Enabled multi-factor authentication for 100 per cent of appointed staff, faculty, and librarians and 100 per cent of students

UTM deployed next generation anti-virus for 2,000 endpoints

UTSC improved its ransomware preparedness by documenting and testing its security incident response plan

90 per cent of target academic and administrative divisions completed the data inventory and risk self-assessment

Led a community-driven, tri-campus effort to define the information security strategy for the University

1. Remote work: Post pandemic, hybrid work is a reality of how we teach, learn, and research. This means people, devices, and data need protection wherever they are.
2. Ransomware: Risk of ransomware continues to rise with attackers becoming more sophisticated and targeting research and education institutions.
3. Fraud and phishing: Community members, specifically students, are frequently targeted in a range of fraud schemes through phishing and other means. Phishing continues to be one of the most effective methods to perpetrate data breaches.
4. Attacks targeted at researchers: Researchers are at risk from sophisticated attacks, espionage, and foreign interference activities. Geo-political tensions have further aggravated this risk.

5. Supply chain: We rely on third parties for many critical services, including hosting and processing of sensitive data. Security incidents or vulnerabilities impacting our suppliers put the University at risk.
6. Data governance: Copies of data in unknown or under-protected places increase the likelihood of data theft and inappropriate data exposure. This also increases the impact of ransomware attacks.
7. Compliance risks: The University is obligated to meet regulatory and contractual requirements such as the Payment Card Industry credit card protections. Expect increased requirements from research sponsors.
8. Denial-of-service attacks: The research and education sector in Canada has seen an increase in cyber attacks designed to cripple operations and impact availability of services.

The Office of the Chief Information Security Officer launched a tri-campus effort to build the information security strategy for U of T. The strategy aims to provide a shared direction and approach for shaping the evolution and growth of information security and privacy at the University.

A community-driven approach was followed involving extensive consultation with academic and administrative units across the University. Here are the themes and ideas that evolved from the consultation.

Ensure security and privacy is at the core of emerging technologies and new ways of teaching, learning, and working adopted by the University.

Enable structures to ensure scholars, researchers, academics, and staff feel safe when using University infrastructure, systems, and resources.

Strategically assess and manage risk to prevent security attacks and minimize their impact through timely detection and response.

Harness the power of partnerships to solve bigger and more complex challenges.

Increase in remote work and the heightened risk of ransomware attacks has amplified the need to protect endpoints such as servers and end user devices. Traditional anti-virus is no longer sufficient against sophisticated attacks and next-generation capability is needed for timely detection and response.

UTM successfully deployed next-generation anti-virus to over 2,000 endpoints and paved the way for adoption of the capability for the rest of the University. UTM is now an active partner in rolling out the capability at the institutional level, providing the benefit of its experience to accelerate the initiative.

“The next-generation anti-virus deployment at UTM has been a resounding success, providing unparalleled protection against malware and other security threats. The deployment has helped UTM to strengthen its security posture and has contributed significantly to the tri-campus initiative by providing a blueprint for endpoint security. It has demonstrated the potential for next-generation anti-virus solutions to enhance security in higher education. UTM is proud to be at the forefront of this critical technological advancement.”

Director, Information & Instructional Technology Services, UTM

The institutional rollout of next-generation endpoint protection, co-led by ITS Information Security and UTM, has garnered support from multiple units across the tri-campus community. So far, Arts and Science, UTSC, KPE, Pharmacy, Medicine, EIS, and Music have signed up for the pilot. At least 32 units have indicated interest to participate in phase two of the rollout commencing in May 2023.

We can proudly say that the entire University community, with a few exceptions, is now MFA-enabled — the single best protection against compromised accounts. It was a long and strenuous journey, but we are finally here, and most importantly — we did it together.

This has been a true tri-campus effort with the ITS Information Security team coordinating the deployment and divisions spearheading engagement and communication to faculty, librarians, staff, and students.

The Faculty of Kinesiology & Physical Education partnered with the ITS Information Security team to enhance access controls for various systems (both enterprise and local level) via the UTORGrouper service.

Key highlights:

• Enabled role-based access management for applications like SharePoint libraries, shared email addresses, and other local and enterprise-level applications
• Increased the efficiency and consistency of the onboarding and offboarding process
• Streamlined application access based on pre-defined roles and permissions

Student Life integrated more applications with their in-house identity system to streamline and improve their user onboarding and off boarding process.

