You are now in the main content area

How to Set Up Minimum Cybersecurity Controls for Employees

With your help, TMU can minimize online threats.

Like many Canadian universities in recent years, TMU has experienced a dramatic increase in the volume of cyber attacks working to exploit its networks and systems. 

In response to increased attacks and the risks resulting from TMU’s hybrid work model, the university’s executive team has mandated a set of minimum cybersecurity controls to be universally implemented by employees.

This page provides background information and guidance on how to set up the minimum cybersecurity controls.

Background information

What are the requirements of minimum cybersecurity controls?

The minimum cybersecurity controls require all employees to:

  • Install and regularly update antimalware and endpoint detection and response software; and activate encryption on personal computers and mobile devices you use to access, process or store sensitive university data.

If you manage online services or servers, you are also required to:

  • Configure online campus and cloud services for use with two-factor authentication and the university's virtual private network.
  • Regularly maintain servers with security patching; install antimalware and endpoint detection and response software; and conduct vulnerability scanning.

Who needs to apply cybersecurity controls?

All employees play a role in the university’s core defences against cybersecurity attacks. You are required to set up minimum cybersecurity controls if you:

  • Use a personal computer or mobile device to access, process or store sensitive university information; or
  • Manage online campus or cloud services that are available via remote access; or
  • Manage a university server.

Find help and resources for applying cybersecurity controls if you are:

Guidance on setting up cybersecurity controls

Are you using a personal computer or mobile device to access, process or store sensitive university information?

Whether you are using a university-owned or personal computer, you’ll need to do two things:

  1. Use current and regularly-updated antimalware and endpoint detection and response software; and
  2. Make sure encryption is enabled.

To understand more about what is considered sensitive information, please visit the university’s resources on:

This type of software has evolved from antivirus software to include a more robust suite of security detection and response.

Personal computers

For personal computers, you have several options, including:

  • Microsoft Defender Antivirus, which is a built-in antivirus and antimalware solution available in computers running Windows 10 and Windows 11. To verify if the software is active on your PC, you can check the state of Microsoft Defender Antivirus on your device (external link) .
  • XProtect, which is a built-in antivirus and antimalware solution available in all macOS versions 10.6 and newer. Note that XProtect runs by default and will update automatically along with system data files and security updates—you will not need to activate or update it manually.
  • Sophos Home Commercial Edition (external link) , which is available to employees who sign up using their university email address.
University-owned computers

For university-owned computers, Sophos is recommended. If you received your computer through Computing and Communications Services (CCS), Sophos will have been installed on your behalf.

If your university-owned computer was purchased without assistance from CCS and you do not currently have Sophos installed, please visit the Security Software page and select the option for faculty/staff for assistance downloading Sophos.

Mobile devices

Sophos Home Commercial Edition (external link)  can be installed on personal mobile devices and is available to employees who sign up using their university email address.

Note that effective antimalware solutions may not be available for some popular mobile devices. In such cases, please minimize as much as possible the use of these devices to access sensitive university information.

Important: It is critical that you keep your encryption key in a safe and accessible place. Unlike passwords, encryption keys cannot be reset or recovered, and you will not be able to access your device or data if your key is lost or misplaced.

There is no remediation for lost or misplaced encryption keys.

What is encryption?

If your device is lost or stolen, encryption helps ensure private content is protected from unwanted visitors by scrambling the data on your device to become undecipherable. This helps ensure only you or someone who holds your encryption key will be able to access private data.

Start by backing up your computer or mobile device

Before setting up encryption, we recommend backing up your files to a personal cloud service or USB drive so it can be restored in the event of data loss. Find out how to:

Set up encryption once your backup is complete

Find help with:

Note for Microsoft Windows 10 Home users: Encryption is limited to a device-level encryption on computers running Microsoft Windows 10 Home. For assistance, please visit the how to activate device encryption on Windows 10 Home page (external link) .

Note for Mac users: Macs equipped with a T2 security chip automatically integrate encryption for both the software and hardware, and you will not need to take further action.

