CISObsessed – Your Weekly CISO Blog

Dear all,

Welcome to a new post on the CISO Cytroy Cyber Blog! As the Chief Information Security Officer (CISO) of this University, I thought I should introduce myself, my role and the role of my department, and explain the importance of cyber security in the life of our University.

My name is John Doe and I am responsible for the design and implementation of the information security strategy for the University's operational activities.

In practical terms, this means that I devise a risk-based approach to managing information security risk, while also driving and shaping the risk attitude of departments and users within the University. I also lead our information security activities, mitigating risk to our IT facilities, which may come under threat from both internal and external sources. To do this in a comprehensive manner, I develop the overall security governance framework for the University, including appropriate security controls, policies and procedures, and I advise our governing bodies on the most efficient ways to implement them and to verify them on an ongoing basis.

This is a job of constant vigilance and prompt, active response. It keeps us on our toes and forces us every day to improve and expand our cyber security skills. I hope this sounds interesting to you all!

The operational reality of cyber security drives our primary objective: to develop organisation-level security strategies that are flexible and adaptable, so that they can be modified easily when the risk environment changes (and it is highly dynamic and volatile). Traditionally, my role mostly involved identifying information assets and applying the corresponding preventative security measures within clearly defined boundaries. As the field has expanded and evolved, however, those boundaries have shifted with new technologies and trends, making unauthorised access and the leakage of sensitive information a constant, ongoing concern.

In my job, it is important to take a holistic view, considering both the human aspects of information security and the proper business and operational context of our University. Human psychology, how people approach data and information, and the ways in which people make cyber mistakes all need to be considered together with the operational context of the data. Taking both into account allows us to manage cyber risk from the technological, user and business/operational standpoints. In fact, most of the cyber security incidents I work on suggest that traditional cyber security solutions are skewed towards a system view: they do not support the long-term orientation of the organisation in a holistic sense, and they lack alignment with the user profile and/or business/operational objectives. We are working actively to improve this.

Let me now introduce my cyber security team and explain how we can all work together to achieve a high degree of cyber security in our working environment. I hope that once all our students are familiar with those who work 'behind the scenes' to make the University a safer place to operate, you will be able to work actively with us, reporting incidents and helping us to put effective cyber security procedures in place.

Firstly, let me introduce Joe Bloggs, our Security Officer. He reports directly to me and works on identifying vulnerabilities in our network. He is responsible for developing and implementing effective plans to secure our network, while also monitoring network usage to make sure it complies with the security policies we have in place. He keeps up to date with developments in the cyber security field and any newly identified threats, and he performs penetration tests to check how secure our networks really are. If there are any network breaches, he documents them, while also collaborating with the rest of us and educating his colleagues about security practices and software.

Steve Jobs is our Security Consultant. He also reports to me and is responsible for protecting sensitive data within our network. His responsibilities involve determining efficient strategies to protect our infrastructure, data and information systems against cyber risks. Steve performs threat analysis and system checks, defines and updates our cyber security criteria and validation procedures, meets with other IT departments to fix security problems, and estimates costs for our project teams. He's definitely a busy guy!

Sasha Sloane is our Cyber Security Manager. She plans and implements security measures on our systems and networks, establishes security policies and procedures, and trains staff on the proper use of systems. She also monitors the systems for any security gaps, designs effective solutions and provides reports. Her additional responsibilities include running risk assessments, testing data processing systems and designing firewalls. Her calm and collected demeanour is her secret weapon in dealing with any cyber security threat quickly and efficiently.

Working with Sasha, we have a team of Cyber Security Technicians/Engineers who fix and protect our systems from data threats by staying 'in the know' with the latest technical developments. They work together with our talented IT teams to create emergency arrangements so that our systems recover quickly if they are taken down by an attack. They work 365 days a year, around the clock, as our cyber security defence response!

To help us in our daily work, our department is lucky enough to also have a team of amazing Security Administrators who are your day-to-day system managers: they run the systems on a daily basis! They are also the best point of contact for issues such as setting up new accounts, increasing or reducing permissions for existing accounts, or managing user information and roles. They also help to brief us, as management, on current and emerging security threats.

Last but not least, we have a great team of Security Staff who support all these other roles, providing both manpower and ideas!

