towards protecting critical infrastructure

Lauren May Information Security Institute, QUT1 of 18

Towards Protecting Critical Infrastructure

Lauren May, Tim Lane

The Role of Information Security Management in Australian Universities

Lauren May Information Security Institute, QUT2 of 18

Outline

• Goals

• IS Threats/Issues in the Tertiary Sector

• The Need for a Systemic Approach

• The Survey

• Practitioner’s Management Model

• The Trial

• Conclusion

Lauren May Information Security Institute, QUT3 of 18

Goal of this research

To improve the culture of compliance towards information security in the Australian university sector.

Lauren May Information Security Institute, QUT4 of 18

IS Threats in the Tertiary Sector

Universities:

• host a large number of diverse systems

• IT exploration and research

• reflect community standards

Lauren May Information Security Institute, QUT5 of 18

Issues in Tertiary Environment

• Challenge of cultures and technologies–academia needs

–corporate and business requirements

–transient and explorative student base

Lauren May Information Security Institute, QUT6 of 18

• Balance of requirements–conflicts of priorities

–coordinated security approach

–acceptance in environment

IS Issues in Tertiary Environment

Lauren May Information Security Institute, QUT7 of 18

The Need for a Systemic Approach to Managing Security

• existing approaches - standards–no single point of understanding

• analysis of factors and issues

• need systemic approach to ISM which will progress appropriate good practice

Lauren May Information Security Institute, QUT8 of 18

The Survey ...

• Participants: all 38 Australian universities – 100% response

– current status of ISM ?– key issues surrounding ISM ?– how to improve ISM ?

Lauren May Information Security Institute, QUT9 of 18

... The Survey – key findings

• existing approaches• awareness, understanding• structured coordinated model• management support• resources

Lauren May Information Security Institute, QUT10 of 18

Security Practitioner’s Management Model

Lauren May Information Security Institute, QUT11 of 18

Security Practitioner’s Management Model

Lauren May Information Security Institute, QUT12 of 18

Security Practitioner’s Management Model

Lauren May Information Security Institute, QUT13 of 18

Security Practitioner’s Management Model

Lauren May Information Security Institute, QUT14 of 18

Security Practitioner’s Management Model

Lauren May Information Security Institute, QUT15 of 18

Security Practitioner’s Management Model

Lauren May Information Security Institute, QUT16 of 18

Security Practitioner’s Management Model

Lauren May Information Security Institute, QUT17 of 18

In trial at Southern Cross University

• IS practitioner

• senior management

• IT staff

• non-IT staff (end users)

Lauren May Information Security Institute, QUT18 of 18

Conclusion

• IS - an important role in universities

• comprehensive survey supports concepts

• model focuses on how to transparently progress security knowledge to implementation

• in trial at Southern Cross University

• future research – benchmarking, measurement