Where to Start
It is critical to cover the basics. Most attacks and incidents can be prevented by taking simple steps to protect yourself and your data.
The first and best thing you can do to secure yourself and your data is to secure your accounts with Multi-Factor Authentication (MFA).
- At U of T, enroll in UTORMFA
- Guidance for your personal accounts
Increase awareness
- Introduction to Research Security (Government of Canada training)
- CyberSecurity for Researchers (Government of Canada training)
Create your own personal plan
- Security Planner (Originally built by Citizen Lab at U of T)
Have a plan for when things go wrong
- U of T Incident Response Plan
- Templates and toolkits for responding to a cyber incident
Work securely when remote or traveling
- U of T Remote Security Matters Information Page
- Safeguarding your data while traveling tip sheet
- U of T Remote Work Guidelines
Be vigilant about ransomware and phishing
For devices, at a minimum:
- Use supported versions of operating systems.
- Patch and update the operating system and software/applications with respect to security vulnerabilities.
- Have fully enabled, automatically updating anti-virus software for Windows computers where possible.
- Protect devices with a strong password and/or biometrics.
A Comprehensive Approach
If you are protecting more than yourself and your data, such as a research lab, it is important to implement protections appropriate to the level of risk.
Cyber Security Framework
- Identify and manage security risk: know what you have, why you have it, and the risk
- Protect using reasonable and appropriate controls that directly mitigate risks
- Detect when the protections fail
- Respond quickly to minimize impact
- Recover and get back to work
Resources and References
- Government of Canada Research Cyber Security and Policy Statements
- NIST Cyber Security Framework (CSF)
- Trust CI (NSF Center of Excellence) Cybersecurity Framework for Research
- U of T Baseline Information Security Standard (a version appropriate and tuned for research is in development)
- Center for Internet Security Critical Security Controls
Protocols, projects or collaborations with other countries
If you are working with people or data from other countries, you may have other obligations. Here are a few common ones:
- United States Cybersecurity Maturity Model Certification (CMMC)
- European Union: General Data Protection Regulation (GDPR)
Working with Service Providers
It is your responsibility to ensure Service Providers meet the University standards and any contractual or sponsor obligations.
- Quick start assessment: Higher Education Community Vendor Assessment Toolkit (HECVAT)
Getting Help
- Contact your Faculty IT Help Desk
- Request a Security Assessment from the ITS Risk Assessment team (please submit early, lead time can be weeks to months depending on time of year)