SURFaudit Framework of Standards
SURFaudit uses the Framework of Standards for Information Security in Higher Education, which specifies what your institution must put in place as a minimum in terms of security and continuity in order to protect business data and the privacy of students and staff. This forms part of the Framework for Information Security in Higher Education.
The framework of standards used by SURFaudit is based on ISO 27002:2013, the most widely accepted international standard in the field of information security. From this ISO standard we selected those controls that an educational institution must put in place as a minimum. Among other things, this selection is based on SURF's Cyberdreigingsbeeld 2015 (PDF, in Dutch), which describes the key threats to the education and research sectors in the field of information security.
The Framework of Standards also incorporates all of the privacy factors referred to in the Dutch Data Protection Authority's guidelines on Personal Data Security (2013, in Dutch). The most recent version of the Framework of Standards was published in 2015.
The standards have been grouped into 6 clusters:
- Policy and organisation.
- Staff, students and guests.
- Rooms and equipment.
- Confidentiality and integrity.
- Monitoring and logging.
In addition to the Framework of Standards, an Assessment Framework is also available. This describes, for each measure in the Framework of Standards, the criteria that must be met if a particular level of maturity is to be achieved. The Assessment Framework was drawn up in close consultation with the educational institutions' internal auditors and subsequently agreed with external auditors. The latest version was produced in conjunction with the vocational training sector.
In a self-assessment or audit, the institution's performance against each measure is scored using the COBIT Maturity Model (CMM):

| Level | Name | Description |
|---|---|---|
| 0 | Non-existent | Processes are not applied. |
| 1 | Initial/Ad hoc | Processes are organised in an ad hoc manner and are heavily dependent on individuals. |
| 2 | Repeatable but intuitive | Work is done in a consistent way, but the process is not formally documented. |
| 3 | Defined process | Processes have been documented and are known to those involved. |
| 4 | Managed and measurable | Processes are managed, are part of an improvement cycle (PDCA) and are measurable. |
| 5 | Optimised | Improvements are made as a matter of course and best practices are followed. |
During the biennial SURFaudit benchmark, the results of the participating institutions are averaged and performance against the baseline is determined for each cluster. The baseline indicates the recommended CMM level for each measure in the Framework of Standards, based among other things on the risks identified in the Cyberdreigingsbeeld (Cyber Risks Report). The recommended level is always one of the following:
- The measure is so crucial that regular review (PDCA) is essential: CMM level 4.
- The measure is so basic that it must simply be implemented: CMM level 3.
- Based on the analysis in the Cyber Risks Report, the measure is classified as essential: CMM level 3.
- All other measures: CMM level 2.