Terms of Referenceget help

Terms of reference for the Identity, Security, and Compliance (ISC) group of SFU IT Services.


Support the IT Services mission and the university's strategic vision by assisting the entire SFU community in the use of best practices for information security and identity management.


Enterprise identity management software was developed at SFU to support the migration to Unix in 1990.  Since that date, a combination of in-house developed and open-source software has been used to provide a centralized, comprehensive user identity.  As the identity management infrastructure expanded over the years, the number of staff involved has also grown.

Since that time, the de facto single point of contact for information security has rested within the SFU administrative unit responsible for the data communications network.  As in most other higher education institutions, this happened because of the unique position the data network holds in access control, visibility into information security incidents, and the public registration of network contact information.  Although responsible for network security, these staff had only an advisory role in other domains of information security which were the responsibility of different SFU staff or were not addressed consistently.

Contractual, legislative, and regulatory compliance have been dealt with largely on an ad hoc basis; formal assignment of ongoing responsibility has been uncommon.  In high-profile projects such as PCI-DSS compliance, typically a scratch team of subject matter experts were assembled under a project manager and senior-level leader or sponsor.

All of the staff involved with identity, security, and compliance have also had other responsibilities such as desktop support, network engineering, systems administration, or software development of unrelated applications.

As part of the general reorganization of SFU IT Services in November 2013, the Chief Information Officer created a new Identity, Security, and Compliance (ISC) group from IT Services staff involved with information security and identity management but formerly in separate units.  Discussions over the following months led to the creation of this Terms of Reference to record and communicate the responsibilities of the group, and to the appointment of the first Information Security Officer for the university in August 2014.

The reorganization and the SFU policy for the Fair Use of Information and Communications Technology (GP24) give the new ISC group a mandate in information security for the whole university, although not necessarily the responsibility or accountability for all aspects.  The standard definition of information security is protecting the confidentiality, integrity, and availability of information.  The domains of information security typically include risk management, access control, identity management, software development security, cryptography, physical security, network security, business continuity, disaster recovery, investigations, and compliance.  Some of these are out of scope for the ISC group, in particular where they are already the responsibility of other staff at the university, such as physical security, business continuity, and disaster recovery.


Best practices recommend developing a holistic risk-based security program, looking at the big picture of information security rather than only delivering piecemeal solutions.  Perfect security is impossible, especially when facing modern threats developed by highly skilled individuals working for well-funded organizations; we need to apply resources cost effectively and deliver the greatest value to the university.  By tying our risk management strategy in with the university risk management framework and understanding the risks that may prevent the university from achieving its strategic vision, we can focus the security program where we can make a difference.

Our approach will be three-fold:

  1. Consult with key stakeholders in education, research, and community engagement to understand how the ISC group can best contribute to the three goals of the university strategic vision: engaging students, engaging research, and engaging communities.
  2. Collaborate with other staff in IT Services and related university administrative units such as the Information & Privacy Officer, Copyright Officer, Campus Security, Risk Management, General Counsel, and Internal Auditor to attain synergy.
  3. Develop focused goals for identity management and information security for the whole university to efficiently and cost effectively manage risk.

Ideally, we will see the university community proactively engaged in information security.

Goals and Responsibilities

Centre of Excellence

  • Be the university's centre of expertise for information security and identity management.
  • Be consistently consulted by university staff and faculty with significant identity management and information security questions.
  • Assist the university community with the information security and identity management aspects of regulatory and legislative compliance.

Policy and Governance

  • Advocate for stronger university information security governance.
  • Advocate for stronger university identity management governance.
  • Write and enforce identity management and information security policies for the university.

Core Services

  • Provide identity and access management services to the university.
  • Continuously assess the university's information security risk.
  • Provide information security risk management advice.

Awareness and Education

  • Facilitate a culture of proactive information security engagement throughout the university community.
  • Champion a centralized, comprehensive user identity.
  • Provide information security awareness training and documentation.

Incident Response Lifecycle

  • Assist in the development of proactive information security measures.
  • Detect information security incidents affecting the university.
  • Be the central point of contact for university information security incidents and coordinate incident response.
  • Share and gather operational information security intelligence.