• Released the University of Toronto’s Information Security Strategy.
• Deployed next generation endpoint protection for more than 10,000 endpoints across the tri-campus community.
• Onboarded over 7,000 staff and faculty onto the Security Awareness training platform.
• Security incident response tabletop exercises completed by seven academic and administrative divisions.

• Enhanced network security by upgrading University’s edge firewall.
• Published four new security guidelines including security guidelines on operational technology.
• Released official guidance on secure handling of Social Insurance Numbers.
• Expanded network scanning, resulting in an eightfold increase in institutional visibility into security vulnerabilities.

The institutional rollout of next-generation endpoint protection has garnered support from the community, with over 10,000 endpoints enrolled. This is a significant step towards bolstering the University’s defenses against sophisticated attacks and enhancing our capacity for timely detection and response.

This collaborative effort, co-led by University of Toronto Mississauga and ITS Information Security, spans all three campuses, with 40 participating units. Institutional funding and support have made it easier for units to adopt this capability.

Key benefits:

• Endpoint management: A single integrated view for managing endpoints and responding to alerts.
• Threat hunting: Incident investigation and identification of known or emerging threats.
• Vulnerability management: Visibility into endpoints running vulnerable applications.
• Live threat updates: Real-time enhancements to detection capabilities via live threat updates.

“The Faculty of Music was invited to participate in the pilot phase of the endpoint protection project. We had an incredibly positive experience. The next-gen anti-virus agents were easily deployed and had little to no impact on device performance, giving us the benefit of real-time threat detection and analysis.”

“In recent years, we’ve witnessed an increase in cyber attacks targeting educational institutions. In response, the Faculty of Applied Science and Engineering has adopted the institutional endpoint protection platform. The platform is not just another anti-virus solution; it’s a next-generation defense system designed to shield against a broad spectrum of cyber threats. The success of this initiative hinges on the collaborative teamwork and active engagement of all IT personnel across academic units. It embodies the essence of IT@UofT, while showcasing an excellent example of the Secure Together model, emphasizing that cyber security is a shared responsibility.”

Alex Tichine, Director, Information Technology, Faculty of Applied Science & Engineering, U of T

Robust network security provides the foundation for rapid digital transformation and hybrid work models. The unification and alignment of network security practices across the University is a key element of our strategy. By doing so, we aim to create common, cost-effective solutions that benefit everyone and ensure a secure and seamless experience for all. As we work towards this long-term goal, here are highlights of key accomplishments from this year:

• Secured VPN access through multi-factor authentication. This has drastically reduced unauthorized access while ensuring that community members have secure network access regardless of where they are.
• Upgraded admin VPN to optimize the service and make it more resilient to cyber attacks.
• Upgraded the University’s edge firewall to further enhance our network security, increase our resilience to denial-of-service attacks and enable common protections across the tri-campus community.

Core enterprise applications, which are integral to the University’s key business processes, are progressively leaning on cloud services. ITS has securely connected on-premises resources with the Microsoft Azure Cloud, offering a cost-effective, consistent and secure model to leverage cloud services across U of T. This has not only improved resilience of critical applications but also given community members access to enhanced business solutions such as PowerBI and Database-as-a-Service from wherever they are.

This year, U of T placed security awareness at center stage, launching a program to equip staff, librarians and faculty members with essential security knowledge. Co-led by UTSC and the ITS Information Security team, the Security Awareness and Training Program has achieved significant milestones.

Key accomplishments of the program:

1. Learning platform deployment: Established a user-friendly learning platform that is accessible to all enrolled users and leverages gamification to keep users engaged.
2. Curated learning content: Curated content, ensuring that platform users receive targeted guidance on security topics ranging from social engineering to data protection.
3. Phishing simulations: Launched monthly phishing simulations for all onboarded users, empowering participants to recognize and respond to phishing attempts.
4. Tailored spear-phishing campaigns: Ran customized spear-phishing simulations for senior executives who face targeted attacks.

“Understanding the importance of having a knowledgeable and empowered community, UTSC has put significant emphasis on enrollment in the Information Security Awareness and Training Program. As of early 2024, nearly 640 appointed staff have been enrolled; with work continuing to soon extend this training to non-appointed staff and then to faculty members.”