To verify whether your Mac has a T2 chip, please visit the Mac models with the Apple T2 security chip page (external link) . If your Mac does not have a T2 chip, please refer back to the guidance on encrypting a Mac storage device (external link) .

If you require further assistance with security software installations on university-owned devices, please contact the Computing and Communications Services Help Desk via the IT Help portal, help@torontomu.ca or 416-979-5000, ext. 556806.

Are you managing online campus or cloud services that are available via remote access?

There are several security controls that should be in place for online services you manage and make available from an off-campus location.

As an added security measure, all employees and students are required to use two-factor authentication (2FA) for remote logins to university technology resources.

To configure your online service to require two-factor authentication, please contact the CCS Help Desk.

Virtual private networks (VPNs) ensure a secure connection through which data can be exchanged between your online service and the end-user’s computer. It is required for accessing select systems and databases at the university.

To configure your online service to require use of the university’s VPN, TMU-VPN, please contact the CCS Help Desk.

If you require assistance with configuring services for use with two-factor authentication or VPN, please contact the Computing and Communications Services Help Desk via the IT Help portal, help@torontomu.ca or 416-979-5000, ext. 556806.

Are you managing university servers?

There are three requirements that apply to all university servers regardless of whether they are hosted on campus or hosted remotely:

  1. All servers must be configured and regularly maintained to enhance server security. Once discovered, vulnerabilities must be eliminated promptly. If they cannot be eliminated via patching or other means, mitigation strategies must be developed and put in place.
  2. Antimalware and endpoint detection and response software approved by the university’s chief information security officer (CISO) must be installed on all university servers that access, process or store sensitive information as defined in the university’s Information Classification Standard and Handling Guidelines.
  3. Vulnerability scanning software must be installed on all university servers as part of a comprehensive vulnerability management process.

Computing and Communications Services (CCS) operates firewall services that include a remote access management component that forces web logins via its Central Authentication Service (CAS) before a connection can be made to a web server.

To configure your server to work with the university’s Central Authentication Service, please contact the CCS Help Desk.

If you have questions about implementing any of the three requirements on your servers, please contact the Computing and Communications Services Help Desk via the IT Help portal, help@torontomu.ca or 416-979-5000, ext. 556806.

For assistance with vulnerability scanning and management services, please contact Wura Bamgbose, chief information security officer, at ciso@torontomu.ca.

Additional information

All exceptions to the implementation of the security requirements listed here must be approved by the university’s chief information security officer (CISO). All exceptions must provide sufficient evidence to demonstrate an acceptable level of risk before an exception can be made.

  1. Antimalware and endpoint detection and response software: Such software both protects end-user devices from having malicious software installed or executed on a device, and detects and reports attempts to compromise the device.

    It goes beyond traditional pattern-matching antivirus software in its ability to detect malicious software using static analysis, AI and other methods.
  2. Encryption: A process available on computers, mobile phones and other devices which is implemented to protect confidential data from being accessed by unauthorized people in case your device is ever hacked, lost, stolen or replaced.
  3. End-user devices: Desktop and laptop computers and mobile devices like tablets and smartphones that are physically accessed by individuals as opposed to servers which only provide network-accessible services.
  4. Malware: Software that is specifically designed to disrupt, damage or gain unauthorized access to an individual’s computer and/or personal device.
  5. Remote logins: When a person logs in to a university-hosted system from a network outside of the campus network or when anyone logs in to any cloud-hosted system.
  6. Virtual private networks (VPN): At TMU, VPN provides secure access to campus networks from the internet and allows people to work with on-campus resources as though they are present on campus.

The minimum security controls are consistent with the university’s existing cybersecurity policies and standards. In particular, you may wish to review the:

  1. Information Classification Standard and Handling Guidelines
  2. Network and Server Security Management Policy
  3. Information Protection and Access - Restricted Information Policy
  4. Acceptable Use of Information Technology Policy

Other relevant policies can be found on the University Administrative Policies site.

Online security vulnerabilities year-over-year: A visualization

Source: The National Institute of Standards and Technology (external link) 

Explore More