The Road to Institutional Information Security Management

Abstract
Information security is a growing institutional challenge; if it is not managed correctly, enterprise strategic objectives are at risk. Yet all too often information security is seen as an IT problem rather than an institutional priority. How can you convince the institution's executive otherwise and instigate a programme to build an information security management system (ISMS)? How do you ensure that policies are appropriate, well maintained, and implemented effectively?

In 2005 UCISA, the UK equivalent of CAUDIT, developed an Information Security Toolkit to support UK institutions in producing information security policies that address (and demonstrate that they are addressing) threats to the confidentiality, integrity and availability of the information systems for which they are responsible, and to help meet audit requirements. Following an update of the ISO standard for information security, we took the opportunity to review the approach we had taken. We recognised that policies on their own do not deliver effective information security; an institutional approach was needed, so we decided to focus on the management of information security, and the Information Security Management Toolkit was conceived.

The Information Security Management Toolkit was constructed for use by information security and governance professionals wishing to put an ISMS in place in their organisation. This presentation will draw on the contents of the Toolkit to highlight practical steps towards implementing an ISMS, starting with defining the policy and securing senior management buy-in, through to building the business case, implementing the policies and evaluating performance. The interrelationship between the components of an ISMS will be demonstrated through examples of the impact of legislative change and of security incidents.

The Information Security Management Toolkit is one of a number of resources available to UCISA members. The presentation will conclude with an overview of these resources and of how UCISA members are using them.