October 29, 2015 The University Information Security Policy & InfoSec one year on… Tom Anstey Weatherall Institute of Molecular Medicine & InfoSec

The need for a Policy! OxCERT led an Information Security Self-Assessment in

Information Security Best Practice

Cookie legislation May 2012

Creating a University Policy (1)

Creating a University Policy (2) + ICTF staff + Council Secretariat

Creating a University Policy (3)

Governance: Central -vs- Local. The University Policy tells you *what* to do; a local policy gives more on *how* you do it in your unit. The responsibility is devolved downwards, but if the correct local policies and risk assessments are in place and carried out, the responsibility for risk goes upwards. Creation of an Information Security Advisory Group (ISAG), chaired by Emma Rampton in the Council Secretariat; it includes the University Security Service, Conference of Colleges, ICTF, academics and InfoSec.

Identify the problems – Risk Assessments

Non-IT Security: not just an IT issue. The flowchart for data encryption could be used for a paper waste destruction protocol. Includes liaison with: University Marshal, Bio-Medical Services, Legal Services, hospital trusts, Personnel Services.

Whole Disk Encryption Finding a balance between security and usability.

Lunchtime seminars: each term, 5 speakers, 8 sessions.

InfoSec website and SharePoint

Incident register

Is guidance to IT staff enough? IT staff don't own the sensitive data. They don't know what is stored, nor the associated risk. What about paper copies? Is it really IT's problem?

Divisional briefings to administrators. This is where the power really is! They're now on board and understand the need for improved practices and a local policy. Improved understanding of a unit's responsibility and liability.

It's in the Toolkit! Examples, explanations, encryption ... easy to read! On-going work in progress. Aims to meet ISO2007:2005.

Centre for the Protection of National Infrastructure: government cyber-security initiative. Fits in with other ox.ac.uk academic work, e.g. Andrew Martin, Sadie Creese et al.

EPIC on-line training

Post mortem discussions

Summary
Provide proper management backing to get a unit policy into place.
Increase user awareness and provide training to all users.
Create information asset and risk registers and develop a business continuity plan for disaster recovery. Start on high impact areas.
Manage mobile devices, and encrypt laptop hard disks and devices containing sensitive data, or provide secure remote access.
Purchase and issue encrypted devices that allow managed password recovery to those needing to remove sensitive data.
Act on your risk assessments. Give a reasonable timescale for implementation; it is a culture change.