A strong common (and unplanned, honest!) theme emerged from the information security session at Networkshop yesterday: that information security, or information risk, is ultimately the responsibility of individual users. Only they can decide which documents it is safe to read on a train, which phone calls they can make in a public place. The role of information services departments should be to help organisations develop the structures, policies, processes and technologies that make it reasonable to expect users to take that responsibility, increase the likelihood that they will exercise it correctly, and deal with the occasions when they don’t. In that way information security becomes an enabler, helping the organisation to achieve its objectives. The alternative approach of trying to “do” information security for users will, at best, mean the organisation misses opportunities to benefit from its data and people, and at worst that we create incentives for users to work in unsafe ways.
Bridget Kenyon explained how organisations and projects can use ISO27001 to identify information risks and appropriate mitigations, and to comply with other standards and requirements. Sean Duffy reported on Birmingham’s experience of enabling users to make the right security decisions. I spoke about how this approach could be encouraged by new requirements to deliver appropriate security for research data throughout its lifecycle.
The other thing we all agreed on was that universities and colleges are complex places and that ‘enterprise’ approaches that try to impose the same security requirements on everyone are very unlikely to be appropriate. Instead we should be focussing on the information, systems, and activities that present particularly high risks. UniversitiesUK’s recent paper on protecting sensitive research data and RUGIT’s assessment of the SANS/CPNI Top 20 controls provide a good basis for identifying those risks and controls.