Security overview at Lancaster University
Uploaded by lancaster-university-library
Transcript of Security overview at Lancaster University
Summary
• External Requirements
– Cyber Essentials Plus
– IG Toolkit
– ISO 27001
• Information Classification
– Personal and Sensitive personal
• Information Transfer/Storage/Disposal
• Questions
External Requirements
Research grants now frequently require external accreditation:
• Cyber Essentials
• Information Governance (IG) Toolkit
• ISO27001
Cyber Essentials Plus
Cyber Essentials is a basic scheme developed by the UK Government and industry to address IT security.
• Launched in 2014
• LU certified in January 2017
• Mainly focused on the endpoint (desktop/laptop)
• Required by a large number of government bodies
• Research Councils UK are considering making it a requirement
• Windows 10
• No admin rights on desktops
IG Toolkit
The IG Toolkit is used by the NHS to assess how organisations process and handle information covering personal data.
• More mature and granular
• Policy driven
• Less specific around technical detail
• Achieved in the past on a small scale
• Looking at how we can expand this
ISO 27001
ISO27001:2013 is a specification for an information security management system (ISMS).
• Very mature
• Policy heavy
• Very hard to achieve at organisation level
• No current offering, but a number of our policies align with the standard
University Policy: Information Classification
Ordinary
• Information that has no constraints on its publication
• Available to all including external parties
Confidential
• Information of internal interest or being prepared for publication
• Recipients may forward to others within the control of the University, e.g. under a confidentiality agreement
Restricted
• Information which is for circulation to named recipients only
Personal
• Protected by law
• Access should be by relevant staff only
• The information can be circulated to named recipients only
Personal and Sensitive personal
• Personal data means data which relate to a living individual who can be identified by the data
• Sensitive personal data means personal data consisting of information as to:
– Racial or ethnic origin
– Political opinions, religious beliefs or others of a similar nature
– Physical or mental health
– Sexual life
– Any offences
Storage
Where can data be stored?
• Laptops and Desktops (encrypted with physical security)
• Central file store (correctly permissioned)
• Cloud – Box (Not Dropbox)
• Printed copies – physically secured
• Memory cards, external disks, etc. are not advised
http://www.lancaster.ac.uk/iss/security/advice