Manchester Metropolitan University
Information Security Strategy 2017-2019

Document Information

Document owner: Tom Stoddart, Information Security Manager
Version: 1.0
Release Date: 01/02/2017

Change History

Date        Author        Version  Details
11/11/2016  Tom Stoddart  0.1      First draft
16/11/2016  Tom Stoddart  0.2      Additional content & amendments following stakeholder review
08/12/2016  Tom Stoddart  0.3      Comments and amendments following circulation to InfoSec Board
16/01/2017  Tom Stoddart  0.4      Formatting changes for UEG circulation
01/02/2017  Tom Stoddart  1.0      Approved version following UEG on 31/01/2017
Contents

Purpose and scope of this strategy ... 3
Value Proposition for Future State ... 3
Strategic environment ... 3
Current weaknesses ... 3
Critical Success Factors (CSF) for Realisation of Future State ... 4
Governance ... 5
Strategic Priorities ... 6
Timeline for key initiatives and activities ... 7
Purpose and scope of this strategy

The purpose of this Information Security strategy is to ensure that commitment to (and investment in) information security at Manchester Metropolitan University supports the strategic objectives of the University more broadly, as well as the legal requirements relevant to data controllers and processors.

The scope of this strategy is all information used at Manchester Metropolitan University, in all formats, regardless of the specific departments and individuals that own and manage the information at a local level. This includes information owned or processed by other organisations but relevant to their dealings with Manchester Metropolitan University.

While information security capability is centred on the Information Security function, a number of additional departments, including Legal and Registry, have explicit information responsibilities and are therefore considered in the proposals laid out in this strategy.

Value Proposition for Future State

The Information Security function will provide and coordinate expertise to influence the information security approach of the University, helping it to achieve its strategic objectives by ensuring the availability, confidentiality and integrity of its information. By recognising the different types of information used, and the business requirements associated with each, we will deliver a secure framework within which we can provide flexibility to suit customer needs while maintaining compliance with legal obligations and sector-specific best practice.
Strategic environment

This strategy reflects the strategic environment in which the University is functioning, specifically:

- Staff and student expectations for flexible working (technology, location, time)
- The differing data requirements of research projects, and third party security requirements
- The increasing prevalence of malicious activity targeting the sector
- The emergence of Information Security as a strategic tool
- The forthcoming EU General Data Protection Regulation (GDPR), due in 2018
- The Prevent guidance and its technical implications
- The increasing adoption of Cloud services (both institution-led and uncontrolled)

Current weaknesses

An ISO 27001 gap analysis highlighted areas on which to focus activity. These findings were added to the existing audit recommendations and identified risks to prioritise the work required to achieve the future state proposed by this strategy.
Critical Success Factors (CSF) for Realisation of Future State

CSF 1: Establish an Information Security Management System to support pursuit of the University's strategic aims
1. Implementation of an Information Security Management System aligned to ISO 27001:2013, verified by external gap analysis
2. Adoption of a governance model that provides the required assurance to the Board and oversees prioritisation of, and spend on, InfoSec projects
3. Adoption of a consistent vocabulary for describing our system to internal and external stakeholders, including regulators and research partners

CSF 2: Implement information asset lifecycle management, supporting risk management, control selection and compliance activity (prioritising personal data to support GDPR)
1. Implementation of an asset register
2. Engagement of asset owners and business areas in asset management
3. Compliance with the classification scheme and handling requirements
4. Information is easily identified for FOI and DPA (including Subject Access Requests)
5. Volume of information held decreases as the retention and disposal schedule is applied
6. Transition to GDPR achieved on time and without significant risk

CSF 3: Assess and manage information risk according to asset value and business impact, helping to prioritise resources and mitigation efforts
1. Risks are identified to enable timely preventative actions
2. Risk treatment decisions are informed by proportionate, quantitative risk assessments
3. Information risk management informs the corporate risk register, providing visibility to the Board

CSF 4: Ensure proportionate IT solutions contribute to the security of the information they process, and support the IS Strategy
1. Firewall reports on blocked threats vs issues
2. % of infrastructure meeting patching requirements
3. Internal vulnerability scanning gives increasing assurance
4. Consolidation of remote access methods
5. Mechanisms for secure data transfer and storage

CSF 5: Ensure the University meets statutory and legal obligations and selected standards, including DPA, PCI-DSS and Prevent
1. Information Security Incident reporting
2. UNIAC audits give increasing assurance
3. External technical reviews give increasing assurance
4. PCI-DSS compliance maintained
5. Implementation of web filtering in line with Prevent guidance
CSF 6: Ensure students, staff and contractors have the skills, knowledge and guidance to enhance the security of information at Manchester Metropolitan University
1. InfoSec and DPA training completion rate
2. InfoSec awareness/training included in induction
3. Feedback on usability of the new web resource
4. Increase in security consultancy offered to projects outside of ISDS

Governance

Strategic governance is essential for effective prioritisation and quality delivery of the proposed initiatives. The details of Information Systems governance more broadly are in place, but Information Security will interact with existing governance structures as shown below.
Strategic Priorities

Priority 1: Development of an Information Security Management Framework

Implement an Information Security Management framework aligned to ISO 27001:2013 to support the University's strategic aims and compliance activities, and enhance the understanding of staff and students. This framework will provide an outline to-be state, and the programme of supporting work to reach that state will be aligned to the key requirements and technical controls of the ISO 27001:2013 standard. This will enable us to discuss information security and controls using the same concepts and language as other modern organisations, benefitting our relationships with suppliers, research partners and other stakeholders.

- Conduct a gap analysis against the ISO 27001:2013 standard
- Establish governance & develop a suitably resourced information security team
- Review and supplement existing policies & internal compliance activity
- Implement incident management procedures
- Develop a training & awareness programme for staff and students
- Develop a programme of internal & external audit/assurance

Priority 2: Information Asset Management

Implement full information asset lifecycle management, supporting risk management, IT controls and compliance activity by identifying, valuing and managing information assets.

- Develop an information asset register, allocating asset ownership
- Develop proportionate asset classification and handling requirements
- Implement asset retention & disposal
- Develop and document an approach to information risk management
- Produce and maintain guidance on system usage

Priority 3: Communications Security

Strengthen and consolidate existing perimeter and network controls, ensuring a consistent and best-practice approach that supports the University's strategic aims and compliance activities.

- Enhanced perimeter security including web filtering
- Implement network controls to support remote & mobile access and bring your own device

Priority 4: Operations Security

Strengthen and consolidate existing operations procedures, ensuring consistency and proportionality in support of the University's strategic aims and compliance activities.

- Ensure that patching & updates are scheduled
- Ensure that servers and clients are suitably hardened by default
- Develop security standards for website deployments
- Review user access management, including for admin, new and departing staff
- Document and standardise the collection of log files for audit and intrusion detection
- Business continuity & disaster recovery
Timeline for key initiatives and activities

The high-level timeline depicts the key initiatives that must be delivered in order to achieve the overall strategy and the future state for Information Security. Note that significant work remains to define a number of these initiatives, including the specific projects and deliverables that will be included within each. This planning work, including resource estimates, will be taken through the governance model described above.

While much of the information lifecycle management activity is required for GDPR compliance (and these elements will be prioritised according to a timeline governed by the GDPR Working Group), from an Information Security perspective the work goes further than personal data and seeks to manage all information.