“Educational institutions are exposed to major risks, and can suffer damage to their reputation or find themselves in trouble as a result of DDoS attacks and the like”
Handbook and roadmap
The taskforce's remit was to produce a handbook on information security for the MBO sector. Among other things, this includes a framework of standards and benchmarks for information security and privacy. The idea behind this is to minimise the risks for the sector, says Doffegnies: ‘We've compiled an MBO roadmap which all the educational institutions have received. It contains an information security model based on ISO 27001 and 27002. It also includes a model for processing personal data, based on Dutch legislation and regulations. We also added implementation scenarios for small and large institutions. This is practical information that can be applied directly.’
The work was completed in 2015, and on 1 January 2016 the products were transferred to the present organisation. There has also been a comprehensive training programme, which the majority of institutions have attended. ‘They now all have at least one member of staff who knows the ins and outs of this,’ says Doffegnies. ‘This is one small step on the way to appointing a security officer. And we've pushed awareness of this issue out into the mainstream. Communication and the acquisition of expertise have also been key factors. The institutions have been given a great deal of documentation and standards.’
According to Doffegnies, SURF's position in this debate has been hugely important: ‘A lot of material had already been developed for the higher education sector, and the vocational sector got a lot from this. We've used SURF's policy models as a framework and applied them to vocational training. For example, we're currently working on an MBO cloud, and we've rewritten the legal framework that was available from SURF for this.’
Different information security levels
Doffegnies emphasises that in spite of these good results the vocational sector still has a way to go: ‘We've defined a benchmark for information security. This includes the different information security levels that can be achieved. 20 institutions used this benchmark as part of a self-assessment process – in fact that also came from SURF. We shared the results of this with each other. This gave us a good idea of where we're currently at, and we can see what things an institution needs to tackle in order to reach the next level.’