“With the enhancements we made, the access request process for new joiners has become a simple and quick task. Our goal is to further streamline onboarding and offboarding by implementing and advancing our tools. We will also focus on building an information security awareness program for staff and faculty to enable more informed decisions.”

Associate Director, IT, Division of Student Life

“The guidelines serve as a high-level guide to assist U of T administrative staff in applying consistent approaches to the management of institutional data throughout their lifecycle. These guidelines aim to identify recommended institutional processes, tools, and available resources, along with clarifying key roles/responsibilities associated with the management of these data.”

Manager, Institutional Data Governance

ITS implemented critical security features to U of T’s institutional email and collaboration tools in M365 as part of the continuous improvement lifecycle required to maintain a trusted platform. These protections cover 100 per cent of active faculty, librarians, staff, and students who use M365.

• Reduction of malicious content via Safe Documents, Safe Attachments and Safe Links
• Anti-impersonation controls to highlight scam emails
• Detection of compromised accounts using Defender for Identity

The University of Toronto’s Tri-Campus Fraud Prevention Working group was established to address concerns about community members, specifically students, being targeted in a range of fraud schemes. Over the course of the past year, the working group has developed a comprehensive communications framework to disseminate prevention education, training and strategies to all members of the University community.

Sponsors are increasing research security requirements, affecting both researchers and supporting offices across the University of Toronto. The Research Information Security Program has partnered with the Office of the Vice-President of Research & Innovation and the Office of the Vice-President International to build a unified approach to support our scholars. These efforts include:

• Drafted easy-to-understand guidance documents and training resources to increase the autonomy of, and reduce burdens for, researchers
• Advised research-focused units on security and privacy protections
• Built relationships with researchers and support staff
• Worked on a framework for trusted digital research infrastructure

Pharmacy:

• Adopted the ITS vulnerability management tool which led to the identification and remediation of over 380 vulnerabilities.
• Successfully deployed ITS-supported next-generation anti-virus on servers, research workstations, and staff computers containing sensitive data as part of the institutional endpoint protection pilot.
• Migrated all shared data to the institutional M365 platform, bolstering staff and faculty resilience against ransomware and preparing for a migration to Azure Active Directory.
• Strengthened the security team by recruiting Manager of Information Systems Security with a dotted line to the CISO.

“Moving forward, the Faculty of Pharmacy aims to enhance information security in their research labs through security awareness campaigns, integration of UTORMFA for research personnel, and network segmentation and segregation.”

Director, Information and Learning Technology, Pharmacy

Department of Computer Science (Faculty of Arts and Science):

• Increased resilience to security attacks by documenting its Information Security Incident Response Plan.
• Protected its teaching lab workstations against password theft by implementing anti-keylogger protection.

“In 2023, we will test out our new incident response plan for effectiveness and accuracy. The work that we undertook has improved the department’s ability to address information security threats, providing a more secure environment for students, staff and faculty.”

Director, Information Technology, Department of Computer Science

University of Toronto, Mississauga:

• Implemented a vulnerability management program to regularly scan data center assets and mitigate risks from open vulnerabilities through a custom through a custom remediation workflow built into UTM’s service management system.
• Established a process, in collaboration with the procurement team, to include formal third-party risk assessments for all applications procured through an RFP process.
• Rolled out next-generation anti-virus solution across all their managed infrastructure, which is approximately 2,000 servers, laptops, and desktops.

“In 2023, UTM will focus on expanding the scope of its existing projects and introducing new initiatives to provide a safe and secure IT environment for its students, staff and faculty members.”

Information Security Program Manager, UTM

University of Toronto, Scarborough

• Developed an incident response plan and ran an in-house ransomware tabletop exercise, with plans to partner with Information Security to institutionally expand tabletop exercises in 2023.
• Completed third-party risk assessments enabling project teams to make more risk-informed decisions.
• Increased unit participation in the DAI-IRSA program, identifying risks and security process and technology gaps and focusing efforts to address them.

“The UTSC Information Security team has been using DAI-IRSA results to collaborate with participating units in reducing risk across UTSC and the wider University community.”

Information Security Analyst, UTSC

On Dec. 9, 2021, a new high risk security vulnerability called Log4j was uncovered. The vulnerability was ubiquitous and easy to exploit. Tackling this threat required the community to come together in new and innovative ways and that’s exactly what we did.

Steps taken to address log4j:

• Created tri-campus communication channels for collaboration on the response and sharing of threat intelligence and guidance.
• Proactively blocked suspicious network traffic.
• Shared indicators of compromise with other higher education institutions through CanSSOC and CIRA DNS shield.
• Continuously looked for signs of possible compromise.

