ISC Risk, Compliance, Metrics and Reporting Working Group
Terms of reference
The Risk, Compliance, Metrics and Reporting Working Group is responsible for developing, through consultation with member stakeholders and their colleagues, an understanding of the information and metrics needed by decision makers to best support information security decisions made at the local, divisional and institutional level. Fundamentally, this involves determining what metrics, reports or other information should be collected, by whom, and with whom they should be shared. This work includes the development of contextual information to aid in the interpretation of data provided to decision makers.
The working group in the current term will focus on the collection of metrics and development of reporting and information resources for information security work at all levels of the institution. Members will:
- Identify and define stakeholder groups, their role in the provision of or accountability for information security and their associated information and reporting needs.
- Probe the information needs of various stakeholder groups at the University of Toronto and document what information (and in what format and frequency) would be needed for those individuals to make responsible, informed decisions in their role.
- Provide a proposed list of information to be collected, proposed sources for the information and distribution mechanisms and policies.
- Develop and make recommendations for areas of institutional risk requiring focused attention and investment.
- Provide ongoing feedback to the Data Asset Inventory and Information Risk Self-Assessment (DAI-IRSA) and other institutional risk management tools, processes and programs.
- Membership comprises individuals who engage in a broad range of decision-making and support activities with varied information needs and those with expertise in information security.
- Working group members will consult with local decision makers and their peers in representing and clarifying the information needs of various groups and roles.
- Members will seek input from the Information Security Council (ISC) on information needs and stakeholder group definitions.
- When the working group feels a natural ‘first pass’ of information needs can be produced, it will be forwarded to the ISC for endorsement before the working group moves forward on how the information may be collected and how it should be shared, and the tools and processes required to accomplish these goals.
Meetings are held on the third Tuesday of every month, from 2 to 3:30 p.m. Upcoming meetings:
- April 18
- May 16
- June 20
- July 18
- Aug. 15
- Sept. 19
- Oct. 17
| Kalyani Khati (co-chair) | Associate Director, Information Security Strategic Initiatives, Information Technology Services |
| Paul Morrison (co-chair) | IT Director, Faculty of Kinesiology & Physical Education |
| Chris Brown | Associate Registrar, Special Projects & Director Academic Scheduling, Registrar’s Office, Faculty of Applied Science and Engineering |
| Steven Butterworth | PCS Manager, Department of Physics, Faculty of Arts & Science |
| Sheril Chacko | Senior Business Analyst, Information & Instructional Technology Services (IITS), U of T Scarborough |
| Anoop Kaur | Senior Auditor, Internal Audit |
| John Kerr | Director, Risk Management and Insurance, Finance |
| Lareza Lazuardi | Senior Manager, Applications & Development, Information and Instructional Technology (IIT), Faculty of Arts & Science |
| Sue McGlashan | Research Information Security Lead, Information Security, ITS |
| Akshat Mishra | Information Security Program Manager, IITS, U of T Mississauga |
| Serena Persaud | Chief Administrative Officer, Student Life |
| Danny Velev | Business Intelligence Solutions Architect, Division of University Advancement |
| Jeffrey Waldman | Manager, Institutional Data Governance, Institutional Research & Data Governance |