Information security at University of East London: the benefits (and pitfalls) of a framework approach
Download as PPTX, PDF1 like1,705 views
The document discusses the benefits and challenges of implementing an information security framework at the University of East London (UEL). Previously, UEL had sensitive data across systems without consistent governance and no formal security strategy. The framework embeds governance, accountability, and protection controls. It allows UEL to systematically manage risk and align security with strategic goals. However, developing policies requires approvals and communication across all levels. While the framework provides benefits, full implementation remains an ongoing process that has faced some resistance.
Information security at University of East London: the benefits (and pitfalls) of a framework approach
- 1. Information security at University of East London: The benefits (and pitfalls) of a framework approach Craig Clark- Information Security and Compliance Manager Information Security at University of East London: The Benefits (and Pitfalls) of a Framework Approach 111/11/2016
- 2. » Involved in information security at UEL since 2014 – previous experience in facilities management and insurance sectors » Not a traditional techie – background in social engineering, forensic science and risk management » Mandate covers implementing a ‘security culture’ » Certified ISO27001 lead implementer and GDPR practitioner About me 11/11/2016 Information Security at University of East London: The Benefits (and Pitfalls) of a Framework Approach 2
- 3. » Sensitive data across multiple systems with multiple owners » No consistent information governance methodology for classification and retention » ‘Best efforts’ approach from within IT but no formal information security strategy at vice chancellor and governor level » No full time post for information security » Fragmented approach information sharing The UEL information security quandary – Previously: 11/11/2016 Information Security at University of East London: The Benefits (and Pitfalls) of a Framework Approach 3
- 4. » Embeds governance, responsibility and accountability values - protection at the front door » A ‘one stop shop’ for information security and governance » A mechanism to implement the CIA triad consistently across the institution » Allows for information security to align with strategic goals » The framework aligns with controls outlined for an ISO27001 ISMS » Allows for a systematic approach to risk What is an information security framework in a UEL context? 11/11/2016 Information Security at University of East London: The Benefits (and Pitfalls) of a Framework Approach 4
- 5. 11/11/2016 Information Security at University of East London: The Benefits (and Pitfalls) of a Framework Approach 5 Policy Signposting and awareness Procedures Processes Auditable evidence
- 6. Mandatory » Data protection/GDPR » Freedom of Information » Copyright » Intellectual Property » Janet network » Prevent » PCI-DSS Information security policy Supporting policies » Acceptable use » Antivirus and malware » Cloud services » Social media » Data retention » Data classification » Access management policy 11/11/2016 Information Security at University of East London: The Benefits (and Pitfalls) of a Framework Approach 6
- 7. » Updated to reflect evolving risk landscape especially Prevent and GDPR » Modeled on Janet network/UCISA policies and toolkits » For UEL it requires backing at governor level – takes time to get through various committees » Needs Union involvement to feed in to disciplinary process for staff breaches » Communication and accountability across all levels is vital Policies 11/11/2016 Information Security at University of East London: The Benefits (and Pitfalls) of a Framework Approach 7
- 8. » Multiple modes of delivery (intranet, internal communications, eLearning, workshops and Lynda.com) » Dedicated workshops tailored to business function (research, service desk etc) » Dedicated intranet site aimed at highlighting good information security practices at work and at home » Information security incorporated into risk management strategy and various sub-committees Signposting and awareness 11/11/2016 Information Security at University of East London: The Benefits (and Pitfalls) of a Framework Approach 8
- 9. » Covers the who, what, where when and how » Many procedures and processes exist as ‘business as usual’ activities – but documentation is key to improve the amount of auditable evidence » Where processes and procedures are widely applicable they must be highly visible and people should be able to suggest improvements » Information sharing agreements and internal audit results should be held outside the affected department – ideally by governance Procedures and processes 11/11/2016 Information Security at University of East London: The Benefits (and Pitfalls) of a Framework Approach 9
- 10. » Framework allows for increased output of auditable evidence » Several audit templates available » ICO has published high level audit areas » Cloud SecurityAlliance » GDPR likely to impact on evidence requirements Auditable evidence 11/11/2016 Information Security at University of East London: The Benefits (and Pitfalls) of a Framework Approach 10
- 11. Conclusions » The framework is an evolving, flexible process » Final version will include new GDPR processes, policies and procedures » Buy in from the vice chancellor and governor has been vital » It’s a long road! » There has been resistance from some business units and academics but overall positive experience Information Security at University of East London: The Benefits (and Pitfalls) of a Framework Approach 11
- 12. Contact details C.Clark@uel.ac.uk twitter.com/cogitateclark LinkedIn: https://uk.linkedin.com/in/craig-clark-itil-cis-li-eu-gdpr-p-17480198 Information Security at University of East London: The Benefits (and Pitfalls) of a Framework Approach 12