#THETA2017
This work is licensed under a Creative Commons Attribution 4.0 International License
The Road to Institutional Information Security Management
Peter Tinson
UCISA
THETA Conference
9 May, Auckland
In the beginning…
Why do it
• Cyber security became a hot topic
• Survey identified:
  • Main risk was reputational damage
  • Main threat was accidental loss of data
  • Main asset at risk was teaching-related and HR data
• “no simple answer to the challenge of developing effective IS”
• “clear risk of developing overly bureaucratic systems”
What it is
• Good, actionable advice on information security management:
  • Advice
  • Real-world exemplar materials
  • Instructions on developing an Information Security Management System (ISMS) from where you are right now
• Designed for educational institutions, but usable by anyone
What it’s for
• Becoming ISO/IEC 27001 certified
• Showing good practice in information risk management (also known as cyber security)
• Reducing or controlling the risk of embarrassing or damaging information security incidents
Roadmap
Stage 1 – Foundations
• Understand the organisation
• Establish leadership and commitment
• Gain initial top management support
• Set policy/strategy
• Define roles and responsibilities
[§1] What is information security?
[§2] Information security governance
[§3] Relationships between drivers
[§8] Roles and competencies
[§13] Policies
Stage 2 – Planning, Assessment and Evaluation
• Define scope of activity
• Define risk assessment methodology
• Assess risk and establish risk treatment plan
• Select controls
• Define necessary resources
• Deliver business case and review
• Define competencies
[§4] Scoping
[§5] Risk assessment
[§6] Controls
[§7] Information management
[§8] Roles and competencies
[§9] Awareness raising
[§2] Information security governance
Roadmap (continued)
Stage 3 – Implementation, Support and Operation
• Establish operational support (resource, competencies, awareness etc.)
• Implement policies/controls and manage risk
• Address communication and awareness building
• Implement compliance checking vs regulations
[§5] Risk assessment
[§6] Controls
[§8] Roles and competencies
[§9] Awareness raising
[§1] What is information security?
Stage 4 – Performance, Evaluation and Improvement
• Measure and evaluate performance
• Respond effectively to incidents and when things go wrong
• Deliver continual improvement
• Implement iterative risk assessment
[§10] Measurement
[§11] When things go wrong: non-conformities and incidents
[§12] Continual improvement
[§5] Risk assessment
Stage 1 – Foundation
• Understand the organisational culture
• Identify organisational drivers
• Identify key points of control
• Establish how risk is managed
• Make initial contact with senior managers
• Explain what the problem is
• Provide outlines to them
• Get top level policy approved
Stage 2 – Planning, assessment and evaluation
• Develop an information risk management model
• This should be:
  • Congruent with existing risk management practices
  • Consistent with ISO 27001
  • Easy to explain
  • Sanity checked by those on the front line
  • Measurable
Stage 2 (continued)
• Identify key people and get them onside
• Promote it
• Present to the right people once the appetite is there
• Develop new/changed groups and functional areas
Stage 3 – Implementation, support and operation
• Programme/project management
• Generate actual KPIs
• Start new groups off strongly
• Use existing reporting lines
• Embed information risk management in standard operations
Stage 4 – Performance evaluation and improvement
• Audit – verify that controls are effective
• Learn from incidents
• Continual improvement
• Make this part of a GRC structure
Linking it all together
• Developing an ISM Tool
  • Links the elements of the IS Management System
  • Provides a repository for all things IS
Getting the message across
• Toolkit includes case studies on awareness raising (both from Cardiff)
• A number of institutions have carried out phishing exercises
• Information Security Awareness training
Information security awareness training
Working with other organisations
• Liaison with Jisc
  • use ISMT in training
  • developing (anti-)phishing service
• Promote with non-IT associations in the UK
• Promoted elsewhere – EDUCAUSE have recommended
• Happy for ISMT to be used…
Where we are in the UK
Conclusion
• It’s complicated – no silver bullet
• Set of tools to assist (developed by the community for the community)
• Toolkit recognised by Government agencies
• Happy to talk further…
• Email: execsec@ucisa.ac.uk
• Twitter: @pat3460
• ISMT: www.ucisa.ac.uk/ismt
• Information security awareness training: www.ucisa.ac.uk/infosectraining


Editor's Notes

  1. Who I am, what UCISA is. Outline UCISA’s work on information security – multi-strand approach.
  2. Starting point – Information Security Management Toolkit. Background: 2005 – auditors started to take an interest. Developed the IST – a set of template policies which took the then standard and applied a level of proportionality to them. Initial application of risk to IS policies. Following the release of a new version of the ISO standard, we took the opportunity to review the approach we had taken. We recognised that policies on their own don’t deliver effective information security and that it’s an institutional problem and not an IT problem. Consequently we decided to focus on the management of information security – the Information Security Management Toolkit was conceived. Development – one lead author, five sets of institutional contributions.
  3. Government had spent a year focussing on businesses to help them protect their intellectual property (recognising that commercial theft was an issue). Then turned focus onto universities. Highlighted cyber essentials and 20 steps to cyber security. IT largely compliant but not the university as a whole. Helped demonstrate need for university policies (supported by senior management), link to risk. Survey carried out by Universities UK – idea was that senior management completed the survey. In practice around 50% did – the remainder got their CIO to complete it…
  4. Toolkit is based on a road map – idea is that, depending on your institutional maturity, you can join the road at any point… There are four stages – Foundation, Planning, Implementation and Review.
  5. Governance, risk and compliance….
  6. Notes: The tool accompanying this publication allows an organisation to build an Information Security Management System, providing an environment to store, manage, correlate and track the components that make up an ISMS and enabling the relationships between those components to be clear and understood. It is designed so that organisations can either use parts in isolation or the whole system as a comprehensive ISMS.
  7. Developed from a UCISA Award for Excellence winner. Procured on behalf of the sector. Freely available to full UCISA members.