Information Technology Services (ITS)
Information Security Council (ISC)
ISC Terms of Reference
The Information Security Council (ISC) is established to ensure broad consultation in planning and decision-making processes. The ISC will: assist in the review of envisioned and unanticipated risks to the university's digital assets; ensure a robust and practiced incident response process exists; collaborate with the president or designate to initiate information security initiatives; ensure the university community is educated on digital security best practices; oversee the development, recommendation and review of procedures, standards and guidelines for the protection of the university's digital assets; and ensure timely and accurate reporting on information security risks to the appropriate governing groups, including the senior executive and the audit committee of Governing Council. The council will focus on transparency, awareness and educating the community as much as possible. Working groups will strive to run ideas by the community and solicit feedback.
- The broad purpose of the ISC is to provide guidance to the university in matters of information security in the context of the university's mission, objectives and obligations.
- Act as a steering committee for the information security program, including recommending the final resource allocation decisions for the annual security strategy plan.
- As per policy, ensure every academic and non-academic unit is appropriately covered by an information risk management plan.
- Establish and maintain effective lines of accountability, responsibility and authority for protecting information assets. This is typically achieved by reviewing and guiding division-level information risk management plans.
- Establish, ensure and maintain accountability for protecting information resources.
- Regularly review threats to the university's digital assets and the due diligence around their protection (e.g. risk management plans), and monitor assurance.
- Mediate conflicting risk/security requirements.
- Collaborate with the CISO to undertake information security initiatives and educate the university community on digital security best practices.
- Oversee the development, recommendation and review of procedures, standards and guidelines for the protection of the university’s digital assets.
- Act as a steering committee for projects that require significant business unit involvement (for example, supporting the data access governance decisions required for implementing a data loss prevention capability).
- Track the progress of remediation on risk items (for example, audit report findings and risk register items).
- Review security status metrics reporting, and request new metrics if required.
- Provide input and feedback to internal and external auditors on the type and level of assurance most needed during corresponding audit cycles.
- Provide a forum for the CISO to guide localized security efforts within individual business units via committee members.
- Act as a mediation or arbitration forum for reconciling conflicting security requirements between different business units.
- Review and approve or reject requests for policy exemptions from business units or projects.
- Charter ad hoc projects to investigate and report back on topics of interest, for example, the security governance implications of cloud computing.
- Establish working groups/sub-committees, as required, to ensure broad consultation on initiatives.
The ISC is a committee established by the president or designate (VPUO), and will be co-chaired by a senior faculty member and the chief information security officer.
Members have been drawn from a list of nominations made in 2017. The working groups are augmented with subject matter expertise, specific to each working group.
The ISC will report regularly, through the VPUO, to the audit committee of Governing Council and to senior decision-making groups. In addition, materials related to the work of the ISC will be made accessible to the community, as appropriate. The CISO and CIO will also act as a conduit to the campus information technology council (if established), ensuring alignment and resourcing.
The ISC is expected to create standing and ad hoc sub-committees and/or working groups on an as-needed basis.
The ISC will meet at least once in each of the fall, winter and spring terms, and as necessary at the direction of the chairs. This will be reviewed on a yearly basis.
Terms for members are generally two years, with eligibility for renewal. Flexibility for leaves will be accommodated in an ad hoc fashion.
| Name | Role | Unit | Category |
|---|---|---|---|
| Eyal de Lara | Member | Dept. of Computer Science | Faculty |
| Tero Karppi | Member | The Institute of Communication, Culture, Information, and Technology | Faculty |
| David Lie | Member | Department of Electrical & Computer Engineering (ECE) | Faculty |
| Andrew Petersen | Member | Mathematical and Computational Sciences, UTM | Faculty |
| Leslie Shade | Member | Faculty of Information | Faculty |
| Zoran Piljevic | Member | Information & Instructional Technology Services, UTSC | Faculty |
| Luke Barber | Member | UTM FM&P and I&ITS | Faculty |
| Dimitris Keramidas | Member | Information Technology Discovery Commons, The Temerty Faculty of Medicine | |
| Aidan Mitchell-Boudreau | Member | Ethics, Society and Law - Trinity College | Student |
| Rohith Sothilingam | Member | Faculty of Information | Student |
ISC Meeting Minutes
Information Security Council Meeting
- January 31, 2022 (PDF)
- December 10, 2021 (PDF)
- April 28, 2021 (PDF)
- March 3, 2021 (PDF)
- September 23, 2020 (PDF)
- July 30, 2020 (PDF)
- May 29, 2020 (PDF)
- January 17, 2020 (PDF)
- September 9, 2019 (PDF)
- April 30, 2019 (PDF)
- January 17, 2019 (PDF)
- October 24, 2018 (PDF)
- June 29, 2018 (PDF)
- February 5, 2018 (PDF)
ISC Working Groups
- Incident Response Planning
- Procedures, Standards and Guidelines
- Education & Awareness
- Risk, Compliance, Metrics and Reporting
ISC Supporting Materials
- Information Security Council working groups: call for members
- Information Security Council: Call for Applications and Nominations
- ISC Research Working Group
- ISC Risk, Compliance, Metrics and Reporting (IRCMR) Working Group
- ISC Education & Awareness Working Group
- ISC Procedures, Standards and Guidelines Working Group
- ISC Incident Response Planning Working Group