Information Security: Policy and Culture
Introduction and Background
Annette Haworth, ex-Chair of ex-JCAS, Director of Information Services, The University of Reading
Supporting Higher and Further Education
Background – JCAS – Issues
• Security is about confidentiality, authenticity and integrity of information
• Is HE/FE special?
  - in general, no, but
  - large numbers of peripatetic users / shared PCs / use across public networks / home-working etc.
  - possible ‘odd deals’, e.g. ILL, JISC-services...
Background – JCAS – What do we know?
• Many H/FEIs have not got, or cannot afford, enough technical/managerial expertise
• What definitely needs doing?
  - Long-term future of JISC-services and the related authentication/authorisation service (aka: what do we do about Athens?)
  - Broadening of the concept to help sites
Background – What did we end up doing?
• Well, yes, we did have the JISC-service related problems to solve
• But the real problems institutions face are far broader than the technical ones
  - Technical: solutions are not without their complexities, but if there is one and you’ve got the money/expertise, you can use it – QED
  - But what ‘solution’ do you ‘need’? That depends on institutional aims and on the cultural and legal environments. Definitely not QED
Background – JISC's Work on Security Policy and Planning
• 1999: Pilot study of the BS7799 methodology
• 2000: Evaluation of BS7799 project
  - Policy advice to HEIs and FECs
  - Senior Management Briefing Paper
• 2001: Study of user attitudes to security
An Anecdote, or How the JISC helped me to survive (so far)
• Take this: http://www.jisc.ac.uk/pub01/security_policy.html
• Contemplate it in your own environment
• Survive!
……but why is Reading still working on an information security policy?
• This is not a one-person job on the side, and it’s not my survival that matters – it’s the institution’s
• What is the institution aiming to achieve, and how can a security policy help or hinder that?
• What is ‘a policy’? What is ‘the’ policy? Who owns ‘it’? How is ‘it’ updated?
• Is ‘it’ embedded in the culture? Embedded in other policies? Or a separate ‘tick-box’, get-you-through-the-audit item?
• Have we done the right risk analysis? e.g. ‘perfect’ security could stop our academics doing something valuable
Introduction – Messages for the Day (1)
• Policy is vital
  - Needed to establish responsibilities
  - Needed as a guide when action is required
  - Needed as an indication of good practice [legal compliance, auditors, e-commerce etc.]
Introduction – Messages for the Day (2)
• BS7799/ISO17799 is a feasible approach to use
  - but hard work to implement in full
  - there are alternatives which may suit you better [e.g. the German Federal Govt handbook]
• More important to get a workable policy in place than to get hung up on any one methodology!!
Introduction – This session
• Information security policy: what should it aim to achieve?
• Towards an institution-wide security policy
• Security: a matter of user perception