Tag Archives: risk management

Social engineering and hacking humans

Sebastian Barnes
IT Support Specialist
Leeds Beckett University

Sebastian Barnes was funded to attend this event as a 2017 UCISA bursary winner

SCHOMS Day 3 – IT Security Challenges

The end of the SCHOMS 2017 conference was a half day, containing presentations and speeches as well as my favourite presentation of the week, from psychologist Jenny Radcliffe; what a speaker! Jenny delivered a presentation on Social Engineering, telling us about her life experiences in her field of work. It was amazing to listen to and very engaging, which resulted in me making very few notes.

Jenny explained how technology can have amazing security which makes it impossible to hack; however, why hack the technology when you can hack the human? If you know the password, you can bypass it! Jenny described scenarios she has been in where she has had to read body language and pretend to be someone she wasn’t to get the information she wanted. From what I remember, she was able to gain access to an account using just Facebook: security questions are personal and unique to the person, but most of the time the answers are listed on Facebook! Mother’s maiden name? Within seconds she was able to find this out using the family feature within Facebook. With this information she was able to reset the password and enter the account.

After watching this presentation, I was seriously considering entering this field of work. That’s how good it was!

Everything starts with a Project Initiation Document…!

Graham Francis
Director of Continuous Improvement
Havering Sixth Form College

In the first part of this blog, we looked at the reasons why projects fail and the process that we have adopted to try and ensure that this does not happen with our own projects at Havering Sixth Form College. In this blog, we will look at the process that we go through to get a project from an idea to being agreed and adopted by the College Executive.

Often projects will start with a senior member of college management identifying a need such as “we must have a better Asset Management system” or “wouldn’t it be great if we could see our data visually”. Just how these projects would come to fruition was not really considered. In the past, these projects (if adopted) would remain with the originator and would often result in a project which ultimately exceeded whatever controls had been put in place in terms of time, cost, resources and staffing, or any combination thereof.

In an effort to end this, we have adopted an approach that specifies that no project can proceed before it has been thoroughly researched and a Project Initiation Document has been produced (well, that was the theory!).

But what is a Project Initiation Document (or PID for short)? Wikipedia describes its purpose as being to capture and record the basic information needed to correctly define and plan the project, and says that it provides “a reference point throughout the project for both the customer and the Project team”. But what does a PID look like? Well, if I’m honest, I had no idea, and attempts to create one proved frustrating. After much searching of the Internet, which housed many examples, none really suitable to a college environment, I discovered Susanne Madsen’s website and adopted the Blank PID 2016 that she had developed, customising it as necessary.

This document consisted of a number of sections:
• Executive Summary (at the beginning but completed last)
• Project Definition
• Business Case
• Project Planning
• Risks and Issues (an invaluable tool to assist in developing this is the 130 Project Risks (List) created by Anna Mar)
• Project Organisation and Communication
• Project Controls
• Project Acceptance Sign-Off.

By completing each of these sections (in detail), a tightly prescribed understanding of each project is developed. An example of a PID for a recent website redevelopment project that we have undertaken can be found here: Website PID.

Whilst considering the purpose of the PID, it was at this point that we started to think quite radically about why previous projects had failed and how we could avoid this in the future. As part of the development of the PID itself, it is necessary to define who the Executive Sponsor is and who is going to manage the project team. This caused us to consider two further questions: ‘How could we get effective Senior Management (Executive) buy-in into the project?’ and ‘How could we ensure that the project meets the needs of the (internal) customer?’.

One requirement of any project managed in this way is to nominate an Executive Sponsor and an Internal Project Team Leader. This again gave us an opportunity for some radical thinking:

• What if (with their agreement) the member of Executive in whose area of responsibility the project would have the most impact became the Executive Sponsor?
• What if (again with their agreement) we were to make the member of staff who would ultimately be most affected by the changes that the project was envisaged to bring the Project Team Leader?

We adopted this approach considering that it would ensure Senior Management buy-in whilst also reducing any impact that change would have, as the Project Team Leader was fully involved with the project itself.

During the process of developing the PID, it is reviewed by a small team of reviewers to ensure clarity and completeness. Once this group has agreed that the PID is complete, it is passed to the Executive Sponsor for confirmation and signature. Until such time as it is agreed by the Executive Sponsor, no work on the project itself is undertaken.

With the PID formally agreed, it is then used as the basis for the Terms of Reference (TOR). The TOR for the Website Redevelopment project can be found here: Website TOR. This document acts as a synopsis of the project requirements themselves and is given to prospective suppliers along with the Invitation To Tender/Quotation (ITT/ITQ), an example of which is located here: ITQ Website. The Terms of Reference are written in such a way that they can be used as a basis for evaluating the project when it has been completed or reached its completion date.

In the next blog, I will focus on monitoring the live project and the evaluation process undertaken when it has been completed.

New Prevent guidance – challenges and considerations

Last month saw HEFCE issue a revision of their framework for monitoring of the Prevent duty in higher education institutions in England. The revised framework places a clear onus on institutions to evidence that they have followed due process when considering their Prevent duty. Further, it is worth considering the Prevent duty and the implications of the monitoring requirements when reviewing institutional policies.

Although the HEFCE Framework has been updated, the Home Office guidance underpinning it has not altered since the initial framework was published. Paragraph 27 of the Home Office guidance states that there is an “expectation that institutions will have policies around general usage […] we would expect these to contain specific reference [to] the statutory duty”. It is pleasing to see that the Advice note (also updated) that accompanies the updated Prevent monitoring framework points to the UCISA Model Regulations and the suggested amendment to accommodate the Counter Terrorism legislation.

Paragraph 27 goes on to state that institutions “should consider the use of filters” as part of their overall strategy to prevent people from being drawn into terrorism. The HEFCE framework places more emphasis on the need “to consider” by directing providers to provide specific comment on “their approach to web filtering in relation to the Prevent duty, particularly where a decision has yet to be taken at the time of the provider’s previous submission to HEFCE”. The Advice note asks “What factors were taken into account when considering whether and how to use filtering to limit access to harmful content? Has a final decision been taken on web-filtering and how has this been reflected in IT policies and communicated to staff?” (interestingly the framework doesn’t ask for evidence on how it has been communicated to students). What is important is that institutions should take a risk based approach to assessing whether or not they should implement filtering and use the conclusion from those discussions in their evidence to HEFCE.

So what are the potential impacts on policies (and in this regard, the regulations on the use of IT facilities and the network should be regarded as policy)? If there is no filtering then it needs to be clear in the regulations (for both staff and students) that the network is monitored and that any research that may access material of an extremist nature will require specific approval (for example, through a research ethics committee). That approval is still needed if filtering is in place, but in that instance it will be required in order for IT service departments to have authority to turn filtering off for given individuals or research groups. There remains a concern that if there is a public statement to the effect that filtering has been turned on, those of inquisitive mind will look at ways of circumventing it, and those who are at risk of being drawn into extremist activities will seek other ways of accessing such material.

Finally, the Advice note suggests that HEFCE is looking for further evidence of IT policies to provide oversight of websites and social media output across the institution, asking about arrangements for managing both the institution’s ‘branded’ websites and social media and student union (and their societies’) websites and social media, to ensure that they are not used to promote extremist materials or activities. A blend of approaches is probably needed here. The regulations for use of institutional IT facilities should give adequate coverage for institutional websites – they are likely to be established using institutional resources and maintained by institutional staff. If not, then it may be necessary to include specific Prevent-related conditions in contracts where website content is maintained externally. There need to be named individuals (or groups of individuals) with responsibility for officially sanctioned social media accounts who will be bound by the regulations (as outlined in the Social media for staff legal checklist published by Jisc and included in the UCISA Social Media Toolkit). It may be necessary to come to separate arrangements for Students’ Unions – they are often separate legal entities and their services may not be hosted by the institution. In these instances, there may be reliance on clauses relating to bringing the institution into disrepute to take action against an individual (which may or may not be an IT regulation issue), or on a specific agreement (such as within a tenancy agreement) with the Students’ Union to ensure monitoring takes place.

Peter Tinson
Executive Director
UCISA

Bursary review – Educause

Michelle Griffiths
ITS Project Manager
IT Services
University of Oxford
Member of UCISA-PCMG

I applied for, and was extremely delighted to be awarded, a UCISA Bursary to attend the conference of my choice in 2015. I chose to attend Educause 2015, based on extremely good feedback from fellow UCISA-PCMG committee members who had attended in previous years.

Educause is a non-profit association whose mission is to advance higher education through the use of information technology. It is based in North America, but has global reach, with members in Europe, Africa and Australasia. Each year the Educause annual conference is attended by upwards of 7000 higher education professionals. Oxford University has been a member of Educause for a number of years, and has presented at past conferences.

The main areas of interest from the Educause programme, based on my current projects, were identity management, smart cards and risk management. The organisation of the event was extremely good: there was a mobile app that you could download and use to schedule which presentations you wanted to attend, which then formed your own customised conference schedule. The event was vast; with approximately 7000 attendees, you need to be really well organised. The “First timer pit stop” area was a must on the first day of the event after registration. The “International Welcome lounge” became my home from home after attending the presentations. I used the IT equipment in the International Lounge to type up my blogs, ready to be posted onto the UCISA blog site.

The keynote speakers in particular were really inspiring and engaging. I was particularly moved by the closing keynote speech by Emily Pilloton.

Emily runs a non-profit design company and shared a few of her project stories with the audience. These included a farmers’ market public space, a middle school library, two homes for the homeless, creating a space for young girls, and creating items to be used in a domestic abuse centre. After explaining each scheme, Emily provided quotes from individuals that worked on the project. This was by far the focal point, and it really underlines why Emily does what she does and the value she helps put back into people’s lives and communities.

The general session was presented by Daniel Pink from MIT, who described motivation from the perspective of science. Daniel said that everyone in the room was an expert in motivation, they just may not realise it yet! He also said that we all have an explicit knowledge of physics without having studied it as a major. Daniel discussed when you should reward good behavior and bad behavior, and whether this changes behavior. I think I will be adding one of his books to my reading list: Drive: The Surprising Truth About What Motivates Us.

One of the sessions that made me think outside of the box a little when it comes to career aspirations was the panel discussion “From IT Support to CIO: A journey of three women”. The career path from support to CIO is not a usual one, in my experience; however, the experiences shared by the panel made it clear that if you are motivated and think big, you can succeed to the highest heights! Originally, I was not planning to attend this presentation, but whilst looking for another room I came across this, which seemed more appealing!

Since attending Educause a number of Identity Management suppliers have been in contact with me, which is near perfect timing for the IAM programme. I have passed onto the programme manager in charge of IDM all the contact details I gathered whilst attending Educause, which will be used to help source an IDM solution.

I would like to thank UCISA for giving me the opportunity to attend Educause 2015. It has helped me broaden my networking and knowledge base, learn from my peers, gain a useful insight into how international institutions work, and bring all that I have learnt back to Oxford University and UCISA-PCMG to share with colleagues and peers.

| Day | Type of session | Presenter(s) | Title |
|-----|-----------------|--------------|-------|
| 1 | Session 1 – Opening keynote | Daniel Pink (MIT) | How small wins can transform your organization (blog post) |
| 1 | Session 2 – Presentation | Lawrence Dobranski (University of Saskatchewan) | A practical approach to risk management that delivers results (blog post) |
| 1 | Session 3 – Poster | Myles Danson (Jisc) | National BI Service for UK education |
| 1 | Session 4 – Panel | Clint Davis, Mike Carlin and Thomas Hoover (UNC and UTC) | Transforming IT – a tale of two institutions |
| 2 | Session 1 – Direct poll | Randall Albert (AD, Ringling College of Art and Design) | Project Management (blog post) |
| 2 | Session 2 – Keynote speaker | Andrew McAfee (MIT) | The second machine age: work, progress and prosperity in the time of brilliant technologies |
| 2 | Session 3 – Panel discussion | Melody Childs, Cathy O’Bryan, Wendy Woodward and Sue B. Workman | From IT Support to CIO: A journey of three women (blog post) |
| 2 | Session 4 – Presentation | Emory Craig, Mike Griffith and Maya Georgieva | Wearable tech and augmented vision – Pedagogy in the future |
| 3 | Session 1 – Presentation | Ron Kraemer, Kevin Morooney and Anne West | Trust and Identity in education and research: identity for everyone (blog post) |
| 3 | Session 2 – Closing keynote | Emily Pilloton | If you build it: The power of design to change the world (blog post) |

Insights from US and Canadian institutions on risk management and information security

Michelle Griffiths
ITS Project Manager
IT Services
University of Oxford
Member of UCISA-PCMG

Here are some highlights from a session I attended today about the application of practical risk management strategies, presented by the University of Tampa and the University of Saskatchewan.

Overview – University of Tampa

• Tampa – 8000 students from 50 states and 140 countries
• 65% of full-time students live in campus housing
• Information security programme was started three years ago
• CISO (Chief Information Security Officer) reports to the UT President
• Co-manages a cyber security lab
• Only school in the States that has reached full ISO/IEC 27001:2013 accreditation

Overview – University of Saskatchewan

• Member of Canada’s U15, the top 15 research universities
• 22,500 students from 100 countries
• 16:1 faculty to student ratio
• Info security programme formed in June 2012
• Three representatives – ICT Security, ICT Compliance and ICT Access
• Risk-based programme, not enforced
• SSO (Single Sign-On) for all systems, managed by five staff
• Cyber security challenges – profit, risk and loss

Risk management should focus on:

• Lack of executive support
• Inadequate investment
• Inefficient investment
• Inefficient info security leadership
• Info security gaps

Risk management challenges:

• Things you don’t know/realise
• Things you realise you don’t know
• Things you realise you know

Practical approach to risk management:

• Answers are at your fingertips
• Don’t worry about adopting every aspect of a rigorous standard approach
• Focus on the info security lifecycle
• Get Exec-level buy-in
• Get the stakeholders’ perspective on risk – admin staff and faculty

Resource:
Educause security awareness resources

Snake oil or common sense? Demystifying risk management

Tim Banks
Faculty IT Manager
University of Leeds

Let’s face it: risk management doesn’t have the best reputation. Many institutions see it as a necessary evil: something to keep the auditors happy, a document to pull out of the filing cabinet once a year; something that has to be done rather than something that people want to engage with. Proper, active IT risk management can be of enormous benefit to an institution and is the foundation upon which professional-quality IT services should be built. However, this requires IT staff at every level to see risk management as a live, ongoing process rather than just an annual activity. We all undertake risk assessments on a daily basis, not because we feel we ought to but because we see the value in doing so. Every time we cross a road, pick a child’s toy up from the floor, prepare a meal or get in a car we are (often unknowingly) assessing likelihood and impact, and making judgements on how to proceed based on the overall risk level.

Let’s focus on that last example of driving a car. The bad thing that could happen (impact) is serious injury or death resulting from a crash. The chance that it will happen (likelihood) depends on a series of triggers such as excessive speed, mechanical failure, poor weather etc.

In order to manage the risk of something bad happening, we implement a series of control measures, each of which requires checking (auditing) at different intervals.

Examples of control measures that reduce the likelihood of a crash are as follows:

• We make sure that our driving speed is appropriate to the road conditions and monitor this every few seconds whilst driving.
• We make sure that our car is mechanically sound by putting it through an MOT test every year. However, if we hear strange noises before the next MOT is due, we don’t just ignore them – we make sure that the car is checked out by a mechanic.
• Tyre condition is something that we would (or at least should) check weekly. When it’s wet, we use windscreen wipers to reduce the problem of poor visibility in wet weather.

Control measures to reduce the impact of a crash might include:

  • Wearing a seatbelt (which we check is securely fastened each trip; the actual belt is tested every year with the MOT).
  • Airbags (again checked every year).
  • Motorway crash barriers (installed and checked by the Highways agency).

When driving, we don’t think it’s acceptable to just check our speed once a year, but equally we don’t try and test the airbags every trip. We have an audit schedule that is appropriate for each control measure. Each control measure is audited by somebody appropriate (e.g. a qualified, experienced MOT tester, the driver, Highways Agency engineers). Some are within the direct control of the driver, some need to be actioned and checked by the driver, and others have to be entrusted to third parties. We should take the same approach to managing risk in IT services.
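The driving analogy above, expressed as a small risk register (an added example, not code from the original post): each risk has an inherent likelihood and impact score, each control reduces one of the two and carries its own audit interval and auditor, and a control whose audit is overdue earns no credit, so the residual risk climbs until somebody re-checks it. The 1–5 scores, reduction values, intervals, dates and the second (IT service) entry are all constructed for illustration.

```python
"""Risk register with per-control audit schedules.  Scores and dates are
constructed for illustration; nothing here comes from the original post."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Tuple

TODAY = date(2015, 10, 27)   # constructed "as of" date for the register


@dataclass
class Control:
    name: str
    reduces: str            # "likelihood" or "impact"
    reduction: int          # points removed from the 1-5 score while effective
    audit_every: timedelta  # how often this control must be checked
    audited_by: str         # driver, MOT tester, Highways Agency, sysadmin ...
    last_audit: date

    def overdue(self, today: date) -> bool:
        return today - self.last_audit > self.audit_every


@dataclass
class Risk:
    name: str
    likelihood: int         # inherent score, 1-5
    impact: int             # inherent score, 1-5
    controls: List[Control] = field(default_factory=list)

    def residual(self, today: date) -> Tuple[int, int, int]:
        """(likelihood, impact, score) crediting only controls whose audit is current."""
        like, imp = self.likelihood, self.impact
        for c in self.controls:
            if c.overdue(today):
                continue    # an unchecked control is treated as absent
            if c.reduces == "likelihood":
                like -= c.reduction
            else:
                imp -= c.reduction
        like, imp = max(1, like), max(1, imp)
        return like, imp, like * imp

    def overdue_controls(self, today: date) -> List[str]:
        return [c.name for c in self.controls if c.overdue(today)]


def car_crash_risk(today: date) -> Risk:
    """The post's driving example as a register entry (constructed dates)."""
    d = timedelta(days=1)
    return Risk("Road crash while driving", likelihood=4, impact=5, controls=[
        Control("Speed suits road conditions", "likelihood", 1, d, "driver", today),
        Control("Tyre condition", "likelihood", 1, 7 * d, "driver", today - 30 * d),  # forgotten
        Control("MOT test", "likelihood", 1, 365 * d, "MOT tester", today - 200 * d),
        Control("Seatbelt fastened", "impact", 1, d, "driver", today),
        Control("Airbags", "impact", 1, 365 * d, "MOT tester", today - 200 * d),
        Control("Crash barriers", "impact", 1, 365 * d, "Highways Agency", today - 100 * d),
    ])


def it_service_risk(today: date) -> Risk:
    """The same approach applied to an IT service (constructed example)."""
    d = timedelta(days=1)
    return Risk("Internet-facing server compromised via known vulnerability", 4, 4, controls=[
        Control("Monthly patch cycle", "likelihood", 2, 31 * d, "sysadmin", today - 45 * d),  # slipped
        Control("Tested offline backups", "impact", 2, 90 * d, "backup owner", today - 10 * d),
    ])


def report(risk: Risk, today: date) -> dict:
    like, imp, score = risk.residual(today)
    return {"risk": risk.name, "inherent": risk.likelihood * risk.impact,
            "residual": score, "overdue": risk.overdue_controls(today)}


if __name__ == "__main__":
    for r in (car_crash_risk(TODAY), it_service_risk(TODAY)):
        print(report(r, TODAY))
```

Run as-is it prints both entries; the missed weekly tyre check and the slipped patch cycle each show up as an overdue control and a higher residual score.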

I have signed up to attend several risk management sessions at EDUCAUSE 2015 and will report back on them in other blog posts.

Risk management and learning from failure

Simon Geller
Senior Project Manager
University of Sheffield
Member of UCISA-PCMG

I made it to Indianapolis in time for Peter Tinson’s induction session. That was helpful, and it was good to meet up with UK colleagues for dinner.

The morning plenary started at 8am – not a problem for me as my body clock is still fixed halfway across the Atlantic – with the usual welcome from the CEO of Educause and thanks to the organisers.

Then we got into the star performer of the morning – Daniel Pink on motivation. He’s a good speaker and kept the audience engaged, as indeed a good motivator should!

Risk management and learning from failure
I then attended “A practical approach to risk management” (up my street, as I was lead author on the UCISA-PCMG Toolkit on risk). However, this session really just focussed on well-known tools and techniques and how they had been implemented at particular institutions.

Of more interest was the following session on how organisations can learn from failure – this was run in a highly collaborative and participatory way, with an open Google doc used to capture thoughts from the participants. As well as comments in the room, the session had its own Twitter tag, #edu15fail.