TRANSCRIPT
Information Security at University of East London: The Benefits (and Pitfalls) of a Framework Approach
Craig Clark - Information Security and Compliance Manager
02/05/2023
About me
» Involved in information security at UEL since 2014 – previous experience in facilities management and insurance sectors
» Not a traditional techie – background in social engineering, forensic science and risk management
» Mandate covers implementing a ‘security culture’
» Certified ISO27001 lead implementer and GDPR practitioner
The UEL information security quandary – previously:
» Sensitive data across multiple systems with multiple owners
» No consistent information governance methodology for classification and retention
» ‘Best efforts’ approach from within IT but no formal information security strategy at vice chancellor and governor level
» No full time post for information security
» Fragmented approach to information sharing
What is an information security framework in a UEL context?
» Embeds governance, responsibility and accountability values - protection at the front door
» A ‘one stop shop’ for information security and governance
» A mechanism to implement the CIA triad (confidentiality, integrity, availability) consistently across the institution
» Allows information security to align with strategic goals
» The framework aligns with the controls outlined for an ISO27001 ISMS
» Allows for a systematic approach to risk
Framework layers (diagram):
» Policy
» Signposting and awareness
» Procedures
» Processes
» Auditable evidence
Information security policy
Mandatory:
» Data protection/GDPR
» Freedom of Information
» Copyright
» Intellectual Property
» Janet network
» Prevent
» PCI-DSS
Supporting policies:
» Acceptable use
» Antivirus and malware
» Cloud services
» Social media
» Data retention
» Data classification
» Access management policy
Policies
» Updated to reflect the evolving risk landscape, especially Prevent and GDPR
» Modelled on Janet network/UCISA policies and toolkits
» For UEL it requires backing at governor level – takes time to get through various committees
» Needs Union involvement to feed into the disciplinary process for staff breaches
» Communication and accountability across all levels is vital
Signposting and awareness
» Multiple modes of delivery (intranet, internal communications, eLearning, workshops and Lynda.com)
» Dedicated workshops tailored to business function (research, service desk etc.)
» Dedicated intranet site aimed at highlighting good information security practices at work and at home
» Information security incorporated into risk management strategy and various sub-committees
Procedures and processes
» Covers the who, what, where, when and how
» Many procedures and processes exist as ‘business as usual’ activities – but documentation is key to increasing the amount of auditable evidence
» Where processes and procedures are widely applicable they must be highly visible, and people should be able to suggest improvements
» Information sharing agreements and internal audit results should be held outside the affected department – ideally by governance
Auditable evidence
» Framework allows for increased output of auditable evidence
» Several audit templates available
» ICO (Information Commissioner’s Office) has published high level audit areas
» Cloud Security Alliance
» GDPR likely to impact on evidence requirements
Conclusions
» The framework is an evolving, flexible process
» Final version will include new GDPR processes, policies and procedures
» Buy-in from the vice chancellor and governors has been vital
» It’s a long road!
» There has been resistance from some business units and academics, but overall a positive experience
Contact details
[email protected]/cogitateclark
LinkedIn: https://uk.linkedin.com/in/craig-clark-itil-cis-li-eu-gdpr-p-17480198