Exeter university ig manager presentation [1]
- 1. ‘What do you think are the key information security challenges facing universities and how would you address them?’ By Martin Lawrence
- 2. What is information security? Information security is the combination of technical and organisational measures deployed in an organisation that are designed to protect the confidentiality, availability and integrity of information assets.
- 3. “a body of knowledge that is organised and managed as a single entity and is of value to the university” University of Exeter Information Classification Policy What is an information asset
- 4. Why protect information assets? • Information assets are of value • Information assets are vital to the effective day- to-day running of the university • The university is also required by law to protect some information e.g. personal data – • Failure to protect personal data may lead to fines / law suits / reputational damage • Confidential data provided by third parties • Failure to uphold confidentiality may lead to law suits / reputational damage / loss of confidence
- 5. University security challenges • A dynamic organisation creating new information assets and with unique risks • Creating a security culture in a changing academic and business landscape which values information security and embeds this into existing processes • International working leading to cross boarder transfers of data • High value research data of significant national / international value that may be subjected to various internal and external threat actors
- 6. External information security threats • Commodity Threat Actors (Phishing / Scamming) • Advanced threat actors (national / industrial espionage) • “Hackivists” (seeking to do damage to the reputation of the University)
- 7. Managing information security risks My proposal for managing information security risks is to adopt the PDCA approach established as part of the ISO27001 security standard.
- 8. The Solution – PLAN • Identifying information assets and their associated risks • Assigning responsibilities for assets and associated information risks • Assess these risks against the context of the organisation and agreeing priorities • Agree what risks are acceptable, what can be transferred, which require mitigation and which require monitoring
- 9. The Solution – DO • Establish and implement an organisation wide information security policy • Establish a framework for investigating breaches of information security • Implementing appropriate controls that are proportionate to the level of risk identified • Create tailored guidance and training on how to implement these controls • Establish and implement a communications plan to deliver heightened awareness of information security good practice
- 10. The Solution – CHECK • Establishing effective oversight and reporting of information risks to senior management and risk owners • Review the effectiveness of controls over time • Review intelligence from security incidents and establish if any new risks have been identified or whether pre-existing risks need reviewing or escalating
- 11. The Solution – ACT • Amend processes or procedures in light of any vulnerabilities identified • Target communications, awareness exercises and training in response to any vulnerabilities identified • Re-assess information risks following information security incidents • Implement a revised risk treatment plan where appropriate
- 12. In Summary • Universities are a dynamic environment whose information risk profile are constantly changing • There needs to be a firm understanding of the nature of information risks and what these mean for the organisation • A dynamic approach needs to be taken to ensure that risks are identified, reviewed and proportional controls put in place • Risks and their associated controls need to be kept under constant review so as to ensure they remain fit for purpose for the organisation • Staff need to understand their role in creating a security conscious organisation
- 13. Thank you for your time Any questions?
Editor's Notes
- #2: 30 seconds max Introduce myself Read the heading and introduce the presentation
- #3: 1min max Read the definition Explain what an information asset is (university definition) Give examples of technical measure Give examples of organisational measures Explain that assets will often require a range of technical and organisational measures to protect them, depending on the nature of the risk
- #5: 1 minute max Read the slide Give examples of how information assets are used to run the university Expand on how research assets may impact on national policy makers – Strategy & Security Institute
- #6: 1 minute max I see a University as a dynamic organisation that is constantly evolving to meet the changing political and academic landscape This changing environment is likely to lead to difficulties in embedding a security conscious culture The nature of a university is such that it is likely to be constantly creating new information assets. Therefore identifying these assets and assessing the security threats these assets face, is going to be a constant concern. With the degree of high value research data held by the university there will be an increasing number of external threat actors operating to gain access to this data. Examples of such external threat actors include;
- #7: 30 seconds max Read the slide
- #8: 30 seconds max Read the slide
- #9: 1 minute max Read the slide Include understanding the heads of college have been assigned responsibility under the university’s existing policy
- #10: 1 minute max Read slide Expand on the University Information Security Policy
- #11: 1 minute max Read slide Expand on University Security Management Framework (VCEG – ISSG)
- #12: 30 Seconds max Read slide
- #13: 30 seconds max Read slide
- #14: Negligible