You are here
An institution like the VUB is charged with a huge amount of information. And in an age of data leaks, hacking and cyberattacks, there must be more caution in the way this information is handled. The Informatieveiligheid en Privacy Comité (Information Security and Privacy committee or IVP) at the VUB is launching an awareness campaign. Chief Information Security Officer and Security Consultant Jan Paredis explains why it’s a question of everyone being responsible.
In the framework of good governance, the VUB has committed to respecting the security and privacy of personal data, the security and confidentiality of non-personal data, and the legal requirements related to this data.
‘To be able to do that well, the VUB is following the CIA rules,’ says Jan Paredis. And no, he isn’t talking about the American intelligence agency. ‘CIA stands for Confidentiality, Integrity and Availability of information. We need to ask ourselves who has access to certain information, whether it can be changed without permission and whether for how long it’s available.’ The VUB is responsible for all information, regardless of its form (written, spoken, printed, stored, sent electronically or by post), the phase in its life cycle (between origination and destruction) or its location. ‘For all clarity: everyone who is linked to the VUB is responsible.’
Who is responsible for what data?
25 May 2018 is not going to pass by unnoticed at the VUB. As from this date, non-compliance with the European GDPR legislation is a punishable offence. ‘In this framework, our Data Protection Officer, Audrey Van Scharen, is working on the privacy protection of all personal information. As Chief Information Security Officer, I’m focusing on the protection of all information; this includes the protection of non-personal information. The first step that we are taking is to make an inventory of all data, indicate who is responsible for which data. In the future, this person will need to classify the data to determine its degree of confidentiality and required security.’
VUB: it’s like 100 SMEs
According to Jan Paredis, the goal of the IVP campaign beginning this week is, first of all, awareness. ‘Unlike a commercial company with a strong hierarchical structure, the decision-making at the VUB is very decentralised. You can compare our university to 100 little Small and Medium-sized enterprises (SMEs) that work together in a wonderful way. But that’s also exactly where the danger is lurking. Because when it comes to security and privacy protection, everyone needs to be on the same page. IVP is the responsibility of every employee. No one can assume that just the ICT team is responsible. Especially considering the size of the information streams within the VUB. I’m going to use info sessions to guide every individual faculty and central department in understanding the process.’
Info sessions for all faculties and central departments
Jan Paredis will soon contact all the faculties and central departments to set dates for these sessions. They last approximately one hour. ‘In these info sessions, I’ll explain what the IVP policy includes, what we are doing and what we expect from everyone else working at VUB. During each session, I’ll go through a few practical standard procedures such as password management, computer protection and document protection via Office 365. I will also highlight the safest way to use our network.’
New website and online training
A special new website is being launched. ‘At ivp.vub.be, employees can read the latest information about IVP. The rule of thumb: if it’s not there, it hasn’t been officially reviewed by the IVP.’ An internal poster campaign and the distribution of webcam covers underline the importance of security and privacy awareness. ‘But it’s not stopping there,’ says Jan Paredis. ‘We are offering everyone at the VUB the opportunity to follow online modules. There is a package of eight short modules. Each of them takes an accessible approach to teaching how to handle phishing emails or how to protect your password. For phishing mails, a major cause of security problems, we are also going to run an under-the-radar campaign. By sending emails to various employees, we are going to seduce them into clicking on a specific link. This leads them to a fake website where we explain why it’s best to think before opening an email or clicking on a link.’
Tip of the day: what do you do about phishing emails?
Leading into the info sessions, Jan Paredis is already giving a few tips. ‘Be careful with incoming email traffic. If you have doubts about the trustworthiness of the sender, without clicking on it, you can simply move your cursor over the link and in the window below, you’ll see which website you’ll really be directed to. If you don’t know the site, don’t click! You’re also often able to recognise phishing emails from the poor use of language. Always ask yourself whether you were expecting an email. If you have any doubts, don’t open or click on the email, but contact the helpdesk: email@example.com. And the most important tip: follow the online training sessions!