Exeter university ig manager presentation [1]
‘What do you think are the key information security challenges
facing universities and how would you address them?’
By Martin Lawrence
What is information security?
Information security is the combination of technical and organisational measures deployed in an organisation that are designed to protect the confidentiality, availability and integrity of information assets.
What is an information asset?
“a body of knowledge that is organised and managed as a single entity and is of value to the university”
University of Exeter Information Classification Policy
Why protect information assets?
• Information assets are of value
• Information assets are vital to the effective day-to-day running of the university
• The university is also required by law to protect some information, e.g. personal data
• Failure to protect personal data may lead to fines / lawsuits / reputational damage
• Confidential data provided by third parties
• Failure to uphold confidentiality may lead to lawsuits / reputational damage / loss of confidence
University security challenges
• A dynamic organisation creating new information assets and with unique risks
• Creating a security culture, in a changing academic and business landscape, that values information security and embeds it in existing processes
• International working leading to cross-border transfers of data
• High-value research data of significant national / international value that may be targeted by a range of internal and external threat actors
External information security threats
• Commodity threat actors (phishing / scamming)
• Advanced threat actors (national / industrial espionage)
• Hacktivists (seeking to damage the reputation of the University)
Managing information security risks
My proposal for managing information security risks is to adopt the PDCA approach established as part of the ISO 27001 security standard.
The Solution – PLAN
• Identifying information assets and their associated risks
• Assigning responsibilities for assets and their associated information risks
• Assessing these risks in the context of the organisation and agreeing priorities
• Agreeing which risks are acceptable, which can be transferred, which require mitigation and which require monitoring
The Solution – DO
• Establish and implement an organisation-wide information security policy
• Establish a framework for investigating breaches of information security
• Implement appropriate controls that are proportionate to the level of risk identified
• Create tailored guidance and training on how to implement these controls
• Establish and implement a communications plan to deliver heightened awareness of information security good practice
The Solution – CHECK
• Establish effective oversight and reporting of information risks to senior management and risk owners
• Review the effectiveness of controls over time
• Review intelligence from security incidents and establish whether any new risks have been identified or whether pre-existing risks need reviewing or escalating
The Solution – ACT
• Amend processes or procedures in light of any vulnerabilities identified
• Target communications, awareness exercises and training in response to any vulnerabilities identified
• Re-assess information risks following information security incidents
• Implement a revised risk treatment plan where appropriate
In Summary
• Universities are dynamic environments whose information risk profiles are constantly changing
• There needs to be a firm understanding of the nature of information risks and what they mean for the organisation
• A dynamic approach needs to be taken to ensure that risks are identified and reviewed and that proportionate controls are put in place
• Risks and their associated controls need to be kept under constant review so as to ensure they remain fit for purpose for the organisation
• Staff need to understand their role in creating a security conscious organisation
Thank you for your time
Any questions?