Friday 19 December 2014

Cryptoy from GCHQ

The Cryptoy app was designed by Science, Technology, Engineering and Maths (STEM) students on an industrial placement at GCHQ. It was created as part of a project to demonstrate encryption techniques at the Cheltenham Science Festival, and has since been demonstrated at other educational events.

Download from: 
http://www.gchq.gov.uk/how_we_work/partnerships/supporting_education/Pages/Cryptoy-app.aspx 

Monday 24 November 2014

Cyber Essentials Scheme

Cyber Essentials is a government-backed, industry supported scheme to help organisations protect themselves against common cyber attacks.

The scheme has been developed by Government and industry to fulfil two functions. It provides a clear statement of the basic controls all organisations should implement to mitigate the risk from common internet-based threats, within the context of the Government’s 10 Steps to Cyber Security. And through the Assurance Framework it offers a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions.

Cyber Essentials defines a set of controls which, when properly implemented, will provide organisations with basic protection from the most prevalent forms of threats coming from the Internet. In particular, it focuses on threats which require low levels of attacker skill, and which are widely available online. Risk management is the fundamental starting point for organisations to take action to protect their information. However, given the nature of the threat, Government believes that action should begin with a core set of security controls which all organisations – large and small - should implement. Cyber Essentials defines what these controls are.

This seems like an interesting development - I read it as a minimal set of IT controls that should be put in place to deliver IT security (as opposed to _information_ security), before information risk analyses take place.

Friday 10 October 2014

Top Ten Issues in Higher Education

Each year EDUCAUSE / ECAR produces a set of Top-Ten Issues.

A presentation at the EDUCAUSE conference this week gave a first glimpse of the 2015 Issues.  These will be published next January, but are available here:

Points 7, 8 and 9 all refer to Information Security.

How to make your University Secure - Poster
Presented at EDUCAUSE poster session.

How to Make Your University CyberSecure

I ran a workshop at EDUCAUSE last week titled: 'Diamonds and Paper Clips: Steps Needed to Make Your University Cybersecure'. 

We conducted a survey, and there were really interesting results. The results show the percentage of universities represented that have achieved each of the following:

Percentage with IS primarily in IT department: 95% (but strong views that IS has to become separated from IT)
Percentage with recognised and agreed Incident Response Process: 20%
Percentage with signed-off university IS policy: 25%
Percentage with information asset register: 35%
Percentage attempting to classify assets: 25%
Percentage with IS risk register: 10%
Percentage where university can identify most valuable information assets: 15%
Percentage where university can identify most valuable assets and perform risk assessment: 3%

Friday 22 August 2014

How do you identify crown-jewel information assets and protect them?

I have developed an 'Information Asset Register Tool' that is undergoing testing. Take a look! If you do, please let me have your comments.

Excellent Information Security Guide

Internet2 has an excellent Information Security Guide.   It is designed to support university Information Security managers and is a superb resource with an excellent front page interface.

Definitely worth a look.

Wednesday 2 July 2014

Why senior leaders are the front line against cyberattacks

Found a very interesting McKinsey article which emphasises that senior managers need to lead. An extract:

"Cybersecurity is a CEO-level issue. The risks of cyberattacks span functions and business units, companies and customers. And given the stakes and the challenging decisions posed by becoming cyberresilient, making the decisions necessary can only be achieved with active engagement from the CEO and other members of the senior-management team."

Tuesday 27 May 2014

The Information Security Breaches Survey 2014, commissioned by the Department for Business, Innovation and Skills and carried out by PwC, was announced by David Willetts at the Infosecurity Europe conference.

The survey reported that 81% of large organisations suffered a security breach over the last year, and whilst this is down from 86% a year ago - and organisations are experiencing fewer breaches overall - the severity and impact of attacks has increased, with the average cost of an organisation's worst breach rising significantly for the third consecutive year. For small organisations the worst breaches cost between £65,000 and £115,000 on average and for large organisations between £600,000 and £1.15 million.

A very important and relevant finding this year is that, "70% of companies that have a poor understanding of security policy experienced staff related breaches, compared to only 41% in companies where security is well understood. This suggests that communicating the security risks to staff and investing in ongoing awareness training results in fewer breaches."

