Moving from Technology Security to Information Security

Kenneth Høstland talked about how UNINETT are helping universities move from their traditional focus on securing Information Technology (IT) to the wider issue of Information Security (IS), whether driven by regulatory requirements, business requirements, actual threats or technology requirements. This involves developing information governance, described as “the glue between business processes and supporting IT functions”.

To help in this, UNINETT have developed a support package of an Information Security Policy supported by an intensive one-day IS audit, requiring the involvement of senior organisational management. Although this is based on the ISO 27000 series standards, they have managed to condense more than a hundred pages of ISO document down to a much more digestible ten. The audits commonly find that while IT security is satisfactory, basic documents such as a Security Policy, IT Strategy and continuity and contingency plans are missing. Another frequent area of problems is outsourcing contracts, which rarely pay sufficient attention to security matters.

Standard recommendations are therefore to develop a Security Policy, appoint a Chief Security Officer (not the Head of IT!), perform a risk assessment, document the security architecture and business continuity plan, and ensure that all activities handling personal data are identified. This is rather different from the traditional focus on technology security, but if security is indeed “20% technology and 80% attitude”, shouldn’t we be paying a bit more attention to the 80%?
