Itc.isg.ed.ac.uk

Information Technology Committee
Security Update
This paper describes the security incidents in the past year and brings the reports up to the current date Action requested Does the paper have resource implications? No Risk Assessment Does the paper include a risk analysis? Yes If ‘Yes’, in which section(s) of the paper are they described? The entire paper Equality and Diversity Has due consideration been given to the equality impact of this paper? Yes, and there are no implications Originator of the paper Brian Gilmore, CITSO 1 Nov 2013 Freedom of information Can this paper be included in open business? Yes IT Security

The following paper is an updated version of that presented to the Risk Management
Committee as part of the Annual report on IT events to that committee.
It has been updated to bring all the reported events up to the date of the paper.
The appointment of the Chief IT Security Officer has provided a much better focus on IT
security. During the year he has introduced a more robust mechanism for classifying and
reporting security incidents and has been able to start to address School awareness.
The VP for Knowledge Management issued a letter highlighting security issues to all Heads
of School and Heads of Support Units at the beginning of 2013. As a follow up, the Chief IT
Security Officer has visited most Heads of School to:
• help reinforce the security message; • inform them of the range of potential risks; and • establish the scale of IT operations in each school. It is very pleasing to note that the level of preparedness and resources that are available to handle school issues tallies very closely with the scale of issues facing individual schools. During the year and to date there have been 17 security incidents which can be graded from serious to extremely serious. A log of these incidents is produced below: Incident
15-Mar-13 Email with patient info Patient info outside NHS Carelessness It was particularly disappointing to see the reoccurrence of the Viagra compromise. In these cases the issue to rectify lies with the College, rather than IS. The issue in Engineering occurred where the site concerned was being replaced but was running a critical function with out of date software. There are two elements to this type of attack. One is the source of the compromise which is usually easy to clear up. The second is that the infected web pages, although they carry no further risk other than reputational, need to be cleaned and the indexes updated in Google. This can be very tricky and we now have a very useful ‘cookbook’ from Engineering to assist in this. As part of the external penetration testing service that we have licensed (on a free at the point of use basis) from ESISS is a web testing service. This service has been released to Computing Officers and good use of it seems to be being made in CSE and CMVM. Limited use of it so far has been made in CHSS. The service seems to err on the side of ‘false positives’ but it should ne emphasised that anyone who is running a web service should be using this tool on a regular basis to ensure that loopholes have not emerged. The incident on 2nd October resulted in a small loss of personal data which was reported to the Information Commissioner by the University’s Data Protection officer. There was no further follow up from the Information Commissioner. The accidental loss of data relating to the 31st Jul incident was a result of a mistake arising from a change of ownership of the system which will not recur. There is an on-going stream of small incidents which can be reported from a number of sources including that of the Janet Incident response Team (CSIRT). The incidents range from the loss of a single password, through a phishing incident to a malware infection. Each incident is logged in the Helpdesk system. In April this year a systematic classification was started which enables us to classify incidents in a common way with both the sector as a whole and with the Russell Group in particular. It is too early to make sensible comparisons and the level of reporting varies very widely in the sector but over time this should be possible. A reluctance to report incidents both within this institution and across all institutions will need to be overcome. A table summarising the number and type of incident is given below.

Source: http://www.itc.isg.ed.ac.uk/docs/open/Paper_B_Security_Update.pdf