Information Security Best Practice (ISBP)


Information Security Best Practice - 2012/2013

In May 2011, the Director of IT organised a workshop on information security with the ISBP project team and other colleagues within the collegiate University to discuss the possibilities for a third stage of the Information Security Best Practice programme of activities.
The Director of IT's slides [pdf 148 KB] are available (only within the Oxford University network).

Information Security Best Practice - 2010/2011

The 2010-2011 phase of the ISBP project is housed within the Oxford University Computer Emergency Response Team (OxCERT). Further information on the project can be found within the OxCERT web pages. A summary of the 2010-2011 phase is provided below.

The ISBP project (phase 2010-2011) is guided by the ICT Forum's IS Advisory Group. The project seeks to build on the knowledge, commentary and information gathered during the 2009 Self-Assessment exercise. The main objectives of the 2010-2011 project are to:
  • Consolidate the existing policies on information security (Conditions for Connection and Security of Information) into one, high-level policy document.
  • Review the best practice guidelines provided in 2009, taking into account comments made in the 2009 Self-Assessment Questionnaire, and in accordance with the consolidated policy.
  • Develop an Information Security Toolkit, which includes policies, guidelines, documentation and education and awareness programs.
  • Identify areas where resources (knowledge and skills) can be found and shared and investigate the possible pooling and sharing of those resources.
  • Investigate the area of Information Handling to develop guidelines and classification schemes.
  • Consider specific services that could be provided centrally, resulting in a more efficient use of resources. For example:
    • Documentation on Information Handling.
    • Technical solutions associated with Information Handling (e.g. PGP).
    • A centrally provided residential network (ResNet).
    • A central logging service.
    • Guidance on dealing with visitor machines.
    • Guidance on legal issues and other compliance.

In May 2011 the Director of IT and the ISBP project team made a presentation to the MPLS ICT Panel, summarising the work achieved and describing the steps ahead: Presentation to MPLS ICT Panel 2011 [pdf 58 KB] (only within the Oxford University network).

Information Security Best Practice - the 2009 Self-Assessment

The 2009 Self-Assessment exercise asked each unit within the collegiate University to assess their current approach to IT operations, management and security against recommended best practice guidelines (provided in the form of a self-assessment questionnaire). Every unit that completed the questionnaire was sent a confidential report based on their responses. The reports helped units to focus on areas where further resources may need allocating and to highlight if similar units have particular needs. Further detail on the Self-Assessment Questionnaire is available: 2009 Self-Assessment

The Advisory Group considered the responses gathered through the self-assessment process in detail. They summarised their thoughts and recommendations in the following: Report on the findings of the 2009 Self-Assessment Exercise (access restricted to Oxford only)

The information gathered helped the Advisory Group to understand where further attention, resource, and best practice is needed to guide units of the collegiate University in their approach to IT operations, management and security. In general, the best practice guidelines on information handling proved to be an issue for all units within the collegiate University. However, the questionnaire also gave units the opportunity to comment and these comments proved effective in helping the Advisory Group understand why information handling proved to be an issue, where gaps in policy exist and what can be provided to help close those gaps. The comments have been instrumental in guiding the 2010/2011 follow-up activity. A summary of the comments provided through the self-assessment exercise is available: Response to Comments (access restricted to Oxford only).

Communication

The Information Security Advisory Group invites members of the University's IT Support Staff (ITSS) to post questions and comments regarding this activity on the dedicated forum: ITSS Talk Shop. (To browse the ITSS Talk Shop, please use your Oxford Single Sign-On details. To post to a forum, please register first and log in to the forum itself by clicking on the 'Log in' button.)

Contact

The Information Security Best Practice activities are project managed by Miranda Llewellyn. If you have further questions about this activity please contact Miranda at: enquiries@odit.ox.ac.uk.