Information Services Information Technology Committee. 10 th June 2014. ITC Workplan for 2014/15




Brief description of the paper
The paper is a combination of a committee workplan for 2014/15 and a report on activity during 2013/14. The plan is for discussion and comment; the report is for information. The plan and the report were required by KSC for their meeting in October and so have already been reviewed and accepted by KSC. So we are in the slightly strange position of having an acceptable workplan that ITC hasn't seen. This does not mean that we cannot make changes if we wish to, but we can have confidence that it is covering the areas that are important to KSC.

Action requested
For comment - we will finalise the plan based on comments received.

Resource implications
Does the paper have resource implications? No

Risk Assessment
Does the paper include a risk analysis? No

Equality and Diversity
Has due consideration been given to the equality impact of this paper? Yes. There are no diversity implications.

Any other relevant information
The Review Group will submit annual reports from this point onwards to ITC.

Originator of the paper
Simon Marsden, October 2014

Freedom of information
Can this paper be included in open business? Yes

ITC Workplan

The ITC committee has a pattern of working based on having 3 meetings a year. The work is divided into the following broad areas:
- IT Strategy
- Oversight and input to major IT initiatives
- Service monitoring: robustness, resilience, priorities
- Security

2014/15 Plan

Strategy
- IT infrastructure: implementing the outcomes of the IT Infrastructure review
- Overall strategy: review the overall guiding principles document

Oversight of major initiatives
- Research Data Management (IS)
- Telephone Replacement (IS)
- Office 365 for staff (IS)
- University web site content management system change (IS)
- Delivery of web services to mobile devices (IS)
- Media Refresh (IS)

Service Monitoring
The main strands of work planned in this area are:
- Ongoing monitoring of priorities
- Roll out of software licensing risk management
- Policy around availability, taking into account planned and unplanned down time

Security
- Ensuring our policy and guidance are current and disseminate best practice
- Annual report for Risk Management Committee on security incidents/breaches
- Multi factor authentication implemented in high risk situations

S L Marsden, October 2014

2013/14 Review

Strategy
Within the strategy we have an overall IT Strategy which is concerned with the principles which guide the development of IT services. Within the overall umbrella, sub-strategies are developed. Over the last year a plan for developing our capability to manage and deliver multimedia content was developed, resulting in the IT Committee supporting an IS business case in the planning round which received funding. Going forward there will be an initiative to develop the service, monitoring of which will be part of the oversight activity in the 14/15 plan. The video services are more closely aligned with the work of the Learning and Teaching Committee and it is expected that the requirements for infrastructure will be driven by their agenda.

We have been conducting an IT Infrastructure Review over the summer. The expectation is that we will produce a 5 year roadmap for the development of the IT infrastructure; the roadmap will be reviewed by both ITC and KSC. Timing of the review has resulted in the work being carried out in between meetings of the IT Committee.

Oversight and input to major IT initiatives 2013/14

Research Data Management (IS)
The RDM services have made good progress, with the policy and tools for creating data plans in place, together with technical delivery of the data store (ie up to 500Gb of active file storage per researcher) and the data share (ie sharing published data sets). The data vault (ie long term storage) is still to be developed.

Telephone Replacement (IS)
Replacing analogue phones which are near end of life with digital phones has been constrained by funding but has also been included in the infrastructure review.

Shared Academic Timetabling (IS)
This 3 year project has delivered well; we now have a timetabling unit located in SASG who are running the processes and continuing to further develop the service. The main objectives of delivering personal timetables for students and more effective MI showing teaching space usage have been delivered and the project has closed. The software that we purchased, Scientia, has been found to have some limitations which have impacted on our delivery: the software is not as reliable as we need, and the functions to allow student self sign up for class events (eg tutorials) will not work in combination with our other processes. Scientia recognise the issues and are engaged on a product re-write which will address the problems but which will take at least 2 years to deliver. In the meantime we have put additional monitoring and process control around the service to greatly reduce the unreliability issue. From a user perspective we managed the peak period through the start of the academic year this year with far less disruption than in the previous year.

Office 365 for staff (IS)
Our in house Microsoft Exchange service, which delivered diary for all staff and email for about 60% of staff, has been successfully replaced with Microsoft's cloud service Office 365. The change has been well received. Driven by user demand we are now in the process of transferring all staff still using Staffmail in the College of Humanities and Social Sciences to Office 365 and have a similar migration for Medicine staff planned.

Select Print (IS)
Introduction of SelectPrint has allowed us to consolidate on a single printing/copying/scanning service for staff and students. Under our contract with Xerox, we now have a fleet of some 700 multi function devices in place, selected from a range of 7 models. Students and staff can print to MFDs from their own laptops, computers, pads and phones as well as from University equipment. The service has been very positively received. We have seen an increase in usage of about 50%.

University web site content management system change (IS)
The plan to replace our current content management system, Polopoly, with the open source system Drupal remains on track for December 2015 delivery. We are just about to start the first site migrations, ready for full scale activity starting January 2015.

