Last updated: 4 months 3 weeks ago
Blog Manager

I'm the Information Security Manager at Janet and through this blog I'll be sharing some of my experiences, ideas and thoughts on information security topics.

Blog Article

When using software as a service (SaaS) there may be legitimate reasons for an external party to create e-mails from @jisc.ac.uk addresses. In the past this would have been a clear indication of phishing or other attacks, but now we need a more sophisticated approach to separating legitimate mails from malicious ones.

Blog Article
Vulnerability management is a critical aspect of cybersecurity. Understanding and limiting the vulnerabilities in our systems reduces the chance that they will cause harm to others, to Jisc, or to its reputation.
For some products and services (such as computer operating systems), vulnerability management is a relatively mature and well understood field. In others, particularly for highly specialised software, the level of service available from suppliers to help you manage vulnerabilities in their products and systems is variable to non-existent. 
Blog Article
Encryption is a powerful security tool, but one that is very easy to misuse and implement poorly. The past years have seen several vulnerabilities and events that we have had to respond to: Heartbleed, BEAST, POODLE, the retirement of SHA-1 certificates, and PCI DSS mandating TLS 1.1.
We have spent a lot of time and effort ensuring that our own systems are well managed, and it is important that our suppliers are able to keep pace with changes in how we want to use encryption. This has led us to start including requirements for encryption within procurements.
Blog Article
Particularly when we are buying ICT products and services, information from suppliers is likely to have an emphasis on technical security measures – we’ll get lots of information on encryption, compliance with data protection laws, authentication and datacentres. These are important, but we also need to understand how the supplier manages issues of information security, and how they have decided that these controls are effective at protecting our information.
We ask our suppliers to:
 
Blog Article
Through the work done to gain ISO 27001 certification within Jisc we have had to explore, review, understand and improve how we deal with information security issues in products and services we obtain from suppliers. We must understand the requirements of our systems and services, the security implications, features and properties of our suppliers’ products and services, and how information security becomes an integral part of the relationship with the supplier.