Securing IT Infrastructure at Exeter University

 
Exeter IT Secure by Design
 
Our Mission

We will develop and deliver a robust approach to IT security that will define what “good security” looks like; build information security into all services by design; and deliver demonstrable security and compliance to better protect and serve the University.
 
Secure by Design Process

We need a coherent and consistent secure-by-design process to cover the University’s information security requirements for all new and existing technologies and to support the University’s legislative requirements and strategic digital journey.
 
Secure by Design Process

The process will be proportionate so that:
- All security objectives are identified early and become part of project requirements;
- Effort and attention are focussed where they will have the greatest impact;
- Risks are managed effectively in accordance with the criticality of the service and/or data; and
- The appropriate level of assurance is obtained for compliance purposes.
 
Secure by Design Process

By adopting such a process the University will avoid common issues within projects / new and existing services:
- Not fully understanding the extent and scope of all security requirements, e.g. NHS DSPT;
- Failing to consider, and manage, third-party security requirements;
- Failing to identify, and perform, key assurance activities, e.g. penetration testing; and
- Managing end of life and unsupported services.

The Process

1. Asset Profile: Either a DPIA report or Request for Change is completed; value of data is understood; proposed solution/service; external requirements; and third party involvement.
2. Triage: Articulating expected controls; assessing potential third parties; and determining ongoing assurance activities.
3. Assessment: Layered assessment of controls and arrangements based on output of triage; providing ongoing support; documenting any exceptions.
4. Sign Off: Reporting on output of assessment including any residual unmanaged risks; decision making by “business owner”. Escalation of risks.

1. Asset Profile

IT Lead or Business System Owner will:

Classify:
- data involved (against classification scheme)
- criticality of the system / service

Document:
- project budget includes costs for Pen Tests and re-testing
- project roles and “business sponsor”
- proposed solution (in a high level design)
- use of third parties in the project and new service
- specific internal requirements, e.g. remote access
- external legislative or regulatory requirements, e.g. DPIA

Complete:
- Either a Request for Change or Data Protection Impact Assessment report and send to IT Security and Compliance team for assessment

Engage with:
- Either the CAB team or the appropriate Information Asset Owner

2. Triage

IT Security and Compliance Team will:

Determine:
- the risks by reviewing the Request for Change or DPIA document
- applicable controls for the change or new service (baseline technical controls)
- any additional controls per external requirements
- level of assurance and assessment required throughout the project (self assessments – facilitated review – control testing)
- third party security requirements (self assessments – facilitated review – independent assurance – onsite visits)
- nature of security testing required (none – peer code review – vulnerability scanning – external penetration testing)

Document:
- scope of security work
- resource and timing requirements

3. Assessment

IT Security and Compliance Team will:

Perform:
- assessment activities as determined by the triage stage
- reviews of pen testing reports as determined by the triage stage
- re-perform any assessment activity as required, e.g. in the case of control failure
- assessment of exceptions and compensating controls

Complete and circulate a Security Risk Report which:
- details the results of assessment activities including follow on actions and any residual risks
- recommendations for project and “business owner”

4. Sign Off

Business System and Information Asset owner will:

Consider (as documented in the Security Risk Report):
- results of assessment activity and follow on actions
- recommendations from IT Security & Compliance Team
- impact of any residual risks

Document:
- the decision made on how to proceed to be detailed in the Secure by Design Certificate of Approval form and to include any future review points

4. Sign Off

IT Security and Compliance Team will:

Review and consider:
- The Business System Owner and Information Asset Officer’s response to the Security Risk Report

Document:
- Details of the Security Risk Report in the exceptions database
- Add details of the supplier (if any) in a third party assurance database, including date of next review

Exeter IT Secure by Design is a comprehensive approach to IT security at the University, focusing on developing robust security measures, integrating security into services by design, ensuring compliance, and managing risks effectively. The secure-by-design process helps in identifying security objectives early, focusing efforts where they are needed most, managing risks according to criticality, and obtaining the necessary level of assurance for compliance. By adopting this process, the University aims to avoid common security issues within projects and services. The process involves steps such as asset profiling, triage, assessment, controls articulation, third-party assessments, and ongoing assurance activities.


Uploaded on Aug 02, 2024 | 0 Views

