ISC Risk, Compliance, Metrics and Reporting Working Group

Terms of reference

Purpose

The Risk, Compliance, Metrics and Reporting Working Group is responsible for developing, through consultation with member stakeholders and their colleagues, an understanding of the information and metrics needed by decision makers to best support information security decisions made at the local, divisional and institutional level. Fundamentally, this involves determining what metrics, reports or other information should be collected, and by whom and to whom they should be shared. This work includes the development of contextual information to aid in the interpretation of data provided to decision makers.

Mandate

The working group in the current term will focus on the collection of metrics and development of reporting and information resources for information security work at all levels of the institution. Members will:

Identify and define stakeholder groups, their role in the provision of or accountability for information security and their associated information and reporting needs.
Probe the information needs of various stakeholder groups at the University of Toronto and document what information (and in what format and frequency) would be needed for those individuals to make responsible, informed decisions in their role.
Provide a proposed list of information to be collected, proposed sources for the information and distribution mechanisms and policies.
Develop and make recommendations for areas of institutional risk requiring focused attention and investment.
Provide ongoing feedback to the Data Asset Inventory and Information Risk Self-Assessment (DAI-IRSA) and other institutional risk management tools, processes and programs.

Process

Membership is comprised of individuals who engage in a broad range of decision-making and support activities with varied information needs and those with expertise in information security.
Working group members will consult with local decision makers and their peers in representing and clarifying the information needs of various groups and roles.
Members will seek input from the Information Security Council (ISC) on information needs and stakeholder group definitions.
When the working group feels a natural ‘first pass’ of information needs can be produced, it will be forwarded to the ISC for endorsement before the working group moves forward on how the information may be collected and how it should be shared, and the tools and processes required to accomplish these goals.

Timing

Meetings are held every third Tuesday of the month, from 2 to 3:30 p.m.

Membership

Name	Division/Department
Kalyani Khati (co-chair)	Associate Director, Information Security Strategic Initiatives, Information Technology Services
Paul Morrison (co-chair)	IT Director, Faculty of Kinesiology & Physical Education
Rishi Arora	Information Risk Program Coordinator, Information Risk, ITS
Chris Brown	Associate Registrar, Special Projects & Director Academic Scheduling, Registrar’s Office, Faculty of Applied Science and Engineering
Steven Butterworth	PCS Manager, Department of Physics, Faculty of Arts & Science
Sheril Chacko	Senior Business Analyst, Information & Instructional Technology Services, UTSC
Sandy Chang	Assistant Director, Health & Wellness Centre
André Greenidge	Senior Auditor – Information Systems, Internal Audit
John Kerr	Director, Risk Management and Insurance, Finance
Lareza Lazuardi	Senior Manager, Applications & Development, Information and Instructional Technology, Faculty of Arts & Science
Akshat Mishra	Information Security Program Manager, Information & Instructional Technology Services, UTM
Kanupriya Kejriwal	Information Risk Manager, Information Risk, ITS
Shakhawat Patwary	Senior Planning & Data Officer, Campus Planning and Analysis Office, UTSC
Serena Persaud	Chief Administrative Officer, Student Life
Danny Velev	Business Intelligence Solutions Architect, Division of University Advancement
Jeffrey Waldman	Manager, Institutional Data Governance, Institutional Research & Data Governance