ucisa Information Security Management Toolkit


Introduction


The Toolkit is arranged in chapters, each one covering a key aspect of an Information Security Management System (ISMS) and providing advice, instructions and examples to aid implementation. At the end of each chapter is a summary of key points and references. At the end of the document, in the Conclusion, is a collection of all the chapters’ summary points.

The Introduction chapter of the Toolkit also contains a Route map to guide the reader through the stages of an ISMS, and which chapters to refer to.


Full Introduction [PDF]

Resources for Introduction [PDF]

This chapter describes the basic concepts of information security, the context within which educational organisations operate, and introduces the topic of information security management. It forms part of Stage 1 – Foundations and Stage 3 – Implementation, support and operation in the Toolkit Route map.

Key topics

  • The three aspects of information security
  • How threats to information are changing
  • The purpose of information security management


Chapter 1 - What is information security? [PDF]

Resources for Chapter 1 [PDF]

The first step in establishing adequate information security management within any organisation is the formulation and approval of an overall information risk governance strategy.

This chapter explains information security governance and gives an overview of the development, implementation and maintenance of a successful ISMS. Lead implementers need to be able to sell the concept of an ISMS to top management (e.g. the governing body of a university) and to the senior operational board in order to get them fully behind the initiative, and this section also describes how to do that effectively. It forms part of Stage 1 – Foundations and Stage 2 – Planning, assessment and evaluation in the Toolkit Route map.

Key topics

  • The most critical components in the development, implementation and maintenance of a successful ISMS
  • How to use your organisational structure to give your ISMS the greatest possible chance of success
  • How to align your ISMS with your organisation’s business strategy


Chapter 2 - Information security governance [PDF]

Resources for Chapter 2 [PDF]

This chapter describes the external and internal factors which influence an organisation to adopt formal information security management, and which shape an information security management system. It also provides advice on how to balance conflicting drivers. It forms part of Stage 1 – Foundations in the Toolkit Route map.

Key topics

  • The levels at which drivers operate
  • Where drivers come from
  • How to manage drivers


Chapter 3 - Drivers [PDF]

Resources for Chapter 3 [PDF]

This chapter outlines what is meant by scope and how to decide the scope for an ISMS. It forms part of Stage 2 – Planning, assessment and evaluation in the Toolkit Route map.

Key topics

  • How scope can mean something different depending on the context
  • How to successfully define the scope of an ISMS
  • What to consider when scoping outsourced/third-party services


Chapter 4 - Scoping [PDF]

Resources for Chapter 4 [PDF]

This chapter of the Toolkit is devoted to the subject of information security risk assessment and management. Information risk management is important as organisations cannot avoid being exposed to information risk. It forms part of Stage 2 – Planning, assessment and evaluation, Stage 3 – Implementation, support and operation and Stage 4 – Performance, evaluation and improvement in the Toolkit Route map.

Within this chapter, a methodology for information risk assessment is described, as well as some of the key considerations involved when carrying out information security risk assessment.

Key topics

  • Why information security risk assessment is important
  • The key steps in carrying out an information security risk assessment
  • How to decide the appropriate cost of mitigating an information risk


Chapter 5 - Risk assessment [PDF]

Resources for Chapter 5 [PDF]

This section describes how to approach security measures, or controls, and how to make them work in practice. It forms part of Stage 2 – Planning, assessment and evaluation and Stage 3 – Implementation, support and operation in the Toolkit Route map.

Key topics

  • Definition of a control
  • How to pick and assess controls
  • What to do about “ready-made” sets of security controls


Chapter 6 - Controls [PDF]

Resources for Chapter 6 [PDF]

This section addresses some of the considerations involved in designing an information management scheme and making it operate in practice. It forms part of Stage 2 – Planning, assessment and evaluation in the Toolkit Route map.

Key topics

  • The benefits of having an information management scheme
  • The components of an information management scheme
  • Tips for creating and using a workable and appropriate scheme


Chapter 7 - Information management [PDF]

Resources for Chapter 7 [PDF]

This chapter outlines the roles and responsibilities, and supporting competencies, required of staff within an organisation in order to implement and sustain a successful information security management system. It forms part of Stage 1 – Foundations, Stage 2 – Planning, assessment and evaluation, and Stage 3 – Implementation, support and operation in the Toolkit Route map.

Key topics

  • The roles required to deliver effective information security in an organisation
  • The responsibilities that may be assigned to individuals’ roles or functions
  • The core competencies required of key groups of staff


Chapter 8 - Roles and competencies [PDF]

Resources for Chapter 8 [PDF]

This section covers the various justifications for, and approaches to, improving awareness of information security, as well as mistakes to avoid. It forms part of Stage 2 – Planning, assessment and evaluation and Stage 3 – Implementation, support and operation in the Toolkit Route map.

Key topics

  • The different ways to target awareness communications to members of an organisation and to specific groups, as well as related challenges
  • The qualities that awareness material should have in order to get attention and support individuals in developing the necessary security skills
  • How to align awareness activities with the rest of the organisation, in terms of managing risk and measuring effectiveness


Chapter 9 - Awareness raising [PDF]

Resources for Chapter 9 [PDF]

This chapter covers designing and interpreting measurements for information security management, both generated within the organisation and drawn from external sources. It forms part of Stage 4 – Performance, evaluation and improvement in the Toolkit Route map.

Information security is a particularly challenging field for designing and interpreting measurements, as it deals with unknown circumstances and unexpected events, both of which are hard to measure.

This chapter uses the term measurement throughout, except where quoting other documents.

