Information security at University of East London: the benefits (and pitfalls) of a framework approach
Craig Clark, Information Security and Compliance Manager
Information Security at University of East London: The Benefits (and Pitfalls) of a Framework Approach 05/07/2022

Upload: jisc

Post on 09-Jan-2017

Category: Technology

Page 1: Information security at University of East London: the benefits (and pitfalls) of a framework approach

Craig Clark, Information Security and Compliance Manager

Page 2: About me

» Involved in information security at UEL since 2014 – previous experience in facilities management and insurance sectors
» Not a traditional techie – background in social engineering, forensic science and risk management
» Mandate covers implementing a ‘security culture’
» Certified ISO27001 lead implementer and GDPR practitioner

Page 3: The UEL information security quandary – previously:

» Sensitive data across multiple systems with multiple owners
» No consistent information governance methodology for classification and retention
» ‘Best efforts’ approach from within IT but no formal information security strategy at vice chancellor and governor level
» No full-time post for information security
» Fragmented approach to information sharing

Page 4: What is an information security framework in a UEL context?

» Embeds governance, responsibility and accountability values – protection at the front door
» A ‘one stop shop’ for information security and governance
» A mechanism to implement the CIA triad consistently across the institution
» Allows information security to align with strategic goals
» The framework aligns with the controls outlined for an ISO27001 ISMS
» Allows for a systematic approach to risk

Page 5: The framework (diagram)

» Policy
» Signposting and awareness
» Procedures
» Processes
» Auditable evidence

Page 6: Information security policy

Mandatory:
» Data protection/GDPR
» Freedom of Information
» Copyright
» Intellectual Property
» Janet network
» Prevent
» PCI-DSS

Supporting policies:
» Acceptable use
» Antivirus and malware
» Cloud services
» Social media
» Data retention
» Data classification
» Access management policy

Page 7: Policies

» Updated to reflect the evolving risk landscape, especially Prevent and GDPR
» Modelled on Janet network/UCISA policies and toolkits
» For UEL it requires backing at governor level – takes time to get through various committees
» Needs Union involvement to feed into the disciplinary process for staff breaches
» Communication and accountability across all levels is vital

Page 8: Signposting and awareness

» Multiple modes of delivery (intranet, internal communications, eLearning, workshops and Lynda.com)
» Dedicated workshops tailored to business function (research, service desk etc.)
» Dedicated intranet site aimed at highlighting good information security practices at work and at home
» Information security incorporated into the risk management strategy and various sub-committees

Page 9: Procedures and processes

» Cover the who, what, where, when and how
» Many procedures and processes exist as ‘business as usual’ activities, but documentation is key to increasing the amount of auditable evidence
» Where processes and procedures are widely applicable they must be highly visible, and people should be able to suggest improvements
» Information sharing agreements and internal audit results should be held outside the affected department – ideally by governance

Page 10: Auditable evidence

» The framework allows for increased output of auditable evidence
» Several audit templates available
» ICO has published high-level audit areas
» Cloud Security Alliance
» GDPR likely to impact on evidence requirements

Page 11: Conclusions

» The framework is an evolving, flexible process
» Final version will include new GDPR processes, policies and procedures
» Buy-in from the vice chancellor and governors has been vital
» It’s a long road!
» There has been resistance from some business units and academics, but overall a positive experience

Page 12: Contact details

[email protected]/cogitateclark

LinkedIn: https://uk.linkedin.com/in/craig-clark-itil-cis-li-eu-gdpr-p-17480198