1. Information security at University of East London: the benefits (and pitfalls) of a framework approach
Craig Clark - Information Security and Compliance Manager
Information Security at University of East London: The Benefits (and Pitfalls) of a Framework Approach, 11/11/2016
2. About me
» Involved in information security at UEL since 2014 – previous experience in facilities management and insurance sectors
» Not a traditional techie – background in social engineering, forensic science and risk management
» Mandate covers implementing a ‘security culture’
» Certified ISO27001 lead implementer and GDPR practitioner
3. The UEL information security quandary – previously:
» Sensitive data across multiple systems with multiple owners
» No consistent information governance methodology for classification and retention
» ‘Best efforts’ approach from within IT but no formal information security strategy at vice chancellor and governor level
» No full-time post for information security
» Fragmented approach to information sharing
4. What is an information security framework in a UEL context?
» Embeds governance, responsibility and accountability values – protection at the front door
» A ‘one stop shop’ for information security and governance
» A mechanism to implement the CIA triad consistently across the institution
» Allows for information security to align with strategic goals
» The framework aligns with controls outlined for an ISO27001 ISMS
» Allows for a systematic approach to risk
5. The framework (diagram): Policy, Signposting and awareness, Procedures, Processes, Auditable evidence
6. Information security policy
Mandatory:
» Data protection/GDPR
» Freedom of Information
» Copyright
» Intellectual Property
» Janet network
» Prevent
» PCI-DSS
Supporting policies:
» Acceptable use
» Antivirus and malware
» Cloud services
» Social media
» Data retention
» Data classification
» Access management policy
7. Policies
» Updated to reflect evolving risk landscape, especially Prevent and GDPR
» Modelled on Janet network/UCISA policies and toolkits
» For UEL it requires backing at governor level – takes time to get through various committees
» Needs Union involvement to feed in to disciplinary process for staff breaches
» Communication and accountability across all levels is vital
8. Signposting and awareness
» Multiple modes of delivery (intranet, internal communications, eLearning, workshops and Lynda.com)
» Dedicated workshops tailored to business function (research, service desk etc.)
» Dedicated intranet site aimed at highlighting good information security practices at work and at home
» Information security incorporated into risk management strategy and various sub-committees
9. Procedures and processes
» Covers the who, what, where, when and how
» Many procedures and processes exist as ‘business as usual’ activities – but documentation is key to increasing the amount of auditable evidence
» Where processes and procedures are widely applicable they must be highly visible and people should be able to suggest improvements
» Information sharing agreements and internal audit results should be held outside the affected department – ideally by governance
10. Auditable evidence
» Framework allows for increased output of auditable evidence
» Several audit templates available
» ICO has published high-level audit areas
» Cloud Security Alliance
» GDPR likely to impact on evidence requirements
11. Conclusions
» The framework is an evolving, flexible process
» Final version will include new GDPR processes, policies and procedures
» Buy-in from the vice chancellor and governors has been vital
» It’s a long road!
» There has been resistance from some business units and academics, but overall a positive experience