Key topics

  • Why measurements are worth using
  • How to identify useful measurements, and evaluate the usefulness of the ones you are already using
  • How to use measurements


Chapter 10 - Measurement [PDF]

Resources for Chapter 10 [PDF]

This chapter covers how to plan to deal effectively with failures in information security and how to use these experiences to improve your information security management system. It forms part of Stage 4 – Performance, evaluation and improvement in the Toolkit Route map.

Key topics

  • How to detect and recover when things go wrong
  • How to reduce the impact of adverse events
  • How learning from adverse events can improve information security


Chapter 11 - When things go wrong: nonconformities and incidents [PDF]

Resources for Chapter 11 [PDF]

This chapter outlines what is meant by continual improvement and looks at how to initiate processes and activities to achieve it. It forms part of Stage 4 – Performance, evaluation and improvement in the Toolkit Route map.

Key topics

  • What is continual improvement?
  • How to identify opportunities for improvement
  • How to create an improvement plan for your organisation


Chapter 12 - Continual improvement [PDF]

This section forms part of Stage 1 – Foundations in the Toolkit Route map.

Every organisation requires a top-level policy for information security which must define clear lines of responsibility for delivery and risk ownership. The policy and associated responsibility should be developed as a result of the governance arrangements in place within the organisation (see Chapter 2, Information security governance), and in particular the policy must be approved by the highest body in the organisation’s governance framework.

Managing information security risks should be part of an organisation’s overall risk management strategy, and the formulation of information security policy should form part of that strategy. In organisations with a low maturity in terms of risk management, a governance structure may need to be developed specifically for the purpose of writing the information security policy and the use of a RACI matrix (Responsible, Accountable, Consulted, and Informed) may help to establish it.

The supplementary volume to this publication, which at the time of writing is still in production, builds on the third edition of ucisa’s Information Security Toolkit published in 2007 (the predecessor to this publication) and will include revised policies to comply with ISO 27001:2013.


Chapter 13 - Policies [PDF]

Resources for Chapter 13 [PDF]

This Toolkit has been designed to enable organisations in the educational sector to design, establish, maintain and improve an information security management system. From getting a clear picture of what the organisation is, to achieving buy-in, to selecting controls, implementing business changes and ensuring that these changes are properly embedded by the use of awareness materials, measurement and reporting, each step builds on the previous one to create something which is genuinely worth having and which continues to be relevant and cost-effective.


Chapter 14 - Conclusion [PDF]

Project Team

The ucisa Information Security Management Toolkit project team consisted of a lead author, a group of five contributing universities, and colleagues from Jisc Technologies.
ucisa would like to thank Jisc for their support to the project through their release of expert Jisc Technologies staff to author and review content.

Lead author
Bridget Kenyon, Head of Information Security, University College London

Cardiff University
Gareth Jenkins, Business Change Manager, Information Security Framework Programme
Ruth Robertson, Deputy Director Governance and Compliance

Jisc Technologies
Andrew Cormack, Chief Security Advisor
James Davis, Information Security Manager

Loughborough University
Matthew Cook, Head of Infrastructure and Middleware
Niraj Kacha, Senior IT Services Specialist
Graeme Fowler, Senior IT Services Specialist

University of Oxford
Jonathan Ashton, Information Security Officer, IT Services
Professor Paul Jeffreys, Director of IT Risk Management, IT Services
Sarah Lawson, Head of IT and Information Security, National Perinatal Epidemiology Unit

University College London
Daniela Cooper, Information Security Officer
Dr Granville Moore, Senior Research Associate, Information Security Research Group
Dr Simon Parkin, Senior Research Associate, Information Security Research Group
Professor Angela Sasse, Head, Information Security Research Group

University of York
Dr Arthur Clune, Head of Systems, IT Services
Kay Mills-Hicks, Information Policy Consultant

The project was managed by Anna Mathews, ucisa Head of Policy and Projects, with oversight from Mark Cockshoot, Chair of the ucisa Infrastructure Group, and Alan Radley, Elected Member of the ucisa Executive Committee. Peter Tinson, ucisa Executive Director, provided additional support.

ucisa is very grateful for the assistance received from colleagues across the sector. In particular, we would like to thank the following individuals who provided information or acted as critical friends whilst the Toolkit was being drafted:

Jon Bagshaw, Senior Computer Officer, University of Bradford
Tony Brookes, University Information Assurance Officer, University of Derby
Nigel Bailey, IT Business Assurance Manager, King’s College London
Mike Barwise, Information Risk Management Consultant, Integrated InfoSec
Matt Ball, Business Analyst, University of Leicester and PCI DSS SIG Chair
Dr Michael Fraser, Director, Infrastructure Services, IT Services, University of Oxford
Owen Freel, Project Manager, Universities and Colleges Shared Services
Barbara Frost, Information Security Manager, University of Manchester
Brian Gilmore, Director of IT Infrastructure, University of Edinburgh
William Hammonds, Policy Researcher, Universities UK
Quentin North, Assistant Director, IT Services, University of Brighton
Gary Nye, ICT Planning Manager, University of Bedfordshire
Christa Price, Senior Information Security Officer, University of Salford
Peter Rigby, Senior Policy Manager, Efficiency and Reform, Research Councils UK
Bruce Rodger, Head of Infrastructure Services, University of Strathclyde
Harris Salapasidis, IT Security Manager, University of the Arts London
Robbie Walker, Security Architect, University of Portsmouth


The external reviewer for the Toolkit was Tim Phillips. We would also like to thank members of the ucisa Networking Group, the ucisa Infrastructure Group and the ucisa Executive Committee for their comments and suggestions.

The Information Security Management Toolkit is also available to download as a complete document as well as chapter by chapter.

A high quality printed copy of this publication is also available upon request.