Effective Information Security Services

Provide effective Information Security services that protects UCL but also enables education and research to flourish

Effective Information Security is an increasingly critical consideration for UCL given the potential impact of a security breach on our reputation and our research and education activities. We need to increase our investment and focus in this area to ensure our staff and students are aware of information best practices and we implement technology to prevent and detect attacks.

Information security need to be an integral part of our technology design process to ensure security is a core consideration of any technology based project whether that’s for a new administrative application, infrastructure technology or other system. Besides providing effective information security technology, we also need ensure our students and staff are fully equipped to face an ever-growing array of threats in a connected world across their personal as well as professional lives. They have a central role to play in ensuring themselves and UCL are effectively protected.

Increasing awareness of information security matters and compliance with policies

Awareness and education of staff and students are key elements of an effective information security strategy; technology will never be sufficient on its own. With effective awareness and education, the technology needed for effective information security can be simpler and more flexible. This is important for a diverse research environment such as UCL where researchers and academics need the freedom and agility to adapt their approach to respond to new research challenges quickly.

Implementation of technology solutions to protect UCL

Alongside a comprehensive training and awareness programme, UCL also has a comprehensive information security technology investment programme to implement technology solutions aimed at preventing attacks but also detecting attacks when they occur and mitigating any impact. Unfortunately, details of the technologies already implemented or those planned cannot be provided in an open document such as this.

Provision of platforms for the secure processing of sensitive research data

UCL processes increasing amounts of sensitive data including patient identifiable medical data. Processing of this data 
is essential for the research we undertake but it must be processed in a secure manner. To demonstrate this, our funders are increasingly seeking compliance with external security standards such as Cyber Essentials, ISO 27001 and the NHS DSP toolkit. About five years ago UCL developed the first generation Data Safe Haven for the processing of sensitive medical data in a way that’s compliant with the highest security standard, ISO 27001. This facility was a first within UK HE and is now used by over 600 researchers across UCL. The most recent ISO 27001 audit in early 2019 was highly complementary about the security regime implemented for the Data Safe Haven. The existing Data Safe Haven is now reaching end of life 
and there is also a need for new processing capabilities that cannot be provided by the existing facility. Therefore, a second generation facility will be implemented and again this will be accredited to the most stringent information security standards.

Proactive security validation and compliance with security standards

Alongside training and investment in defensive information security technologies, we will also proactively probe our defences to identify any vulnerabilities that may be exploited by attackers. Our funders, especially government related, are also seeking compliance with security standards such as Cyber Essential even for research that does not involve sensitive data. Therefore, we will seek UCL wide accreditation against this and other necessary standards.