Delivery of web services to mobile devices (IS)
We developed a strategy to use adaptive web pages (ie web pages which adjust their display to the size of the screen they are being used on) rather than custom apps for mobile devices. We have done this successfully for both the EASE and MyEd services and are starting to see the adoption of adaptive design in other services, eg some aspects of student self service. The strategy recognises that where an app already exists we can incorporate it into our portfolio, but that we should not create apps ourselves. Consequently we have adopted a mobile app from Blackboard for users of the Learn VLE and Microsoft's apps for Office 365 users. This is great progress.

Use of Video management tools in the Business School (CHSS)
The Business School purchased a cloud service called Panopto to support their ambition for capturing and delivering lectures and other video material as part of the Edinburgh MBA programme. The service has worked well and is providing really helpful input into the business case for a University wide media service.

Business Intelligence (USG)
The committee has continued to follow the progress of the BI/MI initiative but does not have a governance role, so acts as an additional communications channel for the initiative.

Service monitoring: robustness, resilience, priorities
The availability of services remains a significant concern, especially at the start of the academic year. The lessons learned from previous years are being fed into a continuous improvement cycle such that we have seen year on year improvements. The start of 2014/15 was to the required standard, with little or no significant disruption to services. It is important to recognise that the start of the year will always be a vulnerable period, with many processes that have to execute at high volume which are not exercised at volume at any other time of the year, and software and hardware that changes between peak cycles.

The sub group of ITC set up to monitor the service priorities, and the levels of service availability and disaster recovery accorded to each priority category (high, medium or low), reported to ITC in June. They recommended no changes to the high priority category. The group has started to engage with overall availability, combining planned (ie system maintenance) and unplanned (ie faults) downtime, to work towards setting an overall target. As a first step, monitoring of overall availability has been put in place.

The committee oversaw the development of a policy to ensure that the risks associated with breaches of software license conditions are routinely reviewed and managed. The process to assess the risks is currently being piloted across all of IS, with an expectation of rolling it out more widely early in the year.

Security
Security risks have been a growing concern throughout the year, within ITC and the Risk and Audit committees. The growing concern is a reflection of the increasingly difficult external environment and, as a consequence, we have been responding and stepping up our activities. The appointment of the Chief Information Technology Officer has made a significant difference. He has provided a focus for our activity. The main areas that have been addressed are:
- Met with heads of schools and established a network of security practitioners within the University.
- Provided that network with a way to feed back on incidents so that we can learn from each other, track levels of incidents and compare them with other Universities.
- Put in place a firewall rule that requires all web sites in the University to be registered before they can receive traffic from outside of the University. Understanding what we have and who owns it will provide us with a control to monitor activity and to ensure that web servers are being updated and adequately patched for new security vulnerabilities.
- Procured an external vulnerability testing service.
- Provided guidance on possible data loss:
  - what constitutes high risk information
  - what actions staff need to take if they are using high risk information on mobile devices
  - encryption tools to mitigate the risks
- Assessed the risks around the possible theft of passwords. The outcome of this is that we believe we need to implement a second factor challenge, ie something more than a password, for some services. The area where there is the biggest risk is student record and BI/MI services, where many staff quite correctly have access to many students' personal data. Technical solutions which balance usability and security are being evaluated before a final recommendation is made.
- Provided an annual report to the Risk Management and Audit committees (attached).

IT Security 2013-2014 report to Risk and Audit Committee

During the past year there has been a significant expansion in the level of effort over security evident in the Colleges and Schools. In particular, a very active group has been established in Science and Engineering and this model is now being followed in Humanities and Social Science. A review of the various security policies has been made by the ITC Working Group on Security and steps taken to update the policies and to establish new policies where there are obvious gaps. A short review was held over the danger of leakage of corporate data when an EASE credential is lost. This has led to further discussions with system owners and a proposal for positive action over changes to the security model for the Student Systems area. Ongoing work has continued with both Janet and other Russell Group institutions on the ability to share information on the number and severity of security incidents. This work only proceeds very slowly as there is still extreme reluctance to admit to events unless the issue is forced upon an institution.

During the year there have been 11 security incidents which can be graded as serious. This compares to 14 incidents in the previous year. It should be noted that 3 of these incidents have been in the EUSA website area. We are engaged with EUSA about how they can improve the security awareness of their web site managers.

Date       Incident              Effect                               Cause                        Owner
15-Aug-13  IRC Bot infection     Network attacks - caused DoS issues  Inadequate patching          Biological Sciences
16-Sep-13  Trojan 'Key Logger'   Potential loss of information        Responded to phishing email  HSS
12-Nov-13  Compromised Website   500 bytes downloaded (style sheets)  Inadequate patching          Informatics
29-Nov-13  Phishing Attack       Ability to read Staffmail            Responded to phishing email
06-Feb-14  Compromised Website   Inserted web pages                   Inadequate patching          Biological Sciences
20-Feb-14  Credential Loss       Id theft through Guardian bogus adverts  Bad password policy      CAM
03-Mar-14  Careless Permissions  Publicly available files             Carelessness                 Geosciences
01-Aug-14  Compromised website   Added web links                      Inadequate patching          IS-Apps
18-Sep-13  Compromised Website   Viagra adverts                       Inadequate patching          EUSA
22-Apr-14  Compromised Website   Viagra adverts                       Inadequate patching          EUSA
18-Jul-14  Compromised Website   Viagra adverts                       Inadequate patching          EUSA