ISC Risk, Compliance, Metrics and Reporting Working Group
Terms of reference
The Risk, Compliance, Metrics and Reporting Working Group is responsible for developing, through consultation with member stakeholders and their colleagues, an understanding of the information and metrics needed by decision makers to best support information security decisions made at the local, divisional and institutional level. Fundamentally, this involves determining what metrics, reports or other information should be collected, and by whom and to whom they should be shared. This work includes the development of contextual information to aid in the interpretation of data provided to decision makers.
The working group in the current term will focus on the collection of metrics and development of reporting and information resources for information security work at all levels of the institution. Members will:
- Identify and define stakeholder groups, their role in the provision of or accountability for information security and their associated information and reporting needs.
- Probe the information needs of various stakeholder groups at the University of Toronto and document what information (and in what format and frequency) would be needed for those individuals to make responsible, informed decisions in their role.
- Provide a proposed list of information to be collected, proposed sources for the information and distribution mechanisms and policies.
- Develop and make recommendations for areas of institutional risk requiring focused attention and investment.
- Provide ongoing feedback to the Data Asset Inventory and Information Risk Self-Assessment (DAI-IRSA) and other institutional risk management tools, processes and programs.
- Membership comprises individuals who engage in a broad range of decision-making and support activities with varied information needs, together with those with expertise in information security.
- Working group members will consult with local decision makers and their peers in representing and clarifying the information needs of various groups and roles.
- Members will seek input from the Information Security Council (ISC) on information needs and stakeholder group definitions.
- When the working group feels a natural ‘first pass’ of information needs can be produced, it will be forwarded to the ISC for endorsement before the working group moves forward on how the information may be collected and how it should be shared, and the tools and processes required to accomplish these goals.
Meetings are held every third Tuesday of the month, from 2 to 3:30 p.m.
Membership
- Kalyani Khati (co-chair), Associate Director, Information Security Strategic Initiatives, Information Technology Services
- Paul Morrison (co-chair), IT Director, Faculty of Kinesiology & Physical Education
- Information Risk Program Coordinator, Information Risk, ITS
- Associate Registrar, Special Projects & Director Academic Scheduling, Registrar’s Office, Faculty of Applied Science and Engineering
- PCS Manager, Department of Physics, Faculty of Arts & Science
- Senior Business Analyst, Information & Instructional Technology Services, UTSC
- Assistant Director, Health & Wellness Centre
- Senior Auditor – Information Systems, Internal Audit
- Director, Risk Management and Insurance, Finance
- Senior Manager, Applications & Development, Information and Instructional Technology, Faculty of Arts & Science
- Information Security Program Manager, Information & Instructional Technology Services, UTM
- Information Risk Manager, Information Risk, ITS
- Senior Planning & Data Officer, Campus Planning and Analysis Office, UTSC
- Chief Administrative Officer, Student Life
- Business Intelligence Solutions Architect, Division of University Advancement
- Manager, Institutional Data Governance, Institutional Research & Data Governance