This story is from the category Corporate 

Together towards a new security architecture

How can universities improve IT security? What should we think of the information security management system (ISMS)? SWITCH Journal spoke with Bruno Vuillemin, who is IT security officer at the University of Fribourg and a member of SWITCH’s ISMS working group.

Published on 06.10.2017

Mr Vuillemin, the University of Fribourg implemented its IT security regulations in 2003, which set out detailed information on who and what committees have specific duties in the area of IT security. What are your experiences with this?

The regulations were authored by a group of experts with different backgrounds and approved by the rector’s office. They detail all major aspects, stating in particular that IT security entails risk management and that the responsible people have to be informed about these risks. It remains a solid working foundation that helps to simplify discussions with stakeholders.

What are your main responsibilities?

According to the regulations, to evaluate risks and communicate them to the hierarchy. In emergencies, all operative precautions. The risk analysis process is explained in another document in somewhat greater detail: analyse the situation, inform the person in charge of the application, suggest possible countermeasures, let them make a choice, discuss the extent of residual risks and get their approval.

You report directly to the rector’s office. What roles do the rector’s office and board of directors play in the area of IT security?

The Rector receives an annual report on the risks – each month there is a meeting with the data security officer, who is also a member of the university board of directors. The meeting is, above all, a forum for discussing the risk evaluation. The fact that she also participates in the meetings of the rector’s office gives the risk evaluations a certain finality, and I pass on the results to the respective application managers.

A ‘Cyber Security Month’ was held on campus in 2015 and 2016. How important is users’ awareness in your risk management activities?

It’s the IT equivalent of Sisyphus! A relatively large amount of work goes into it, and the impact can barely be quantified in the short-term. An improvement can be expected in the long-term, provided that all stakeholders also do their part. But that doesn’t change the fact that there will be more and more victims, meaning that security precautions will remain necessary.

How important is an ISMS for universities?

I think implementing an ISMS is indispensable. It might very well be a simple version with a relatively ‘light’ implementation. But it still always has to be able to perform the necessary tasks: (1) It should enable top management, specialist authorities, application managers and well as the IT directors to stay informed about the risks, their scale and any possible countermeasures to be taken. It must allow decisions to be made and the residual risks to be assessed in a way that requires these persons to express their acknowledgement. (2) This has to happen by way of a risk management process on the management level, which has to be clear, accepted and regarded as trustworthy in terms of best practices. (3) This process must provide for periodic follow-up checks so that the extent of the risks can be subsequently evaluated. The internal and external control bodies must have access to documentation in order to analyse the process and to make suggestions for improvements. This makes it possible to establish a climate of trust between IT security and the various stakeholders.

What plans do you have in terms of an ISMS at the University of Fribourg?

Alexandre Gachet, Director of the IT Services, showed great interest. We’ve taken ISO 27000 as our foundation for starting to think about general documents and tried to keep them as concise as possible. In view of SWITCH’s new ISMS working group, Mr. Gachet and I now feel confident that it would make sense to wait and see what the working group determines about this issue and then consider how to implement the respective measures at the University of Fribourg. The working group is expected to present its first results at the end of 2017/mid-2018. So I’m very hopeful that we will have results approved by the rector’s office in 2018, 2019. The current regulations will remain in force, however, and I think they are still sufficient as a basic foundation.

In your view, where are the greatest challenges?

Because an ISMS is a risk management process that has to be approved by upper management, I think the main challenge is getting upper management to show a strong and sustained commitment to this issue. The next challenge will be to introduce an effective and not overly cumbersome process that is acceptable to upper management and all other parties involved. This is where it will be very important to share experiences within the community in terms of a successful formalization of the process. Ultimately, the goal is to develop an ISMS that can be implemented with a reasonable level of effort. It should also be mentioned that representatives from SWITCH in the ISMS working group are making a very concerted effort to be part of this process and see to its organisation. This is also very helpful.

Information Security Management System (ISMS) Working Group

Universities increasingly need to address the issue of information security. The ISMS Working Group was set up in summer 2014 to look into how directives and processes can be used to safeguard and improve it. The current situation differs considerably from one institution to the next. Members of the Working Group share their experiences and seek out synergies.

Contact: isms@switch.ch

Other articles