Joint Information Systems Committee: Supporting Higher and Further Education

Information Security: Policy and Culture
Introduction and Background

Annette Haworth, ex-Chair of ex-JCAS, Director of Information Services, The University of Reading
Background: JCAS - Issues

Security is about the confidentiality, authenticity and integrity of information.
Is HE/FE special? In general, no, but:
- large numbers of peripatetic users, shared PCs, use across public networks, home-working etc.
- possible odd deals, e.g. ILL, JISC-services...
Background: JCAS - What do we know?

Many HEIs/FEIs have not got, or cannot afford, enough technical/managerial expertise.
What definitely needs doing?
- the long-term future of JISC-services and the related authentication/authorisation service (aka: what do we do about Athens?)
- broadening of the concept to help sites
Background: What did we end up doing?

Well, yes, we did have the JISC-service related problems to solve. But the real problems institutions face are far broader.
They are technical: solutions are not without their complexities, but if there is one and you've got the money/expertise, you can use it. QED.
But what solution do you need? That depends on institutional aims and on the cultural and legal environment. Definitely not QED.
Background: JISC's Work on Security Policy and Planning

1999 - Pilot study of the BS7799 methodology
2000 - Evaluation of the BS7799 project
- Policy advice to HEIs and FECs
- Senior Management Briefing Paper
2001 - Study of user attitudes to security
An Anecdote, or How the JISC helped me to survive (so far)

Take this. Contemplate it in your own environment. Survive!
...but why is Reading still working on an information security policy?

This is not a one-person job on the side, and it's not my survival that matters; it's the institution's.
What is the institution aiming to achieve, and how can a security policy help or hinder that?
What is a policy? What is the policy? Who owns it? How is it updated?
Is it embedded in the culture? Embedded in other policies? Or a separate tick-box, get-you-through-the-audit item?
Have we done the right risk analysis? e.g. perfect security could stop our academics doing something valuable.
Introduction: Messages for the Day (1)

Policy is vital:
- Needed to establish responsibilities
- Needed as a guide when action is required
- Needed as an indication of good practice [legal compliance, auditors, e-commerce etc.]
Introduction: Messages for the Day (2)

BS7799/ISO17799 is a feasible approach to use:
- but it is hard work to implement in full
- there are alternatives which may suit you better [e.g. the German Federal Government handbook]
It is more important to get a workable policy in place than to get hung up on any one methodology!
Introduction: This session

- Information security policy: what should it aim to achieve?
- Towards an institution-wide security policy
- Security: a matter of user perception