
Runshaw College and the journey towards ISO 27001


A presentation by Alex Harding, IT manager, Runshaw College at the Jisc security conference 2019.

Published in: Technology


  1. Our Journey Towards ISO27001! Alex Harding, IT Services Manager, Runshaw College
  2. @RunshawSD Our Journey Towards ISO27001! Alex Harding, IT Services Manager, Runshaw College
  3. Our Journey (nearly) to ISO27001!
     • Runshaw College
     • IT Services
     • FE Budgets
     • Information Security in FE
     • Timeline – Runshaw College’s Information Security Journey
     • Future Plans
  4. (image slide)
  5. Two Campus College: Leyland and Chorley
  6. (map of the campuses; map data ©2019 Google, GeoBasis-DE/BKG (©2009))
  7. (map of the surrounding area: Wigan, West Lancs, Southport, Preston, Blackburn, Bolton, Leyland, Chorley)
  8. Student Numbers
     • Established in 1974/1975
     • 5000 students aged 16-19
     • 1000 Adult FE learners
     • 350+ Apprentices
     • 120 Higher Education students
     • c. 6500 “students” in total
     • 2019/2020
     • 450 students aged 16-19
  9. IT Services
  10. What Makes Us Tick?
     • ITIL – V3 at present
     • Service Desk Institute – on track for 3* audit.
     • Agile – Scrum – Agile Service Management
  11. (image slide)
  12. Cyber Security Budgets – Spare any change? Higher Education vs. Further Education: £2.80?
  13. Information Security in Further Education
  14. Information Security in FE
     • The education sector consistently falls within the top 5 sectors for the number of reported Information Security Incidents. (ICO 2019)
     • During 16/17 the sector saw a 40% increase in Info. Sec. incidents. (ICO 2019)
     • Lack of Awareness is identified as the highest risk for over 2/3rds of colleges. (Harding 2019)
  15. FE Sector – Top 5 Threats
     Threat                        Results   Rank   Change
     Lack of Awareness             69.57%    1      ▬
     Phishing/Social Engineering   56.52%    2      ▲
     Ransomware/Malware            39.13%    3=     ▼
     External Attack               39.13%    3=     ▲
     Denial of Service             34.78%    4      ▬
     • Results taken from a survey of over 30 FE IT leaders, based upon which threats are identified as High or Critical priority.
     • Rank/Change: comparisons to the JISC Security Survey 2018
  16. England
     • September 2014 – Government announce that some contracts involving personal data may require Cyber Essentials Certification.
     • No mention in FE funding documentation.
     • June 2019 – Requirement to work towards ISO27001 Certification appeared in the FE funding guidance.
     • Proposed for 20/21.
     • September 2019 – This requirement has been removed, though it may return as a future requirement.
  17. Scotland! November 2017 – Requirement for all Public Bodies:
     • by June 2018
       – Join CISP
       – Deliver Cyber Awareness/Training Package
       – Cyber Incident response plans.
     • by October 2018
       – Achieve Cyber Essentials, or
       – Achieve Cyber Essentials Plus
  18. Current Progress – England
     • Cyber Essentials Certification
       – 4% (JISC 2018)
       – 26% (Harding 2019)
     • Cyber Essentials Plus Certification
       – 0% (JISC 2018)
       – 4% (Harding 2019)
     30% 😭 No response from DfE (following FOI, March 2019)
  19. How’s Scotland Done?
                   Number   CE   CE Plus   Percentage
     Colleges      26       8    4         46.15%
     Universities  15       3    6         60.00%
     Total         41       11   10        51.22%
     Data with thanks to the Scottish Government (following FOI, March 2019). 46% 😕
  20. Our Journey
  21. Timeline
     2017 • Formal High-Level Information Security Policy Defined
  22. High Level Information Security Policy (2017)
     • Outlines our commitment to achieve and maintain:
       – Cyber Essentials by 2018.
       – Cyber Essentials Plus as soon as is practicable.
     • Moving forward, the College will develop an Information Security Management System as per ISO27001.
     • The College will consider certification of the ISMS by external audit against the ISO27001 standard.
  23. Timeline
     2017 • Formal High-Level Information Security Policy Defined
     2018 • Achieved Cyber Essentials Certification
          • Penetration Testing Carried Out (Inc. Phishing)
  24. Cyber Essentials (2018)
     • Simple, cost effective and basic. (HM Gov 2014)
     • Five key control areas: Boundary Firewalls & Gateways; Secure Configuration; Access Control; Malware Protection; Patch Management.
     • Certification achieved by self-declaration questionnaire.
     • Some certification bodies may carry out an external vulnerability scan.
     • Findings/Improvements
       – Authored Password Policy
       – 1 Warning Area – Multi Factor Authentication
  25. Penetration Testing (2018)
     • After a short tender process, JISC were selected:
       – External vulnerability scanning.
       – On-site testing of Wi-Fi and PC builds.
       – Covert attempts to breach security.
     • New for 2018 – Phishing simulation.
       • To assess the risk posed by a well-crafted phishing attempt.
       • Not to catch people out.
     • Agreement with our Governors – testing to be carried out on a biennial basis.
  26. Phishing Simulation (2018)
  27. Timeline
     2017 • Formal High-Level Information Security Policy Defined
     2018 • Achieved Cyber Essentials Certification
          • Penetration Testing Carried Out (Inc. Phishing)
     2019 • Achieved Cyber Essentials Plus Certification
          • Information Security Risk Assessment Policy Defined
          • Information Security Risk Assessment Commenced
  28. Cyber Essentials Plus (2019)
     • Same five key control areas (Boundary Firewalls & Gateways; Secure Configuration; Access Control; Malware Protection; Patch Management), plus:
       – On-site assessments
       – Internal vulnerability scans
       – Review of physical security
     • Findings/Improvements
       – Legacy OS with vulnerabilities (Windows 2003).
       – Older, vulnerable versions of:
         • Adobe Reader
         • Adobe Flash Player
         • Firefox
       – Execution of downloaded files.
       – 1 Warning Area – Multi Factor Authentication
  29. Risk Assessment Policy (2019)
     • College Risk Appetite = LOW
     • Risks will be:
       – Identified
       – Analysed
       – Evaluated
       – Treated (to LOW) or Accepted (if LOW)
     • Treatment options:
       – Avoid
       – Transfer
       – Mitigate
       – Accept
     • Resultant risks:
       – >Low – require SMT sign-off
  30. Threat Analysis (2019)
     • Started out with a Rich Picture (Checkland 1990)
     • Diagram features an overview of:
       – The College's network.
       – Datacentres.
       – Power protection.
       – Threat actors.
       – Example attack vectors.
       – General notes/queries.
  31. Risk Assessment (2019)
     • Risk assessment carried out within our ITSM tool (Jira).
     • Risks can be linked to:
       – Services & Assets.
       – Threats.
       – Control Areas (CE & ISO27002).
       – Mitigations.
     • Impact & Likelihood input:
       – Risk Level calculated.
       – Risk Treatment suggestion added.
     • Residual Impact & Likelihood input:
       – Resultant Risk Level calculated.
  32. Prioritisation of Mitigations (2019)
     • MoSCoW method used to prioritise risks and required mitigations.
     • Risk score used to define the risk, and the subsequent treatment suggestion.
     • (New) mitigations are being worked in score order (High to Low).
     • Over 200 risks identified.
       – Approx. ¾ have existing mitigations.
     MoSCoW -> (Agile Business Consortium, 2014)
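     The following is an added illustration (in Python, not code from the presentation or from Runshaw College) of the risk-register logic described in slides 29, 31 and 32: impact and likelihood give a score and level, a treatment is suggested against a LOW risk appetite, residual values give the resultant level and whether SMT sign-off is needed, and new mitigations are queued in score order with a MoSCoW priority. The 1-5 scales, the score bands, the treatment rule and the sample entries are all assumptions; the slides give none of them.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed 1-5 impact/likelihood scales and score bands (the slides give no scale).
BANDS = [(4, "Low"), (9, "Medium"), (16, "High"), (25, "Critical")]
RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
MOSCOW = {"Critical": "Must", "High": "Must", "Medium": "Should", "Low": "Could"}

def risk_level(impact: int, likelihood: int):
    """Score = impact x likelihood, mapped onto a level band."""
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood must be 1-5")
    score = impact * likelihood
    return score, next(name for bound, name in BANDS if score <= bound)

def suggest_treatment(level: str) -> str:
    """Risk appetite is LOW: accept if Low, otherwise treat down to Low (assumed rule)."""
    if level == "Low":
        return "Accept"
    return "Avoid" if level == "Critical" else "Mitigate"

@dataclass
class Risk:
    title: str
    impact: int
    likelihood: int
    residual_impact: Optional[int] = None      # values after the planned mitigation
    residual_likelihood: Optional[int] = None
    mitigation_exists: bool = False

    def assess(self) -> dict:
        score, level = risk_level(self.impact, self.likelihood)
        ri = self.impact if self.residual_impact is None else self.residual_impact
        rl = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        _, resultant = risk_level(ri, rl)
        return {"title": self.title, "score": score, "level": level,
                "treatment": suggest_treatment(level), "priority": MOSCOW[level],
                "resultant": resultant,
                "smt_sign_off": RANK[resultant] > RANK["Low"]}  # >Low needs SMT sign-off

def mitigation_backlog(risks):
    """New mitigations only (risks with none yet), worked in score order high to low."""
    return sorted((r.assess() for r in risks if not r.mitigation_exists),
                  key=lambda a: a["score"], reverse=True)

# Constructed sample register entries, not Runshaw's data.
SAMPLE = [Risk("Legacy OS with vulnerabilities (Windows 2003)", 5, 4, 2, 2),
          Risk("Staff credential phishing", 4, 4, 4, 2),
          Risk("Lost encrypted laptop", 2, 2, mitigation_exists=True),
          Risk("Outdated Adobe Flash Player", 3, 3, 1, 1)]
```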
  33. The Future?
  34. The Future
     2019 • Risk Assessment & Gap Analysis Completion
     2020 • Cyber Essentials Plus Certification (JISC)
          • Additional Mitigations Defined & Policies Authored
          • Penetration Testing (JISC)
     THEN • ISO27001 Audit????
  35. Thank you. Alex Harding, IT services, print shop and facilities manager, Runshaw College