Romel Sargezi, Information Security Analyst, UTSC, U of T

The Information Security team has curated a collection of concise guides addressing common cyber security queries. These resources provide actionable steps on various security topics to all U of T community members, ranging from researchers to staff and curious learners.

Led by the Information Security team, experts from across the University are working together to develop a framework to evaluate research infrastructure against the University’s Information Security Control Standard.

For researchers who opt to use these vetted systems, interactions with sponsors, data providers and research ethics boards will be streamlined, allowing them to focus on their core research activities.

“The context of scholarly activity at U of T has has expanded rapidly over the last 10 years. The emergence of new technology has increased the capacity to access sensitive data from multiple devices, and thus brought forward new considerations for how sensitive data should be protected. In parallel, new models of data sharing have emerged which extend beyond the traditional boundaries of data access restriction within a laboratory or network of collaborators. U of T’s Research Information Security Program has developed resources to support faculty, staff and trainees as they engage in their scholarly activity.”

Dr. Karl Zabjek, Associate Professor, Department of Physical Therapy, U of T and Affiliate Scientist, KITE Research Institute, University Health Network

Effective vulnerability management is critical to a strong information security program, particularly as the number of compromises via known vulnerabilities are on the rise. The ITS Information Security team has enhanced the institutional vulnerability management service, offering deeper insights into security vulnerabilities within our environment. In the past year, institutional visibility into security vulnerabilities has increased eightfold.

Key highlights of the improvements:

1. Expanded scanning coverage: Extended network and web application scanning capabilities, providing a more comprehensive view of security vulnerabilities.
2. User-friendly portal: Provided units with access to an intuitive portal to review vulnerability scan results and take informed actions.
3. Vulnerability rating system: Introduced a rating system to streamline remediation efforts by prioritizing vulnerabilities based on their severity, allowing teams to focus on critical issues first.
4. Automated progress tracking: Enabled automated reporting system to keep stakeholders informed of ongoing remediation efforts.

The office of the CISO launched a campaign to bolster unit-level preparedness against ransomware attacks, focusing on greater adoption of ransomware-resilient backups, endpoint protection, ransomware playbooks and tabletop exercises.

• Building a community of ransomware responders: Fostered collaboration across divisions by creating a community of ransomware responders responsible for driving preparedness efforts at the divisional level.
• Guidance and tool support: Provided support for divisional contacts through guidance and practical tools to implement best practices and enhance readiness.
• Metrics-driven progress tracking: Collected relevant data to measure progress against key focus areas and guide continuous improvement.
• Tabletop exercises for real-world scenarios: Ran third-party facilitated security incident tabletop exercises for five divisions to validate and reinforce ransomware preparedness. Additionally, conducted a business continuity tabletop exercise, attended by leaders from various shared services units, to assess our institutional preparedness.

“The institutional Business Continuity Working Group partnered with the Information Security team on a tabletop exercise in December 2023. The team provided leadership and guidance as they navigated the working group through an information security issue. The scenario and the discussion that followed was invaluable. We are delighted to be partnering with Information Security again on a similar tabletop in June 2024, this time to include tri-campus academic and shared services divisional representatives.”

Elizabeth Cragg, Director, Office of the Vice President, Operations & Real Estate Partnerships, U of T

The Information Security team has continued to build upon established risk management practices. This includes enhancements to the Data Asset Inventory-Information Risk Self-Assessment program with new guidance for completing the data asset inventory, managing data assets and identifying critical digital assets.

The office of the CISO released guidance for units to mature their risk management programs. This included tools and templates to build key components such as risk registers, risk acceptance processes and clearly defined risk management roles and responsibilities.

“It’s amazing to see the growth of information risk management at the University with tools like the DAI-IRSA. There is plenty of room to improve and I’m looking forward to the evolution of Information Risk Management Programs over the next five years.”

Jeff Waldman, Manager, Institutional Data Governance, U of T

The office of the CISO launched a campaign to bolster unit-level preparedness against ransomware attacks, focusing on greater adoption of ransomware-resilient backups, endpoint protection, ransomware playbooks and tabletop exercises.

