JISC Information Security Policy and Culture
Case study: Towards an institution-wide security policy
Brian Reynolds, Deputy Director, Computing Services
15 January 2002
"Technology is a queer thing! It brings great benefits with one hand and stabs you in the back with the other!" C. P. Snow
JISC Information Security Policy and Culture
University history and composition
Structure of Computing Services (CSV)
CSV facts and figures
University committee structure relevant to information security
Work on BS7799
KPMG audit, comments and recommendations
Benefits of implementing an information security policy
University policy development
Next steps
History of Coventry University
Started as Coventry College of Art in 1843.
Amalgamated with Lanchester College and Rugby College in 1970, then called Lanchester Polytechnic.
Changed name to Coventry Polytechnic in 1987.
Adopted the title Coventry University in 1992.
Coventry University
7 Academic Schools
15 Support Departments
–e.g. Registry, Finance, Estates, Computing Services, Personnel
Approx:
–17,000 students
–2,000 staff
CSV Structure
Director
Infrastructure
Applications and Local IT Developments
Procurement and Administration
Deputy Director
Customer Services
Help and Advice
Publicity and Information
Operations (speech and data)
Training
Total: 74 staff
CSV Facts and Figures
Laid 60 miles of fibre optic cabling
Laid 1,200 miles of copper network cabling
Installed over 18,000 network points
Provided a £1.5m Cisco network
1 million hits per month on the web server
Provided 30 high-performance NetWare servers
75,000 modules registered on WebCT so far this academic year
120 comms rooms across campus
600GB of data backed up in one cycle
CSV Facts and Figures (in the last year)
Delivered 4,000 hours of training
Handled over 220,000 calls on the switchboard
Completed 2,000 telephone moves and changes
Logged 11,000 calls on the help desk
Provided 4,573 hours of front-line help
Solved 51% of help desk problems at first line
Committees relevant to security
University
–Information Strategy Group
–Standing Advisory Group on Information & Technology
Computing Services
–CSV Security Group
BS7799 Standards
BS7799 is a British Standard developed as a common framework to enable organisations to develop, implement and measure effective security management practice. It was written to address the needs of information security management systems within organisations.
The standard relates to all information, regardless of the medium on which it is stored or where it is located. It provides guidance on the best controls available; these are grouped into distinct control areas, each further divided into individual controls that an organisation should consider when implementing effective security management.
Work on the BS7799 Standard
The BS7799 pilot study was set in motion by JISC in 1999 and involved six institutions, between them covering a range of sizes, structures and missions. These were:
Queen's University, Belfast
University of Bristol
Coventry University
University of Sunderland
University of York
College of St Mark and St John, Plymouth
Comments from the pilot sites
In the discussions with those involved there was a broad consensus on the following points:
BS7799 is a good basis on which to build an information security policy
The standard needs to be used as a guide rather than a rigid template
In places the wording and vocabulary can be hard to relate to an educational context
There were difficulties in achieving culture change in sections of the university
BS7799 certification was not worthwhile
KPMG Audit
The Scope
–KPMG conducted a detailed review at the end of 2000 to ascertain how Coventry University complied with the BS7799 Information Security standard.
The Objective
–To gain a detailed appreciation of how far the University was compliant with the standard and of the areas where the University could make improvements.
KPMG Findings
KPMG thought the University was generally OK
42 specific areas were looked at
5 recommendations for future action were made
KPMG Comments
Information security specialist advice is received from JANET-CERT.
The University's Information System Principles document provides best practice for the management and provision of IT services.
There is a policy for access to University systems by third parties.
Data custodians have been established for the authorisation of access to corporate systems.
KPMG Comments
CSV job descriptions clearly define security roles and responsibilities.
A policy is in place for dealing with security breaches.
Confidentiality agreements are part of the contract of employment signed by staff.
Security breaches are enforceable under the code of conduct and are dealt with under the HR / University disciplinary procedure.
KPMG Comments
Secure areas/locations have been established.
All secure areas are well controlled.
Each University block has two fibre optic connections to other blocks to ensure continuity of service.
Removal of property from the University must be approved by the finance department.
Loan laptops are signed in and out, and guidance is given on the use and security of the laptops.
KPMG Comments
A change management service release and review procedure exists.
Financial duties are effectively segregated.
Payroll uses BACS to transmit payments from a separate stand-alone machine.
CSV uses software to monitor capacity requirements and which applications are running.
Priority levels are allocated to each fault reported to the help desk.
KPMG Comments
All back-up tapes are stored in a fireproof safe, and a catalogue is kept to record each tape's (off-site) location.
Staff leavers are removed from distribution lists.
Formal procedures are in place for the creation, amendment and deletion of user accounts.
CSV reviews security logs on a weekly basis to identify unsuccessful access attempts.
A password policy exists, and guidance is provided in security policy leaflets, the policy on security of IT facilities and the student handbook.
We have an academic school with tons of data produced every day. They insist on backing up the stuff themselves, though they have a support agreement with us. Anyway, one of their administrators put a DAT tape into the drive every night and removed it the next morning, labelled it, and stored it in a closet. One day the disk crashed. They called us because they couldn't restore the data from tape for some reason. It turned out that although they did put a tape in every night, remove it every morning, label it, and store it, what they forgot to do was run the backup script. They had a year's supply of backup tapes, neatly dated, and all of them empty!
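As an added example (not from the presentation or the University), a minimal backup wrapper that would have caught the empty-tape failure above: it does not report success until the archive it wrote is non-empty, readable by tar, and contains a file that must be present. The tape is modelled as an ordinary file path; all paths, file names and function names are assumptions.

```shell
#!/bin/sh
# Added example: run a backup, then verify the result before the tape is
# labelled and filed. The "tape" is an ordinary file path (assumption).

# run_backup SRC_DIR ARCHIVE: write a tar archive of SRC_DIR to ARCHIVE.
run_backup() {
    src="$1"; archive="$2"
    tar -cf "$archive" -C "$src" . || return 1
}

# verify_backup ARCHIVE EXPECTED_FILE: succeed only if the archive is
# non-empty, tar can list it, and the listing contains EXPECTED_FILE.
# This is the check the school in the story never had: a neatly labelled
# but empty tape passes every other step of their routine.
verify_backup() {
    archive="$1"; expected="$2"
    if [ ! -s "$archive" ]; then
        echo "FAIL: $archive is missing or empty" >&2
        return 1
    fi
    listing=$(tar -tf "$archive" 2>/dev/null) || {
        echo "FAIL: $archive is not a readable archive" >&2
        return 1
    }
    if printf '%s\n' "$listing" | grep -qF -- "$expected"; then
        echo "OK: $archive contains $expected"
        return 0
    fi
    echo "FAIL: $expected not found in $archive" >&2
    return 1
}

# nightly_backup SRC_DIR ARCHIVE EXPECTED_FILE: backup, then verify.
# A non-zero exit means the tape must NOT be recorded as a good backup.
nightly_backup() {
    run_backup "$1" "$2" && verify_backup "$2" "$3"
}
```

Wiring the non-zero exit into the tape catalogue (or a help desk ticket) is what turns the check into a control; a verification that only prints to a console nobody reads repeats the original failure.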
KPMG Comments
Admin and academic networks are separated, with VLANs restricting access.
Controls are considered at the specification stage for the development/procurement of new systems.
Special access privileges are granted to gain access to databases.
KPMG Comments
The impact of upgrades to systems is assessed by CSV management before they are actioned.
All University purchases are made through the purchasing department, subject to University purchasing rules.
No modifications are carried out to standard software.
The University completed a risk assessment as part of the business continuity project.
KPMG Comments
A framework provided by PricewaterhouseCoopers has been used in the compilation of continuity plans, identifying testing and maintenance priorities.
The University monitors Internet usage and prevents users from accessing undesirable Internet sites.
There is a central register for recording software licences.
The staff handbook contains guidance on copyright responsibilities.
KPMG Summary
The University has made excellent progress against the standard, with 70% of controls now in place.
A presentation to raise senior management awareness needs to be made.
KPMG Recommendations
An all-encompassing security policy needs developing.
A review of the current documentation should be undertaken to identify any areas which could be rationalised.
Information classifications should be allocated to identify sensitive and critical information.
KPMG Recommendations (cont.)
The University should complete an Information Security Management System (ISMS).
The ISMS should include an appropriate risk assessment for each information system and determine the scope to be certified.
The boundaries of the system are defined in terms of organisation, location, assets and technology.
KPMG Recommendations (cont.)
BS7799 developments should continue and be aligned with the work carried out for the Data Protection Act.
Benefits of implementing an Information Security Policy
The purpose of information security management is to ensure business continuity and to reduce business damage by preventing and minimising the impact of security incidents. Reports show that fraud or cases of IT abuse often occur due to the absence of basic controls, with one-half of all detected frauds found by accident.
Information is a vital asset in any organisation. The protection and security of this information is of prime importance to many aspects of an organisation's business. It is important that an organisation should not only implement a set of controls and procedures for information security but also manage and maintain them.
Demonstrating good information security will be seen as a benefit by trading partners who may be involved in the transfer of information. EDI is not widely used within the University, but this is still an important issue.
University Policy Development
JISC advice helpful
–examples from other sites
Existing documents identified
Scope includes non-electronic information
JISC titles + Policy Statement
Supplementary documents produced
Next Steps
Formal approval of the Policy
Formal process for suspected security breaches
Procedures for staff departures
Awareness exercise for Information Custodians … and others