Security Overview at Lancaster University May, 2017 John Couzins (IT Security Manager)


Summary

• External Requirements

– Cyber Essentials Plus

– IG Toolkit

– ISO 27001

• Information Classification

– Personal and Sensitive personal

• Information Transfer/Storage/Disposal

• Questions

External Requirements

Research grants now frequently require external accreditation:

• Cyber Essentials

• Information Governance (IG) Toolkit

• ISO27001

Cyber Essentials Plus

Cyber Essentials is a baseline scheme developed by the UK Government and industry to address common IT security risks; Cyber Essentials Plus adds independent technical testing of the same controls.

• Launched in 2014

• LU certified in January 2017

• Mainly focused on the endpoint (desktop/laptop)

• Required by a large number of government bodies

• Research Councils UK is looking at this as a requirement

• Windows 10

• No admin rights on desktops

IG Toolkit

The IG Toolkit is used by the NHS to assess how organisations process and handle personal data.

• More mature and granular

• Policy driven

• Less specific around technical detail

• Achieved in the past on a small scale

• Looking at how we can expand this

ISO 27001

ISO 27001:2013 is a specification for an information security management system (ISMS).

• Very mature

• Policy heavy

• Very hard to achieve at organisation level

• No current offering, but a number of our policies align with the standard

University Policy: Information Classification

Ordinary

• Information that has no constraints on its publication

• Available to all including external parties

Confidential

• Information of internal interest or being prepared for publication

• Recipients may forward to others within the control of the University (e.g. under a confidentiality agreement)

Restricted

• Information which is for circulation to named recipients only

Personal

• Protected by law

• Access should be by relevant staff only

• The information can be circulated to named recipients only

Personal and Sensitive personal

• Personal data means data which relate to a living individual who can be identified from the data

• Sensitive personal data means personal data consisting of information as to:

– Racial or ethnic origin

– Political opinions, religious beliefs or other beliefs of a similar nature

– Physical or mental health

– Sexual life

– The commission or alleged commission of any offence

Information Transfer

Storage

Where can data be stored?

• Laptops and desktops (encrypted, with physical security)

• Central file store (correctly permissioned)

• Cloud – Box (Not Dropbox)

• Printed copies – physically secured

• Memory cards, external disks etc. are not advised

http://www.lancaster.ac.uk/iss/security/advice
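The endpoint controls the talk associates with Cyber Essentials Plus (Windows 10, no admin rights on desktops) and the storage rule above (laptops and desktops encrypted) can be verified on a machine with a short posture check. The script below is an added example, not part of the slides or of Lancaster University's own tooling. It assumes a Windows 10 endpoint with the built-in LocalAccounts module and, for the encryption check, the BitLocker module (Pro/Enterprise editions); the list of permitted members of the local Administrators group (`$allowed`) is a placeholder to replace with local policy.

```powershell
# Added example: endpoint posture check for the controls named on the slides
# (Windows 10 baseline, no local admin rights, encrypted laptops/desktops).
# Assumes Windows 10 with the LocalAccounts module; BitLocker cmdlets are
# optional and their absence is reported rather than treated as a pass.
$findings = @()

# 1. Operating system: the slides list Windows 10 as the desktop baseline.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.Caption -notmatch 'Windows 10') {
    $findings += "OS is '$($os.Caption)', not Windows 10"
}

# 2. Access control: no ordinary users in the local Administrators group.
#    The allowed names below are assumed placeholders; set them from policy.
$allowed = @('Administrator', 'Domain Admins', 'IT-Support')
$admins = Get-LocalGroupMember -Group 'Administrators'
foreach ($member in $admins) {
    # Names come back as COMPUTER\name or DOMAIN\name; compare the short name.
    $short = ($member.Name -split '\\')[-1]
    if ($allowed -notcontains $short) {
        $findings += "Unexpected local admin: $($member.Name) ($($member.ObjectClass))"
    }
}

# 3. Storage: the system drive must be encrypted with protection switched on
#    (an enabled-but-suspended volume reports ProtectionStatus 'Off').
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $sys = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($sys.ProtectionStatus -ne 'On') {
        $findings += "BitLocker protection is '$($sys.ProtectionStatus)' on $($env:SystemDrive)"
    }
} else {
    $findings += "BitLocker cmdlets unavailable; disk encryption could not be verified"
}

if ($findings.Count -eq 0) {
    Write-Output "PASS: endpoint meets the checked controls"
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
}
```

Run it from an elevated PowerShell session on the endpoint; membership of the Administrators group and BitLocker status both require local administrator rights to read, which is also why a check like this is normally pushed out by IT rather than run by the user whose admin rights it is confirming are absent.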

Disposal

• Portable

• University Equipment

• Cloud

Questions?