Our Journey Towards ISO27001!
Alex Harding, IT Services Manager, Runshaw College
@RunshawSD
Our Journey (nearly) to ISO27001!
• Runshaw College
• IT Services
• FE Budgets
• Information Security in FE
• Timeline
– Runshaw College’s Information Security Journey
• Future Plans

Two Campus College
Leyland and Chorley
[Map of the surrounding area: Wigan, West Lancs, Southport, Preston, Blackburn, Bolton, Leyland, Chorley. Map data ©2019 Google, GeoBasis-DE/BKG (©2009)]

Student Numbers
Established in 1974/1975
5000 students aged 16-19
1000 Adult FE learners
350+ Apprentices
120 Higher Education students
c. 6500 “students” in total
2019/2020
450 students aged 16-19

IT Services

What Makes Us Tick?
• ITIL
– V3 at Present
• Service Desk Institute
– On track for 3* Audit.
• Agile
– Scrum
– Agile Service Management

Cyber Security Budgets - Spare any change?
Higher Education Further Education
£2.80?

Information Security in Further Education

Information Security in FE
• The education sector consistently falls within the top 5 sectors for the number of reported Information Security Incidents. (ICO 2019)
• During 16/17 the sector saw a 40% increase in Info. Sec. incidents. (ICO 2019)
• Lack of Awareness is identified as the highest risk for over 2/3rds of colleges. (Harding 2019)

FE Sector – Top 5 Threats
| Threat | Results | Rank | Change |
|---|---|---|---|
| Lack of Awareness | 69.57% | 1 | ▬ |
| Phishing/Social Engineering | 56.52% | 2 | ▲ |
| Ransomware/Malware | 39.13% | 3= | ▼ |
| External Attack | 39.13% | 3= | ▲ |
| Denial of Service | 34.78% | 4 | ▬ |

• Results taken from a Survey of over 30 FE IT leaders based upon which threats are identified as High or Critical priority.
• Rank/Change Comparisons to JISC Security Survey 2018

England
• September 2014
– Government announce that some contracts involving personal data may require Cyber Essentials Certification.
• No mention in FE funding documentation.
• June 2019
– Requirement to work towards ISO27001 Certification appeared in the FE funding guidance.
• Proposed for 20/21.
• September 2019
– This requirement has been removed, though it may return as a future requirement.

Scotland!
November 2017
Requirement for all Public Bodies:
• by June 2018
– Join CISP
– Deliver Cyber Awareness/Training Package
– Cyber Incident response plans.
• by October 2018
– Achieve Cyber Essentials
Or
– Achieve Cyber Essentials Plus

Current Progress - England
• Cyber Essentials Certification
– 4% (JISC 2018)
– 26% (Harding 2019)
• Cyber Essentials Plus Certification
– 0% (JISC 2018)
– 4% (Harding 2019)
30% 😭
No Response from DFE (Following FOI March 2019)

How’s Scotland Done?
| | Number | CE | CE Plus | Percentage |
|---|---|---|---|---|
| Colleges | 26 | 8 | 4 | 46.15% |
| Universities | 15 | 3 | 6 | 60.00% |
| Total | 41 | 11 | 10 | 51.22% |

Data with thanks to the Scottish Government (Following FOI March 2019)
46% 😕

Our Journey

Timeline
2017
• Formal High-Level Information Security Policy Defined

High Level Information Security Policy
• Outlines our commitment to achieve and maintain:
– Cyber Essentials by 2018.
– Cyber Essentials Plus as soon as is practicable.
• Moving forward the College will develop an Information Security Management System as per ISO27001.
• The College will consider certification of the ISMS by external audit against the ISO27001 standard.
2017

Timeline
2017
• Formal High-Level Information Security Policy Defined
2018
• Achieved Cyber Essentials Certification
• Penetration Testing Carried Out (Inc. Phishing)

Cyber Essentials
• Simple, Cost Effective & Basic. (HM Gov 2014)
• Five Key Control Areas.
– Boundary Firewalls & Gateways
– Secure Configuration
– Access Control
– Malware Protection
– Patch Management
• Certification achieved by self-declaration questionnaire.
• Some certification bodies may carry out an external vulnerability scan.
• Findings/Improvements
– Authored Password Policy
– 1 Warning Area – Multi Factor Authentication
2018

Penetration Testing
• After a short tender process, JISC were selected:
– External vulnerability scanning.
– On-site testing of Wi-Fi and PC Builds.
– Covert attempts to breach security.
• New for 2018
– Phishing simulation.
• To assess the risk posed by a well-crafted Phishing attempt.
• Not to catch people out 🙂
• Agreement with our Governors
– Testing to be carried out on a biennial basis.
2018

Phishing Simulation
2018

Timeline
2017
• Formal High-Level Information Security Policy Defined
2018
• Achieved Cyber Essentials Certification
• Penetration Testing Carried Out (Inc. Phishing)
2019
• Achieved Cyber Essentials Plus Certification
• Information Security Risk Assessment Policy Defined
• Information Security Risk Assessment Commenced

Cyber Essentials Plus
• Same Five Key Control Areas (Boundary Firewalls & Gateways; Secure Configuration; Access Control; Malware Protection; Patch Management), plus:
– On site assessments
– Internal vulnerability scans
– Review of physical security
• Findings/Improvements
– Legacy OS with Vulnerabilities (Windows 2003).
– Older, vulnerable versions of:
• Adobe Reader
• Adobe Flash Player
• Firefox
– Execution of downloaded files.
– 1 Warning Area – Multi Factor Authentication
2019

Risk Assessment Policy
• College Risk Appetite = LOW
• Risks will be:
– Identified
– Analysed
– Evaluated
– Treated (to LOW) or Accepted (if LOW)
• Treatment Options:
– Avoid
– Transfer
– Mitigate
– Accept
• Resultant Risks:
– >Low – Require SMT Sign-Off
2019

Threat Analysis
• Started out with a Rich Picture (Checkland 1990)
• Diagram features an overview of:
– The College's network.
– Datacentres.
– Power protection.
– Threat Actors.
– Example attack vectors.
– General notes/queries.
2019

Risk Assessment
• Risk Assessment carried out within our ITSM Tool (Jira).
• Risks can be linked to:
– Services & Assets.
– Threats.
– Control Areas (CE & ISO27002).
– Mitigations.
• Impact & Likelihood input:
– Risk Level calculated.
– Risk Treatment suggestion added.
• Residual Impact & Likelihood Input
– Resultant Risk Level calculated.
2019

Prioritisation of Mitigations
• MoSCoW Method used to prioritise Risks and required mitigations.
• Risk score used to define Risk, and subsequent treatment suggestion.
• (New) Mitigations are being worked in Score order (High to Low).
• Over 200 Risks Identified.
– Approx ¾ have existing mitigations
MoSCoW -> (Agile Business Consortium, 2014)
2019

The Future?

The Future
2019
• Risk Assessment & Gap Analysis Completion
2020
• Cyber Essentials Plus Certification (JISC)
• Additional Mitigations Defined & Policies Authored
• Penetration Testing (JISC)
THEN
• ISO27001 Audit????

Thank you
Alex Harding
IT services, print shop and facilities manager
Runshaw College

FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 

Runshaw College and the journey towards ISO 27001

  • 1. Our Journey Towards ISO27001! Alex Harding, IT Services Manager, Runshaw College
  • 2. @RunshawSD Our Journey Towards ISO27001! Alex Harding IT Services Manager Runshaw College
  • 3. Our Journey (nearly) to ISO27001! • Runshaw College • IT Services • FE Budgets • Information Security in FE • Timeline – Runshaw College’s Information Security Journey • Future Plans
  • 8. Student Numbers Established in 1974/1975 5000 students aged 16-19 1000 Adult FE learners 350+ Apprentices 120 Higher Education students c. 6500 “students” in total 2019/2020 450 students aged 16-19
  • 10. What Makes Us Tick? • ITIL – V3 at Present • Service Desk Institute – On track for 3* Audit. • Agile – Scrum – Agile Service Management
  • 12. Cyber Security Budgets - Spare any change? Higher Education Further Education £2.80?
  • 14. Information Security in FE • The education sector consistently falls within the top 5 sectors for the number of reported Information Security Incidents. (ICO 2019) • During 16/17 the sector saw a 40% increase in Info. Sec. incidents. (ICO 2019) • Lack of Awareness is identified as the highest risk for over 2/3rds of colleges. (Harding 2019)
  • 15. FE Sector – Top 5 Threats
      Threat | Results | Rank | Change
      Lack of Awareness | 69.57% | 1 | ▬
      Phishing/Social Engineering | 56.52% | 2 | ▲
      Ransomware/Malware | 39.13% | 3= | ▼
      External Attack | 39.13% | 3= | ▲
      Denial of Service | 34.78% | 4 | ▬
      • Results taken from a Survey of over 30 FE IT leaders based upon which threats are identified as High or Critical priority. • Rank/Change Comparisons to JISC Security Survey 2018
  • 16. England • September 2014 – Government announce that some contracts involving personal data may require Cyber Essentials Certification. • No mention in FE funding documentation. • June 2019 – Requirement to work towards ISO27001 Certification appeared in the FE funding guidance. • Proposed for 20/21. • September 2019 – This requirement has been removed though may return as a future requirement.
  • 17. Scotland! November 2017 Requirement for all Public Bodies: • by June 2018 – Join CISP – Deliver Cyber Awareness/Training Package – Cyber Incident response plans. • by October 2018 – Achieve Cyber Essentials Or – Achieve Cyber Essentials Plus
  • 18. Current Progress - England • Cyber Essentials Certification – 4% (JISC 2018) – 26% (Harding 2019) • Cyber Essentials Plus Certification – 0% (JISC 2018) – 4% (Harding 2019) 30% 😭 No Response from DFE (Following FOI March 2019)
  • 19. How’s Scotland Done?
      Sector | Number | CE | CE Plus | Percentage
      Colleges | 26 | 8 | 4 | 46.15%
      Universities | 15 | 3 | 6 | 60.00%
      Total | 41 | 11 | 10 | 51.22%
      Data with thanks to the Scottish Government (Following FOI March 2019) 46% 😕
  • 21. Timeline 2017 • Formal High-Level Information Security Policy Defined
  • 22. High Level Information Security Policy • Outlines our commitment to achieve and maintain: – Cyber Essentials by 2018. – Cyber Essentials Plus as soon as is practicable. • Moving forward the College will develop an Information Security Management System as per ISO27001. • The College will consider certification of the ISMS by external audit against the ISO27001 standard. 2017
  • 23. Timeline 2017 • Formal High-Level Information Security Policy Defined 2018 • Achieved Cyber Essentials Certification • Penetration Testing Carried Out (Inc. Phishing)
  • 24. Cyber Essentials • Simple, Cost Effective & Basic. (HM Gov 2014) • Five Key Control Areas. • Certification achieved by self-declaration questionnaire. • Some certification bodies may carry out an external vulnerability scan. • Findings/Improvements – Authored Password Policy – 1 Warning Area – Multi Factor Authentication 2018 Boundary Firewalls & Gateways Secure Configuration Access Control Malware Protection Patch Management
  • 25. Penetration Testing • After a short tender process, JISC were selected: – External vulnerability scanning. – On-site testing of Wi-Fi and PC Builds. – Covert attempts to breach security. • New for 2018 – Phishing simulation. • To assess the risk posed by a well-crafted Phishing attempt. • Not to catch people out • Agreement with our Governors – Testing to be carried out on a biennial basis. 2018
  • 27. Timeline 2017 • Formal High-Level Information Security Policy Defined 2018 • Achieved Cyber Essentials Certification • Penetration Testing Carried Out (Inc. Phishing) 2019 • Achieved Cyber Essentials Plus Certification • Information Security Risk Assessment Policy Defined • Information Security Risk Assessment Commenced
  • 28. Boundary Firewalls & Gateways Secure Configuration Access Control Malware Protection Patch Management Cyber Essentials Plus • Same Five Key Control Areas, plus: – On site assessments – Internal vulnerability scans – Review of physical security • Findings/Improvements – Legacy OS with Vulnerabilities (Windows 2003). – Older, vulnerable versions of: • Adobe Reader • Adobe Flash Player • Firefox – Execution of downloaded files. – 1 Warning Area – Multi Factor Authentication 2019
  • 29. Risk Assessment Policy • College Risk Appetite = LOW • Risks will be: – Identified – Analysed – Evaluated – Treated (to LOW) or Accepted (if LOW) • Treatment Options: – Avoid – Transfer – Mitigate – Accept • Resultant Risks: – >Low – Require SMT Sign-Off 2019
  • 30. Threat Analysis • Started out with a Rich Picture (Checkland 1990) • Diagram features an overview of: – The College's network. – Datacentres. – Power protection. – Threat Actors. – Example attack vectors. – General notes/queries. 2019
  • 31. Risk Assessment • Risk Assessment carried out within our ITSM Tool (Jira). • Risks can be linked to: – Services & Assets. – Threats. – Control Areas (CE & ISO27002). – Mitigations. • Impact & Likelihood input: – Risk Level calculated. – Risk Treatment suggestion added. • Residual Impact & Likelihood Input – Resultant Risk Level calculated. 2019
  • 32. Prioritisation of Mitigations • MoSCoW Method used to prioritise Risks and required mitigations. • Risk score used to define Risk, and subsequent treatment suggestion. • (New) Mitigations are being worked in Score order (High to Low). • Over 200 Risks Identified. – Approx ¾ have existing mitigations MoSCoW -> (Agile Business Consortium, 2014) 2019
  • 34. The Future 2019 • Risk Assessment & Gap Analysis Completion 2020 • Cyber Essentials Plus Certification (JISC) • Additional Mitigations Defined & Policies Authored • Penetration Testing (JISC) THEN • ISO27001 Audit????
  • 35. Thank you Alex Harding IT services, print shop and facilities manager Runshaw College
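
The risk-register logic described on slides 29, 31 and 32, written out as an added example; it is not from the slides and not the college's Jira configuration. The 1-5 impact and likelihood scales, the band cut-offs, every function and field name, and the sample entries are assumptions, since the slides do not give the scoring matrix.

```python
from dataclasses import dataclass

# Assumed cut-offs on an assumed 1-5 x 1-5 matrix (not stated on the slides).
BANDS = [(15, "HIGH"), (6, "MEDIUM"), (0, "LOW")]
APPETITE = "LOW"  # slide 29: College Risk Appetite = LOW


def level(impact: int, likelihood: int) -> tuple[int, str]:
    """Return (score, band) where score = impact x likelihood."""
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood must be in 1..5")
    score = impact * likelihood
    return score, next(name for floor, name in BANDS if score >= floor)


@dataclass
class Risk:
    name: str
    impact: int
    likelihood: int
    residual_impact: int      # re-scored after mitigations are applied
    residual_likelihood: int


def assess(risk: Risk) -> dict:
    score, inherent = level(risk.impact, risk.likelihood)
    _, residual = level(risk.residual_impact, risk.residual_likelihood)
    return {
        "name": risk.name,
        "score": score,
        "inherent": inherent,
        # Slide 29: accept if LOW, otherwise treat down to LOW.
        "suggestion": "Accept" if inherent == APPETITE
                      else "Treat (avoid/transfer/mitigate)",
        "residual": residual,
        # Slide 29: resultant risks above Low require SMT sign-off.
        "smt_sign_off": residual != APPETITE,
    }


def work_queue(risks: list[Risk]) -> list[dict]:
    """Risks needing treatment, in score order, highest first (slide 32)."""
    rows = [assess(r) for r in risks]
    return sorted((r for r in rows if r["inherent"] != APPETITE),
                  key=lambda r: r["score"], reverse=True)


# Constructed sample entries; scores are illustrative only.
REGISTER = [
    Risk("Phishing credential theft", 4, 4, 3, 3),
    Risk("Legacy OS on network", 5, 4, 2, 2),
    Risk("Out-of-date browser", 2, 2, 2, 1),
]
```

The residual band, not the inherent one, drives the sign-off flag: a HIGH risk mitigated to LOW needs no escalation, while one that only drops to MEDIUM does.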