Minimum Cybersecurity Controls

Over the past decade, Canada’s postsecondary education sector has experienced a dramatic increase in the volume and impact of cyber attacks targeted academic institutions. Successful attacks against universities have shown that traditional anti-virus and blocking techniques are not enough to protect university information and systems.

To respond to the increased risk of attacks, combined with new cybersecurity risks associated with hybrid work, TMU’s executive has mandated a set of minimum cybersecurity controls universally implemented in the following three areas:

1. Remote access to campus and cloud services
2. Improved security of TMU servers
3. Improved security of end-user devices

These are only a minimum set of controls. All TMU employees including researchers, employees handling sensitive information, and instructors should be aware of TMU’s cybersecurity policies and implement additional controls and processes to protect themselves and the sensitive information they access. For more information on cybersecurity at TMU please visit torontomu.ca/cybersecurity.

Remote access to TMU Campus and Cloud Services

All remote logins to TMU technology resources require that community members have two-factor authentication (2FA) enabled.

TMU Servers 

The following requirements apply to servers regardless of if they are hosted on campus or are hosted remotely:

1. All servers must be configured and regularly maintained to enhance server security. Once discovered, vulnerabilities must be eliminated promptly. If they cannot be eliminated via patching or other means, mitigation strategies must be developed and put in place.
2. Anti-malware and Endpoint Detection and Response software approved by TMU’s Chief Information Security Officer (CISO) must be installed on all TMU servers that access, process, or store sensitive information as defined in TMU’s Information Classification Standard and Handling Guidelines. 
3. Vulnerability scanning software must be installed on all TMU servers as part of a comprehensive vulnerability management process.
   

End-User Devices

These requirements apply to all TMU employees:

1. Anti-malware and Endpoint Detection and Response software approved by TMU’s CISO must be installed on all TMU-owned or operated end-user devices (computers and mobile devices) that access, process, or store sensitive information as defined in TMU’s Information Classification Standard and Handling Guidelines. 
2. Encryption must be enabled on all TMU and personally-owned end-user devices accessing sensitive data on TMU’s systems and services.
3. Current anti-malware software must be installed and regularly updated on all personally owned end-user devices used for accessing TMU systems and information.

In some cases effective anti-malware solutions may not be available for popular mobile devices. In this case please minimize as much as possible the use of these devices to access sensitive TMU information. 

Limitations and Exceptions

All exceptions to the implementation of the security requirements listed here must be approved by TMU’s CISO. All exceptions must provide sufficient evidence to demonstrate an acceptable level of risk before an exception can be made.

Assistance and available services that may help

Computing and Communications Services (CCS) provides support and services that may assist you in complying with the minimum security controls.

Remote access to campus and cloud services

VPN services - CCS offers both an employee and student VPN service. For more information please contact: Wura Bamgbose at ciso@torontomu.ca.

CAS single-sign-on service - please contact: Clara Guo at cguo@torontomu.ca.

CCS operates firewall services that include a remote access management component that forces web logins via CAS before a connection can be made to a web server. For more information on this service, please contact: help@torontomu.ca.

Improved security of TMU servers

Vulnerability scanning and management service - please contact: Wura Bamgbose ciso@torontomu.ca.

Improved security of end-user devices

Information about downloading security software, including anti-malware software, for TMU owned computers is available on the Security Software page.

The same page has information regarding freely available security software for personally owned devices. 

Information on encrypting your devices is available at:

• Encrypt your PC (external link) 
• Encrypt your Mac (external link) 
• Encrypt your Android (external link) 
• Encrypt your iPhone (external link) 

For assistance in other areas please contact the CCS Help Desk at help@torontomu.ca.

Definitions

1. CISO: Chief Information Security Officer.
2. Encryption: a process available on computers, mobile phones and other devices which is implemented to protect confidential data from being accessed by unauthorized people in case your device is ever hacked, lost, stoled or replaced.
3. Malware: software that is specifically designed to disrupt, damage or gain unauthorized access to an individual’s computer and/or personal device.
4. VPN, or Virtual Private Networks at TMU provides secure access to campus networks from the Internet and allows people to work with on-campus resources as though they are present on campus.
5. Remote logins are when a person logs into a TMU hosted system from a network outside TMU’s campus network or when anyone logs into any cloud-hosted system. 
6. End-user devices are devices, such as desktop and laptop computers and mobile devices like tablets and smartphones, that are physically accessed by individuals as opposed to servers which only provide network accessible services.
7. Anti-malware and endpoint detection and response software both protects end-user devices from having malicious software installed or executed on a device and detects and reports attempts to compromise the device. It goes beyond traditional pattern-matching antivirus software in its ability to detect malicious software using static analysis, AI, and other methods.

References

The minimum security controls are consistent with TMU’s existing cybersecurity policies and standards. In particular please see the:

1. Information Classification Standard and Handling Guidelines
2. Network and Server Security Management Policy
3. Privacy and Access to Information Policy
4. Acceptable Use of Information Technology

Other relevant policies may be found found on the University Administrative Policies site.

Please visit the how to set up minimum cybersecurity controls for employees page for assistance implementing cybersecurity controls.