Growing one point in maturity soon takes several years.
"At level 3, you have your information security under control"
Sector-wide agreements have been made in education about information security. Together, we express its level in 'maturity'. On a scale of 1 (ad hoc) to 5 (optimised), the average rating within the education and research sector is currently 2.3. Administrative commitment is crucial for moving forward.
To grow to an average level of 3.0, we still need to take big steps. You don't do something like that overnight. To test information security maturity, institutions in secondary and higher education have audits carried out. In practice, growing one point quickly takes several years. Just compare two successive levels. At assessment level 2, control measures exist and are implemented in a structured and consistent, but informal way. At level 3, all these measures are documented and implemented in a structural and formal way that is also demonstrable, tested and effective (source: SURFaudit Assessment Framework Information Security). These are big steps.
What we can keep in mind is that achieving level 3.0 is an agreement, but not an end in itself. It is also an indicator that shows where we are growing and where support may be needed.
All layers of the organisation
Institutions that have managed to make great progress all have the topic prominently on the managerial agenda. They have put teams in position and are aware of the continuous attention the subject requires, as information security remains subject to change.
The University of Twente (UT) is one of the highest-scoring institutions. Machteld Roos, board member at this university, explains their approach: "Decision-making on information security takes place at both tactical and strategic levels. For each measure, we look carefully at the impact and involve all layers of the organisation." UT does so according to a streamlined approach implemented along the following five lines: policy, responsibilities, awareness, training and risk management.
Visible board member support
"We have a detailed information security policy in place, with objectives and guidelines," Roos continues. "This is all laid down and updated periodically. A cycle has been set up for this: plan, do, check, act. It's the process side, the paper side." On the other hand, there is a lot of focus on awareness. For example, the university has made awareness training mandatory for all employees, including board members. This contributes to the effectiveness of measures.
"Of course every board member thinks this issue is important, but you have to make that visible."
The same goes for visibly placing importance on the subject as a board member, says Roos. One example is visible administrative support for the CISO, who is responsible for the information security policy, its progress and its monitoring. At UT, the CISO has a direct line to the board and also comes to the table in board meetings. "Of course every board member thinks this subject is important, but if you don't make that visible, it's much harder to get the whole organisation on board."
Pathway of years
Board member Trudy Vos of ROC van Twente also stresses the importance of "managerial commitment". "When cyber security is on the administrative agenda, it helps the organisation take it seriously." What does that look like in practice? After years of splintered ICT teams throughout the organisation, ROC van Twente has created a separate service for this field: Educational Technology & IT. "The service is headed by an expert and dedicated director. That has been a very big step, and I am proud that we have taken it," Vos states. "We have also professionalised the functions of Data Protection Officer, Security Officer and Privacy Officer, and there is a specifically dedicated Security Specialist within the IT team."
"You are never done when it comes to information security. Therefore, thinking in this area should never stop."
"In the step from level 2 to 3, one of the requirements is that processes are well described and recorded. That is relatively simple to do," Vos says. "But system interventions are sometimes needed to take certain steps." For example, her ROC is now working on a core registration system, which also incorporates a student tracking system to which administration systems will be connected. "There is so much involved in that. It's really a journey of years."
Constantly new threat images
"As ROC van Twente, we are not yet at level 3. And once we are, it's still not ready," Vos emphasises. "After all, you're never done when it comes to information security. Thinking in this area should therefore never stop," a conclusion underlined by fellow UT board member Roos. "Because," Roos argues, "the rules and standards for level 3, but actually for every level, are getting stricter and stricter. This is because the world is constantly changing."
Roeland Reijers, Chief Information Security Officer (CISO) of the University of Amsterdam (UvA) and the University of Applied Sciences Amsterdam (HvA), also stresses that information security is a dynamic process that you are never done with. "Think of technical developments, such as AI and quantum computing, but also new legislation. And not least the changing adversaries and ever new threat images. All developments we need to keep an eye on and respond to with new measures or tightening up existing ones."
Matter of risk management
"If you want to digitise as an educational institution, you have to take security and privacy seriously," says Reijers. "You are not going to drive Formula 1 today with a 1950 Aston Martin either. It's a question of risk management." To him, taking information security seriously means that a faculty should be at maturity level 3 of information security. "Then you are in control, you have things documented and you can transfer things," he says.
For Reijers, this means that twice a year he draws up his own strategic/tactical threat assessment for both the UvA and the HvA. As input for this, he uses the annual threat assessments of the National Cyber Security Centre (NCSC) and SURF, among others, but also trends and incidents that have been in the news or have taken place at their own institutions. "So as to be able to get a bit more speed in the prioritisation in terms of action points," explains Reijers. "The institution-specific threat images also help in substantiating policy to the organisation and board members and in creating awareness throughout the organisation. When you can indicate that you are taking measures to mitigate education and research risks, your colleagues also understand that these measures are necessary."
Working together and taking action yourself
Regarding the feasibility of the ambition to grow as a sector to maturity level 3 in information security, the three board members stress how important it is to work together. They therefore point colleagues to the relevant knowledge available within SURF and MBO Digitaal. "Make use of that," reads the joint advice. "But", warns Vos, "you really have to get to grips with this yourself as an institution. This subject is too important to leave to others."
"We feel a responsibility for the entire education sector."
The institutions mentioned in this article are all relatively large. That can be an advantage in building dedicated teams. Nevertheless, it is also important for smaller institutions to find their way within information security and the desired level of maturity. "Form a coalition with other institutions," Vos' advice reads. "Seek cooperation. The scope for this is there."
"We as UT share a lot of knowledge anyway," adds Roos. "Other institutions ask us how we approach something and whether they can come and see us. Or they ask if we want to come and talk about something. On the other hand, we learn from these other institutions. It really is mutual: keeping up and learning." "As CISO, I don't feel solely responsible for the security of my institutions," Reijers concludes. "Together with my fellow CISOs, I also feel a responsibility for the entire education sector."
Text: Sandra Kagie and Maureen van Althuis
About the SURFaudit information security benchmark
In 2023, a record number of 103 institutions took part in the annual SURFaudit benchmark: 14 universities, 34 universities of applied sciences and 55 MBO institutions. The average score of all participants in this benchmark comes to a maturity level of 2.3 (on a five-point scale). This figure is based on the external audits that the universities and (most) universities of applied sciences commissioned and on the self-assessments of the MBO institutions. Given the importance of uniform external assessment, MBOs now also have external audits carried out.
“At level 3, you have your information security under control” is an article from SURF Magazine.
Questions following this article? Mail to magazine@surf.nl.