SURFaudit benchmark information security 2021: steps taken toward cyber maturity, ambition level not yet achieved
Ambition: average maturity level 3
In late 2019, the serious ransomware incident at Maastricht University took place. In response, the institutions and the education umbrella organisations Universities of the Netherlands and Association of Universities of Applied Sciences expressed the ambition to achieve an average maturity level of 3 (on a scale of 5) for the entire SURFaudit Toetsingskader Informatiebeveiliging. Maturity level 3 means that the documentation is in order, there is generally formal approval by the board and that implementation of the measures is demonstrable, tested and effective.
Results SURFaudit benchmark information security 2021
The results (PDF, in Dutch) show that steps have been taken since the 2019 benchmark. However, the report shows that with an average score of 2.2 on the 2021 benchmark, the ambition to reach an average maturity level of 3 has not yet been achieved. Institutions need more time to put their information security processes (better) in place; as a 1 step increase in maturity level will soon take several years.
Taking resilience-enhancing measures together
A number of topics lend themselves well to a joint approach: information security risk management, logging and monitoring, control of cloud use and outsourcing. The CISOs of the universities and colleges have already identified these topics as spearheads. In the SURF Innovation Zone 'State of the art Cyber Security', too, these topics are further elaborated in collaboration with the institutions. Thus, as a sector, we are jointly taking unambiguous resilience-enhancing measures.
About the SURFaudit benchmark
The SURFaudit benchmark measures the maturity of the higher education sector in terms of cyber security using management measures from the SURFaudit Information Security Assessment Framework. Read more about SURFaudit benchmark.