The full PwC report is available from: http://www.pwc.co.uk/audit-assurance/publications/2013-information-security-breaches-survey.jhtml, and provides a useful perspective for our University's Information Security activities and priorities.

eBay attack is ‘wake-up call to all of us' - Information Commissioner

The Information Commissioner's Office blog makes very interesting reading regarding the recent eBay breach. Here is a quote, "This needs to be a wake-up call to all of us. It shows consumers the importance of having different, strong passwords for different online services. It’s a wake-up call to government that the 20-year-old data protection laws are showing their age. But most of all it’s a wake up to businesses. Cyber crime is real. Hacking is real."

Thursday 20 February 2014

Holistic Management of Employee Risk (HoMER)

Employee risk is defined as counterproductive behaviour, whether inadvertent, negligent or malicious, that can cause harm to an organisation.
The guidance sets out:
  • Principles, policies, procedures and examples of good practice which help manage the risk of counterproductive behaviour in the workplace
  • Ways to strengthen compliance with legal and regulatory frameworks
  • A framework to help improve trust amongst employees, customers and shareholders.
- See more at: http://www.cpni.gov.uk/advice/Personnel-security1/homer/#sthash.PzQvBqmo.dpuf
Managing employee risk has become a critical issue for organisations, for which a fine balance is required between treating employees fairly and ethically, and ensuring comprehensive data security. This guidance from the CPNI is worth a read.

European Information Security Summit

The Summit was held at the British Museum (18-19 February). Videos of the talks will be available shortly.

One development discussed in many Panels, and of particular interest, is Europe's new data regime. The European data privacy framework includes a new regulation and a new directive, and will apply to all 27 European member states. The package of measures is aimed at fundamentally overhauling and harmonising the EU’s data protection regime, and will introduce enhanced rights for individuals and tough penalties for non-compliance. It is designed to eliminate the uncertainty created by a patchwork of data protection laws and data breach notifications faced by businesses. One result of this new regime would be that the level of possible fine would increase significantly from the current ICO's limit (in the UK), possibly to between 2 and 5% of a company's global revenue.

Wednesday 12 February 2014

Data security is not their responsibility say 23% of employees

A news item in Computer Weekly states, "Nearly a quarter of employees believe that data security is not their responsibility, according to a survey by security management firm Absolute Software.

"The survey found that 23% of workers claimed that data security was up to the organisation and not the individual. However, 69% believed that a business should face legal action if the employer loses an individual’s data."

Tuesday 11 February 2014

ICAEW 'Audit Insights: Cyber Security'

A review from November 2013, which is certainly worth reviewing:

"Auditors working in IT reveal that every business will have their security compromised and must change their mind set around cyber security. In the ICAEW report auditors say that businesses need to be able to tolerate a certain level of security breach and prioritise on protecting what information and data is important to them – their ‘crown jewels’.

Most businesses don’t get the basics right

It is estimated that up to 80% of security breaches could be prevented by implementing basic good practices in cyber security. However, businesses of all sizes and across all industries still struggle to get the basics right. People continue to be the weakest link in implementing effective security and human failings are increasingly being exploited by attackers to gain access to confidential information.

Businesses should focus on their critical information assets

Businesses cannot sustain an approach of protecting all their information at all times. Instead, businesses increasingly need to prioritise their information assets and focus their resources on their ‘crown jewels’. This enables a more sophisticated risk-based approach to security which balances the benefits and costs of security measures."

Safer Internet Day, Tuesday 11 February

Today is Safer Internet Day. It is organised by Insafe in February of each year to promote safer and more responsible use of online technology and mobile phones, especially amongst children and young people across the world.

In Oxford we held a Safer Internet Day Summit.  "Can we build an action plan for the University to protect staff, academics, and students from online harassment and abuse? Teams from Academic IT, Information Security, Legal Services, HR, Security Services and the Equality & Diversity Unit brought together a panel of experts to discuss the theme of this year's international Safer Internet Day 2014, which is 'Let's create a better internet together'.

Presentations addressed the Oxford landscape and included 'How does your institution keep you safe?' by Dr Sara Perry, University of York, a scholar who was harassed online and has researched how academics are particularly vulnerable."