Kenneth Høstland talked about how UNINETT are helping universities move from their traditional focus on securing Information Technology (IT) to the wider issue of Information Security (IS), whether driven by regulatory requirements, business requirements, actual threats or technology requirements. This involves developing information governance, described as “the glue between business processes and supporting IT functions”.
To help in this, UNINETT have developed a support package comprising an Information Security Policy, supported by an intensive one-day IS audit that requires the involvement of senior organisational management. Although this is based on the ISO 27000 series standards, they have managed to condense more than a hundred pages of ISO documentation down to a much more digestible ten. The audits commonly find that while IT security is satisfactory, basic documents such as a Security Policy, an IT Strategy and continuity and contingency plans are missing. Another frequent problem area is outsourcing contracts, which rarely pay sufficient attention to security matters.
Standard recommendations are therefore to develop a Security Policy, appoint a Chief Security Officer (not the Head of IT!), perform a risk assessment, document the security architecture and business continuity plan and ensure that all activities handling personal data are identified. This is rather different from the traditional focus on technology security, but if security is indeed “20% technology and 80% attitude” shouldn’t we be paying a bit more attention to the 80%?