Information Security Council (ISC)
ISC terms of reference
The Information Security Council (ISC) is established in order to ensure broad consultation in planning and decision-making processes. The ISC will: assist in the review of envisioned and unanticipated risks to the university’s digital assets; ensure a robust and practiced process exists around incidence response; collaborate with the president or designate to initiate information security initiatives; ensure education of the university community on digital security best practices; oversee the development, recommendation and review of procedures, standards and guidelines for the protection of the university’s digital assets and ensure timely and accurate reporting on information security risks to the appropriate governing groups including the senior executive and the audit committee of governing council. The council will focus on transparency, awareness and educating the community as much as possible. Working groups will strive to run ideas by the community and solicit feedback.
- The broad purpose of the ISC is to provide guidance to the university in matters of information security in the context of the university’s, mission, objectives, and obligations.
- Act as a steering committee for the information security program, including a recommendation for the final resource allocation decisions for the annual security strategy plan.
- As per policy, ensure every academic and non-academic unit is appropriately covered by an information risk management plan.
- Establishing and maintaining effective lines of accountability, responsibility and authority for protecting information assets. This is typically achieved by reviewing and guiding division level information risk management plans.
- Establish, ensure and maintain accountability for protecting information resources.
- Regularly review threats to, and due diligence around (e.g. risk management plans) the protection of the university’s digital assets and monitor assurance.
- Mediate conflicting risk/security requirements.
- Collaborate with the CISO to undertake information security initiatives and educate the university community on digital security best practices.
- Oversee the development, recommendation and review of procedures, standards and guidelines for the protection of the university’s digital assets.
- Act as a steering committee for projects that require significant business unit involvement (for example, supporting the data access governance decisions required for implementing a data loss prevention capability).
- Tracking the progress of remediation on risk items (for example, audit report findings and risk register items).
- Reviewing security status metrics reporting, and requesting new metrics if required.
- Providing inputs and feedback to internal and external auditors on the type and level of assurance most needed during corresponding audit cycles.
- Providing a forum for the CISO to guide localized security efforts within individual business units via committee members.
- Acting as a mediation or arbitration forum for reconciling conflicting security requirements between different business units.
- Reviewing and approving or rejecting requests for policy exemptions from business units or projects.
- Chartering ad hoc projects to investigate and report back on topics of interest, for example, the security governance implications of cloud computing.
- Establishing working groups/sub committees, as required, to ensure broad consultation on initiatives.
The ISC is a committee established by the president or designate (VPUO), and will be co-chaired by a senior faculty member and the chief information security officer.
Members have been drawn from a list of nominations made in 2017. The working groups are augmented with subject matter expertise, specific to each working group.
The ISC will report regularly, through the VPUO, to the audit committee of the governing council and to senior decision making groups. In addition, materials related to the work of the ISC will be made accessible to the community, as appropriate. The CISO and CIO will also act as a conduit to the campus information technology council (if this were established), ensuring alignment and resourcing.
The ISC is expected to create standing and ad hoc sub-committees and or working groups on an as-needed basis.
The ISC will meet at least once in each of the fall, winter and spring terms and as necessary at the direction for the chairs. This will be reviewed on a yearly basis.
Terms for members is generally two years, with eligibility for renewal. Flexibility for leaves will be accommodated in an ad hoc fashion.
|The Edward S. Rogers Sr. Department of Electrical & Computer Engineering
|Information & Instructional Technology Services, UTM
|Department of Civil & Mineral Engineering
|Faculty of Information
|Freedom of Information and Protection of Privacy Office
|U of T Libraries
|Institute of Communication, Culture & Information Technology, UTM
|Information Technology Discovery Commons, Temerty Faculty of Medicine
|Internal Audit Department
|Department of Computer Science
|Mathematical And Computational Sciences, UTM
|Information & Instructional Technology Services, UTSC
|Marcelo Ponce Castro
|Department of Computer and Mathematical Sciences, UTSC
|Faculty of Information
|Faculty of Applied Science & Engineering
- Feb. 6, 2024 at 3 to 5 p.m.
- March 28, 2024 at 3 to 5 p.m.