Information Technology Services (ITS)

ISC Risk, Compliance, Metrics and Reporting (IRCMR) Working Group

Terms of Reference


The purpose of the ISC working groups is to develop a set of recommendations as outlined in their mandate and bring them forth to the Information Security Council.


Overall, develop an Information Security Risk Reporting Framework to:

  • Develop security status metrics and a reporting framework that will allow units to self-measure their performance against metrics.
  • Track the progress of remediation on risk items (for example, units' reporting of progress against the reporting framework and against risk register items, and on items from the findings of external (to unit) risk assessments and audit reports).
  • Provide feedback on the risk register.
  • Develop a framework for internal and external auditors on the type and level of assurance most needed during corresponding audit cycles.
  • Provide guidance to the campus Information Risk Assessment Process.


The IRCMR working group will seek input from key stakeholders, subject matter experts and other interested parties from divisional and central units within the campuses of the University during the development of this reporting framework.


Seeking input from stakeholders is important in developing an Information Security Risk Reporting Framework. This process will take time.


Name                     Group
Sue McGlashan (chair)    Information Risk Manager, IS, ITS
Steven Butterworth       PCS Manager, Dept Physics, A&S
John Kerr                Director, Department of Risk Management and Insurance
Serena Persaud           CAO, Student Life
Paul Morrison            IT Director, Faculty of Kinesiology & Physical Education
Jeffrey Waldman          Manager, Institutional Data Governance, Institutional Research & Data Governance
Robin Wilcoxen           Information Risk Program Coordinator
Linda Ye                 Senior Auditor, Information Systems