managing information security in education: power of enforcement or culture of security

Managing Information Security in Education: Power of Enforcement or Culture of Security. Ljubomir Trajkovski, M.Sc. CMC, Information Security Management Consultant, [email protected], Trajkovski & Partners Consulting, Skopje, Macedonia, www.e-society.mk

Upload: esocietymk4

Post on 14-Jan-2015


TRANSCRIPT

Page 1: Managing Information Security in Education: Power of Enforcement or Culture of Security

Managing Information Security in Education

Power of Enforcement or Culture of Security

Ljubomir Trajkovski, M.Sc. CMC

Information Security Management Consultant, [email protected]

Trajkovski & Partners Consulting

Skopje, Macedonia

Page 2

A Rhetorical Question

• Today:

– There are approx. 100,000 smart children in basic and high schools all over Macedonia today!

– What will we have tomorrow?

• Tomorrow we would like to have:

– Option 1: 100,000 Bill Gateses ("World ICT Champions"), or

– Option 2: 100,000 hackers (in the state prison "Idrizovo"), or

– Option 3: a reasonable (acceptable) number of Bill Gateses and hackers (IDEALLY AS MANY Bill Gateses and AS FEW cyber-prisoners in Idrizovo as possible)


Page 3

What could we do? A systematic and holistic approach (attitude) to Option 3:

1. State intervention (GoM): regulatory approach (compulsory measures)

2. Stakeholders' intervention (Association of Schools): self-regulatory approach (semi-voluntary measures)

3. Community/Society approach (NGOs, parents): awareness and education (voluntary measures)

IMPORTANT: NOT 1. or 2. or 3. BUT 1. + 2. + 3.

4. ALL KEY ACTORS MUST BE PERSISTENT!!!


Page 4

Regulatory approach (compulsory measures) - GoM

We have to have:

• A Law for Information Security Management Systems in the Public sector (including the Education sector) in RoM

Worldwide experience (ISO):

• ISO 27001 Information Security Management System Standard (ISMS)

Current experience (RoM):

• Law on Classified Data


Page 5

International Initiatives

UN: UN Resolution 57/239 (2002) on the "Creation of a global culture of cyber security"

OECD: OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (2002)

EU: EU Council Resolution on a European approach towards a culture of network and information security (2002)


Page 6

Self-Regulatory approach (semi-voluntary measures) (Assoc. of Schools)

Implementation of ISO 27001 ISMS in the education community in Macedonia:

– InfoSec awareness for school management, teachers, pupils and school IT administrators

– School InfoSec policy & procedures

– InfoSec education and training

– Regular InfoSec "internal audit" (monitoring and corrective measures)


Page 7

ISO 27001 ISMS domains

1. Security Policy

2. Organization of Information Security

3. Asset Management

4. Human Resources Security

5. Physical & Environmental Security

6. Communications & Operations Management

7. Access Control

8. Information Systems Acquisition, Development & Maintenance

9. Information Security Incident Management

10. Business Continuity Management

11. Compliance

IMPORTANT: ISO 27001 ISMS COVERS ALL REQUIREMENTS FROM THE ABOVE-MENTIONED RESOLUTIONS AND DECLARATIONS


Page 8

Community/Society approach (voluntary measures) (NGOs and each of us)

Nationwide Information Security Awareness Campaigns for:

– Children

– Their parents and families

– Schools

– Associations and NGOs working with children's issues

– Local communities / society at large


Page 10

What is next?

Let's start first!

1. NGO

– Information Security Awareness & Social Marketing

2. Schools Association (MoE?)

– Implementing & Maintaining an ISMS based on ISO 27001

3. GoM

– National Information Security Policy & Strategy

– Law for Information Security Management

Page 11

At the end of THIS session...

1. I would like to be part of the "Culture of Security" Initiative!

2. What about YOU? Join us!

3. Information Security is EVERYONE'S responsibility!

Thanks for your understanding and your attention!

Ljubomir Trajkovski, [email protected]