
Risk Management

Information Technology Risk Management is concerned with the identification, assessment and prioritization of Information Technology risk so that appropriate mitigating strategies can be determined and controls applied to reduce the probability and/or impact to an actively accepted level, based on the risk appetite of the organization.

The primary categories of Information Technology risk that have been identified by Enterprise Risk Management at McMaster University are Information Security and Technology risk. Information security risk relates to the principles of confidentiality and integrity of information and the systems that support them. Technology risk relates to the principle of availability of technology and its ability to provide information and services when required.

Technology risk can be directly linked to Disaster Recovery Planning and Business Continuity Planning activities.

Information Security Risk...

That the University does not provide appropriate security controls to protect information in a manner that limits unauthorized or accidental disclosure, access, modification or destruction thus exposing the University to an increased potential damage and inability to achieve its strategies and objectives.

- McMaster Enterprise Risk Management

Technology Risk...

That the University does not renew or maintain adequate or common systems and networks and is not sufficiently leveraging advancements in technology thus impacting the ability to achieve the University's strategic priorities and objectives.

- McMaster Enterprise Risk Management

Risk Management Framework...

The Information Technology risk management process is based on the McMaster University Enterprise Risk Management framework which describes the process as:

  1. Determining the context of the risk management activity
  2. Assessing the risk through the identification of threats, the analysis of the likelihood and impact, and the evaluation of existing controls and determination of mitigating strategies to reduce risk
  3. Approving and implementing the controls to treat or mitigate the risks identified
  4. Monitoring the implemented controls to ascertain whether risk is reduced to the expected level
  5. Communicating the effectiveness of the mitigating strategies in reducing risk to the appropriate oversight individual or committee

Principles of Information Technology Security...

CONFIDENTIALITY - Information is disclosed to only those who have the right to know

INTEGRITY - Information is protected against unauthorized or accidental modification

AVAILABILITY - Information is available and usable when required by authorized individuals

Influencing Factors...

FIPPA - Freedom of Information and Protection of Privacy Act (McMaster FIPPA information) - FIPPA is a legislated act detailing the requirements for organizations to maintain accurate records of personal information, provide access to it, and protect it from unauthorized disclosure.

PHIPA - Personal Health Information Protection Act - PHIPA is a legislated act, similar in principle to FIPPA, that includes health information of the individual.

PCI-DSS – Payment Card Industry Data Security Standard (McMaster Payment Card information) - PCI compliance is concerned with the protection of credit card information for the prevention of credit card fraud.

Forward with Integrity - A letter from the President outlining the priorities and principles he believes will best help shape the University's development.

Vision 20/20 - Provides strategic direction for technology supporting McMaster's Academic, Research and Administrative mission.


