Development of new cybersecurity standards for servers
ISS developed new security standards that provide direction to IT administrators with respect to Internet-facing servers. The aim of these standards is to reduce the risk of the loss of confidentiality and integrity of data in Waterloo’s care; reduce the risks of outage caused by Internet threats via Internet-exposed hosts; and increase public and research sponsor confidence in the University’s security posture with respect to its Internet presence.
This work is increasingly important as Bill 194, Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024, has recently become law, setting a foundation to ensure that people, businesses and children have the right protections to safely participate and thrive in digital life. We expect regulations from the Government of Ontario to be released in the new year setting requirements and expectations surrounding protections of the University’s technology environment and data.
Other 2024 accomplishments
Some of the other great work from the past year
Mandatory cyber awareness training
Mandatory cyber awareness training programs for all University employees and researchers were developed and implemented in support of efforts to advance IT security measures to enhance protection against increasingly advanced security threats and vulnerabilities.
Cybersecurity guidelines for researchers
Development of a research data classification system based on risk with a standardized framework to classify research data, which will aid in ensuring the researcher has appropriate security controls in place in accordance to the risk level. Final process to be available in 2025.
Asset management
Tooling for data collection, aggregation and merging of IT Asset Management data has been developed in order to provide a comprehensive view of IT Assets on Campus. This initiative will enhance our security incident response by pre-collecting ownership and contact information ahead of incidents, linking fragmented data, and reduce or remove manually researching system ownership during an incident. This initiative will also be able to automate data collection from reliable data sources such as SentinelOne, Qualys Agents, and other authoritative sources to enhance the data available in asset inventories on campus.
Upcoming 2025 initiatives
A look at what we'll be working on in 2025
Major upgrades to Identity and Access Management system
Components of WatIAM will undergo significant upgrades to keep the system inline with the most current development roadmap and to maintain versioning support.
Updates to incident response plan
The University's incident response plans will be updated, including the development of playbooks for response and implementation of new standards.