As a result of the effort, the tri-campus team identified and protected devices that were being targeted by threat actors using the Log4j vulnerability. This shared effort was recognized and won the 2022 Exemplary U of T Ambassador Award.

The enactment of the U.S. National Defense Authorization Act (NDAA), Section 889, paved the way for increasing supply chain risk management, empowering information security experts to better advise on risks when purchasing equipment and services. It also highlighted the importance of the university network as a shared strategic asset requiring more common practices and management.

The University depends on a collaborative approach for risk management. We continue to find better ways for distributed teams to align and deliver.

• Shared governance with the Information Security Council: The ISC, with strong representation from faculty, librarians, and students, ensures the CISO and unit heads are accountable to properly prioritize risks and mitigations.
• Shared leadership: Divisional representatives are stakeholders in decision-making processes for key security initiatives.
• Engagement on security matters: The community frequently comes together to discuss security matters through forums such as the Tri-Campus Security group, Active Directory Security Forum, and Coffee with the CISO.

“I joined U of T two years ago and was encouraged to attend the weekly Tri-Campus Security meetings. This is where I was introduced to several security topics such as MFA and vulnerability management. The interactive discussions provided insights for my own projects and allowed me to connect with subject matter experts on multiple topics. These meetings opened my eyes to the importance of information security and led to my transition to the role of Information Security Manager at Pharmacy.”

Manager, Information Security, Pharmacy

We have continued to build strong partnerships across the sector and contributed to addressing shared security challenges.

• We have supported the ongoing evolution of CanSSOC and its integration with CANARIE to build a national approach to cyber security that benefits the whole sector.
• The CISO represented U of T on the Broader Public Sector cyber security expert panel. The panel provided recommendations to improve cyber resilience which were fully accepted by the government.
• We partnered with the Ontario Ministry of Public and Business Service to host a student-centric event to promote cyber security careers.

“U of T is a key partner to CanSSOC, a collaborative cyber security initiative that’s building a trusted community to detect and respond to cyber security threats facing Canada’s research and academic institutions. Working together, we are driven by a common vision to strengthen the cyber security capacity, capability, and maturity of the sector.”

Senior Director, CanSSOC Services, CANARIE

The Office of the CISO provided support for a student-led capture the flag event to teach cyber security skills to students. This was a collaboration between U of T’s capture the flag team, the Google Developer Student Clubs, and Mathematical and Computational Sciences Society, with support from other partners including Information Security.

“This was one of the most exceptional and memorable experiences I’ve had. The challenge required a unique combination of technical skills and critical thinking that kept me engaged and challenged throughout the entire experience. The fact that the challenge was based on real-world scenarios made it all the more immersive and enjoyable.”

• 23 unique cybersecurity challenges based on real scenarios
• Massive turnout of 57 teams and 134 players
• Over 20 per cent first-time participants

U of T and McMaster met with key stakeholders from research intensive universities who agreed on the principle to support one another
in meeting information security requirements, while retaining their competitive edge. This led to the creation of the CUCCIO Research Information Security Special Interest Group (SIG) representing 10 Canadian research-intensive universities. The group met for the first time in January 2022 and took the following steps:

• Discussed unique security concerns faced by researchers and how Canadian institutions can collaborate on safeguarding research
• Initiated sharing of in-house information security resources to reduce the burden on individual institutions

Our shared vision is to expand our strong foundation to navigate ever-changing risk, enable digital transformation, and support tri-campus units as they focus on discipline-specific priorities.

The risk continues to change at an unprecedented rate and there is still a lot to do. Progress requires collaboration, hard work, transparency, and a genuine desire to see the best for the University.

Information security work does not happen in a vacuum – IT staff must keep the lights on and continue to deliver new features, all while trying to increase trust and resiliency of digital platforms. Yet, the work goes beyond IT. Everyone helps ensure the security of our data and the safety of our community – from being vigilant to phishing messages, to updating devices, and handling data thoughtfully.

Looking ahead, we have many exciting improvements planned to ensure that, as we increase our security posture, we also enable the mission of the University. Some of these improvements will be to tri-campus, institutional services and platforms. But much of the work will happen within divisions, departments, and research labs as they are best positioned to understand what is needed and what works.

Great information security is not technical or transactional, it is transformational.

Office of the Chief Information Security Officer
University of Toronto
Simcoe Hall
27 King’s College Circle, Room 5E
Toronto, ON M5S 1A1, Canada