How to Set Up Minimum Cybersecurity Controls for Employees
Like many Canadian universities in recent years, TMU has experienced a dramatic increase in the volume of cyber attacks working to exploit its networks and systems.
In response to increased attacks and the risks resulting from thousands of faculty and staff working from home, the university’s executive team has mandated a set of minimum cybersecurity controls to be universally implemented by employees.
This page provides background information and guidance on how to set up the minimum cybersecurity controls.
Find help and resources for applying cybersecurity controls if you are:
- Using a personal computer or mobile device to access, process or store sensitive university information; or
- Managing online campus or cloud services that are available via remote access; or
- Managing a university server.
Are you using a personal computer or mobile device to access, process or store sensitive university information?
Whether you are using a university-owned or personal computer, you’ll need to do two things:
- Use current and regularly-updated antimalware and endpoint detection and response software; and
- Make sure encryption is enabled.
To understand more about what is considered sensitive information, please visit the university’s resources on:
This type of software has evolved from antivirus software to include a more robust suite of security detection and response.
For personal computers, you have several options, including:
- Microsoft Defender Antivirus, which is a built-in antivirus and antimalware solution available in computers running Windows 10 and Windows 11. To verify if the software is active on your PC, you can check the state of Microsoft Defender Antivirus on your device.
- XProtect, which is a built-in antivirus and antimalware solution available in all macOS versions 10.6 and newer. Note that XProtect runs by default and will update automatically along with system data files and security updates—you will not need to enable or update it manually.
- Sophos Home Commercial Edition, which is available to employees who sign up using their university email address.
For university-owned computers, Sophos is recommended. If you received your computer through Computing and Communications Services (CCS), Sophos will have been installed on your behalf.
If your university-owned computer was purchased without assistance from CCS and you do not currently have Sophos installed, please visit the Security Software page and select the option for faculty/staff for assistance downloading Sophos.
Sophos Home Commercial Edition can be installed on personal mobile devices and is available to employees who sign up using their university email address.
Note that effective antimalware solutions may not be available for some popular mobile devices. In such cases, please minimize the use of these devices to access sensitive university information as much as possible.
Important: It is critical that you keep your encryption key in a safe and accessible place. Unlike passwords, encryption keys cannot be reset or recovered, and you will not be able to access your device or data if your key is lost or misplaced.
There is no remediation for lost or misplaced encryption keys.
What is encryption?
If your device is lost or stolen, encryption helps protect private content from unwanted visitors by scrambling the data on your device so that it is undecipherable. This helps ensure that only you, or someone who holds your encryption key, will be able to access private data.
Start by backing up your computer or mobile device
Before setting up encryption, we recommend backing up your files to a personal cloud service or USB drive so they can be restored in the event of data loss. Find out how to:
- Back up and restore in Windows
- Back up your Mac with Time Machine
- Back up your Android phone
- Back up your iPhone
Set up encryption once your backup is complete
Find help with:
- Device encryption in Windows
- Encrypting a Mac storage device
- Encrypting your Android device
- Encrypting your iPhone
Note for Microsoft Windows 10 Home users: Encryption is limited to device-level encryption on computers running Microsoft Windows 10 Home. For assistance, please visit the page on how to enable device encryption on Windows 10 Home.
Note for Mac users: Macs equipped with a T2 security chip automatically integrate encryption for both the software and hardware, and you will not need to take further action.
To verify whether your Mac has a T2 chip, please visit the Mac models with the Apple T2 security chip page. If your Mac does not have a T2 chip, please refer back to the guidance on encrypting a Mac storage device.
As an added security measure, all employees and students are required to use two-factor authentication (2FA) for remote logins to university technology resources.
To configure your online service to require two-factor authentication, please contact the CCS Help Desk.
Virtual private networks (VPNs) ensure a secure connection through which data can be exchanged between your online service and the end-user’s computer. A VPN is required for accessing select systems and databases at the university.
To configure your online service to require use of the university’s VPN, RU-VPN2, please contact the CCS Help Desk.
There are three requirements that apply to all university servers regardless of whether they are hosted on campus or hosted remotely:
- All servers must be configured and regularly maintained to enhance server security. Once discovered, vulnerabilities must be eliminated promptly. If they cannot be eliminated via patching or other means, mitigation strategies must be developed and put in place.
- Antimalware and endpoint detection and response software approved by the university’s chief information security officer (CISO) must be installed on all university servers that access, process or store sensitive information as defined in the university’s Information Classification Standard and Handling Guidelines.
- Vulnerability scanning software must be installed on all university servers as part of a comprehensive vulnerability management process.
Computing and Communications Services (CCS) operates firewall services that include a remote access management component that forces web logins via its Central Authentication Service (CAS) before a connection can be made to a web server.
To configure your server to work with the university’s Central Authentication Service, please contact the CCS Help Desk.
If you have questions about implementing any of the three requirements on your servers, please contact the Computing and Communications Services Help Desk via the IT Help portal, email@example.com or 416-979-5000, ext. 556806.
For assistance with vulnerability scanning and management services, please contact Roland Chan, chief information security officer, at firstname.lastname@example.org.
All exceptions to the implementation of the security requirements listed here must be approved by the university’s chief information security officer (CISO). All exceptions must provide sufficient evidence to demonstrate an acceptable level of risk before an exception can be made.
- Antimalware and endpoint detection and response software: Such software both protects end-user devices from having malicious software installed or executed on a device, and detects and reports attempts to compromise the device.
It goes beyond traditional pattern-matching antivirus software in its ability to detect malicious software using static analysis, AI and other methods.
- Encryption: A process available on computers, mobile phones and other devices which is implemented to protect confidential data from being accessed by unauthorized people in case your device is ever hacked, lost, stolen or replaced.
- End-user devices: Desktop and laptop computers and mobile devices like tablets and smartphones that are physically accessed by individuals as opposed to servers which only provide network-accessible services.
- Malware: Software that is specifically designed to disrupt, damage or gain unauthorized access to an individual’s computer and/or personal device.
- Remote logins: When a person logs in to a university-hosted system from a network outside of the campus network or when anyone logs in to any cloud-hosted system.
- Virtual private networks (VPN): At TMU, VPN provides secure access to campus networks from the internet and allows people to work with on-campus resources as though they are present on campus.
The minimum security controls are consistent with the university’s existing cybersecurity policies and standards. In particular, you may wish to review the:
- Information Classification Standard and Handling Guidelines
- Network and Server Security Management Policy
- Information Protection and Access - Restricted Information Policy
- Acceptable Use of Information Technology Policy
Other relevant policies can be found on the University Administrative Policies site.