The document outlines a 4-stage roadmap for developing an Information Security Management System (ISMS) for educational institutions. Stage 1 involves understanding the organization, gaining leadership support, and setting policy. Stage 2 is planning, risk assessment, and control selection. Stage 3 is implementation, operation, and awareness building. Stage 4 is performance evaluation, incident response, and continual improvement. The toolkit provided includes guidance, examples, and tools to help institutions implement an effective ISMS.
The Road to Institutional Security Management
#THETA2017
This work is licensed under a Creative Commons Attribution 4.0 International License
The Road to Institutional Information Security Management
Peter Tinson
UCISA
THETA Conference, 9 May, Auckland
Why do it
• Cyber security became a hot topic
• Survey identified:
  • Main risk was reputational damage
  • Main threat was accidental loss of data
  • Main assets at risk were teaching-related and HR data
  • “no simple answer to the challenge of developing effective IS”
  • “clear risk of developing overly bureaucratic systems”
What it is
• Good, actionable advice on information security management:
  • Advice
  • Real-world exemplar materials
  • Instructions on developing an Information Security Management System (ISMS) from where you are right now
• Designed for educational institutions, but usable by anyone
What it’s for
• Becoming ISO/IEC 27001 certified
• Showing good practice in information risk management (also known as cyber security)
• Reducing or controlling the risk of embarrassing or damaging information security incidents
Roadmap
Stage 1 – Foundations
• Understand the organisation
• Establish leadership and commitment
• Gain initial top management support
• Set policy/strategy
• Define roles and responsibilities
Toolkit sections: [§1] What is information security?; [§2] Information security governance; [§3] Relationships between drivers; [§8] Roles and competencies; [§13] Policies

Stage 2 – Planning, Assessment and Evaluation
• Define scope of activity
• Define risk assessment methodology
• Assess risk and establish risk treatment plan
• Select controls
• Define necessary resources
• Deliver business case and review
• Define competencies
Toolkit sections: [§4] Scoping; [§5] Risk assessment; [§6] Controls; [§7] Information management; [§8] Roles and competencies; [§9] Awareness raising; [§2] Information security governance
Roadmap (continued)
Stage 3 – Implementation, Support and Operation
• Establish operational support (resource, competencies, awareness etc.)
• Implement policies/controls and manage risk
• Address communication and awareness building
• Implement compliance checking vs regulations
Toolkit sections: [§5] Risk assessment; [§6] Controls; [§8] Roles and competencies; [§9] Awareness raising; [§1] What is information security?

Stage 4 – Performance, Evaluation and Improvement
• Measure and evaluate performance
• Respond effectively to incidents and when things go wrong
• Deliver continual improvement
• Implement iterative risk assessment
Toolkit sections: [§10] Measurement; [§11] When things go wrong: non-conformities and incidents; [§12] Continual improvement; [§5] Risk assessment
Stage 1 – Foundation
• Understand the organisational culture
• Identify organisational drivers
• Identify key points of control
• Establish how risk is managed
• Make initial contact with senior managers
• Explain what the problem is
• Provide outlines to them
• Get top level policy approved
Stage 2 – Planning, assessment and evaluation
• Develop an information risk management model
• This should be:
  • Congruent with existing risk management practices
  • Consistent with ISO 27001
  • Easy to explain
  • Sanity checked by those on the front line
  • Measurable
Stage 2 (continued)
• Identify key people and get them onside
• Promote it
• Present to the right people once the appetite is there
• Develop new/changed groups and functional areas
Stage 3 – Implementation, support and operation
• Programme/project management
• Generate actual KPIs
• Start new groups off strongly
• Use existing reporting lines
• Embed information risk management in standard operations
Stage 4 – Performance evaluation and improvement
• Audit – verify that controls are effective
• Learn from incidents
• Continual improvement
• Make this part of a GRC structure
Linking it all together
• Developing an ISM Tool
  • Links the elements of the IS Management System
  • Provides a repository for all things IS
Getting the message across
• Toolkit includes case studies on awareness raising (both from Cardiff)
• A number of institutions have carried out phishing exercises
• Information Security Awareness training
Working with other organisations
• Liaison with Jisc
  • Use ISMT in training
  • Developing (anti-)phishing service
• Promote with non-IT associations in the UK
• Promoted elsewhere – EDUCAUSE have recommended
• Happy for ISMT to be used…
Conclusion
• It’s complicated – no silver bullet
• Set of tools to assist (developed by the community for the community)
• Toolkit recognised by Government agencies
• Happy to talk further…
• Email: execsec@ucisa.ac.uk
• Twitter: @pat3460
• ISMT: www.ucisa.ac.uk/ismt
• Information security awareness training: www.ucisa.ac.uk/infosectraining
Editor's Notes
Who I am, what UCISA is.
Outline UCISA’s work on information security – multi-strand approach
Starting point – Information Security Management Toolkit
Background. 2005 – auditors started to take an interest
Developed the IST – set of template policies which took the then standard and applied a level of proportionality to them. Initial application of risk to IS policies
Following the release of a new version of the ISO standard, we took the opportunity to review the approach we had taken. We recognised that policies on their own don’t deliver effective information security and that it’s an institutional problem and not an IT problem. Consequently we decided to focus on the management of information security – the Information Security Management Toolkit was conceived.
Development – one lead author, five sets of institutional contributions
Government had spent a year focussing on businesses to help them protect their intellectual property (recognising that commercial theft was an issue). Then turned focus onto universities. Highlighted cyber essentials and 20 steps to cyber security. IT largely compliant but not the university as a whole. Helped demonstrate need for university policies (supported by senior management), link to risk
Survey carried out by Universities UK – idea was that senior management completed the survey. In practice around 50% did – the remainder got their CIO to complete it…
Toolkit is based on a road map – idea is that, depending on your institutional maturity, you can join the road at any point…
There are four stages – Foundation, Planning, Implementation and Review
Governance, risk and compliance…
Notes: The tool accompanying this publication allows an organisation to build an Information Security Management System, providing an environment to store, manage, correlate and track the components that make up an ISMS and enabling the relationships between those components to be clear and understood. It is designed so that organisations can either use parts in isolation or the whole system as a comprehensive ISMS.
Developed from a UCISA Award for Excellence winner
Procured on behalf of the sector
Freely available to full UCISA members