What is SURFaudit?
SURFaudit helps you get started with issues around governance, risk management and compliance.
This service consists of several products:
Information security & privacy assessment frameworks
To assess the information security and privacy status of your institution, SURF has developed the SURFaudit Information Security Assessment Framework and the SURFaudit Privacy Assessment Framework. They describe what the requirements are to meet a certain maturity level and form the basis of self-assessment and (external) audits. The assessment frameworks contain measures relevant to the security and continuity of corporate data and the privacy of staff and students within your institution. To get started with these assessment frameworks, you can attend one of our master classes.
It is becoming increasingly important to know where you stand with information security and privacy within your own institution, how the sector as a whole is doing, and how your institution is doing compared to the sector. The SURFaudit benchmark is a good way to find out. We aim for an average maturity level of 3 (on a scale of 5) for the whole sector.
SURF Security Baseline
This security baseline gives institutions concrete tools to better implement their information security. It also provides ICT suppliers with clear and standardised requirements to comply with.
With the Governance, Risk and Compliance (GRC) application, institutions can document their information security and privacy maturity and plan the necessary measures. In doing so, this application offers opportunities for a more risk-based approach. By introducing the same GRC application for the entire sector, institutions can work (together) more easily, learn from each other and thus grow in maturity together. The application will be available from 2024.
Cyber Threat Assessment
The Cyber Threat Assessment is a report that describes the biggest threats to the education and research sector in terms of information security. It includes an overview of incidents that have occurred in education and research organisations, current threats and relevant trends. The report is intended to inform administrators, policymakers and professionals so that they can discuss information security risks.
Risk management: risk assessment toolkit
To identify information security risks for your institution, you can use the risk assessment toolkit. However, information security risks should also be considered in conjunction with other security risks. This is why we work closely with the Integral Security community.