5 September 2017 at 9:47am
Vulnerability management is a critical aspect of cybersecurity. Understanding and limiting the vulnerabilities in our systems reduces the chance that they will cause harm to others, to Jisc, or to its reputation. For some products and services (such as computer operating systems), vulnerability management is a relatively mature and well understood field. In others, particularly for highly specialised software, the level of service available from suppliers to help you manage vulnerabilities in their products and systems is variable to non-existent.
29 August 2017 at 10:52am
Encryption is a powerful security tool, but one that is very easy to misuse and implement poorly. The past years have seen several vulnerabilities and events that we have had to respond to: HEARTBLEED, BEAST, POODLE, the retirement of SHA1 certificates, and PCI DSS mandating TLS 1.1. We have spent a lot of time and effort ensuring that our own systems are well managed, and it is important that our suppliers are able to keep pace with changes in how we want to use encryption. This has led us to start including requirements for encryption within procurements.
17 August 2017 at 2:04pm
Particularly when we are buying ICT products and services, information from suppliers is likely to have an emphasis on technical security measures – we’ll get lots of information on encryption, compliance with data protection laws, authentication and datacentres. These are important, but we also need to understand how the supplier manages issues of information security, and how they have decided that these controls are effective at protecting our information. We ask our suppliers to:  
11 August 2017 at 3:55pm
Through the work done to gain ISO 27001 certification within Jisc we have had to explore, review, understand and improve how we deal with information security issues in products and services we obtain from suppliers. We must understand the requirements of our systems and services, the security implications, features and properties of our suppliers’ products and services, and how information security becomes an integral part of the relationship with the supplier.
11 August 2016 at 2:31pm
You may have noticed the quiet appearance of ISO 27001 (and ISO 9001!) logos on our website – a few weeks ago our information security management system was successfully certified against ISO/IEC 27001:2013 for the following Trust and Identity services.
13 April 2016 at 4:17pm
The term “threat intelligence” seems to creep in scope to cover any and all information in cyber security, regardless of whether it involves any actual intelligence. Threat intelligence needs a number of qualities to be truly valuable.
5 April 2016 at 8:37am
Jisc often receives requests from customers asking to help assess the effectiveness of a security control (firewalls being the most common). Security controls can rarely be assessed in isolation since doing so requires an understanding of the risks that led to the control being selected. This causes obvious problems for measuring effectiveness if controls are implemented for “best practice” rather than identified needs.
1 February 2016 at 1:10pm
One of the many organizational tools to come out of manufacturing is called 5S. Based on a list of five Japanese words, Seiri, Seiton, Seiso, Seiketsu, and Shitsuke (Sort, Set, Shine, Standardize and Sustain), it provides techniques that promote efficiency and quality, particularly in a workplace where multiple workers share responsibility for production. Seiton and Seiso promote the organization and tidying of a workspace. Are these methods relevant to information security? Are organized, tidy and maintained systems more secure?
30 October 2015 at 12:00pm
In the week since the TalkTalk breach there's been commentary on encryption of data, particularly with their CEO's comments that they were not legally required to encrypt data. Of course encrypting the storage of data at rest is a common sense control against a range of threats such as physical theft or loss of the storage device.
27 July 2015 at 4:33pm
I've spent a few weeks investigating how we can use open source tools to provide basic vulnerability assessment functionality within a small ISO 27001 scope (less than thirty systems). The more sophisticated and expensive commercial products are great, but before we investigated their use I wanted to see what we could get on a limited budget (mostly my time).