The City of Toronto offers multiple services over the internet and is expanding its technology landscape to residents, businesses, and visitors. The City’s Technology Services Division (TSD) and Office of Chief Information Security Officer (OCISO) are enhancing cybersecurity and implementing a standardized approach for the design and delivery of information technology (IT) solutions to provide enhanced and secure experiences for residents, businesses, visitors, and City staff.

Current Status

The approach will first focus on standardizing processes and applications within City divisions, before extending to agencies and corporations.

The following steps have been taken:

  • Standardized TSD Service Intake process for City-wide requests
  • Established a TSD Enterprise Architecture Review Board for proposed technology solutions
  • The OCISO has developed a Cybersecurity Governance framework for City divisions, agencies, and corporations and is working with stakeholders to ensure standardized cyber security metrics

More changes are planned, such as:

  • Standardization of City IT policies and procedures
  • Standardization of IT roles and responsibilities across Divisional IT teams
  • Operationalization of the Cyber Security Governance Framework, with a focus on critical infrastructure divisions with operational technology (OT) systems
  • Preparation and maintenance of application inventory

Background & Context

Cyberattacks can have devastating effects, resulting in an inability to deliver critical services, stolen personal data, financial losses, risk of lawsuits, and reputational damage. To improve cybersecurity considerably, the City must change in three key areas:

  1. Human Behaviour (as it relates to cybersecurity threats);
  2. Technical Fixes; and
  3. Culture Shift.

In 2019, City Council adopted AU4.1: Cyber Safety: A Robust Cybersecurity Program Needed to Mitigate Current and Emerging Threats. City Council directed the Chief Technology Officer to take an expanded City-wide role and mandate to provide support, oversight and direction on standards, practices and policies to all City Divisions and certain agencies and corporations. The City has rolled out mandatory cyber security awareness training to help City staff recognize and report cyber threats and learn how to safely use the City’s IT systems and assets. In addition, the City has implemented enhanced password rules and will continue to proactively run vulnerability assessments, penetration testing and threat risk assessment services to identify and manage cyber risks. TSD conducted Disaster Recovery (DR) activities to assess current gaps and standardize DR services.

TSD and the OCISO meet with select City agencies and corporations to discuss best practices relating to technology and cyber security standardization.

Equity, Diversity & Inclusion

The use of data and technology has equity implications predominantly associated with:

  • lack of access to the internet and internet-enabled devices (referred to as the digital divide);
  • not fully understanding and/or addressing users’ accessibility needs; and
  • the potential for automated decisions and processes to perpetuate bias and discrimination.

Technology and Cybersecurity Standardization is aligned with the City’s Digital Infrastructure Strategic Framework (DISF), which establishes guidelines that foster digital inclusion and integrates digital equity considerations into the decision-making process. The DISF includes an Equity and Inclusion Principle, supports the City of Toronto Data for Equity Strategy, and directs the City to use Digital Infrastructure to create and sustain equity and inclusion.

Key Contact

Renee Laforet
Interim Chief Technology Officer
Renee.Laforet@toronto.ca, 416-397-0500

Abiodun Morolari
Chief Information Security Officer
Abiodun.Morolari@toronto.ca, 416-396-4693