Closure Report
Project Summary
Over the last years an increased focus has been raised on security and ensuring personal identifiable data is stored securely. This is driven by GDPR requirements as well as increased attacks on the University's services and infrastructure. Data held on behalf of students, staff, visitors and other users must be held securely in all it states such as in transit or at rest. This project was to establish the best way to ensure that specifically student data held at rest within central ISG is adequately secure. It was expected that the outcomes of the project could also be applied to other data sets held within central ISG.
The project was initiated following a request from InfoSec. The project was to engage with an external consultancy to produce a report containing recommendations of appropriate actions and approaches regarding the encryption of student data at rest held in central ISG. The project was then to provide a clear steer regarding how to undertake encryption at rest across central services where appropriate. The report was to balance the need for data security against the impact on application response times as a result of the encryption of data at rest.
The project engaged the services of PricewaterhouseCoopers (PwC) to produce a report documenting where they identified that encryption would deliver the greatest benefit for cost and effort against core systems and the EDW in particular. For the initial phase of the project PwC met with stakeholders across the university both internal and external to IS to identify the key services which hold student data and to review how encryption could best be employed to provide an enhanced level of security for student data at rest. During this process they also assessed the level of threat against the most common attack scenarios in which student data could be targeted and exposed.
The result of their investigation was a report ( 2019_01_uoe_-_encryption_approach_new_final.pdf ) which noted the most common threats to student data with regards the EDW and central business services and recommended a number of options as to how encryption of data at rest could be employed. The report also highlighted a number alternative controls that could be implemented in parallel with encryption at rest to provide a more secure environment for student data.
Upon receiving the final report the project team reviewed the recommendations and taking into account the needs of the university to provide the relatively open environment for both students and staff a proposed plan and approach ( inf144_encryption_at_rest_-_approach_and_plan_v0.3.pdf ) was produced identifying and prioritising 3 follow on projects which should be initiated. As project sponsors InfoSec had been invited to attend the review and participate in the creation of the plan and approach but they declined. As a result once the plan and approach had been reviewed and updated it was forwarded on to InfoSec for their consideration.
Project Scope
The project was to engage with an external consultancy to produce a report containing recommendations of appropriate actions and approaches regarding the encryption of student data at rest held in central ISG.
Data in scope of the project was identified as:
- Student data held at rest in central ISG in both structured and unstructured formats.
- Data which is held or could be held on removable media including data taken as back-ups.
Out of Scope
The following was out of scope of the project:
- All data that is not student data.
- All data in transit.
- Data held on mobile devices e.g. laptops or mobile phones.
- Implementation of tasks to address the recommendations contained in the project report.
Objectives / Deliverables
No. |
Objective / Deliverable |
Priority |
Comments |
O1 |
Establish the scope of the Encryption at Rest project |
|
|
D1.1 |
Signed off scoping document with the external consultancy agreeing the scope of the project and the roles and responsibilities of both parties. |
MUST |
Delivered |
O2 |
Report and Recommendations |
|
|
D2.1 |
Recommendations report, including:
|
MUST |
Delivered |
O3 | Encryption Plan and Approach | ||
D3.1 | Produce an agreed plan and approach detailing how deliver encryption at REST for Student data held in central ISG. | MUST |
Delivered |
D3.2 | Estimates for timescales and resource required to address the plan and approach detailed in D3.1. | SHOULD |
Delivered |
Success Criteria
Objective |
Description |
Achieved |
O1 |
Establish the scope of the Encryption at Rest project |
Yes |
O2 |
Recommendation report produced by the external consultants |
Yes |
O3 | A plan and approach as to how encryption at rest of student data is managed within IS | Yes |
Benefits
The project itself did not deliver any benefits. The benefits would be achieved by the implementation of the 3 projects recommended in the plan and approach report that was the final deliverable of the project.
Analysis of Resource Usage:
Staff Usage Estimate: 33 days
Staff Usage Actual: 35.1 days
Staff Variance: 106%
Key Learning Points
In order to ensure that PwC had timely access to the appropriate individuals from the university, significant effort had to be targeted at co-ordinating meetings and conference calls. As this was a reactionary process based on requests from PwC the success of this phase was assisted by the flexibility of individuals within the University who without fail made themselves available at relatively short notice.
Outstanding Issues
There are no outstanding issues. However in order to achieve any tangible benefits from the project the following 3 projects should be initiated as proposed in the plan and approach report:
- Project 1 - Protecting Student Data in the EDW.
- Project 2 - Protecting Student Data in Central Business Services.
- Project 3 – Proposed Alternative Controls.