1. ISBP 2009 Self-Assessment
- There are many areas where levels of compliance are very good, particularly the technical areas which are the direct responsibility of the ITSS.
- The area of Information Handling is one where the levels of compliance are the lowest and further investigation is required.
- The issues in the questionnaire cover much more than just IT and therefore, roles and responsibilities need to be clearly defined.
- The role of the ICTF and the Information Security Advisory Group (IS-AG) is crucial to the success of this project.
2. Organisation of ISBP 2010
- To maintain the influence of the Information Security Advisory Group (and hence the ICTF)
- To maintain the link with ODIT
- To redress the balance of resources for OxCERT
- To have dedicated roles to work full time on the project where necessary
- To provide the relative expertise in Information Security and project management/organisation
- To maintain and - where possible - improve the communications and reporting framework to include the ICTF, ODIT and PICT
- To engage with other relevant functional groups (such as Administrators etc.).
The proposed solution is to create a new post within OxCERT and for OxCERT to extend their remit from being purely an incident response team to including wider Information Security duties. This will allow OxCERT (via the chair of the IS-AG) to continue to provide the necessary expertise and be responsible for the ISBP 2010 project whilst maintaining their other roles and responsibilities. The OxCERT post will be funded for 18 months (to cover the duration of the next phase of the project), though OUCS have agreed that the post will be created for a period of 3 years. This was felt necessary to provide adequate time to train and embrace a new member of the team. This will mean that the project is led by Jonathan Ashton of OxCERT and reports will go via Roger Treweek (head of Networks and Communications in OUCS) to PICT. Paul Jeffreys is Project Sponsor.
The remainder of the ISBP 2010 funding will cover the post of Project Manager for 18 months which will continue to be filled by Miranda Llewellyn. In terms of communication, the role of the IS-AG will remain the same as the involvement and influence of the ICTF continues to be critical to the future success of the project. One of the first jobs for the Advisory Group however will be to determine how to extend and define the scope of the project, and how to incorporate the relevant functional groups (such as Administrators etc.) in the process.
3. Project Objectives
- To investigate, via the Advisory Group, the scope of the project and incorporate other relevant user groups such as Administrators.
- Consolidation of the Conditions for Connection and Security of Information policies into one, high-level policy document.
- Review the best practice guidelines, taking into account comments made in the 2009 Self-Assessment questionnaire, and in accordance with the consolidated policy.
- Development of the best practice guidelines into an Information Security Toolkit to include, for example, sample policies, guidelines, documentation and suggestions for education and awareness programmes.
- Identification of areas where resources (knowledge and skills) can be found and shared and investigate the possible pooling and sharing of those resources.
- Investigate the area of 'Information Handling' with a view to developing relevant guidelines, classification schemes and approaches to risk analysis/management.
- Identify requirements for possible future projects, for example requirements for services that could be provided centrally.
- Consolidated Information Security policy – agreed by all relevant parties across the University
- A revised "Best Practice" document
- Information Security Toolkit or portfolio of resources
- Recommendations regarding information classification and "information handling"
- Recommendations regarding approaches to risk assessment/analysis
- Subsequent recommendations regarding appropriate controls for securing storage and sharing of information (e.g. encryption)
- Recommendations regarding a framework to maintain and monitor information security throughout the collegiate University
- Progress Report to PICT after 12 months, making recommendations for the final 6 months of the project
- Repeat of the Self-Assessment Questionnaire exercise (if confirmed by PICT through the Progress Report)
- Final report on findings and further recommendations
4. Information Security Policy
At the root of the project is the definition of the Information Security policy document. The policy should define the University's objectives for Information Security in line with its operational requirements and strategic plan. It should also define the scope of the policy and identify roles and responsibilities for security. It should be a brief, high-level document that is available and communicated to all parties and that states what the University is trying to achieve. However, particularly in a devolved environment such as a collegiate university, the policy should not go into detail about how those objectives should be met: each unit within the University will have its own methods, practices and controls in order to achieve the objectives, depending on local influences. The Information Security Toolkit will look into providing guidance as to how those objectives might be met.
Aside from that, in order for the policy to be effective and successful, there are a number of critical success factors. The policy must be agreed and signed off at a high level in order to a) demonstrate the support of high-level management for Information Security and b) give the policy some 'weight'. The Advisory Group will therefore investigate how to achieve this. One option already being looked into is to make the policy 'legal' within the University.
Equally important is correctly defining the scope of the policy and agreeing on the objectives of the University for Information Security. In order to do this it is important to have representation from all appropriate user groups. This could include, for example, ITSS, Administrators, Heads of Department, Managers, PICT, legal services, HR etc. This is vital not only to accurately reflect the overall objectives of the University, but also in order for an agreeable policy to be achieved. Having a policy that is agreed by a wide range of people across the University is likely to result in far higher levels of success in terms of implementing the policy. Currently the Advisory Group consists only of ITSS, due to the nature and origins of the ISBP 2009 initiative. However, one important job for the Advisory Group is to address this issue early on in order to successfully produce the Information Security policy.
The policy will also define areas of responsibility for Information Security. As well as agreeing those areas of responsibility, the key here is communication of the policy and hence communication of responsibility. Again this is vital to the successful implementation of the policy and will help determine who is responsible for any breaches of that policy.
5. Information Handling
The last of these three points will result in analysis of certain technical solutions (e.g. for encryption of data) and will involve the scoping of any potential future projects (e.g. provision of certain central services and/or documentation such as central logging, encryption, incident handling guidelines etc.). It is currently beyond the scope of this project to actually trial or begin implementation of any such projects. These may, however, be the subject of future bids that result from the investigations of ISBP 2010.
6. Best Practice and ISO27001-27002
- They are internationally recognised standards (why re-invent the wheel?)
- They can help to define an appropriate framework for the management of Information Security and state what needs to be done, rather than how to do it
- They can therefore be applied selectively in order to fit the devolved environment that is the University of Oxford
- Certain units within the University are coming under increased pressure to conform to these (or similar) standards
- Other universities across the UK are also having to implement such standards
- They can be used as a baseline for defining policies and producing guidelines
- They are used as the baseline for the UCISA Information Security Toolkit
- They can be of use when it comes to audit if necessary.
7. Project Plan
The project plan is outlined below; however, it should be noted that the objectives will continually be under review and will undoubtedly evolve. This flexibility and review is necessary, but underpinning it all will be the work on the policy, information handling and the best practice guidelines.
- Set up project team, assist with recruitment of OxCERT post to enable release of resources from OxCERT
- Work on consolidating the policies
- Communications with ICTF - workshop at ICTF conference and article in the ICTF newsletter
- Meeting of the Advisory Group (IS-AG)
- Build Information Security Toolkit and maintain web pages
- Trinity Term meeting of the ICTF - JA to present IS-AG report
- Meeting of the Advisory Group
- Investigate 'information handling' and sharing resources
- Progress report submitted to PICT after 12 months (May 2011), make recommendations to PICT and receive guidance on how to proceed in the last six months
- Consider running the Self-Assessment activity again (if agreed with PICT)
- Hilary Term meeting of the ICTF - JA to present IS-AG report
- Communications opportunities at the ICTF conference
- Meeting of the Advisory Group
- Possible Self-Assessment activity
- Trinity Term meeting of the ICTF - JA to present IS-AG report
- Update Information Security Toolkit
- End of project - complete final report
- Communicate progress and status of any follow-up stage (via web, ICTF channels etc.)