Jisc has implemented policy changes designed to strengthen cyber security measures across the research and education sectors.
Following consultation last summer, updates have been made to the policy governing the use of Janet, the Jisc-run national research and education network to which all UK colleges, universities and research centres are connected.
Effective from 1 April 2022, three key principles are being added to the updated policy, and perhaps the most important is the new obligation for connected organisations to undertake an annual self-assessment of their security posture.
Against a background of increasing threats, it is important for organisations to understand their strengths and weaknesses in order to raise security maturity across the sector.
If a cyber incident badly impacts one organisation connected to Janet, others could also be affected, so we work on the principle that the more secure individual organisations are, the more secure the sector is.
Our 2021 cyber security posture survey tells us there is a variance in skills and resources within institutions, so we don't want to be too draconian on this: we want to work with members to raise the bar, to help them assess where they are and guide them along that never-ending journey to improving security.
Colleges and universities can use whatever model or framework works best for that assessment. We will collaborate through our security community group to see if there is a consensus on which method is preferable or whether we should work together to develop a sector-specific model.
While there is no obligation on members to share the results of their assessment with Jisc, we see real potential benefits in sharing that data to provide a broader picture of security in education and research. This would help Jisc understand the gaps and plan how best to support the sector in filling them.
Sharing data in this way could also allow for individual benchmarking against peers. For example, we might tell a member that they are in the ‘top’ quartile of universities; or perhaps the bottom quartile because they haven't got as many specialist security staff and controls in place as other organisations of a similar size. Obviously, we would treat this data confidentially and would not share details publicly.
The second change to the policy concerns the existing GeoIP restrictions, which address a vector that has been commonly used for ransomware attacks against the sector over the past couple of years.
After 1 April, Jisc will consider blocking access to other high-risk protocols or ports in response to new and specific intelligence, and the existing restrictions will shift from an opt-in control to being on by default.
Members will be given plenty of advance warning before we make this change and can, if required, opt out of this additional layer of protection.
The third principle we are adding to the Janet security policy is an enhancement to Jisc’s computer security incident response team’s (CSIRT) remit to perform vulnerability scans across the Janet Network as a whole.
Currently, CSIRT carries out vulnerability scans on an exceptional basis only, but the updated policy allows for proactive scans in response to critical vulnerability alerts or actionable threat intelligence.
This means CSIRT will be better able to identify vulnerabilities that may present a serious threat to the security of the Janet Network or services provided over it. Any weaknesses that are discovered will be shared with all relevant security contacts.
This policy change will help us to stay one step ahead of cyber criminals who are routinely scanning networks looking for weaknesses to exploit.
Cyber security should be a strategic priority, led by the board, with which ultimate responsibility sits. To help senior leaders assess their cyber security, Jisc has produced a set of questions.