Manchester Metropolitan University Information Security Strategy


Manchester Metropolitan University Information Security Strategy 2017-2019

Document Information
Document owner: Tom Stoddart, Information Security Manager
Version: 1.0
Release Date: 01/02/2017

Change History
Date        Author        Version  Details
11/11/2016  Tom Stoddart  0.1      First draft
16/11/2016  Tom Stoddart  0.2      Additional content & amendments following stakeholder review
08/12/2016  Tom Stoddart  0.3      Comments and amendments following circulation to InfoSec Board
16/01/2017  Tom Stoddart  0.4      Formatting changes for UEG circulation
01/02/2017  Tom Stoddart  1.0      Approved version following UEG on 31/01/2017

Contents
Purpose and scope of this strategy
Value Proposition for Future State
Strategic environment
Current weaknesses
Critical Success Factors (CSF) for Realisation of Future State
Governance
Strategic Priorities
Timeline for key initiatives and activities

Purpose and scope of this strategy

The purpose of this Information Security strategy is to ensure that commitment to (and investments in) information security at Manchester Metropolitan University support the strategic objectives of the University more broadly, as well as the legal requirements relevant to data controllers and processors.

The scope of this strategy is all information used at Manchester Metropolitan University, in all formats, regardless of the specific departments and individuals that own and manage the information at a local level. This includes information owned or processed by other organisations but relevant to their dealings with Manchester Metropolitan University. While the focus of information security capabilities is provided by the Information Security function, a number of additional departments, including Legal and Registry, have explicit information responsibilities and are therefore considered in the proposals laid out in this strategy.

Value Proposition for Future State

The Information Security function will provide and coordinate expertise to influence the information security approach of the University, helping it to achieve its strategic objectives by ensuring the availability, confidentiality and integrity of its information. By recognising the different types of information used, and the business requirements associated with each, we will deliver a secure framework within which we can provide flexibility to suit customer needs while maintaining compliance with legal obligations and sector-specific best practice.

Strategic environment

This strategy reflects the strategic environment in which the University is functioning, specifically:
- Staff and student expectations for flexible working (technology, location, time)
- The differing data requirements of research projects, and third party security requirements
- The increasing prevalence of malicious activity targeting the sector
- The emergence of Information Security as a strategic tool
- The forthcoming EU General Data Protection Regulation (GDPR), due in 2018
- The Prevent guidance and its technical implications
- The increasing adoption of Cloud services (both institution-led and uncontrolled)

Current weaknesses

An ISO 27001 gap analysis highlighted areas on which to focus activity. These findings were added to the existing audit recommendations and identified risks to prioritise the work required to achieve the future state proposed by this strategy.

Critical Success Factors (CSF) for Realisation of Future State

CSF 1: Establish an Information Security Management System to support pursuit of the University's strategic aims
1. Implementation of Information Security Management System aligned to ISO 27001:2013, verified by external gap analysis
2. Adoption of Governance model that provides required assurance to the Board and oversees prioritisation of and spend on InfoSec projects
3. Adoption of a consistent vocabulary for describing our system to internal and external stakeholders, including regulators and research partners

CSF 2: Implement information asset lifecycle management, supporting risk management, control selection and compliance activity (prioritising personal data to support GDPR)
1. Implementation of asset register
2. Engagement of asset owners and business areas in asset management
3. Compliance with classification scheme and handling requirements
4. Information is easily identified for FOI and DPA (including Subject Access Requests)
5. Volume of information held decreases as retention and disposal schedule is applied
6. Transition to GDPR achieved on time and without significant risk

CSF 3: Assess and manage information risk according to asset value and business impact, helping to prioritise resources and mitigation efforts
1. Risks are identified to enable timely preventative actions
2. Risk treatment decisions are informed by proportionate, quantitative risk assessments
3. Information risk management informs the corporate risk register, providing visibility to Board

CSF 4: Ensure proportionate IT solutions contribute to the security of the information they process, and support the IS Strategy
1. Firewall reports on blocked threats vs issues
2. % of infrastructure meeting patching requirements
3. Internal vulnerability scanning gives increasing assurance
4. Consolidation of remote access methods
5. Mechanisms for secure data transfer and storage

CSF 5: Ensure the University meets statutory and legal obligations and selected standards, including DPA, PCI-DSS and Prevent
1. Information Security Incident reporting
2. UNIAC audits give increasing assurance
3. External technical reviews give increasing assurance
4. PCI-DSS compliance maintained
5. Implementation of web filtering in line with Prevent guidance

CSF 6: Ensure students, staff and contractors have the skills, knowledge and guidance to enhance the security of information at Manchester Metropolitan University
1. InfoSec and DPA training completion rate
2. InfoSec awareness/training included in induction
3. Feedback on usability of new web resource
4. Increase in security consultancy offered to projects outside of ISDS

Governance

Strategic governance is essential for effective prioritisation and quality delivery of proposed initiatives. The details of Information Systems governance more broadly are in place, but Information Security will interact with existing governance structures as shown below.

Strategic Priorities

Priority 1: Development of an Information Security Management Framework
Implement an Information Security Management framework aligned to ISO 27001:2013 to support the University's strategic aims and compliance activities, and enhance the understanding of staff and students. This framework will provide an outline to-be state, and the programme of supporting work to reach that state will be aligned to the key requirements and technical controls of the ISO 27001:2013 standard. This will enable us to discuss information security and controls using the same concepts and language as other modern organisations, benefitting our relationships with suppliers, research partners and other stakeholders.
- Conduct a gap analysis against the ISO 27001:2013 standard
- Establish governance & develop a suitably resourced information security team
- Review and supplement existing policies & internal compliance activity
- Implement incident management procedures
- Develop a training & awareness programme for staff and students
- Develop a programme of internal & external audit/assurance

Priority 2: Information Asset Management
Implement full information asset lifecycle management, supporting risk management, IT controls and compliance activity by identifying, valuing and managing information assets.
- Develop an information asset register, allocating asset ownership
- Develop proportionate asset classification and handling requirements
- Implement asset retention & disposal
- Develop and document an approach to information risk management
- Produce and maintain guidance on system usage

Priority 3: Communications Security
Strengthen and consolidate existing perimeter and network controls, ensuring a consistent and best-practice approach that supports the University's strategic aims and compliance activities.
- Enhanced perimeter security including web filtering
- Implement network controls to support remote & mobile access and bring your own device

Priority 4: Operations Security
Strengthen and consolidate existing operations procedures, ensuring consistency and proportionality in support of the University's strategic aims and compliance activities.
- Ensure that patching & updates are scheduled
- Ensure that servers and clients are suitably hardened by default
- Develop security standards for website deployments
- Review user access management, including for admin, new and departing staff
- Document and standardise the collection of log files for audit and intrusion detection
- Business continuity & disaster recovery

Timeline for key initiatives and activities

The high-level timeline depicts the key initiatives that must be delivered in order to achieve the overall strategy and the future state for Information Security. Note that significant work remains to define a number of these initiatives, including the specific projects and deliverables that will be included within each. This planning work, including resource estimates, will be taken through the governance model described above. While much of the information lifecycle management activity is required for GDPR compliance, and these elements will be prioritised according to a timeline governed by the GDPR Working Group, from an Information Security perspective the work goes further than personal data and seeks to manage all information.