FIPPA / MFIPPA IT Controls Matrix (Free Download for Ontario Municipalities)

A control-by-control matrix Ontario municipalities can use to evidence the IT controls FIPPA, MFIPPA, and the Information and Privacy Commissioner of Ontario expect across council, public works, finance, transit, utilities, permits, and elections systems.

Built by Fusion Computing’s CISSP-led team. Mapped to FIPPA, MFIPPA, IPC Ontario guidance, CIS Controls v8.1, and the cyber-insurance baseline. Built for CAO, Clerk, and CFO use in council reporting.

Why this matrix exists

Ontario municipalities operate under two overlapping privacy regimes: the Freedom of Information and Protection of Privacy Act (FIPPA) for provincial institutions and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) for municipalities, school boards, police services boards, and conservation authorities. Both are administered by the Information and Privacy Commissioner of Ontario (IPC). Both place explicit duties on the institution to take reasonable security measures to protect personal information across every system the municipality operates.

Council reporting on cybersecurity has become a board-level discipline. CAOs and CFOs in Ontario municipalities are asked at every council meeting whether the IT controls are in place, whether the last backup was tested, whether the insurance is current, and whether the municipality has had any reportable incident. This matrix is the answer sheet, organized so it can be read into the council record and shared with the municipality’s IPC contact on request.

The regulatory floor for Ontario municipalities: MFIPPA defines personal information at section 2(1) and places explicit duties on Ontario municipal institutions — including municipalities, school boards, police services boards, and conservation authorities — to protect that information across the systems they operate. FIPPA imposes parallel obligations on provincial bodies. The Information and Privacy Commissioner of Ontario interprets these duties in its published orders, which consistently emphasize that “reasonable measures” means documented technical, physical, and administrative controls. The IPC publishes a library of public-sector privacy guidance and Privacy Breach Protocol resources referenced in IPC orders involving municipal data breaches. Sources: ipc.on.ca, ontario.ca/laws/mfippa, ontario.ca/laws/fippa.

The matrix (eight municipal control families)

1. Identity, access, and council systems

  • Multi-factor authentication enforced on every staff account, every elected official, every contractor
  • Conditional access policies block sign-ins from unmanaged devices and from non-Canadian IP ranges by default
  • Role-based access to financial systems (Diamond, Vadim, GP) reviewed quarterly with documented sign-off
  • Council member device program with documented separation of personal and municipal data
  • Departing-staff and end-of-council-term offboarding runbook with an audit trail of revocations

2. Public works, transit, and operational technology

  • SCADA / OT network segmentation from the corporate Microsoft 365 environment
  • Documented inventory of OT devices (water-treatment PLCs, transit fareboxes, fleet telematics, signal controllers)
  • Patch management cadence for OT separate from IT, with safety-impact-aware change control
  • Vendor remote-access controls with named external technicians and time-bound credentials
  • Incident-response runbook covering OT-specific scenarios (water supply, transit, emergency services)

3. FOI / records management

  • Records-retention schedule applied to all electronic records via Purview labels or equivalent
  • FOI request workflow documented from intake through release decision through publication
  • Search tooling capable of locating records across email, file shares, SharePoint, and legacy systems
  • Privacy-impact-assessment (PIA) template for new systems before procurement
  • Council-record retention separate from general-staff retention where the policy distinguishes

4. Backup, recovery, and resilience

  • Daily encrypted backup of all production systems with off-site storage in Canada
  • Documented backup restore test performed at least quarterly
  • Recovery Time Objective and Recovery Point Objective defined and communicated to CAO and Council
  • Disaster recovery runbook covering an October-snowstorm scenario, a water-system attack, and a ransomware event
  • Annual full-restore exercise with after-action notes filed

5. Cybersecurity baseline (CIS Controls v8.1 mapped)

  • EDR on every municipal-managed device with active monitoring (IG2 baseline)
  • Email security with DMARC, DKIM, SPF enforced on the municipal domain
  • Phishing-simulation training run at least twice a year for all staff and council
  • Vulnerability management cadence with documented monthly scan and 30-day patch SLA
  • Incident response retainer with a CISSP-led external partner on call 24/7

6. Vendor and procurement controls

  • Documented vendor inventory for every third party with municipal-data access
  • SOC 2 (or equivalent) attestation on file for primary financial software, payroll, HR systems
  • Procurement bylaw cyber-controls clause included in every RFP touching municipal data
  • Data Processing Agreement on file for every cloud vendor handling personal information
  • Annual vendor review cycle with named responsible staff member

7. Council reporting and council relations

  • Quarterly CISO-style council briefing on cybersecurity posture (open or in-camera per municipal practice)
  • Annual cybersecurity-tabletop exercise with named participants and an after-action report
  • Incident-disclosure protocol distinguishing internal-only, council-notification, and public-disclosure triggers
  • Cyber-insurance policy on file with the municipality’s required limits and an answered baseline-controls questionnaire
  • Pre-prepared council-record incident statement (not built mid-incident)

8. AI tooling and citizen-facing systems

  • Microsoft Copilot tenant-scoped, with sensitivity-label-aware retrieval blocking citizen-PII surfacing
  • Consumer ChatGPT and Gemini blocked at the network and identity layer for municipal-managed devices
  • Written AI use policy signed by all staff with consent to audit logging
  • Citizen-facing AI tools (chatbots on the municipal website, voice IVR) with PIA on file
  • IPC-aligned answer to “is AI used to make decisions affecting citizens” readily available

How to use this matrix

Three audiences. CAO uses it for the council brief: which controls are in place, which are partially in place, which are gaps. Clerk uses it as the FOI / records-management reference: where the controls live across the eight families. CFO uses it for the insurance renewal: every line item maps to a question the underwriter asks.

Run the matrix once a quarter. Each row gets a status (in place, partial, gap), a named owner, and a target date for closing any gap. The council brief becomes a status-of-each-family one-pager. The clerk’s FOI binder becomes the reference index. The CFO’s insurance renewal becomes a packet, not a panic.
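To make the quarterly review concrete, here is an added Python example (not part of Fusion's matrix or evidence packet) that takes matrix rows carrying the status, named owner and target date described above, flags rows that are not in place but lack an owner or target date, lists gaps whose target date has passed as of the review date, and rolls each family up into the single status the council one-pager needs. The sample rows, family names and dates are constructed for the example.

```python
"""Quarterly controls-matrix review roll-up (constructed example)."""
from datetime import date

STATUSES = {"in place", "partial", "gap"}

# Constructed sample rows: (family, control, status, owner, target_date or None)
SAMPLE_ROWS = [
    ("1. Identity and access", "MFA on every account", "in place", "IT Manager", None),
    ("1. Identity and access", "Quarterly RBAC review", "partial", "CFO", "2025-03-31"),
    ("4. Backup and recovery", "Quarterly restore test", "gap", "IT Manager", "2024-12-15"),
    ("4. Backup and recovery", "Daily encrypted off-site backup", "in place", "IT Manager", None),
    ("5. Cyber baseline", "DMARC/DKIM/SPF enforced", "gap", None, None),
]


def validate_row(row):
    """Problems with one row: unknown status, or a non-'in place' row with no owner/target."""
    _family, control, status, owner, target = row
    problems = []
    if status not in STATUSES:
        problems.append(f"{control}: unknown status '{status}'")
    elif status != "in place":
        if not owner:
            problems.append(f"{control}: no named owner")
        if not target:
            problems.append(f"{control}: no target date")
    return problems


def family_status(statuses):
    """Roll a family up: any gap -> gap, else any partial -> partial, else in place."""
    if "gap" in statuses:
        return "gap"
    return "partial" if "partial" in statuses else "in place"


def review(rows, review_date_iso):
    """Council one-pager data: per-family status, overdue open items, validation problems."""
    review_date = date.fromisoformat(review_date_iso)
    families, overdue, problems = {}, [], []
    for row in rows:
        family, control, status, _owner, target = row
        problems.extend(validate_row(row))
        families.setdefault(family, []).append(status)
        # An open item whose target date is already behind the review date is overdue.
        if status != "in place" and target and date.fromisoformat(target) < review_date:
            overdue.append(control)
    summary = {fam: family_status(s) for fam, s in families.items()}
    return {"families": summary, "overdue": overdue, "problems": problems}


if __name__ == "__main__":
    result = review(SAMPLE_ROWS, "2025-01-15")
    for fam, status in result["families"].items():
        print(f"{status:>8}  {fam}")
    print("overdue:", result["overdue"], "| problems:", result["problems"])
```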

Fusion Computing supplies the line-by-line evidence packet for our municipal clients and refreshes it at each quarterly business review. See our IT services for Ontario municipalities hub for the full operating scope.

Frequently asked questions

Is this matrix a substitute for FIPPA / MFIPPA legal interpretation?

No. It is a practitioner-built IT controls inventory designed to help a municipality demonstrate the “reasonable measures” standard that FIPPA / MFIPPA establish. For the underlying legal texts and authoritative interpretations, see the Ontario statutes (FIPPA RSO 1990, c F.31; MFIPPA RSO 1990, c M.56) and the published IPC orders. Fusion does not provide legal advice. Your municipal solicitor and the IPC remain responsible for interpretation.

How is this different from the CIS Controls v8.1 framework?

CIS Controls v8.1 is the underlying cybersecurity-controls framework, organized by control function (inventory, configuration, access, etc.) and implementation group. The FIPPA / MFIPPA IT Controls Matrix is organized by municipal-operational function (council, public works, FOI, council reporting, etc.) so a CAO and a CFO can read it without needing to translate from cybersecurity vocabulary. Family 5 of the matrix maps to the CIS Controls v8.1 IG2 baseline; the other seven families add municipal-specific scope.

Does this apply to school boards, police services boards, and conservation authorities?

Yes. MFIPPA applies to municipalities, school boards, police services boards, conservation authorities, and other local institutions defined in the Act. The matrix structure is identical; the staff roles change (Director of Education instead of CAO, Chief instead of head, etc.) and Family 2 (OT) becomes more or less relevant depending on the institution’s operational profile.

Our municipality is too small to staff a full security team. Does this still apply?

Yes, and most controls scale down. A 25-staff rural municipality can implement MFA, EDR, encrypted backups with tested restore, written AI policy, and a quarterly access review without a dedicated security team. The controls that require staffing (24/7 monitoring, tabletop exercises, vCISO touchpoints) are typically the ones an outsourced IT partner supplies. Fusion’s municipal program scales from villages of 5,000 to mid-tier cities.

Does Fusion supply this evidence matrix for municipal clients?

Yes. For Fusion-managed municipal clients, we maintain the line-by-line evidence packet against each control family, refreshed at each quarterly business review and on-demand for council briefings, IPC inquiries, or insurance renewals. The packet includes Fusion’s own SOC 2 status and a documented data-flow diagram covering our administrative access to municipal systems.

Get the PDF version

Want the printable PDF for CAO / Clerk / CFO use in council reporting? Book a 30-minute walk-through and we’ll send it after the call along with a gap analysis on your current setup.

Book a Consultation