Exeter university ig manager presentation [1]

Page 1

‘What do you think are the key information security challenges facing universities and how would you address them?’

By Martin Lawrence

Page 2

What is information security?

Information security is the combination of technical and organisational measures deployed in an organisation that are designed to protect the confidentiality, availability and integrity of information assets.

Page 3

What is an information asset?

“a body of knowledge that is organised and managed as a single entity and is of value to the university”

University of Exeter Information Classification Policy

Page 4

Why protect information assets?

• Information assets are of value

• Information assets are vital to the effective day-to-day running of the university

• The university is also required by law to protect some information, e.g. personal data

• Failure to protect personal data may lead to fines / lawsuits / reputational damage

• Confidential data provided by third parties

• Failure to uphold confidentiality may lead to lawsuits / reputational damage / loss of confidence

Page 5

University security challenges

• A dynamic organisation creating new information assets and with unique risks

• Creating a security culture in a changing academic and business landscape which values information security and embeds this into existing processes

• International working leading to cross-border transfers of data

• High value research data of significant national / international value that may be subject to various internal and external threat actors

Page 6

External information security threats

• Commodity Threat Actors (Phishing / Scamming)

• Advanced threat actors (national / industrial espionage)

• “Hacktivists” (seeking to do damage to the reputation of the University)

Page 7

Managing information security risks

My proposal for managing information security risks is to adopt the PDCA (Plan, Do, Check, Act) approach established as part of the ISO 27001 security standard.

Page 8

The Solution – PLAN

• Identify information assets and their associated risks

• Assign responsibilities for assets and associated information risks

• Assess these risks against the context of the organisation and agree priorities

• Agree which risks are acceptable, which can be transferred, which require mitigation and which require monitoring

Page 9

The Solution – DO

• Establish and implement an organisation-wide information security policy

• Establish a framework for investigating breaches of information security

• Implement appropriate controls that are proportionate to the level of risk identified

• Create tailored guidance and training on how to implement these controls

• Establish and implement a communications plan to deliver heightened awareness of information security good practice

Page 10

The Solution – CHECK

• Establish effective oversight and reporting of information risks to senior management and risk owners

• Review the effectiveness of controls over time

• Review intelligence from security incidents and establish whether any new risks have been identified or whether pre-existing risks need reviewing or escalating

Page 11

The Solution – ACT

• Amend processes or procedures in light of any vulnerabilities identified

• Target communications, awareness exercises and training in response to any vulnerabilities identified

• Re-assess information risks following information security incidents

• Implement a revised risk treatment plan where appropriate

Page 12

In Summary

• Universities are a dynamic environment whose information risk profile is constantly changing

• There needs to be a firm understanding of the nature of information risks and what these mean for the organisation

• A dynamic approach needs to be taken to ensure that risks are identified, reviewed and proportionate controls put in place

• Risks and their associated controls need to be kept under constant review to ensure they remain fit for purpose for the organisation

• Staff need to understand their role in creating a security-conscious organisation

Page 13

Thank you for your time. Any questions?