Presentation is loading. Please wait.

Presentation is loading. Please wait.

October 29, 2015 The University Information Security Policy & InfoSec one year on… Tom Anstey Weatherall Institute of Molecular Medicine & InfoSec

Published byPeregrine Montgomery Modified over 9 years ago

Similar presentations

Presentation on theme: "October 29, 2015 The University Information Security Policy & InfoSec one year on… Tom Anstey Weatherall Institute of Molecular Medicine & InfoSec"— Presentation transcript:

1 October 29, 2015 The University Information Security Policy & InfoSec one year on… Tom Anstey Weatherall Institute of Molecular Medicine & InfoSec infosec@it.ox.ac.uk http://www.it.ox.ac.uk/infosec/infosecproject/

2 The need for a Policy! OxCERT led a Information Security Self-Assessment in 2007-2009

3 Information Security Best Practice 2009-2011

4 Cookie legislation May 2012

5 Creating a University Policy (1)

6 Creating a University Policy (2) + ICTF staff + Council Secretariat

7 Creating a University Policy (3)

8 Governance: Central -vs- Local The University Policy tells you *what* to do - a local policy gives more on *how* you do it in your unit The responsibility is devolved downwards, but if the correct local policies and risk assessments are in place and carried out, the responsibility for risk goes upwards Creation of Information Security Advisory Group (ISAG) chaired by Emma Rampton in Council Secretariat; includes University Security Service, Conference of Colleges, ICTF, Academics & InfoSec

9 Identify the problems – Risk Assessments

10 Non-IT Security Not just an IT issue Flowchart for data encryption could be used for paper waste destruction protocol. Includes liaison with: University Marshal Bio-Medical services Legal services Hospital trusts Personnel services

11 Whole Disk Encryption Finding a balance between security and usability.

12 Lunchtime seminars  Each term  5 speakers  8 sessions

13 InfoSec website and SharePoint

14 Incident register

15 Is guidance to IT Staff enough? IT Staff don’t own the sensitive data They don’t know what is stored, nor the associated risk What about paper copies? Is it really IT’s problem?

16 Divisional briefings to administrators This is where the power really is! They’re now on board and understand the need for improved practices, and a local policy. Improved understanding of a unit’s responsibility and liability.

17 It’s in the Toolkit! http://www.it.ox.ac.uk/infosec/istoolkit/ Examples Explanations Encryption … easy to read! On-going work in progress Aims to meet ISO2007:2005

18 Centre for the Protection of National Infrastructure Government cyber- security initiative Fits in with other ox.ac.uk academic work e.g. Andrew Martin, Sadie Creese et al.

19 EPIC on-line training

20 Post mortem discussions

21 Provide proper management backing to get a unit policy into place Increase user awareness and provide training to all users Create information asset & risk registers and develop a business continuity plan for disaster recovery. Start on high impact areas. Manage mobile devices, and encrypt laptop hard disks and devices containing sensitive data, or provide secure remote access Purchase and issue encrypted devices that allow managed password recovery to those needing to remove sensitive data Act on your risk assessments. Give a reasonable timescale for implementation; it is a culture change Summary

Download ppt "October 29, 2015 The University Information Security Policy & InfoSec one year on… Tom Anstey Weatherall Institute of Molecular Medicine & InfoSec"

Similar presentations

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
NERC Security Requirements – What Vendors Should Provide James W. Sample, CISSP, CISM Manager of Information Security California ISO.

NERC Security Requirements – What Vendors Should Provide James W. Sample, CISSP, CISM Manager of Information Security California ISO.
Information Systems Audit Program. Benefit Audit programs are necessary to perform an effective and efficient audit. Audit programs are essentially checklists.

Information Systems Audit Program. Benefit Audit programs are necessary to perform an effective and efficient audit. Audit programs are essentially checklists.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Security Controls – What Works

Security Controls – What Works
IT Retreat 2009 IT Security Controls and Initiatives.

IT Retreat 2009 IT Security Controls and Initiatives.
Normative vs. Descriptive vs. Pragmatic. Sad reality Faculty, staff and students are using mobile devices today, with or without our help (probably without)

Normative vs. Descriptive vs. Pragmatic. Sad reality Faculty, staff and students are using mobile devices today, with or without our help (probably without)
Addressing Information Security at Heller October 16, 2013 secureHeller.

Addressing Information Security at Heller October 16, 2013 secureHeller.
Comptroller of the Currency Administrator of National Banks E- Security Risk Mitigation: A Supervisor’s Perspective Global Dialogue World Bank Group September.

Comptroller of the Currency Administrator of National Banks E- Security Risk Mitigation: A Supervisor’s Perspective Global Dialogue World Bank Group September.
Sybase Confidential Propriety.iAnywhere ConfidentialiAnywhere Confidential Proprietary.Sybase Confidential Propriety. Addressing the Challenges of Device.

Sybase Confidential Propriety.iAnywhere ConfidentialiAnywhere Confidential Proprietary.Sybase Confidential Propriety. Addressing the Challenges of Device.
Peer Information Security Policies: A Sampling Summer 2015.

Peer Information Security Policies: A Sampling Summer 2015.
Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.

Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.
Information Security Technological Security Implementation and Privacy Protection.

Information Security Technological Security Implementation and Privacy Protection.
Audit Challenges and Best Practices in a Research University Environment NSAA Annual Conference Jeffrey Huskamp Vice President and CIO.

Audit Challenges and Best Practices in a Research University Environment NSAA Annual Conference Jeffrey Huskamp Vice President and CIO.
Evolving IT Framework Standards (Compliance and IT)

Evolving IT Framework Standards (Compliance and IT)
ESCCO Data Security Training David Dixon September 2014.

ESCCO Data Security Training David Dixon September 2014.
Https://st-julians-itgs.wikispaces.com/3.10+IT+systems+in+organizations.

Thomas Levy. Agenda 1.Aims: Reducing Cyber Risk 2.Information Risk Management 3.Secure Configuration 4.Network Security 5.Managing User Access 6.Education.

Thomas Levy. Agenda 1.Aims: Reducing Cyber Risk 2.Information Risk Management 3.Secure Configuration 4.Network Security 5.Managing User Access 6.Education.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
Managing IT Risk MRC Weatherall Institute of Molecular Medicine Tom Anstey Risk - combination of the probability of an event and.

Managing IT Risk MRC Weatherall Institute of Molecular Medicine Tom Anstey Risk - combination of the probability of an event and.

Similar presentations

Ads by Google