SURF helps institutions of higher education to secure information. We develop common policies and tools. We support education institutions in striking a balance between security, privacy assurance, accessibility and usability.
Information security guidelines
Universities of applied sciences and research universities have a lot of information security knowledge and experience. SURF has brought this knowledge and experience together for a number of frequently occurring issues and questions in guidelines and starter kits that will quickly help you to develop information security at your institution.
Model Information Security Policy
The Model Information Security Policy makes it easy for you to set up a policy for information security or to revise the existing policy. This model makes it easy to exchange experiences in information security with other institutions. The model consists of a ready-made, complete security policy (in Dutch) and explanation of its use (in Dutch). The steering committee on information security and privacy in higher education advises higher education institutions to use this model as the basis for their security policy. A baseline document on information security is also available (in Dutch). This baseline describes the basic measures to be introduced by an education and research institution and the additional measures required for highly sensitive data. The detailed list of measures is available in the SCIPR collaborative environment.
Information security in vocational education and training ('mbo')
In 2014, SaMBO-ICT worked with SURF and Kennisnet to launch the Information Security Policy Taskforce to encourage information security in vocational education and training ('MBO'). This Taskforce uses higher education materials and has brought these together for MBO.
Information Security Starter Kit
The Information Security Starter Kit (in Dutch) describes the 5 phases an organisation has to go through to set up and enforce information security. The starter kit can also be used as a reference tool to see how your institution is doing. It starts with some simple steps to achieve quick results and it ends with a description of process-based information security assurance in the organisation. SCIPR [https://www.surf.nl/en/services-and-products/security-communities/scipr…] created the starter kit.
Business Continuity Starter Kit
The Business Continuity Starter Kit describes a pragmatic approach to set up and maintain continuity plans. The described methodology will make the way you provide information more robust in just a few months. The starter kit consists of a main document and a large number of sample documents. These can be accessed by the SCIPR participants. SCIPR created and updates the starter kit.
Acceptable Use Policy Guidelines
The Acceptable Use Policy Guidelines describe how your institution can best draw up an application regulation for information services to employees and students. The guidelines include 2 usable model Acceptable Use Policies: 1 for employees and 1 for students. Both are available in Dutch and English. SCIPR keeps these guidelines up-to-date. The 2013 review takes into account social media and cloud computing.
Integrity Code Guideline
A number of institution employees have access to a great deal of confidential information – such as personnel data and study progress data – for their work. Administrators especially are expected to handle this with integrity. The Integrity Code Guideline (in Dutch) offers some guidance in this respect. The guideline contains a practical and usable model integrity code. SCIPR continuously updates the guideline.
A classification of information and information systems makes it possible to devise tailored information security. By taking the right amount of security measures, institutions hedge the risks associated with the provision of information and the possible impact on the organisation. The classification system deals with the security aspects of availability, integrity and confidentiality and takes into account different levels of security. SCIPR updates this guideline and publishes an updated version regularly. The questionnaire associated with the guideline is available on the private SCIPR Intranet site. Opposite you will find an overview of the 25 most common ways of processing personal data (in Dutch), with CIA triad classification. You can also use the Privacy Impact Assessment (PIA) guide (in Dutch) for the classification of systems that process personal data.
- SCIPR Classification Guideline (in Dutch) - December 2015 version
Guideline for the Information Security Officer Job Profile
The Guideline for the Information Security Officer Job Profile (in Dutch) gives job descriptions for the most common security jobs. SCIPR created the guideline together with the 'Platform voor Informatiebeveiliging'. This platform also offers a more extensive and generally applicable version with job profiles (in Dutch).
If you are an information security officer in higher education, you can also obtain the available documents in Word format on the SCIPR Intranet site or contact Remco Poortinga.