Category Archives: Information Security Toolkit

Somebody will go to jail

The start of a new year is always a time for predictions and forecasts for the year to come – one that caught my eye was the Top 10 Cybersecurity predictions from Richard Starnes. The list makes some grim reading, starting as it does with Somebody will go to jail.

Second on his list was a prediction that information security management training will become the new silver bullet. Citing the IBM 2015 Cyber Security Intelligence Index he notes that over 40% of the average companies’ breaches were mostly due to inadequately or improperly trained personnel. UCISA has taken steps to try and address this, as Jerry Niman advised in an update in December to the UCISA Directors list, by reaching agreement with Leo to make the licence for their Information Security Awareness Learning Suite available to all UCISA full member organisations in perpetuity. The agreement includes reasonable updates for the first three years. This will be fully funded by UCISA, and will be available for institutions to host on the LMS of their choice. There will be no cost to institutions unless further customisation or hosting is required. We are working towards making the suite available in the first quarter this year.

Making the training available is one part of the solution – making sure those that need to take it do is another challenge. A number of institutions have policies that state that all staff should take information security training but not all follow it through and ensure that the policy is fully implemented. Chapter 9 of the UCISA Information Security Management Toolkit highlights the role awareness activities play in managing risk within the institution and highlights how the effectiveness of such activities can be demonstrated.

Starnes’ list highlighted particular challenges around health data but he noted that one implication of an increased focus on cyber security was that the market for information security professionals will tighten, making recruiting experienced professionals more costly. As personnel become more expensive, so the need to understand the importance of the roles and the functions they perform and support increases. Clearly this understanding requires context; that context being provided by recognition of the value of the information and the risk to the institution of a breach of security or loss of data. Will it take somebody going to jail to focus minds?

Comments welcome on new structure for the UCISA Information Security Toolkit

We would like to invite comment from the community on the revised structure and content of the UCISA Information Security Toolkit which was agreed by the project group at a meeting last month.


The UCISA Information Security Toolkit  has been very successful, providing much needed assistance to information security professionals across the sector. Since the original funding application for the project in 2004, there have been a number of iterations of the document,  based upon changing standards and sector wide activity.  The last Toolkit was published in 2007 (third edition).

A number of factors have prompted a rewrite and expansion of the document: cloud technologies, PCI DSS, data classification and supportive practical advice in the form of appropriate feedback cycles (for example Plan/Do/Check/Act). The largest factor was the release of the BS ISO/IEC 27001:2013 standard in the autumn of last year.

The group comprising of colleagues from University College London, University of Oxford, Loughborough University, Cardiff University, the University of York and Janet have met regularly in person and via Skype in order to generate new content.   The revised Toolkit will include a number of practical case studies demonstrating what works and does not work in practice. Topics include: policy development;  raising user awareness;  investigations and research security.

The new Toolkit will be launched in March 2015 to coincide with  UCISA 2015, Edinburgh and Janet Networkshop43,  Exeter.

Matt Cook, Chair, UCISA Networking Group
Head of Infrastructure and Middleware,
Loughborough University, IT Services