Minimum Cybersecurity Controls

During 2020 there was a dramatic increase in the volume and impact of cyber attacks against universities. Government agencies, such as the Canadian Centre for Cyber Security also report that attackers have been working to exploit the impact of the COVID-19 pandemic. Successful attacks against universities have shown that traditional anti-virus and blocking techniques are not enough to protect university information and systems.

To respond to the increased risk of attacks, combined with the risk resulting from thousands of faculty and staff working from home, TMU’s executive is mandating a set of minimum cybersecurity controls be universally implemented in the following three areas:

1. Remote access to campus and cloud services
2. Improved security of TMU servers
3. Improved security of end-user devices

These are only a minimum set of controls. All TMU employees including researchers, employees handling sensitive information, and instructors should be aware of TMU’s cybersecurity policies and implement additional controls and processes to protect themselves and the sensitive information they access. For more information on cybersecurity at TMU please visit torontomu.ca/cybersecurity.

Remote access to TMU Campus and Cloud Services

1. All remote logins to TMU technology resources will require two-factor authentication (2FA). While all employees are already required to use 2FA, not all students must use 2FA. We anticipate that all students will be using 2FA by the winter of 2022. Allowances may be made to allow those students to continue some remote access to Web applications without using 2FA until winter 2022. See the section on limitations and exceptions below.

TMU Servers 

The following requirements apply to servers regardless of if they are hosted on campus or are hosted remotely:

1. All servers must be configured and regularly maintained to enhance server security. Once discovered, vulnerabilities must be eliminated promptly. If they cannot be eliminated via patching or other means, mitigation strategies must be developed and put in place.
2. Anti-malware and Endpoint Detection and Response software approved by TMU’s Chief Information Security Officer (CISO) must be installed on all TMU servers that access, process, or store sensitive information as defined in TMU’s Information Classification Standard and Handling Guidelines. 
3. Vulnerability scanning software must be installed on all TMU servers as part of a comprehensive vulnerability management process.
   

End-User Devices

These requirements apply to all TMU employees:

1. Anti-malware and Endpoint Detection and Response software approved by TMU’s CISO must be installed on all TMU-owned or operated end-user devices (computers and mobile devices) that access, process, or store sensitive information as defined in TMU’s Information Classification Standard and Handling Guidelines. 
2. Encryption must be enabled on all TMU and personally-owned end-user devices accessing sensitive data on TMU’s systems and services.
3. Current anti-malware software must be installed and regularly updated on all personally owned end-user devices used for accessing TMU systems and information.

In some cases effective anti-malware solutions may not be available for popular mobile devices. In this case please minimize as much as possible the use of these devices to access sensitive TMU information. 

Limitations and Exceptions

All exceptions to the implementation of the security requirements listed here must be approved by TMU’s CISO. All exceptions must provide sufficient evidence to demonstrate an acceptable level of risk before an exception can be made.

Timeline

These new security requirements take effect immediately, however, due to the increased workload on IT providers and the TMU community during the pandemic, a compliance target date of May 1, 2022 has been set.

Assistance and available services that may help

Computing and communications services (CCS) provides support and services that may assist you in complying with the minimum security controls.

Remote access to campus and cloud services

VPN services  - CCS offers both an employee and student VPN service. For more information please contact: Roland Chan at ciso@torontomu.ca

CAS single-sign-on service - please contact: Clara Guo at cguo@torontomu.ca

CCS operates firewall services that include a remote access management component that forces Web logins via CAS before a connection can be made to a Web server. For more information on this service please contact: help@torontomu.ca.

Improved security of TMU servers

Vulnerability scanning and management service - please contact: Roland Chan  ciso@torontomu.ca

Improved security of end-user devices

Information about downloading security software, including anti-malware software, for TMU owned computers is available on the Security Software page.

The same page has information regarding freely available security software for personally owned devices. 

Information on encrypting your devices is available at:

• Encrypt your PC (external link) 
• Encrypt your Mac (external link) 
• Encrypt your Android (external link) 
• Encrypt your iPhone (external link) 

For assistance in other areas please contact the CCS helpdesk at help@torontomu.ca.

Definitions

1. CISO: Chief Information Security Officer.
2. Encryption: a process available on computers, mobile phones and other devices which is implemented to protect confidential data from being accessed by unauthorized people in case your device is ever hacked, lost, stoled or replaced.
3. Malware: software that is specifically designed to disrupt, damage or gain unauthorized access to an individual’s computer and/or personal device.
4. VPN, or Virtual Private Networks at TMU provides secure access to campus networks from the Internet and allows people to work with on-campus resources as though they are present on campus.
5. Remote logins are when a person logs into a TMU hosted system from a network outside TMU’s campus network or when anyone logs into any cloud-hosted system. 
6. End-user devices are devices, such as desktop and laptop computers and mobile devices like tablets and smartphones, that are physically accessed by individuals as opposed to servers which only provide network accessible services.
7. Anti-malware and Endpoint Detection and Response software both protects end-user devices from having malicious software installed or executed on a device and detects and reports attempts to compromise the device. It goes beyond traditional pattern-matching antivirus software in its ability to detect malicious software using static analysis, AI, and other methods.

References

The minimum security controls are consistent with TMU’s existing cybersecurity policies and standards. In particular please see the:

1. Information Classification Standard and Handling Guidelines
2. Network and Server Security Management Policy
3. Information Protection and Access - Restricted Information
4. Acceptable Use of Information Technology

Other relevant policies may be found found on the University Administrative Policies site.

Please visit the how to set up minimum cybersecurity controls for employees page for assistance implementing cybersecurity controls.