Cyber Security

The whole subject of cyber security is growing in prominence across the UK – indeed across the world. It is recognised as a significant challenge to organisations and national economies, and with the key role that Universities play in research and education they are as vulnerable as any other sector. Universities own areas of intellectual property of immense value and theft of that intellectual property would be an issue not just for the Universities concerned, but for the wider economy as well.

The UK Government’s National Security Strategy lists “hostile attacks upon UK Cyber Space” as amongst the top 4 priority risk areas next to terrorism, war and major accidents/natural hazards.

In November 2011, the Cabinet Office published a “UK Cyber Security Strategy”

This strategy sets out how the UK Government will tackle the threats, but also in a way that ensures that “. .  cyberspace remains an open space – open to innovation and the free flow of ideas, information and expression.”

That’s important for Universities. We are very open communities, with large student populations, members of the public, and staff involved in a wide range of activities. Our IT infrastructure needs to be open enough to permit all of that, but secure enough to protect important information resources, personal and confidential information.

Like many organisations, we will be keeping our security measures under constant review, particularly in the light of growing cyber security threats. We want to make it easy for staff and students to access our systems but there will always be the need for some security and it is important that all of our users respect this and follow guidelines and instructions where they are provided. You may feel that you are not involved in anything that is secret or confidential. If you are connected to our network, however, you are just as likely to be a target and if you don’t follow security guidelines your equipment could provide an easy entry point for an attacker.

Who Are You?

Identity management is a topic of growing importance in Universities and indeed all organisations. Universities, however, are complex organisations and bring unique challenges. What is identity management? Very simply, it is the whole process of dynamically providing and authorising access to resources to the right people according to their role in, or relationship with, our University.  It brings with it opportunities for much greater security, productivity, and could significantly enhance the experience of all those who engage with us.

Our existing approach to identity management has grown over the years and would now benefit from a fresh approach. We have mechanisms to set up user accounts automatically and grant access to a range of online resources. But they are not all joined up, and they don’t cope well with the growing range of relationships we have with people.

If you are a “normal” undergraduate or postgraduate student, or a straight forward member of staff things are relatively simple. Some people, however, are both a member of staff and a student. At the moment they get two ID’s and end up with a split personality!

We give access to resources to named individual people. If someone changes their job within the University, however, there is no automatic way to remove their access to systems they are no longer entitled to use and give them access to systems for their new role.

As our online presence broadens, we need to establish clear relationships with a whole range of stakeholders who will never fall into the category of a member of staff or student. People attending conferences, parents, visitors, staff from companies with whom we do business, other educational establishments with whom we wish to share information and resources securely.

We have developed a number of solutions to these challenges but we now want to put in place a better overall solution to handle our future needs. That is likely to take some time and we will prioritise the most important areas first. Ultimately, we want to have one source of information about a person’s identity, we want to provide access to services according to the role(s) that person has and not their name, and we want to be able to cope with the full diversity of people through one integrated approach. That will make access to our services easier and more relevant for all those who engage with us.

On the Move

 

Modern video and voice communication technology is now very powerful and increasingly commonplace. For some time now, there have been predictions that the need to travel for business meetings etc will diminish greatly – and there is some evidence that this is happening. But we still travel – a lot.

Like many organisations, RGU has a staff travel policy and of course there is a form to fill in (which at the moment is paper based), and a process to follow. It’s an important process to ensure that staff travel in the most economic way, that absences are properly authorised, that an appropriate risk assessment is carried out for travel to international destinations and that staff have adequate guidance and information for their travel.

It is not, however, the most loved process in the University and it is generally felt that it could be streamlined and improved. A key goal of the new staff portal, which will launch in a few weeks, is to be able to “e-enable” our important administrative processes – and the travel process has been picked as our first one.

The worst thing that we could do would be simply to e-enable the existing process as it stands. This is an opportunity to look at the whole process from the ground up and redesign it. We are planning to do this with a “Kaizen Blitz”, as part of “Lean Kaizen” thinking. You can find more about the Lean Kaizen process here.

Essentially, it involves bringing a team together from across the University – people who travel, people who book travel, people who authorise travel, and people who can challenge existing ways – for about a week. Against a set of clear objectives, they will look at the current process, the issues, what we are trying to achieve and by the end of the week will have proposed a new way for us to manage business travel. Some of the key objectives will be:

• Minimising the number of steps – challenge each stage and the approval routes
• Easing the user experience – make travel booking a straight forward process
• Ensure that risk assessment and other health and safety considerations are nonetheless robustly carried out and audit trail kept
• Ensure that the process is likely to minimise cost of travel
• Enhance the availability of information to travellers, and allow feedback to enhance the experience for future travellers to same destination
• Ensure that the University can quickly identify and respond effectively to unforeseen events and emergencies

Once we have that, we can then start to configure the new online process on the Portal.

We’re just at the stage of identifying the Lean Kaizen team – watch this space.