
Page 1

JISC Information Security Policy and Culture

Case study: Towards an institution-wide security policy

Brian Reynolds, Deputy Director, Computing Services

15 January 2002

Page 2

“Technology is a queer thing! It brings great benefits with one hand and stabs you in the back with the other!”

C. P. Snow

Page 3

JISC Information Security Policy and Culture

• University history and composition
• Structure of Computing Services (CSV)
• CSV facts and figures
• University committee structure relevant to information security
• Work on BS7799
• KPMG audit, comments and recommendations
• Benefits of implementing information security policy
• University policy development
• Next steps

Page 4

History of Coventry University

• Started as Coventry College of Art in 1843.
• Amalgamated with Lanchester College and Rugby College in 1970.
• Then called Lanchester Polytechnic.
• Changed name to Coventry Polytechnic in 1987.
• Adopted the title Coventry University in 1992.

Page 5

Coventry University

• 7 Academic Schools
• 15 Support Departments
  – e.g. Registry, Finance, Estates, Computing Services, Personnel
• Approx:
  – 17,000 students
  – 2,000 staff

Page 6

CSV Structure

Director
– Infrastructure
– Applications and Local IT Developments
– Procurement and Administration

Deputy Director
– Customer Services
– Help and Advice
– Publicity and Information
– Operations (speech and data)
– Training

Total 74 staff

Page 7

CSV facts and figures

• Laid 60 miles of fibre optic cabling
• Laid 1,200 miles of copper network cabling
• Installed over 18,000 network points
• Provided a £1.5m Cisco network
• 1 million hits per month on the web server
• Provided 30 high-performance NetWare servers
• 75,000 modules registered on WebCT so far this academic year
• 120 comms rooms across campus
• 600GB data backed up in one cycle

Page 8

CSV facts and figures in the last year

• Delivered 4,000 hours of training
• Handled over 220,000 calls on the switchboard
• Completed 2,000 telephone moves and changes
• Logged 11,000 calls on the help desk
• Provided 4,573 hours of front line help
• Solved 51% of help desk problems at first line

Page 9

Quarantine

One of our help desk staff received a call from the PA to the Finance Director reporting that one of her floppy disks had caused our virus checker to flash a very alarming message. She was asked to put the disk to one side until a member of staff visited her. When they arrived at her office, they were directed to a corner desk where a disk box had been set up with a yellow post-it note reading "Quarantine."

She explained she had put the disk in this separate disk box so it wouldn't infect the other floppies!

Page 10

Committees relevant to security

• University
  – Information Strategy Group
  – Standing Advisory Group on Information & Technology
• Computing Services
  – CSV Security Group

Page 11

BS7799 Standards

• BS7799 is a British Standard developed as a common framework to enable companies to develop, implement and measure effective security management practice. BS7799 has been provided to address the needs of information security management systems within organisations.

Page 12

• The standard relates to all information, regardless of the media on which it is stored, or where it is located. The standard provides guidance to the best controls available, which are split into distinct control areas, which are further divided into individual controls which should be considered by an organisation when implementing effective security management.

Page 13

Work on BS7799 Standard

• The BS7799 pilot study was set in motion by JISC in 1999 and involved six institutions, between them covering a range of sizes, structures and missions. These were:
  – Queen’s University, Belfast
  – University of Bristol
  – Coventry University
  – University of Sunderland
  – University of York
  – College of St Mark and St John, Plymouth

Page 14

Comments from the pilot sites

In the discussions with those involved there was a broad consensus on the following points:

• BS7799 is a good basis on which to build an information security policy

• The standard needs to be used as a guide rather than a rigid template

• In places the wording and vocabulary can be hard to relate to an educational context

• There were difficulties in achieving culture change in sections of the university

• BS7799 certification was not worthwhile

Page 15

KPMG Audit

• The Scope
  – KPMG conducted a detailed review at the end of 2000 to ascertain how Coventry University complied with the BS7799 Information Security standard.
• The Objective
  – To gain a detailed appreciation of how the University was compliant with the standard and the areas where the University could make improvements

Page 16

KPMG Findings

• KPMG thought the University was generally OK

• 42 specific areas were looked at

• 5 recommendations for future action were made

Page 17

KPMG Comments

• Information Security specialist advice is received from JANET-CERT.

• The University’s Information System Principles document provides best practice for the management and provision of IT services.

• There is a policy for access to University systems by third parties.

• Data custodians have been established for authorisation of access to corporate systems.

Page 18

KPMG Comments

• CSV job descriptions clearly define security roles and responsibilities

• A policy is in place for dealing with security breaches.

• Confidentiality agreements are part of the contract of employment which is signed by staff.

• Security breaches are enforceable under the code of conduct and are dealt with under the HR / University disciplinary procedure.

Page 19

KPMG Comments

• Secure areas/locations have been established
• All secure areas are well controlled
• Each University block has two fibre optic connections to other blocks to ensure continuity of service
• Removal of property from the University must be approved by the finance department
• Loan laptops are signed in and out and guidance is given for the use and security of the laptops

Page 20

KPMG Comments

• A change management service release and review procedure exists.
• Financial duties are effectively segregated.
• Payroll uses BACS to transmit payments on a separate stand-alone machine.
• CSV use software to monitor capacity requirements and what applications are running.
• Priority levels are allocated to each fault reported to the helpdesk.

Page 21

KPMG Comments

• All back-up tapes are stored in a fireproof safe and a catalogue is kept to record each tape's location (off site).
• Staff leavers are removed from distribution lists.
• Formal procedures are in place for the creation, amendment and deletion of user accounts.
• CSV review security logs on a weekly basis to determine unsuccessful access attempts.
• A password policy exists and guidance is provided in security policy leaflets, the policy on security of IT facilities and the student handbook.

Page 22

We have an academic school with tons of data produced every day. They insist on backing up the stuff themselves, though they have a support agreement with us. Anyway, one of their administrators put a DAT tape into the drive every night and removed it the next morning, labelled it, and stored it in a closet. One day the disk crashed.

They called us because they couldn't restore the data from tape for some reason. It turned out that although they did put a tape in every night, remove it every morning, label it, and store it, what they forgot to do was run the backup script. They had a year's supply of backup tapes, neatly dated, and all of them empty!
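The lesson of that story is that a tape rotated on schedule proves nothing about what is on it; a backup only counts once it has been read back and checked. The Python below is an added example (not code from Coventry University, KPMG or JISC) of such a check over a tar archive: it counts members and payload bytes, rejects an archive that opens cleanly but holds nothing, and confirms the newest file falls inside the expected backup window. The archives, thresholds and the `verify_backup` / `make_archive` names are assumptions constructed for the example.

```python
"""Backup verification check (added example, not the university's own tooling).

It models the failure mode in the anecdote: the tape rotation ran every night
but the backup job never did, so every tape was empty. Instead of trusting the
schedule, the check opens the archive, counts what is inside, and checks that
the data is recent enough to be the backup that was supposed to run.
"""

import io
import tarfile
import time
from dataclasses import dataclass

# Thresholds are assumptions for the example; a real site would tune them
# to the expected size of the nightly backup.
MIN_MEMBERS = 1
MIN_PAYLOAD_BYTES = 1


@dataclass
class BackupReport:
    members: int          # number of entries in the archive
    payload_bytes: int    # total bytes of regular-file content
    written_at: float     # newest member mtime, epoch seconds (0.0 if none)
    problems: list        # empty list means the backup passes


def verify_backup(archive_bytes: bytes, now: float, max_age_seconds: float) -> BackupReport:
    """Inspect a tar archive held in memory and report whether it is usable."""
    if len(archive_bytes) == 0:
        # A blank "tape": nothing was ever written to it.
        return BackupReport(0, 0, 0.0, ["archive is zero bytes"])

    members = 0
    payload = 0
    newest = 0.0
    try:
        with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
            for info in tar:
                members += 1
                if info.isfile():
                    payload += info.size
                newest = max(newest, float(info.mtime))
    except tarfile.TarError as exc:
        return BackupReport(0, 0, 0.0, [f"archive unreadable: {exc}"])

    problems = []
    if members < MIN_MEMBERS:
        # Valid tar framing with no entries: the job produced an empty archive.
        problems.append("archive contains no files")
    if payload < MIN_PAYLOAD_BYTES:
        problems.append("archive contains no data")
    if members and now - newest > max_age_seconds:
        # Entries exist but are older than the window: last night's run did not happen.
        problems.append("newest file is older than the backup window")
    return BackupReport(members, payload, newest, problems)


def make_archive(files: dict, mtime: float) -> bytes:
    """Build a tar archive in memory from {name: text}; constructed sample data."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = int(mtime)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    now = time.time()
    one_day = 24 * 3600
    # Constructed samples: a real nightly backup, and the "labelled but empty" tape.
    good = make_archive({"research/results.csv": "a,b\n1,2\n"}, now - 3600)
    empty = make_archive({}, now)
    for label, archive in (("good", good), ("empty", empty)):
        report = verify_backup(archive, now, one_day)
        print(label, "OK" if not report.problems else report.problems)
```

Run nightly against the archive the job was supposed to produce, a non-empty `problems` list is the alert that the school in the story never had; the same structure applies to any container format that can be opened and enumerated without a full restore.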

Page 23

KPMG Comments

• Admin and academic networks are separated with VLANs restricting access.

• Controls are considered in the specification stage for the development/procurement of new systems.

• Special access privileges are granted to gain access to databases.

Page 24

KPMG Comments

• The impact of upgrades to systems is assessed by CSV management before being actioned.

• All University purchases are made through the purchasing department, subject to University purchasing rules

• No modifications are carried out to standard software.

• The University completed a risk assessment as part of the business continuity project.

Page 25

KPMG Comments

• A framework provided by PricewaterhouseCoopers has been used in the compilation of continuity plans identifying testing and maintenance priorities.

• The University monitors Internet usage and prevents users accessing undesirable Internet sites.

• There is a central register for recording software licences.

• The staff handbook contains guidance on copyright responsibilities.

Page 26

KPMG Summary

• The University has made excellent progress against the standard with 70% of controls now in place.

• A presentation to raise Senior Management awareness needs to be made

Page 27

KPMG Recommendations

• An all-encompassing Security Policy needs developing.

• A review of the current documentation should be undertaken to identify any areas which could be rationalised.

• Information classifications should be allocated to identify sensitive and critical information.

Page 28

KPMG Recommendations (cont.)

• The University should complete an Information Security Management System (ISMS). The ISMS should include an appropriate risk assessment for each information system and determine the scope to be certified. The boundaries of the system are defined in terms of organisation, location, assets and technology.

Page 29

KPMG Recommendations (cont.)

• BS7799 developments should continue and be aligned to the work carried out for the Data Protection Act.

Page 30

Benefits of implementing Information Security Policy

• The purpose of information security management is to ensure business continuity and reduce business damage by preventing and minimising the impact of security incidents. Reports show that fraud or cases of IT abuse often occur due to the absence of basic controls, with one-half of all detected frauds found by accident.

Page 31

• Information is a vital asset in any organisation. The protection and security of this information is of prime importance to many aspects of an organisation’s business. It is important that an organisation should not only implement a set of controls and procedures for information security but also manage and maintain them.

Page 32

• Demonstrating good information security will be seen as a benefit to trading partners who may be involved in the transfer of information. EDI is not widely used within the University, but this is still an important issue.

Page 33

University Policy Development

• JISC advice helpful
  – examples from other sites

• Existing documents identified

• Scope includes non-electronic information

• JISC titles + “Policy Statement”

• Supplementary documents produced

Page 34

Next Steps

• Formal approval of Policy

• Formal process for suspected security breaches

• Procedures for staff departures

• Awareness exercise for Information Custodians … and others