1. ISBP 2009 Self-Assessment

The ISBP 2009 activity demonstrated a need for further work in the area of Information Security within the collegiate University. The report produced for PICT showed that:
  • There are many areas where levels of compliance are very good, particularly the technical areas which are the direct responsibility of the ITSS.
  • The area of Information Handling is one where the levels of compliance are the lowest and further investigation is required.
  • The issues in the questionnaire cover much more than just IT, and therefore roles and responsibilities need to be clearly defined.
  • The role of the ICTF and the Information Security Advisory Group (IS-AG) is crucial to the success of this project.
Following that report, PICT agreed to fund 2 FTE for 18 months to carry on the project. Since then the activity has:
  • Reported back to the ICTF at the March ICTF meeting
  • Sent letters to the Heads of Department/College and the IT Officer/Administrator of those units that did not send back a completed questionnaire, in order to inform them of the work done and progress made under the project.
The rest of this report focuses on the activities for the coming 18 months.

2. Organisation of ISBP 2010

The first thing to define is the planned organisational structure with regards to the implementation of ISBP 2010. In doing so, it is necessary to consider the organisational structure of the 2009 exercise. ISBP 2009 was led by the Information Security Advisory Group (IS-AG). This group was formed via the ICTF with the remit of promoting best practice in the field of Information Security, and encouraging communication between ITSS themselves, and also with executive level bodies such as PICT. It is made up of volunteers from across the University and chaired by Jonathan Ashton (a member of the OxCERT team within OUCS). ISBP 2009 did receive funding for one post to assist with the coordination, administration and organisation of the project, and this role was taken up by Miranda Llewellyn of ODIT. However, the rest of the work on this project was carried out on a voluntary basis within OxCERT, with the chair of the Advisory Group in particular dedicating a large amount of time to it. It is to be noted that the Advisory Group is also made up of ITSS. Whilst this was considered appropriate as a starting point for ISBP 2009, one of the key findings of that project was that the scope of the project extends beyond IT and technical staff. One of the key issues in the early stages of ISBP 2010 will therefore be to define the scope of the project and an organisational structure that includes all relevant groups across the University. The requirements for the forthcoming project are therefore:
  • To maintain the influence of the Information Security Advisory Group (and hence the ICTF)
  • To maintain the link with ODIT
  • To redress the balance of resources for OxCERT
  • To have dedicated roles to work full time on the project where necessary
  • To provide the relative expertise in Information Security and project management/organisation
  • To maintain and - where possible - improve the communications and reporting framework to include the ICTF, ODIT and PICT
  • To engage with other relevant functional groups (such as Administrators etc.).

The proposed solution is to create a new post within OxCERT and for OxCERT to extend their remit from being purely an incident response team to including wider Information Security duties. This will allow OxCERT (via the chair of the IS-AG) to continue to provide the necessary expertise and be responsible for the ISBP 2010 project whilst maintaining their other roles and responsibilities. The OxCERT post will be funded for 18 months (to cover the duration of the next phase of the project), though OUCS have agreed that the post will be created for a period of 3 years. This was felt necessary to provide adequate time to train and integrate a new member of the team. This will mean that the project is led by Jonathan Ashton of OxCERT and reports will go via Roger Treweek (head of Networks and Communications in OUCS) to PICT. Paul Jeffreys is Project Sponsor.

The remainder of the ISBP 2010 funding will cover the post of Project Manager for 18 months, which will continue to be filled by Miranda Llewellyn. In terms of communication, the role of the IS-AG will remain the same, as the involvement and influence of the ICTF continues to be critical to the future success of the project. One of the first jobs for the Advisory Group, however, will be to determine how to extend and define the scope of the project, and how to incorporate the relevant functional groups (such as Administrators etc.) in the process.

3. Project Objectives

The objectives for the project revolve around the recommendations made in the ISBP 2009 report to PICT. They are:
  • To investigate, via the Advisory Group, the scope of the project and incorporate other relevant user groups such as Administrators.
  • To consolidate the Conditions for Connection and Security of Information policies into one, high-level policy document.
  • To review the best practice guidelines, taking into account comments made in the 2009 Self-Assessment questionnaire, and in accordance with the consolidated policy.
  • To develop the best practice guidelines into an Information Security Toolkit to include, for example, sample policies, guidelines, documentation and suggestions for education and awareness programmes.
  • To identify areas where resources (knowledge and skills) can be found and shared, and to investigate the possible pooling and sharing of those resources.
  • To investigate the area of 'Information Handling' with a view to developing relevant guidelines, classification schemes and approaches to risk analysis/management.
  • To identify requirements for possible future projects, for example requirements for services that could be provided centrally.

Project Outline

The key deliverables for the project are:
  • Consolidated Information Security policy – agreed by all relevant parties across the University
  • A revised "Best Practice" document
  • Information Security Toolkit or portfolio of resources
  • Recommendations regarding information classification and "information handling"
  • Recommendations regarding approaches to risk assessment/analysis
  • Subsequent recommendations regarding appropriate controls for securing storage and sharing of information (e.g. encryption)
  • Recommendations regarding a framework to maintain and monitor information security throughout the collegiate University
  • Progress Report to PICT after 12 months, making recommendations for the final 6 months of the project
  • Repeat of the Self-Assessment Questionnaire exercise (if confirmed by PICT through the Progress Report)
  • Final report on findings and further recommendations

4. Information Security Policy

At the root of the project is the definition of the Information Security policy document. The policy should define the University's objectives for Information Security in line with its operational requirements and strategic plan. It should also define the scope of the policy and identify roles and responsibilities for security. It should be a brief, high-level document that is available and communicated to all parties and that states what the University is trying to achieve. However, particularly in a devolved environment such as a collegiate university, the policy should not go into detail about how those objectives should be met: each unit within the University will have its own methods, practices and controls in order to achieve the objectives, depending on local influences. The Information Security Toolkit will aim to provide guidance as to how those objectives might be met.

