Information Security Management

Last updated: 1 month 5 days ago
Blog Manager

I'm the Information Security Manager at Janet and through this blog I'll be sharing some of my experiences, ideas and thoughts on information security topics.


Blog Article

When using software as a service (SaaS), there may be legitimate reasons for an external party to send e-mail from @jisc.ac.uk addresses. In the past this would have been a clear indication of phishing or other attacks, but now we need a more sophisticated approach to separating legitimate mail from malicious mail.

Blog Article
Vulnerability management is a critical aspect of cybersecurity. Understanding and limiting the vulnerabilities in our systems reduces the chance that they will cause harm to others, to Jisc, or to its reputation.
For some products and services (such as computer operating systems), vulnerability management is a relatively mature and well understood field. In others, particularly highly specialised software, the level of service available from suppliers to help you manage vulnerabilities in their products and systems ranges from variable to non-existent.
Blog Article
Encryption is a powerful security tool, but one that is very easy to misuse and implement poorly. The past years have seen several vulnerabilities and events that we have had to respond to: Heartbleed, BEAST, POODLE, the retirement of SHA-1 certificates, and PCI DSS mandating TLS 1.1 or higher.
We have spent a lot of time and effort ensuring that our own systems are well managed, and it is important that our suppliers are able to keep pace with changes in how we want to use encryption. This has led us to start including requirements for encryption within procurements.
Blog Article
Particularly when we are buying ICT products and services, information from suppliers is likely to emphasise technical security measures: we’ll get lots of information on encryption, compliance with data protection laws, authentication and datacentres. These are important, but we also need to understand how the supplier manages information security as a discipline, and how they have satisfied themselves that these controls are effective at protecting our information.
We ask our suppliers to:
 
Blog Article
Through the work done to gain ISO 27001 certification within Jisc we have had to explore, review, understand and improve how we deal with information security issues in products and services we obtain from suppliers. We must understand the requirements of our systems and services, the security implications, features and properties of our suppliers’ products and services, and how information security becomes an integral part of the relationship with the supplier.
Blog Article

Many organisations want to check that their suppliers and partners are managing information security risk, and possession of an ISO 27001 certificate is often the preferred way to evidence this. If you are relying on the assurance that an ISO certificate can provide, checking that the certificate is valid is an important, but not particularly difficult, process.

Blog Article

In anything other than the smallest organisations, getting insight into how e-mail is being used can be difficult. Cloud-based e-mail means that you no longer know the technical details of even a trivial implementation, and colleagues can quickly set up SaaS services that send e-mail from your domains without involving IT.
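The two e-mail posts above (legitimate third parties sending from your addresses, and finding out who is actually sending as your domains) share one practical starting point: the DMARC aggregate (RUA) reports that receiving mail systems send back to the domain owner. The following script is an added example, not code from the blog or from Jisc; it assumes DMARC reporting is already switched on for the domain, which neither post states. The report XML, the domain `example.ac.uk`, and the `KNOWN_SENDERS` inventory are all constructed for illustration, using documentation IP ranges rather than any real vendor's addresses.

```python
"""Triage a DMARC aggregate (RUA) report: who is sending mail as our domain,
and is each source one we know about?  Added example; the report XML and the
sender inventory below are constructed, using documentation IP ranges."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed RUA report in the RFC 7489 Appendix C layout, with four sources:
# our own gateway, a SaaS vendor we authorised, a SaaS a colleague set up
# without telling IT (DKIM aligned, so DMARC still passes), and a spoofer.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.test</org_name></report_metadata>
  <policy_published><domain>example.ac.uk</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.ac.uk</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.ac.uk</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.40</source_ip><count>88</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.ac.uk</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>57</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.ac.uk</header_from></identifiers>
  </record>
</feedback>
"""

# Hypothetical inventory of sources we have knowingly authorised to send as us.
KNOWN_SENDERS = {
    "campus-mail-gateway": [ipaddress.ip_network("192.0.2.0/24")],
    "crm-saas-vendor": [ipaddress.ip_network("198.51.100.0/24")],
}


def classify_source(ip):
    """Map a source IP to an inventory entry, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, nets in KNOWN_SENDERS.items():
        if any(addr in net for net in nets):
            return name
    return "unknown"


def triage(sender, dkim, spf):
    """policy_evaluated/dkim and /spf hold the *aligned* results, so DMARC
    passes when either one is 'pass' (RFC 7489)."""
    dmarc_pass = dkim == "pass" or spf == "pass"
    if sender != "unknown":
        return "known-pass" if dmarc_pass else "known-fail"  # fail: broken config
    return "unknown-pass" if dmarc_pass else "unknown-fail"  # pass: inventory gap


def summarise_report(xml_text):
    """Return (domain, {source_ip: {count, sender, triage}}) for one report."""
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    rows = {}
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        sender = classify_source(ip)
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        rows[ip] = {
            "count": int(rec.findtext("row/count")),
            "sender": sender,
            "triage": triage(sender, dkim, spf),
        }
    return domain, rows


def needs_attention(rows):
    """Everything except known senders that authenticate cleanly."""
    return {ip: r for ip, r in rows.items() if r["triage"] != "known-pass"}


if __name__ == "__main__":
    domain, rows = summarise_report(SAMPLE_REPORT)
    print(f"Sources seen sending as {domain}:")
    for ip, r in rows.items():
        print(f"  {ip:16} {r['count']:6} {r['sender']:20} {r['triage']}")
```

The point of the four-way triage is that "DMARC pass" alone does not answer the question the posts raise. The second source is the expected SaaS case: SPF fails alignment because the vendor uses its own bounce domain, but an aligned DKIM signature carries the message, so it is legitimate. The third source also passes, which means somebody has already published a DKIM key or SPF include for it without IT's knowledge; that is the shadow-SaaS case and deserves a conversation, not a block. Only the fourth source is the classic spoof. Running this over every report received (they arrive daily from each reporting receiver) turns the vague "who sends as us?" into a maintainable inventory.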

Blog Article

You may have noticed the quiet appearance of ISO 27001 (and ISO 9001!) logos on our website – a few weeks ago our information security management system was successfully certified against ISO/IEC 27001:2013 for the following Trust and Identity services.
