2. Organisation of ISBP 2010

The first thing to define is the planned organisational structure for the implementation of ISBP 2010. In doing so, it is necessary to consider the organisational structure of the 2009 exercise. ISBP 2009 was led by the Information Security Advisory Group (IS-AG). This group was formed via the ICTF with the remit of promoting best practice in the field of Information Security and encouraging communication among ITSS themselves and with executive-level bodies such as PICT. It is made up of volunteers from across the University and chaired by Jonathan Ashton (a member of the OxCERT team within OUCS). ISBP 2009 did receive funding for one post to assist with the coordination, administration and organisation of the project, and this role was taken up by Miranda Llewellyn of ODIT. However, the rest of the work on this project was carried out on a voluntary basis within OxCERT, which dedicated a large amount of resource to it, in particular via the chair of the Advisory Group.

It is to be noted that the Advisory Group is also made up of ITSS. Whilst this was considered appropriate as a starting point for ISBP 2009, one of the key findings of that project was that its scope extends beyond IT and technical staff. One of the key issues in the early stages of ISBP 2010 will therefore be to define the scope of the project and an organisational structure that includes all relevant groups across the University. The requirements for the forthcoming project are therefore:
  • To maintain the influence of the Information Security Advisory Group (and hence the ICTF)
  • To maintain the link with ODIT
  • To redress the balance of resources for OxCERT
  • To have dedicated roles to work full time on the project where necessary
  • To provide the relevant expertise in Information Security and project management/organisation
  • To maintain and, where possible, improve the communications and reporting framework to include the ICTF, ODIT and PICT
  • To engage with other relevant functional groups (such as Administrators etc.).

The proposed solution is to create a new post within OxCERT and for OxCERT to extend its remit from being purely an incident response team to including wider Information Security duties. This will allow OxCERT (via the chair of the IS-AG) to continue to provide the necessary expertise and be responsible for the ISBP 2010 project whilst maintaining its other roles and responsibilities. The OxCERT post will be funded for 18 months (to cover the duration of the next phase of the project), though OUCS have agreed that the post will be created for a period of 3 years. This was felt necessary to provide adequate time to train and embrace a new member of the team. This will mean that the project is led by Jonathan Ashton of OxCERT and reports will go via Roger Treweek (head of Networks and Communications in OUCS) to PICT. Paul Jeffreys is Project Sponsor.

The remainder of the ISBP 2010 funding will cover the post of Project Manager for 18 months, which will continue to be filled by Miranda Llewellyn. In terms of communication, the role of the IS-AG will remain the same, as the involvement and influence of the ICTF continues to be critical to the future success of the project. One of the first jobs for the Advisory Group, however, will be to determine how to extend and define the scope of the project, and how to incorporate the relevant functional groups (such as Administrators etc.) in the process.
