3. @RunshawSD
Our Journey (nearly) to ISO27001!
• Runshaw College
• IT Services
• FE Budgets
• Information Security in FE
• Timeline
– Runshaw College’s Information Security Journey
• Future Plans
8. Student Numbers
Established in 1974/1975:
• 450 students aged 16-19
2019/2020:
• 5000 students aged 16-19
• 1000 Adult FE learners
• 350+ Apprentices
• 120 Higher Education students
• c. 6500 “students” in total
14. Information Security in FE
• The education sector consistently falls within the top 5 sectors for the number of reported Information Security Incidents. (ICO 2019)
• During 16/17 the sector saw a 40% increase in Info. Sec. incidents. (ICO 2019)
• Lack of Awareness is identified as the highest risk for over 2/3rds of colleges. (Harding 2019)
15. FE Sector – Top 5 Threats
Threat                       Results  Rank  Change
Lack of Awareness            69.57%   1     ▬
Phishing/Social Engineering  56.52%   2     ▲
Ransomware/Malware           39.13%   3=    ▼
External Attack              39.13%   3=    ▲
Denial of Service            34.78%   4     ▬
• Results taken from a survey of over 30 FE IT leaders, based upon which threats are identified as High or Critical priority.
• Rank/Change: comparisons to the JISC Security Survey 2018.
16. England
• September 2014
– Government announced that some contracts involving personal data may require Cyber Essentials Certification.
• No mention in FE funding documentation.
• June 2019
– Requirement to work towards ISO27001 Certification appeared in the FE funding guidance.
• Proposed for 20/21.
• September 2019
– This requirement has been removed, though it may return as a future requirement.
17. Scotland!
November 2017
Requirement for all Public Bodies:
• By June 2018
– Join CiSP
– Deliver Cyber Awareness/Training Package
– Cyber Incident response plans.
• By October 2018
– Achieve Cyber Essentials
Or
– Achieve Cyber Essentials Plus
18. Current Progress – England
• Cyber Essentials Certification
– 4% (JISC 2018)
– 26% (Harding 2019)
• Cyber Essentials Plus Certification
– 0% (JISC 2018)
– 4% (Harding 2019)
30% 😭 No Response from DfE (following FOI, March 2019)
19. How’s Scotland Done?
              Number  CE  CE Plus  Percentage
Colleges      26      8   4        46.15%
Universities  15      3   6        60.00%
Total         41      11  10       51.22%
Data with thanks to the Scottish Government (following FOI, March 2019) 46% 😕
22. High Level Information Security Policy
• Outlines our commitment to achieve and maintain:
– Cyber Essentials by 2018.
– Cyber Essentials Plus as soon as is practicable.
• Moving forward, the College will develop an Information Security Management System as per ISO27001.
• The College will consider certification of the ISMS by external audit against the ISO27001 standard.
2017
23. Timeline
2017
• Formal High-Level Information Security Policy Defined
2018
• Achieved Cyber Essentials Certification
• Penetration Testing Carried Out (Inc. Phishing)
24. Cyber Essentials
• Simple, Cost Effective & Basic. (HM Gov 2014)
• Five Key Control Areas:
– Boundary Firewalls & Gateways
– Secure Configuration
– Access Control
– Malware Protection
– Patch Management
• Certification achieved by self-declaration questionnaire.
• Some certification bodies may carry out an external vulnerability scan.
• Findings/Improvements
– Authored Password Policy
– 1 Warning Area – Multi Factor Authentication
2018
25. Penetration Testing
• After a short tender process, JISC were selected:
– External vulnerability scanning.
– On-site testing of Wi-Fi and PC Builds.
– Covert attempts to breach security.
• New for 2018
– Phishing simulation.
• To assess the risk posed by a well-crafted Phishing attempt.
• Not to catch people out.
• Agreement with our Governors
– Testing to be carried out on a biennial basis.
2018
30. Threat Analysis
• Started out with a Rich Picture
(Checkland 1990)
• Diagram features an overview of:
– The College's network.
– Datacentres.
– Power protection.
– Threat Actors.
– Example attack vectors.
– General notes/queries.
2019
31. Risk Assessment
• Risk Assessment carried out within our ITSM Tool (Jira).
• Risks can be linked to:
– Services & Assets.
– Threats.
– Control Areas (CE & ISO27002).
– Mitigations.
• Impact & Likelihood input:
– Risk Level calculated.
– Risk Treatment suggestion added.
• Residual Impact & Likelihood input:
– Resultant Risk Level calculated.
2019
32. Prioritisation of Mitigations
• MoSCoW Method used to prioritise Risks and required mitigations.
• Risk score used to define Risk, and the subsequent treatment suggestion.
• (New) Mitigations are being worked in score order (High to Low).
• Over 200 Risks Identified.
– Approx. ¾ have existing mitigations.
MoSCoW: Agile Business Consortium (2014)
2019
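As an added illustration (not the College’s Jira configuration or its own code), a minimal risk register that links each risk to services, threats and control areas, calculates the inherent and resultant Risk Level from Impact × Likelihood, attaches a MoSCoW treatment suggestion, and orders outstanding mitigations High to Low. The 1-5 rating scale, the score bands and the sample risks are assumptions, since the slides do not state them.

```python
from dataclasses import dataclass, field

# Assumed: Impact and Likelihood rated 1-5, Risk Level = Impact x Likelihood (1-25),
# and illustrative MoSCoW bands on that score; the slides do not state their scale.
BANDS = [(15, "Must"), (8, "Should"), (4, "Could"), (0, "Won't")]   # descending score floors
TREATMENT = {"Must": "mitigate now", "Should": "plan mitigation",
             "Could": "mitigate if resources allow", "Won't": "accept and monitor"}

def moscow(score: int) -> str:
    # First band whose floor the score reaches (BANDS is ordered high to low).
    return next(label for floor, label in BANDS if score >= floor)

@dataclass
class Risk:
    title: str
    threat: str                     # linked threat, e.g. a row of the Top 5 Threats table
    services: list                  # linked services & assets
    control_areas: list             # linked CE / ISO27002 control areas
    impact: int
    likelihood: int
    mitigations: list = field(default_factory=list)   # existing mitigations
    residual_impact: int = 0        # 0 = not yet re-rated with mitigations in place
    residual_likelihood: int = 0

    @property
    def score(self) -> int:         # inherent Risk Level
        return self.impact * self.likelihood

    @property
    def residual_score(self) -> int:  # resultant Risk Level; unchanged until re-rated
        if not (self.residual_impact and self.residual_likelihood):
            return self.score
        return self.residual_impact * self.residual_likelihood

    @property
    def treatment(self) -> str:     # treatment suggestion derived from the inherent score
        return f"{moscow(self.score)}: {TREATMENT[moscow(self.score)]}"

def mitigation_queue(risks: list) -> list:
    # Risks still needing (new) mitigation work, High -> Low by residual score; 'Won't' is accepted.
    todo = [r for r in risks if moscow(r.residual_score) != "Won't"]
    return [r.title for r in sorted(todo, key=lambda r: r.residual_score, reverse=True)]
# Constructed sample register; not the College's real risks or ratings.
REGISTER = [
    Risk("Staff credential phishing", "Phishing/Social Engineering", ["Email", "SSO"],
         ["Access Control"], 4, 5, ["Awareness training"], 4, 3),
    Risk("Ransomware on unpatched PC", "Ransomware/Malware", ["PC builds"],
         ["Patch Management", "Malware Protection"], 5, 3, ["Patching", "AV"], 5, 1),
    Risk("Web service flooded", "Denial of Service", ["Website"], ["Boundary Firewalls"], 2, 3),
    Risk("Datacentre power loss", "Environmental", ["Datacentre"], [], 3, 1),
]
```

Re-rating a risk after a mitigation lands (setting its residual ratings) moves it down the queue without touching its inherent score, so the register keeps both the original assessment and the current position.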