data classification on U of T’s websites
  • Identify the point of contact for data classification questions and issues
Privacy
  • Describe fundamental and core concepts of privacy.
  • Describe what personal information is and good practices to protect it
  • Apply data hygiene principles such as collection, storage, retention, deletion, etc.
  • Identify the point of contact for FIPPO to address privacy questions and issues
Remote work
  • Describe core best practices to follow to ensure a safe and secure environment when working remotely
  • Apply security behaviour that is compliant with U of T remote working guidelines
  • Describe how to report lost or stolen devices and other suspected incidents
  • Locate University documentation related to remote working best practices
U of T policies, standards and guidelines
  • Locate the University’s security policies, standards, and guidelines
  • Restate who authorizes and governs information security at the University
  • Consult the domains of the security standard for guidance on specific security topics
  • Interpret and summarize certain controls within the security standard that apply to daily use of devices and data
  • Apply controls to protect data adequately based on its classification level and where applicable
Reporting security incidents
  • Locate where to report security incidents at U of T when suspicious activity is detected
  • Give examples of security incidents that should be reported
  • Locate where to report safety incidents to the campus police
  • Locate where to report fraud
Risk management basics
  • Recognize what software is authorized at U of T for the storage and processing of data
  • Identify the risk associated with using certain software
  • Summarize the rationale for a risk-based approach to security
Information security incidents in higher ed
  • Identify the rationale that a threat actor would use for targeting university staff and faculty
  • Recognize the likelihood of a security incident targeting the University
  • Demonstrate an understanding of the impact of previous incidents in higher ed

Students and U of T community members looking for practical security training to enhance their security skills through hands-on lab exercises can register for free for the ImmersiveLabs resources.

Contact

Questions related to Security Awareness and Training can be directed to Kalyani Khati, Associate Director, Strategic Initiatives <kalyani.khati@utoronto.ca>.
