This post is the ninth in a series of ten posts that have been created to identify the best practice found in FE colleges by the Jisc infrastructure review service. An introduction to the infrastructure review synthesis project is provided in the first post in the series.
Security and business continuity
In the most mature organisations the IT team is sufficiently able to ensure that all security related tasks may be handed off to another member of the team, this both enables IT team members to have a genuine break from their duties and reduces the chances that an internal bad actor will go unnoticed.
In a minority of cases we see write once logging or remote system logging in use, the use of this technology means that those with administrative access cannot delete or tamper with the system or security logs. We note that colleges can consider implementing these technologies, especially if making substantial use of contractors.
It is useful to note that in the vast majority of colleges limited (standard) user accounts are used by the IT team for the bulk of their work. In these instances, administrative accounts are only used for tasks that require this access. We note that this account management method limits the exposure (and therefore the risk of compromise) of the domain administrator and other administrative accounts.
Only in the most digitally mature colleges that have sufficient resources to plan, rehearse and revise their backup / disaster recovery processes do we see fully documented and rehearsed business continuity processes. This point is directly linked to the small size of most college-based teams who rarely have the time for proactive measures such as disaster recovery planning.
Again, only the most mature IT organisations have wholly robust backup / disaster recovery systems.
Perhaps most concerningly, many organisations have no form of logically or physically offline backup systems, meaning that we often make strong suggestions about improvements in this area as the lack of offline backups is a critical cyber-security resilience point.
This is partly as some colleges have retired offline tape backups or removable disk pack backups in favour of ‘online’ backups that some perceive to be ‘more modern’, however offline tape backups are still a valid and cost effective mitigation against various cyber threats inclusive of crypto-malware.
Where colleges do have logically or physically offline backups the majority of colleges have not invested in offsite (cloud hosted), verified logically offline backup systems, as this option can come at a high cost.
Offline backups such as tapes or removable disk packs are a useful mitigation in the event that both primary systems and online backups are destroyed by the same bad actor (hacker) or malware incident.
Most backup systems have been designed with a different, historical or legacy risk profile in mind, meaning that in most cases the provision or contingency against a physical event (fire, flood or catastrophic hardware failure) is far better developed than the provision aimed at guarding against or recovering from a cyber-security incident.
Unfortunately, cyber-security incidents are perhaps more common than a physically destructive event. With most colleges failing to have a logically or physically offline backup to mitigate against damage caused by bad actors (hackers) or malware outbreaks we would link this point to the difficulty that some colleges have with timely infrastructure renewal, which we identify as being down to high cost.
Only the most developed IT organisations have the resources required to implement a disaster recovery environment, this means that in most cases following a disaster the RPO (recovery point objective), as in the time taken to restore systems following an incident, will be governed by equipment lead times.
The RTO (recovery time objective), as in the maximum amount of time over which data might be lost, is generally good in the event of a physical event, however in the event of a cyber-security incident the RTO could be highly variable, in that without offline backups there may be no viable restoration route for locally held systems.
It is useful to identify that the majority of college firewalls are modern, kept up to date with security patches and include security subscriptions such as gateway anti-virus and intrusion detection or intrusion prevention signature updates. Most colleges also use their main firewall appliance (sometimes this is referred to as a UTM, unified threat management appliance) for web filtering, monitoring, reporting, and alerting. A small number of colleges make use of a dedicated web filtering, monitoring, and reporting appliance in addition to the main firewall. A smaller number of colleges use ‘e-safety’ software such as e-safe or Impero that use approaches including keystroke logging to enforce safeguarding policies.
Most colleges are generally compliant with the best practice expectations of Ofsted in relation to the Prevent Duty and good safeguarding practices. The minority are not compliant and may find this challenging at Ofsted inspection, should this area be considered in detail by the inspection team, for more information on this point refer to the ETF Prevent Duty resources and to the Jisc document ‘Web filtering and monitoring: Guidance for the further education and skills sector in the context of the Prevent Duty’.
The physical security of IT assets is generally good with server rooms and other key areas such as comms rooms secured by access control systems, master key systems and CCTV.
Physical protection or contingency of server rooms is generally good with fire detection systems, dual air-conditioning systems, and UPS (uninterruptible power supplies) in common use.
Only a minority of college server rooms have fire suppression and environmental alerting systems in place meaning that few colleges have a tier 1 datacentre status.
- As described above most infrastructure reviews reveal that improvements are often required around the cyber security posture of organisations, this is primarily linked to mitigations around disaster recovery and business continuity but also includes other practice based cyber-security improvements.
- The Janet network includes a high level of in-built cyber-security protections such as Foundation DDoS mitigation, which mitigates against the effects of distributed denial of service attacks.
- Jisc provides a range of cyber-security services inclusive of the CSIRT (computer security incident response team), the phishing framework and the penetration testing
- The cyber security assessment service may also be useful to organisations that required a holistic assessment of their cyber-security position.