Following this brief introduction to our department, let me say a few words about the importance of what we do. As October was Security Awareness Month, I would like to focus on the significance of cyber security for universities as a whole. Unfortunately, rapid and dynamic technological development has been accompanied by rising rates of cyber attacks, which means cybercrime is now considered a considerable operational and business risk to us. Although we are confident that we have a good grasp of what is going on, our environment is open, permissive and highly distributed, which means we have a great many users and even more data and sensitive information to look after!

This brings me to another important topic in the world of university risk: GDPR. All universities must comply with the General Data Protection Regulation (GDPR), which came into force on 25 May 2018 and, together with the Data Protection Act 2018, replaced the Data Protection Act 1998. Crucially, GDPR compliance requires us to perform many additional tasks. Firstly, we must supply all staff and students with updated privacy information on how we use your data. This affects my role as CISO because I have to take into consideration how we might use data, and what security policies we need to enforce to ensure it is protected wherever it is used. We also have to make sure our records are kept appropriately (GDPR insists that personal data is not kept longer than necessary), which means I have to confer with my colleagues on an appropriate data disposal policy to make sure that data is truly removed from our systems with no possibility of recovery. This carries a lot of risk and is a key part of what I do.

We also need to make our staff and research personnel aware of the new guidance on research data management, through relevant communication campaigns and training. GDPR heightens the importance of good data handling, so we must educate researchers on best practice for the collection, handling, security and sharing of personal data (which includes the use of anonymisation techniques!). We have also introduced a Data Protection Impact Assessment for certain projects to minimise the privacy risk to participants.

We have also had to review our departmental data protection policies, originally written under the Data Protection Act (DPA), to make sure they comply with GDPR. Furthermore, we now have a single Data Protection Officer, whose role is defined by GDPR.

We have reviewed our supplier arrangements with data processors and put a policy in place to make sure our contractual obligations are described in greater detail and comply with GDPR.

Finally, we have set out newer and improved security policies for managing personal data to ensure its confidentiality, integrity and availability. These were originally set out under the DPA, but required more detailed amendment to comply with the requirements of GDPR. We have also introduced a procedure for those types of personal data breach that must be reported to the ICO (the Information Commissioner's Office) within 72 hours of becoming aware of them, so that the deadline is not missed.


Please feel free to contact me, or any member of the cyber security department, with any questions: john.doe@uniofcytroy.ac.uk, extn 19058.

John Doe

CISO

Useful links and documents to look at (Harvard referenced for your uni convenience):

Cambridge University (2017). University of Cambridge GDPR Data Protection Working Group.

Field Engineer. (n.d.). Data Security Administrator Job Duties. [online] Available at: https://www.cybersecurityeducationguides.org/information-security-administrator/ [Accessed 20 Nov. 2020].

Floridatechonline.com. (2020). Cyber Security Manager Guide. [online] Available at: https://www.floridatechonline.com/blog/information-technology/cybersecurity-manager-career-guide/#:~:text=Cybersecurity%20managers%20accomplish%20their%20responsibilities [Accessed 20 Nov. 2020].

Itgovernance.co.uk. (2016). Cyber Security for Universities. [online] Available at: https://www.itgovernance.co.uk/cyber-security-for-universities [Accessed 20 Nov. 2020].

Maynard, S.B., Onibere, M. and Ahmad, A. (2018). Defining the Strategic Role of the Chief Information Security Officer. Pacific Asia Journal of the Association for Information Systems, pp.61–86.

Microsoft Pulse. (2018). A guide to GDPR for universities. [online] Available at: https://pulse.microsoft.com/en/work-productivity-en/education-en/fa2-a-guide-to-gdpr-for-universities/ [Accessed 20 Nov. 2020].

Ncsc.gov.uk. (2020). The cyber threat to Universities. [online] Available at: https://www.ncsc.gov.uk/report/the-cyber-threat-to-universities.

www.fieldengineer.com. (n.d.). Cyber Security Technician - Job Role, Salary Details | field Engineer. [online] Available at: https://www.fieldengineer.com/skills/cyber-security-technician#:~:text=Cyber%20Security%20Engineers%20fix%20and [Accessed 20 Nov. 2020].

Memes for you all to enjoy:

https://memegenerator.net/instance/67841781/winter-is-coming-brace-yourself-the-ciso-has-good-ideas

https://www.boardish.io/the-5-step-framework-for-cisos-starting-in-a-new-company/

https://m.youtube.com/watch?v=o_XaJdDqQA0