Learning from each other: Insights to action in DAI-IRSA

Published: June 17, 2025

A group photo with members of ITS’s Information Security team at the conference

Members of ITS’s Information Security team took to the stage at the IT@UofT conference on May 6 to discuss the Data Asset Inventory and Information Risk Management (DAI-IRSA) program, along with Chief Administrative Officers (CAOs) and IT leaders from across U of T’s faculties and campuses. Together, the panel shared strategies for implementing the program within their respective units, using Data Asset Inventories, analyzing the outcomes of the Information Risk Self-Assessments and engaging leadership in risk management discussions.

Titled “Learning from each other: Insights to action in DAI-IRSA,” the session featured:

  • Andrew Arifuzzaman, CAO, Office of Business, Operations and Strategic Affairs, U of T Scarborough
  • Adrian Balaura, Director, Technology Services, Faculty of Law
  • Sebastian Bisciglia, Director, Information and Learning Technology, Faculty of Music
  • Maya Churbaji, CAO, Leslie Dan Faculty of Pharmacy
  • Kiren Handa, Executive Director, Institutional Research & Data Governance
  • Gina John, CAO, Faculty of Law
  • Kanupriya Kejriwal, Manager, Information Security Risk, ITS
  • Zoran Piljevic, Senior Director, Technology and Business Transformation, U of T Scarborough

Approach: Driving unit risk awareness and transparency

The panelists began by sharing different approaches for engaging stakeholders and implementing the DAI-IRSA program within units. Clear communication and education were emphasized across the board.

Bisciglia highlighted how the Faculty of Music leveraged the Data Asset Inventory (DAI) to actively engage their data trustees and raise awareness about their roles and responsibilities in data stewardship. By implementing the DAI in an Excel spreadsheet format this year, data trustees found it easier to familiarize themselves with their data assets and inventory them effectively.

He remarks, “In my experience the DAI-IRSA is not just a compliance exercise, it’s an opportunity for holistic reflection with many potential benefits—from motivating creativity when addressing specific gaps to shaping strategic priorities.”

Describing the “re-baselining” strategy implemented at the Faculty of Law, Balaura weighed in on his experience. As it was his first time completing the DAI-IRSA for the faculty, the results differed from those of the previous year. To ensure transparency and effectively communicate the reasons behind this shift, Balaura and John presented the changes in the risk profile to their leadership through an iterative process. This approach fostered ongoing dialogue and helped leadership understand the new perspective introduced by the updated assessment.

“As a new leader to the university and the Faculty of Law, the DAI-IRSA exercise was invaluable in helping me quickly understand our data and information security posture,” reflects Balaura. “The comprehensive risk assessment provided a detailed picture of our strengths and areas for improvement, enabling me to make informed decisions and build a roadmap for the Law IT team.”

At UTSC, Piljevic described a campus-wide, centrally supported model led by their Information Security team. This approach emphasized ongoing engagement with and support for departments to ensure the DAI-IRSA was completed successfully. He also emphasized that their risk mitigation activities were an ongoing effort: “The process doesn’t end with a sign-off—it’s a year-round effort.”

Creating value through DAI-IRSA

Despite differences in approach, the panel agreed that the DAI-IRSA program delivers significant value. It helps uncover hidden and known risks, informs investment and resource priorities and strengthens collaboration.

These insights have already driven meaningful action such as implementing server backups and upgrading systems in response to risks like aging infrastructure. The panelists highlighted that the DAI-IRSA program is not just a compliance activity, but a strategic tool for managing digital assets, aligning IT strategy with risk tolerance and accelerating planning efforts.

Looking ahead: Risk acceptance, strategic planning and collaboration

The discussion underscored that DAI-IRSA is not a one-time initiative but a continuous cycle of discovery, assessment and action. Building on this approach, UTSC has formalized a risk acceptance program with regular reviews and clear escalation paths for unacceptable risks. Meanwhile, the Faculty of Law highlighted the importance of aligning data handling practices with retention policies and operational realities, particularly in large programs and clinics.

To support continuous improvement, panelists advocated for centralized solutions to address common challenges across units. They also recommended simplifying the language used in the DAI-IRSA program to better engage faculty and staff—shifting away from technical jargon toward more accessible, relatable messaging.

Ultimately, the panel concluded that DAI-IRSA is more than a framework—it can be a catalyst for cultural change, strategic alignment and institutional resilience. As faculties continue to mature in their information management practices, collaboration and shared learning will be critical to success. And most importantly, leadership support and clear mandates are essential: risk ownership must be defined, and decision-makers must be empowered to act.