Security master plan turns into lasting collaboration
In January 2019 the National Audit Office published a report (link is in Danish) criticizing numerous Danish universities for their outdated IT standards, with emphasis on cyber security. This was also mentioned in the media (link is in Danish). What the report does not highlight is how Aalborg University together with Netic had already addressed the areas of concern. They had already received approval for their new security master plan.
Prior to this, the university conducted a GAP analysis to identify potential security gaps. In addition to reports by both the Danish Centre for Cyber Security and a similar English institution, risk assessments of the most business-critical systems and a maturity analysis with reference to ISO 27001 were conducted.
Aalborg University was well prepared for the report by the National Audit Office. However, it did serve as a foundation for further improvement for Netic and the Information Security Manager of Aalborg University, Gitte Melph, who set out to integrate the National Audit Office’s five focus areas into the university’s future operations.
“Development never stalls – neither for us nor for the bad guys – and mistakes can have serious consequences. It’s all about being prepared and building the right barricades at the right places before a weakness is exploited by the wrong people,” – Gitte Melph
There are a lot of barricades to keep track of for an institution the size of Aalborg University. Not only does the agency recommend that Aalborg University, like every other public institution, implement various security standards such as ISO 27001; the university is also responsible for personal data belonging to about 30,000 students and 5,000 employees, together with its many research projects and collaborations spread all across the globe.
“Netic is very open about their progress. We are on the same wavelength, and it was quickly evident that they had the experience we were looking for. And we were able to start right away,”
Because of the scale of the organization, there are many potential gaps to close before it’s too late. For this reason, Aalborg University decided in mid-2018 that a new master plan covering focus areas and execution should be drawn up. This is where Netic enters the picture.
“We were in need of qualified and professional sparring in order to draw up the strategy. We needed more people to take a look at the case. The assistance from Netic allowed us to execute faster and more efficiently,” – Gitte Melph
Since the university’s deadline was short (just about four months), it was important that the sparring partner was able to contribute value from day one. The GAP analysis consisted of investigating and security checking all of AAU’s systems as well as conducting interviews with the system owners. After analysing all the potential security gaps, Netic presented a security maturity assessment.
“Our goal is and has always been to increase the security. It is the reason why we’ve been brought into this world. Our continued collaboration with Netic allows us to draw on existing expert know-how, and we hope to benefit from this as long as possible,” – Gitte Melph
The collaboration started at the very first consultation meeting. The project plan was divided into three overall steps. The first step was the drafting of a security maturity assessment, and subsequently 16 different efforts were identified, including network segmentation for prevention of cybercrime and protection of mobile devices. This analysis served as a basis for the following priority plan, which was set to be in effect for the coming two to three years. Netic stepped in with a thorough investment plan based on the previously conducted GAP analysis. The investment plan gave AAU a direct overview of which areas required attention and which technologies could fix the problems. In addition, the report highlighted the time expected to be allocated to solving each identified gap.
At first Aalborg University was looking for assistance with the plan itself, but when it was ready and the implementation process of the planned initiatives was approaching, the university chose to continue the collaboration with Netic.