exeter university ig manager presentation [1]
TRANSCRIPT
‘What do you think are the key information security challenges
facing universities and how would you address them?’
By Martin Lawrence
What is information security?
Information security is the combination of technical and organisational measures deployed in an organisation that are designed to protect the confidentiality, availability and integrity of information assets.
What is an information asset?
“a body of knowledge that is organised and managed as a single entity and is of value to the university”
University of Exeter Information Classification Policy
Why protect information assets?
• Information assets are of value
• Information assets are vital to the effective day-to-day running of the university
• The university is also required by law to protect some information, e.g. personal data
• Failure to protect personal data may lead to fines / lawsuits / reputational damage
• Confidential data provided by third parties
• Failure to uphold confidentiality may lead to lawsuits / reputational damage / loss of confidence
University security challenges
• A dynamic organisation creating new information assets and with unique risks
• Creating a security culture in a changing academic and business landscape which values information security and embeds this into existing processes
• International working leading to cross-border transfers of data
• High value research data of significant national / international value that may be subjected to various internal and external threat actors
External information security threats
• Commodity Threat Actors (Phishing / Scamming)
• Advanced threat actors (national / industrial espionage)
• “Hacktivists” (seeking to do damage to the reputation of the University)
Managing information security risks
My proposal for managing information security risks is to adopt the PDCA (Plan, Do, Check, Act) approach established as part of the ISO 27001 security standard.
The Solution – PLAN
• Identify information assets and their associated risks
• Assign responsibilities for assets and associated information risks
• Assess these risks against the context of the organisation and agree priorities
• Agree which risks are acceptable, which can be transferred, which require mitigation and which require monitoring
The Solution – DO
• Establish and implement an organisation-wide information security policy
• Establish a framework for investigating breaches of information security
• Implement appropriate controls that are proportionate to the level of risk identified
• Create tailored guidance and training on how to implement these controls
• Establish and implement a communications plan to deliver heightened awareness of information security good practice
The Solution – CHECK
• Establish effective oversight and reporting of information risks to senior management and risk owners
• Review the effectiveness of controls over time
• Review intelligence from security incidents and establish whether any new risks have been identified or whether pre-existing risks need reviewing or escalating
The Solution – ACT
• Amend processes or procedures in light of any vulnerabilities identified
• Target communications, awareness exercises and training in response to any vulnerabilities identified
• Re-assess information risks following information security incidents
• Implement a revised risk treatment plan where appropriate
In Summary
• Universities are a dynamic environment whose information risk profile is constantly changing
• There needs to be a firm understanding of the nature of information risks and what these mean for the organisation
• A dynamic approach needs to be taken to ensure that risks are identified, reviewed and proportionate controls put in place
• Risks and their associated controls need to be kept under constant review so as to ensure they remain fit for purpose for the organisation
• Staff need to understand their role in creating a security-conscious organisation
Thank you for your time
Any questions?