The paperless office has been an aspiration for some time. Many in the world of education and training are now moving towards the next era: a born-digital approach, with the potential for increased efficiency, improvements in quality, auditability and transparency, as well as financial savings.
Reviewing your current position
As part of this change organisations will need to review and update how they manage information - including meeting recognised standards such as ISO 27001 - which places them in a position of strength both internally and when trying to attract new business.
Information security is a central consideration, whether that relates to training and assessment or the administrative functions that support these activities and the business. Those who need, and are authorised to access, information as part of their job have to be able to do so as and when required, securely, and be assured that this information is reliable and accurate.
Equally, certain information must under no circumstances be disclosed or visible to anyone who is not authorised to see it. In many areas a digital approach makes this easier, for example through appropriate permission settings and version control.
To ensure the confidentiality, integrity and availability of information assets, organisations need to implement a formal information security management system. I want to share some key considerations for IT and security in ensuring their own systems and processes are successful.
Leading from the top
In some organisations information security may be viewed as a function that is solely owned by an individual or department – but such a view is reductive, and can only ever have limited scope.
A good information security strategy needs to be driven from the top down in order to be effective.
Those with ultimate ownership of information security need to make sure that senior managers understand its importance in day-to-day operations, as well as longer term to minimise risk, help with business continuity and support organisational strategy. In turn, senior managers must demonstrate strong leadership and commitment to information security and provide sufficient resources to support it.
Training and support
In the past, information security was often delegated to an IT function. This is no longer seen as good practice in an environment where governance of information security risk is increasingly a responsibility of the highest levels of management.
It is their responsibility to provide the leadership, direction, resources and oversight to ensure that information security is managed in a robust and effective way. To do this they need the support of teams throughout the entire organisation.
Staff need to understand their responsibilities, and what they can and can't do with certain types of information. This means having people with the right skills in place to deliver effective training, ensuring that all staff know about the information security programme, understand its importance and the consequences of failing to follow it, and know how to act safely and effectively.
Some staff will have specific roles to play within an information security management system, and will require training to ensure that they have the competencies to carry out their roles.
Assessing the risk
As stated previously, information security is about protecting an organisation’s various information assets against unauthorised access, theft or accidental loss. What this does not mean is that all information must be subject to the same, high-level controls.
To gain assurance that you are implementing the right security controls, you should carry out a thorough risk assessment of the information your organisation holds.
If you think about the huge amounts of information that providers collect, store and process, some of this will necessitate particularly stringent security measures, for example the personal details of students and staff. Other information, such as timetables, will not. Protection needs to be proportional to the sensitivity of a particular item of information and the threats it might be exposed to.
Evaluation and continual improvement
Information security management is not a one-off exercise. As with all key organisational functions, it should be subject to continual improvement, allowing you to adapt as requirements and threats change. It is not sufficient to implement a system and see this as job done.
Once you have your information security management system up and running, with risks being treated and incidents responded to, it is important to evaluate its effectiveness, and to do so regularly, to ensure it continues to meet its objectives.
A closer look at Wales
Understanding that information security underpins the born-digital approach, Welsh Government, the National Training Federation for Wales (NTfW) and Jisc have committed to a change programme driving ISO 27001:2013 conformance – the international information security management standard – across the work-based learning sector in Wales, by July 2017.
Covering everything from financial data and intellectual property to personal information and other information entrusted by third parties, ISO 27001:2013 is the most widely adopted standard in information security, so in delivering this programme the Welsh skills sector will be at the forefront of information security in the UK.
Jisc colleagues have already begun engaging with commissioned contract holders in Wales, gaining an understanding of their current processes, how far along the road they are in establishing their own information security management systems, and tailoring support to meet their requirements in accordance with an ambitious timescale.
In the coming months we will be holding a number of events addressing common concerns such as risk management, asset management, information classification and document control and internal audit, as well as a series of good practice meetings where people can share their experiences.
We will also be at the NTfW conference, Developing the Network to Deliver Excellence in Vocational Skills, where we will share simple strategies and tools so that delegates can enhance their own security and pass that knowledge to learners.
We offer a wide range of services that will help you develop a secure digital environment. Contact your designated account manager for more information.