How can universities improve IT security? What should we think of the information security management system (ISMS)? SWITCH Journal spoke with Bruno Vuillemin, who is IT security officer at the University of Fribourg and a member of SWITCH’s ISMS working group.
The regulations were authored by a group of experts with different backgrounds and approved by the rector’s office. They detail all major aspects, stating in particular that IT security entails risk management and that the responsible people have to be informed about these risks. It remains a solid working foundation that helps to simplify discussions with stakeholders.
According to the regulations, to evaluate risks and communicate them to the hierarchy. In emergencies, all operative precautions. The risk analysis process is explained in another document in somewhat greater detail: analyse the situation, inform the person in charge of the application, suggest possible countermeasures, let them make a choice, discuss the extent of residual risks and get their approval.
The Rector receives an annual report on the risks – each month there is a meeting with the data security officer, who is also a member of the university board of directors. The meeting is, above all, a forum for discussing the risk evaluation. The fact that she also participates in the meetings of the rector’s office gives the risk evaluations a certain finality, and I pass on the results to the respective application managers.
It’s the IT equivalent of Sisyphus! A relatively large amount of work goes into it, and the impact can barely be quantified in the short term. An improvement can be expected in the long term, provided that all stakeholders also do their part. But that doesn’t change the fact that there will be more and more victims, meaning that security precautions will remain necessary.
I think implementing an ISMS is indispensable. It might very well be a simple version with a relatively ‘light’ implementation. But it still always has to be able to perform the necessary tasks: (1) It should enable top management, specialist authorities, application managers as well as the IT directors to stay informed about the risks, their scale and any possible countermeasures to be taken. It must allow decisions to be made and the residual risks to be assessed in a way that requires these persons to express their acknowledgement. (2) This has to happen by way of a risk management process on the management level, which has to be clear, accepted and regarded as trustworthy in terms of best practices. (3) This process must provide for periodic follow-up checks so that the extent of the risks can be subsequently evaluated. The internal and external control bodies must have access to documentation in order to analyse the process and to make suggestions for improvements. This makes it possible to establish a climate of trust between IT security and the various stakeholders.
Alexandre Gachet, Director of the IT Services, showed great interest. We’ve taken ISO 27000 as our foundation for starting to think about general documents and tried to keep them as concise as possible. In view of SWITCH’s new ISMS working group, Mr. Gachet and I now feel confident that it would make sense to wait and see what the working group determines about this issue and then consider how to implement the respective measures at the University of Fribourg. The working group is expected to present its first results at the end of 2017/mid-2018. So I’m very hopeful that we will have results approved by the rector’s office in 2018, 2019. The current regulations will remain in force, however, and I think they are still sufficient as a basic foundation.
Because an ISMS is a risk management process that has to be approved by upper management, I think the main challenge is getting upper management to show a strong and sustained commitment to this issue. The next challenge will be to introduce an effective and not overly cumbersome process that is acceptable to upper management and all other parties involved. This is where it will be very important to share experiences within the community in terms of a successful formalization of the process. Ultimately, the goal is to develop an ISMS that can be implemented with a reasonable level of effort. It should also be mentioned that representatives from SWITCH in the ISMS working group are making a very concerted effort to be part of this process and see to its organisation. This is also very helpful.