Protecting our Customers

2nd talk of the conference is about Information Security.

Information Security is starting to be taken a lot more seriously in HE. We have seen threats increase (e.g. Code Red, Blaster), and we are now seeing more pressure to manage the risks. The speakers (Mike Roch, University of Reading and Andrew Cormack, UKERNA) suggest that there is a need for a ‘toolkit’ for Information security.

One possible framework for this is BS7799. However, this standard has not been widely adopted for accreditation purposes, but it may still be useful as a toolkit. There is now an updated version of the standard (ISO/IEC17799:2000), which is more descriptive and has more support from the governing bodies.

So – what is in BS7799-2:2002?

  • Information Security Policy
  • Organisational Security
  • Asset classification and control
  • Personnel security
  • Physical and environmental Policy
  • Communications and operations management
  • Access control
  • System development and maintenance
  • Business continuity management
  • Legal compliance

However, there are some things missing that are perhaps relevant to HE, which generally relate to the flexibility our users expect (attaching their own equipment to the institutional network, use of the network for social use, etc.)

It took a while to get round to it, but these are the speakers’ recommendations as to what policy documents are required:

  • Information Security
  • Operations
  • Business continuity plan
  • Staff/student
  • Compliance
  • Information handling
  • Network management
  • System design
  • System management
  • Software management
  • User management
  • Acceptable use

There may also be a need for

  • Outsourcing
  • Mobile computing
  • Teleworking
  • Cryptography
  • Wireless networking

This all seems very well, and some of these policies we already have, but some suggestions seem completely impractical. It’s all very well having a policy saying ‘if you encrypt information, it must be retrievable’ but pretty much impossible to enforce.

Overall I’m thinking – oh god, not more policies. I do see the point, but let’s get this done as easily and painlessly as possible.
