Implementing Data Governance & ISMS in a University
1 like622 views
This document discusses implementing data governance and an information security management system (ISMS) at the University of New South Wales (UNSW) in Australia. It explores the unique challenges of securing an institution with over 50,000 students and diverse research. Key steps taken include establishing data ownership and classification, implementing an ISMS framework, and building security awareness across the university community through collaborative forums. The goal is to standardize cybersecurity processes while incrementally strengthening protections for the university's data assets and systems.
Implementing Data Governance & ISMS in a University
- 1. Case study: Implementing Data Governance and ISMS at UNSW Kate Carruthers Version 1.0 March 2017 Classification: PUBLIC
- 2. This case study covers the complexities of implementing data & information governance and an information & security management system as part of a broader cybersecurity framework at an institution like UNSW Australia. It explores some of the unique challenges of securing an institution that has over 50,000 students and which undertakes research that ranges from open data to personally identifying patient information. 16/08/2017 Data & Information Governance Office 1
- 3. Fast facts 16/08/2017 Data & Information Governance Office 2
- 4. The Group of Eight (Go8) is a coalition of leading Australian universities, intensive in research and comprehensive in general and professional education. The Global Alliance of Technological Universities is a network of the world’s top technological universities APRU is a network of 45 premier research universities from 16 economies around the Pacific Rim. Universitas 21 is the leading global network of research-intensive universities. The PLuS (Phoenix London Sydney) Alliance combines the strengths of three leading research universities on three continents to develop innovative solutions to these challenges in global health, social justice and sustainability while progressing the responsible innovation of advanced technologies Alliances 16/08/2017 Data & Information Governance Office 3
- 5. 16/08/2017 Data & Information Governance Office 4
- 6. Diverse user community 16/08/2017 Data & Information Governance Office 5
- 7. 3 realms of data 16/08/2017 Data & Information Governance Office 6 Learning & Teaching Research Administrative Enterprise systems Local Faculty-based systems Systems of record Learning Management Lecture recording MOOCs Research data Publications
- 8. Cultural issues Academic freedom Inventing the future We know what we’re doing I’ve got a PhD and you don’t 16/08/2017 Data & Information Governance Office 7
- 9. 16/08/2017 Data & Information Governance Office 8 Cybersecurity and enterprise risk management are a key focus for Council and Management Data & information governance are a key foundation for cybersecurity Cybersecurity and enterprise risk management are a key focus for Council and Management
- 10. Data & information governance are a key foundation for cybersecurity Management 16/08/2017 Data & Information Governance Office 9 Data & information governance are a key foundation for cybersecurity
- 11. 16/08/2017 Data & Information Governance Office 10
- 12. 16/08/2017 Data & Information Governance Office 11
- 13. 16/08/2017 Data & Information Governance Office 12
- 14. Responses to the hack War room Perimeter defences Visibility at Council level Risk register Appointment of dedicated Info Sec resources 16/08/2017 Data & Information Governance Office 13
- 15. Threats 1. Phishing, Whaling/Spear Phishing 2. Ransomware 3. DDOS/Zombie botnet armies 4. Big data 5. Ignorance 16/08/2017 Data & Information Governance Office 14
- 16. 16/08/2017 Data & Information Governance Office 15
- 17. Work plan 16/08/2017 Data & Information Governance Office 16 Setup policy framework Re-establish Data Governance Committees Establish Data Ownership structure Identify ‘Crown Jewels’ Implement Data Classification Implement System Classification Implement ISMS Implement Business Glossary Tool Implement Data Quality Process Implement Internal Data Sharing Agreements Implement Reference Data Management Implement Master Data Management Done PlannedKey: In progress
- 18. The 4 dimensions Framework: • provides enterprise wide roles and responsibilities to be accountable for decisions related to data assets • establishes policies & procedures to manage the data assets • provides diverse tools for managing operational data tasks UNSW Data Governance Framework focuses on the oversight, guidance and quality of enterprise data assets enabled through People, Policies, Procedures and Tools Policies are high level statements that provide context for strategic decisions relating to the data assets People are members of UNSW governance bodies, which hold the authority for decision relating to data assets Tools are pre-prepared objects that support people carrying out procedures Procedures are specific instructions designed to ensure policy is followed and outcomes are measurable Workflow for Approval Checklists Issues Register Data Profiling Data Sharing Data Reporting Regulatory Compliance Data Asset Prioritisation Data Exchange Agreements Data Process Flow Data Integration Data Security Strategic Drivers Dimensions Enterprise Oversight of Data Enterprise Guidance on Data Enterprise Quality of Data Performance Metrics Policies Procedures Tools Data Executives Data Owners Data Stewards People Data Creators/ Data Specialists 1 2 3 4 16/08/2017 Data & Information Governance Office 17
- 19. Alignment - Legal, Privacy, IT & Info Sec Mar-2017 Data & Information Governance 18 Information literacy Data driven improvements Policies & Standards Information Quality Privacy, Compliance, Security Architecture, Integration Establish Decision Rights Stewardship Assess Risk & Define Controls Consistent Data Definitions Adapted from University of Wisconsin Data Governance Framework
- 20. Fundamentals Data ownership Data classification Data handling guidelines ISMS Standards 16/08/2017 Data & Information Governance Office 19 Boundaries between Data Governance & IT teams – collaboration is critical
- 21. Data Classification 16/08/2017 Data & Information Governance Office 5 Data Classification Example Data Types Highly Sensitive Data subject to regulatory control Medical Children & Young persons Credit Card Research Data (containing personal medical data) Sensitive Student and Staff HR data Organisational financial data Exam material Exam Results Research Data (containing personal data) Private Business unit process and procedure Unpublished Intellectual property ICT system design & configuration information Public Faculty and staff directory information Course catalogues Published research data
- 22. Data classification process 16/08/2017 Data & Information Governance Office 21 Apply the controls Apply data classification to the Information Asset Assess data risks Identify the Information Assets Identify the Data Owner
- 23. ISMS 16/08/2017 Data & Information Governance Office 22 UNSW Faculties/Divisions/Affiliates Critical Apps Critical Apps Critical Apps Critical Apps CMDB Cloud/Internet Faculty Security Forums
- 24. Security approach Data Collection & Validation or Verification Reporting of potential threats/risks and compliance – e.g. Heat maps to Security Forums in each Faculty Risk Workshops Mitigation action plans Ongoing Compliance Maintenance Process 16/08/2017 Data & Information Governance Office 23 Goal: Standardisation of cyber security management processes across UNSW
- 25. 16/08/2017 Data & Information Governance Office 24
- 26. What we’ve learned so far 1. Methodically build up info sec layers 2. Every day do one thing better 3. Data governance matters 4. Info sec is a team sport 16/08/2017 Data & Information Governance Office 25
- 27. Thank you Kate Carruthers k.carruthers@unsw.edu.au 16/08/2017 Data & Information Governance Office 26