The Education and Skills Funding Agency (ESFA) had initially amended the contract for those who receive that funding to attain the ISO27001 Information Security Management certification.
Jisc and the AoC made representations citing that the scale of work, redirection of resource and the very short time frame was an unrealistic expectation for the sector. As a result the ESFA modified the requirement to a more incremental process of initially attaining the Cyber Essentials (CE) by September 2020. This is to be followed by attaining the Cyber Essentials Plus (CE+) award by September 2021.
The ISO27001 aspiration remains on the security improvement radar as a future requirement, but no date for this has been set and Jisc members do not need to be working towards this standard unless they have identified other funding streams that mandate attainment.
***Covid-19 prevention changes everything***
Following the massive interruptions to the usual business delivery models of all Jisc members caused by the protective rules put in place to restrict the proliferation of infections, the ESFA moderated the requirement to state:
“Where the College will handle information at OFFICIAL on behalf of the Department, the requirements under Cabinet Office Procurement Policy Note 09/14 – Use of Cyber Essentials Scheme certification, or any subsequent updated document, are mandated, the College will endeavour to meet the requirements of Cyber Essentials for the 2020/21 Funding Year and present the results to the Department on request. The scope must be relevant to the Services supplied to, or on behalf of, the Department.”
The key elements in this statement are “endeavour” and to be able to “present the results to the department on request”. While the delivery models for teaching, learning and business administration have all changed significantly resulting in new security concerns due to most users and devices accessing services from the ‘wrong’ side of the security perimeter, Cyber Essentials remains the aim and simply ignoring it isn’t an option. This statement above recognises that leadership and service delivery teams will have had a change of priority, work load and may not be able to access sites to improve infrastructure.
Meeting the Cyber Essentials requirement is mainly an IT infrastructure function requiring a self-declaration to a question set that commits the Jisc member to a defined security posture. From the 110+ Infrastructure Reviews conducted across the sector, we are aware that for many members meeting this posture will involve many changes and improvements to IT service delivery mechanisms requiring the support of the senior leadership and investment.
Producing an evidence log of improvement is likely to be best done using an IT risk register and an associated IT risk treatment plan. This doesn’t have to overly complicated, simply a record of the identified risk, what mitigation is in place (if any) and what the likelihood of occurrence and possible business impact with an indication of its priority.
The IT risk register should identify mechanisms required or already deployed but in need of further configuration to mitigate or eliminate risk. Additionally, where a mitigation process has underlying dependencies requiring prior resolution to facilitate the overall removal of a risk, this becomes the IT risk treatment plan which is updated as stages are completed and reviewed before being finally signed off as finished.
Jisc are currently assisting members with advice and guidance about their current security posture in relation to Cyber Essentials and the steps that can be undertaken to improve. Jisc has created multiple resources for members to utilise:
Jisc Cyber Security Portal – multiple services for internal and external security validation
Jisc Consultancy – multiple services including an Enterprise Security Review and Risk Assessment
Jisc Training – online session for all aspects of business including Cyber Essentials drop-ins
More to follow, please get in touch via this blog or your Jisc Account manager.