Information Technology Services (ITS)

Policy on Information Security and the Protection of Digital Assets

The final Policy on Information Security and the Protection of Digital Assets is now available on the Governing Council website.

Download policy


This policy was approved in February 2016 and was recently updated and approved by Governing Council in April 2020. The Policy has been significantly informed by consultation and input from the UofT community.

The academic and administrative work of the University increasingly relies on services supported by IT systems, including the presentation and preservation of sensitive information. The number and sophistication of threats against such critical resources is increasing, from independent hackers, organized criminal enterprises, corporate interests, and government agencies. Attacks on university data and systems have occurred in the past and can be expected to happen again.

It is the responsibility of the University to address these risks while maintaining appropriate access to services and information. The goal should be to reduce the profile vulnerable to malicious attack or operational error by reducing as much as possible the number of systems being used to conduct the university’s academic and administrative business, and then protect the remaining profile through the highest quality of information security technology, services and practice.

The final copy of the Policy has been significantly informed by consultation and input from the University community. The Office of the CIO has sought input from divisional and departmental liaisons and standing consultative groups like the IT Priorities & Accountability Committee, the Process & Technology Committee, and the IT Leaders Forum, as well as other channels.  The Information Security and Enterprise Architecture team consulted across the University regarding the development of guidelines, standards and procedures to implement the policy requirements.

Policy Background

Risks to the University’s Digital Assets are proliferating and our community faces an expanding array of threats to information security from an increasingly connected world. Cyber security incidents and threats demonstrate a growing technical sophistication and acceleration that have substantially raised the risk profile of essential University information and technology systems. These risks are particularly significant since attacks come increasingly from organized criminal enterprises, corporate interests, or government agencies. Escalation of these risks seems likely as networks connect more types of devices that make more desirable
targets for malicious activities.

Learn more


Additional documents related to the initiative but not in the Policy are provided below:

If you have any questions, please contact ITS at, or call the Office of the CIO at 416-978-8385.