Aside from that, in order for the policy to be effective and successful, there are a number of critical success factors. The policy must be agreed and signed off at a high level in order to a) demonstrate the support of high-level management for Information Security and b) give the policy some 'weight'. The Advisory Group will therefore investigate how to achieve this. One option already being looked into is to make the policy 'legal' within the University.

Equally important is correctly defining the scope of the policy and agreeing on the objectives of the University for Information Security. In order to do this it is important to have representation from all appropriate user groups. This could include, for example, ITSS, Administrators, Heads of Department, Managers, PICT, legal services, HR etc. This is vital not only to accurately reflect the overall objectives of the University, but also in order for an agreeable policy to be achieved. Having a policy that is agreed by a wide range of people across the University is likely to result in far higher levels of success in terms of implementing the policy. Currently the Advisory Group consists only of ITSS, due to the nature and origins of the ISBP 2009 initiative. However, one important job for the Advisory Group is to address this issue early on in order to successfully produce the Information Security policy.

The policy will also define areas of responsibility for Information Security. As well as agreeing those areas of responsibility, the key here is communication of the policy and hence communication of responsibility. Again this is vital to the successful implementation of the policy and will help determine who is responsible for any breaches of that policy.

5. Information Handling

Following on from the results of ISBP 2009, the area of 'Information Handling' is one that clearly needs particular attention. After agreeing the Information Security policy this will be one of the major focuses of the project. The role of the Advisory Group in this instance will be to advise on a suitable approach, though it is envisaged that this will be based on identification and analysis of assets and the risks to those assets. This is necessary in order to decide how best to meet the security requirements laid out in the Information Security policy. Therefore, as part of the objectives concerning Information Handling the Advisory Group may look at:
  • Appropriate approaches towards risk assessment
  • Identification and analysis of risks
  • Identification and evaluation of options for the treatment of risks

The last of these three points will result in analysis of certain technical solutions (e.g. for encryption of data) and will involve the scoping of any potential future projects (e.g. provision of certain central services and/or documentation such as central logging, encryption, incident handling guidelines etc.). It is currently beyond the scope of this project to actually trial or begin implementation of any such projects. These may, however, be the subject of future bids that result from the investigations of ISBP 2010.

6. Best Practice and ISO27001-27002

As in ISBP 2009 it is envisaged that the framework for Information Security management and the best practice guidelines produced will be based, at least in part, on the ISO standards "ISO/IEC 27001:2005 Information technology - Security techniques - Information security management systems - Requirements" and "ISO/IEC 27002:2005 Information technology - Security techniques - Code of practice for information security management". Clearly there will be other influences in order to meet the functional requirements of various units throughout the University (for example, constraints on certain departments dealing with governmental departments and/or medical data). However, the reasons for using the ISO standards as a starting point are:
  • They are internationally recognised standards (why re-invent the wheel?)
  • They can help to define an appropriate framework for the management of Information Security and state what needs to be done, rather than how to do it
  • They can therefore be applied selectively in order to fit the devolved environment that is the University of Oxford
  • Certain units within the University are coming under increased pressure to conform to these (or similar) standards
  • Other universities across the UK are also having to implement such standards
  • They can be used as a baseline for defining policies and producing guidelines
  • They are used as the baseline for the UCISA Information Security Toolkit
  • They can be of use when it comes to audit if necessary.

7. Project Plan

The project plan is outlined below; however, it should be noted that the objectives will continually be under review and will undoubtedly evolve. This flexibility and review is necessary, but underpinning it all will be the work on the policy, information handling and the best practice guidelines.

First quarter, May 2010 - September 2010
  • Set up project team, assist with recruitment of OxCERT post to enable release of resources from OxCERT
  • Work on consolidating the policies
  • Communications with ICTF - workshop at ICTF conference and article in the ICTF newsletter
  • Meeting of the Advisory Group (IS-AG)
  • Build Information Security Toolkit and maintain web pages
  • Trinity Term meeting of the ICTF - JA to present IS-AG report
Second quarter, October 2010 - January 2011
  • Finalise consolidated policy
  • Update the Self-Assessment Questionnaire in line with consolidated policy
  • Investigate procedure to give the policy legal status
  • Michaelmas Term meeting of the ICTF - JA to present IS-AG report
  • Meeting of the Advisory Group
  • Continue building Information Security Toolkit
Third quarter, February 2011 - June 2011
  • Meeting of the Advisory Group
  • Investigate 'information handling' and sharing resources
  • Progress report submitted to PICT after 12 months (May 2011), make recommendations to PICT and receive guidance on how to proceed in the last six months
  • Consider running the Self-Assessment activity again (if agreed with PICT)
  • Hilary Term meeting of the ICTF - JA to present IS-AG report
Fourth quarter, June 2011 - October 2011
  • Communications opportunities at the ICTF conference
  • Meeting of the Advisory Group
  • Possible Self-Assessment activity
  • Trinity Term meeting of the ICTF - JA to present IS-AG report
  • Update Information Security Toolkit
  • End of project - complete final report
  • Communicate progress and status of any follow up stage (via web, ICTF channels etc)