• Automated SharePoint access synchronization: Developed an automated process to synchronize SharePoint access, ensuring user permissions remain up-to-date and aligned with organizational roles. Solution will be deployed in 2024.
• Enhancing web application security: Exploring the use of web application scanners during software development and as part of periodic security reviews.

• Risk management program: Formalized UTM’s risk management program by leveraging a customized solution for efficient risk identification, mitigation and tracking.
• Automated patch management: Deployed automated patch management solution, thus reducing time and effort for applying security updates.
• Incident response: Developed an Incident Response standard and refined it through a third-party led ransomware tabletop exercise.

“University of Toronto Mississauga is committed to enhancing its security maturity. Key future initiatives include formalizing asset management and access controls, implementing centralized security logging and monitoring, encouraging departmental participation in the annual Data Asset Inventory and Information Risk Self-Assessment cycle, and enrolling all staff and faculty in the institutional security awareness program.”

Akshat Mishra, Information Security Program Manager, UTM

• DAI-IRSA for UTL digital assets: Participated in DAI-IRSA to assess and manage security risks to UTL.
• Endpoint protection: Deployed next-generation endpoint protection to over 1,000 UTL servers and staff workstations as part of the institutional initiative.
• Secure storage: Conducting gap analysis to enhance U of T Dataverse’s ability to securely manage Level 3 and 4 research data.
• Security awareness training: Successfully onboarded users to the institutional security awareness training platform with 256 users having completed the training.

“I am immensely proud of the strides we have made in enhancing our security. Our team’s dedication and expertise have not only ensured the safety of our digital assets but also fostered a culture of security awareness and vigilance. It is also important to recognize the fantastic initiatives spearheaded by the CISO’s office. Their visionary projects and collaborative efforts have significantly benefitted our operations, reinforced our security posture, and guided our strategic approach. As we move into the next year, we are committed to building on this momentum, continuing to innovate and improve our security measures to meet evolving challenges.”

Amaz Taufique, Manager, Enterprise Infrastructure and Staff Technology, UTL

• Web application firewall: Deployed a high-availability firewall to protect web applications against malicious attacks.
• Endpoint protection: Implemented next-generation endpoint protection solution as part of the institutional rollout.
• Security awareness and training: Onboarded users to the institutional security awareness training platform, with training completed by 78 per cent of participants.

“From re-building our entire VLAN infrastructure, to implementing next-gen endpoint protection, adding web-application firewall capabilities, rolling out a faculty-wide cyber security training program, and setting the groundwork for transitioning to a fully-managed digital asset infrastructure and role-based access with real time HR updates, our incredible partnership with IS, and the other teams in ITS has tangibly showcased that working together as IT@UofT professionals we can make significant leaps in protecting our people and systems and a real difference. I’m truly humbled by what this partnership has already achieved and looking forward to the future as we work towards being Secure Together.”

Dimitris Keramidas, Director, Information Technology Temerty Faculty of Medicine, U of T

• Endpoint protection: Deployed next-generation endpoint protection on 138 endpoints as part of the institutional rollout and built capability to respond to alerts in a timely manner.
• Asset and data inventory: Building an inventory of data, hardware and software for improved management of assets and data.

“In 2024, we will collaborate with ITS to implement Intune. We will also initiate a project to isolate different subnets using Virtual LANs to prevent spread of malware. All personal devices will be required to use the guest Wi-Fi network to enhance security.”

Byron Qu, Manager, Information Security, Leslie Dan Faculty of Pharmacy, U of T

The Research Information Security Program, under the umbrella of Information Security, and the Research Security team, operating within the Office of the Vice-President of Research and Innovation, have collaborated with other University partners on initiatives to secure and facilitate research. Key among them is the supply chain risk management initiative. The enactment of the U.S. National Defense Authorization Act, Section 889 has acted as a catalyst for the creation of a supply chain risk assessment methodology. This methodology enables more risk-informed procurement decisions by assessing both information security and geo-political risks associated with third-party relationships.

“The Research Security Team and the Research Information Security Program maintain a close and collaborative relationship that yields several effective outcomes: geopolitical risk analysis as part of large institutional procurement; awareness among the research community about requirements for information security and research security in grant applications; and support for researchers regarding security-related inquiries.”

Paul Jarrett, Director, Research Security, U of T