Categories
Articles

Security Poverty: a problem for everyone

Wendy Nather’s keynote at the FIRST conference (video) considered the security poverty line, and why it should concern those above it at least as much as those below. To secure our systems and data requires resources (tools and people); expertise to apply those effectively; and capability, including sufficient influence to overcome blocking situations or logistics. […]

Categories
Articles

Data Protection expectations on Vulnerability Management

Legal cases aren’t often a source for guidance on system management but, thanks to the cooperation of the victims of a ransomware attack, a recent Monetary Penalty Notice (MPN) from the Information Commissioner (ICO) is an exception. Vulnerability management was mentioned in previous MPNs (e.g. Carphone Warehouse, Cathay Pacific, and DSG), but they don’t go […]

Categories
Peacasts

Assessing our security services

Jisc performs a number of different activities to keep Janet and customer sites secure. Here’s a very short video on how we used a Data Protection Impact Assessment and a Legitimate Interests Assessment to check that those activities do not themselves create disproportionate risks. You can read the reports: Security Operations Centre (SOC): Data Protection Impact […]

Categories
Closed Consultations

Jisc Response to Article 29 Working Party on Right to Portability

These are Jisc’s comments on the Article 29 Working Party’s Guidelines on the Right to Data Portability (WP242). Jisc is the UK’s expert body for digital technology and digital resources in higher education, further education and research. Since its foundation in the early 1990s, Jisc has played a pivotal role in the adoption of information […]

Categories
Publications

Technical Security for E-infrastructures

E-infrastructures are large computer systems with considerable processing and storage capacity and in some cases, holding valuable or sensitive data. They are therefore likely to be attractive targets for attackers with a wide range of motivations. However, to support international research, e-infrastructures must be accessible to users located anywhere on the Internet. In many cases […]

Categories
Articles

The Benefits of Near Misses

Recently we had one of our regular reviews of security incidents that have affected the company in the past few months. All three – one social engineering attack, one technical one, and one equipment loss – were minor, in that only limited information or systems were put at risk; all were detected and fixed, to […]

Categories
Articles

Protecting Users and Systems in 2015

The steady growth in the use of encrypted communications seems likely to increase next year given recent announcements on both web browsers and servers. That’s good news for security people worried that their users may be sending sensitive information such as passwords and credit card numbers over the Internet. However it may also require an […]

Categories
Articles

Protecting Information in 2015

Although it’s now almost three years since the European Commission published their proposed General Data Protection Regulation, it seems unlikely that a final text will be agreed even in 2015. That means we’ll be stuck for at least another year with the 1995 Directive, whose inability to deal with the world of 2015 is becoming […]

Categories
Articles

BYOD: Government Guidance

I had been planning to write up a summary of my thoughts on Bring Your Own Device, but I’m pleased to discover that the UK Government has pretty much done it for me. Their draft guidance, just published for comment, suggests an approach along the following lines: Start by reviewing which information should not be […]

Categories
Articles

How Many Passwords?

A recent discussion got me thinking about what might be the right number of passwords. There are plenty of references that still say you should have a different password for every service, and breaches such as Adobe’s last year show why. If you use the same password on two different websites and one of those […]