Multi-factor authentication (MFA)

Protect the University’s valuable information, digital assets and people against unauthorized access by requiring a second factor (like a mobile device or hardware token) to verify user identity.

UTORMFA is the University of Toronto’s multi-factor authentication solution.


  1. Increase secure remote access to systems and data.
  2. Protect applications hosting sensitive data against unauthorized access.
  3. Meet the University’s Information Security Control Standard as endorsed by the Information Security Council.
  4. Protect user and admin accounts against compromise.
  5. Reduce risk of weak passwords being exploited by threat actors.

Visit the UTORMFA project website for more details.

Person using UTORMFA on their mobile device.

Research Information Security Program (RISP)

Increase research productivity by providing security advice, assistance and services directly to scholars, in joint support with VPRI and libraries.


  1. Provide security framework and reviews for large research projects such as those using big data.
  2. Guidance for researchers to meet funding requirements that include information security frameworks and controls.
  3. Offer pre-vetted systems for research teams such as HPC, compute and storage systems.
  4. Build resources for self-help.
  5. Conduct Research Information Risk Assessments to address risks to research data.

Visit the Research Information Security Program webpage for more details.

Picture of a person working at a computer.

Security Awareness and Training Program (SATP)

Build a culture of security at the University, equipping staff, faculty, librarians, students and our community with knowledge, practices and technologies needed to protect themselves and the University against security threats.


  1. Educate users about security threats, good security practices and U of T security standards and guidelines.
  2. Make security learning accessible to all users.
  3. Offer curated training content for specific roles.
  4. Enable users to test their security knowledge.
  5. Gauge security awareness levels of the community to provide targeted training.
  6. Periodically update training content to keep it current and relevant.

Visit the Security Awareness and Training Program for more details.

Person engaging in a security awareness training program.

Endpoint Protection Program (EPP)

Secure endpoints (i.e., workstations, laptops, mobile devices, servers) and associated data against advanced security threats.


  1. Increase user trust that their devices are safe to use.
  2. Reduce duplicate anti-virus spend across divisions.
  3. Provide consistent baseline protection for all endpoints with advanced protection available for high-risk use cases.
  4. Alert on suspicious activities and reduce time to prevent or respond.
  5. Identify and respond to threats that are not detected by traditional anti-virus solutions.
  6. Reduce use of unsecured personal devices.

Visit the Endpoint Protection webpage for more details.

Person using a mobile devices with security features enabled.

Vulnerability Management Program (VMP)

Manage risk to critical assets by proactively identifying and remediating security vulnerabilities.


  1. Improve visibility into security vulnerabilities.
  2. Enable better prioritization of vulnerabilities.
  3. Minimize attack surface.
  4. Improve rate of vulnerability remediation.
  5. Track and report vulnerability remediation.
A mobile device with a graph displayed on the screen.

Identity modernization

Drive strategic reinvestment in people, process and technology to modernize and enable Identity-as-a-Service for U of T.


  1. Build foundational capability for divisions to manage their own identity needs and reduce duplication.
  2. Securely manage user identity from on-boarding through off-boarding or perpetual relationship.
  3. Enhance user experience by streamlining process for getting access.
  4. Provide self-service capabilities such as password reset and new access requests.
  5. Enable fine-grained access decisions based on risk.
Login screen displayed on a computer.

Advanced Threat Protection (ATP)

Implement critical security features for U of T institutional email and collaboration tools in Office 365.


  1. Increase trust and use of O365 to maximize institutional investments.
  2. Safeguard emails against malware and viruses, including “zero-day” threats.
  3. Check incoming messages for indicators that a message might be a phishing attempt.
  4. Detect and block files that are identified as malicious.
  5. Enforce data-specific security policies.
  6. Generate real-time reports to decrease time to detect and respond to threats and attacks.

Visit the Advanced Threat Protection website for more details.

Person using a computer with security features enabled.

Timely detection & response

Detect and respond to security threats in a timely manner to minimize their impact on the University.


  1. Enhance security events monitoring at the institutional and unit level.
  2. Enable individual units to expand their monitoring capabilities.
  3. Analyze security events and logs to proactively identify threat patterns.
  4. Respond to identified threats to remove or contain them in a timely manner.
Person reading a graph on the screen.

Adaptive network security

Expand and improve cloud and edge services for the University to support digital transformation and hybrid work model.


  1. Enhance cloud security by standardizing firewall technologies in the cloud.
  2. Offer self-service capabilities to create and deliver firewall changes.
  3. Expand capacity of edge infrastructure to accommodate increased demand for edge services.
  4. Enhance cloud security service by bringing more cloud security architecture resources to support cloud growth.
Person using a laptop computer to interact with technologies

Security program enhancement and resiliency

Strengthen the institutional information security program through foundational changes and added support.


  1. Improve delivery of security services.
  2. Enhance visibility into risk for more informed decision-making.
  3. Increase support for units to manage their security risk.
  4. Improve execution efficiency of security strategic initiatives.
A group of people collaborating in a meeting.