UCISA-Eduserv Award for Excellence 2011 Application Form

Development of Online Information Security Training

Institution Name: University of Leicester
Originating Department: Information Assurance Services
Contact Name: Colin Atkinson, ca46@leicester.ac.uk

NOTE: This project is a collaborative development initiated by the University of Leicester and undertaken in conjunction with the University of Leeds, Cranfield University, Imperial College and the University of York. This submission is on behalf of the contributing universities.

Objective of the Project

1. In the current financial climate it can be difficult to obtain funding even for key developments, and for a topic such as Information Security, which by its nature doesn't generate great enthusiasm, it can be even more of a problem. The solution often proposed to address such funding problems is to consider collaborative developments. Within the higher education sector, such developments have a very mixed track record with only a few that can be said to have really delivered. It is therefore pleasing to be able to put forward a collaborative development that has not only successfully delivered as promised but has produced a product of a quality that would have been difficult to achieve by a single institution.

2. The initial objective of the project, as defined by the University of Leicester, was to develop at minimal cost, high quality training in the area of Information Security suitable for all staff, designed to meet the specific needs of the Higher Education sector which could be delivered online and for which completion was auditable. The quality of the training had to be of a high standard which would be effective in promoting the secure management of information, reducing the risk of information security breaches and satisfying audit and regulatory requirements.

3. The above is clearly a requirement for all institutions. As a collaborative development, this objective was extended to include a requirement for flexibility in the training to accommodate institutional variations in structures and practices.

4. As a collaborative development a further objective was to provide proof of concept as a development model with the specific aims of demonstrating that:
- there is sufficient commonality in practices across institutions to allow collaborative developments;
- the approach offers scope for considerable cost savings;
- a higher level of quality can be achieved by working collectively than individually;
- the resulting training would have wider application across the sector.

Description of the Project

Background to the project

5. Following completion by the University of Leicester in 2010 of the revision of its Information Security policy, as part of its implementation it was necessary to provide training to all staff in the requirements of the new policy. Simply drawing staff's attention to the new policy would certainly not be effective and classroom-based training would be expensive and extremely time-consuming to deliver. Clearly, training delivered on-line was the way forward.

6. The University considered commercial training products in this area but there was nothing available that met the specific needs of the higher education sector in terms of its processes and its organisational structures. In any event given the relatively high staff numbers to be trained, the cost would have been prohibitive.

7. The University was not in a position to develop training materials in-house. Available funding was not sufficient to develop training to an acceptable standard and within a reasonable timescale. As it was probable that other institutions had a similar training requirement and faced the same problems, consideration was given to whether there was scope for a development in collaboration with other institutions. Expressions of interest were sought and in January 2011 a development group was formed consisting of the University of Leeds, Cranfield University, Imperial College, the University of York and the University of Leicester. As none of the institutions had technical resources available to undertake the development it was agreed it would be necessary to employ the services of an e-learning development company.

8. It was recognised that any training developed may be of interest to other institutions in the sector. Whilst the group did not see it as a commercial venture it did provide an opportunity to work with an e-learning development company on more advantageous terms given there was a prospect of a broader market. As a consequence, the group formed a consortium in association with Epic, an e-learning company based in Brighton, who had previously developed high-quality training materials in this field for the government. In February 2011 the project was launched.

Development

9. The project followed a standard approach for the development of training materials and went ahead with Epic providing the technical design and development expertise and the universities providing the training design and content. For the universities, the principal contributing partners were the University of Leeds, Cranfield University and the University of Leicester.

10. It is often at the development stage where many cross-institutional developments have failed due to trying to accommodate every requirement of each collaborator which has led to large unwieldy products and extended timescales. For this development a very tight focus was maintained on learning objectives for which there was considerable agreement and which permitted the accommodation of local variations and needs to be addressed at a later stage.

11. In terms of quality of the material produced it was highly beneficial to have input from the information security specialists of three universities which gives greater confidence that it meets the information security training needs of the higher education sector. It is unlikely that a single institution could have achieved a similar level of quality in the given timescales.

12. The training that has been produced is highly relevant to the sector in terms of governance, organisational structures, and teaching and research processes, and it does so in a way that is extremely engaging and pitched in a manner that is both understandable and acceptable to staff.

13. It offers the following features:
- In terms of scope it meets not only information security needs but also more specifically data protection and freedom of information requirements.
- In addition it meets the specific requirements of research staff.
- It is focused on higher education institutions.
- It uses accessible language and features everyday examples.
- It is customisable. It is possible to edit the training to meet local variations in organisational structures and specific detailed policy requirements.
- Completion by staff is trackable. The training is deliverable online and it is possible to identify who has accessed and completed the training.
- It can be delivered through both Blackboard and Moodle.
- The time required to complete the training for most staff is 45 minutes with an additional 15 minutes aimed at researchers.
- It is not necessary to complete the training in one sitting. Staff may complete the training at their own pace and convenience.

14. Feedback from both academic and administrative staff and at all levels, has been extremely positive, even to the extent of an eagerness and interest to complete the training being demonstrated! Screenshots from the training are given in Appendix A.

15. Much of the development work has been done at a distance with only an occasional need for meetings. The only difficulty encountered in the collaborative approach has been the availability of institutional staff given their other commitments.

16. Official sign-off of the final product will take place at the end of January 2012 and it will be rolled out at the University of Leicester immediately in February. Overall, the project has met its objectives and has demonstrated that institutions can work effectively together to develop high-quality products that are acceptable to each institution and in an extremely cost-effective manner.

Return on Investment

17. The training has been developed by the participating universities in conjunction with Epic on a consortium basis. The contribution by each university to the development by Epic was 5,000 excluding VAT.

18. The main cost to the institutions, however, is in terms of staff time, and in this respect the three leading consortium partners, the University of Leeds, Cranfield University and the University of Leicester have borne the bulk of the cost. A precise figure is not available but it is estimated that these three institutions provided in total 210 days effort.

19. The true total cost of the development to the consortium is therefore probably of the order of 80,000 which at an average cost of 16,000 per institution represents extremely good value for a bespoke training solution.

20. With regard to the return on this investment the partner institutions now have a training resource for a key area which may be rolled out to all staff without restriction, including current and new, and at a cost in pounds per head which is in single figures. In addition, the delivery of the training online will give significant savings in staff time that would normally be spent attending training.

21. It is intended that the training will be made available to interested parties within the sector which will generate a limited amount of income for the consortium. It must be stressed, however, that the participating universities have never seen this as a profit-making exercise and have taken steps to ensure that the training is made available to the sector on a reasonable cost basis. It is also a possibility that any revenues generated may be used to develop further training modules of benefit to the sector.

22. The biggest return on the investment however is the reduction in the risk to institutions. If the training is effective in preventing a single significant breach in information security at an institution it will more than have recouped the cost of the development.

Demonstration of Excellence

23. The training module that has been developed is unique to the sector. There is no comparable alternative product available. It goes much further than simply making staff aware of information security - it places it in the context of the working environment of a higher education institution.

24. The quality of the product is extremely high. It has been developed in conjunction with a highly regarded e-learning company and in terms of content has benefited considerably from the input of professional staff in the field of information security at three leading institutions.

25. It is not, however, just the quality of the delivered product that is remarkable. Of equal significance is that this has been done on a minimal cost basis both in terms of development of the training and in its delivery.

26. More importantly the consortium approach has proved to be a successful model which will benefit not only the consortium members but also other institutions within the sector. It is clearly highly effective in the area of training, and interest has already been expressed in the areas of staff development generally and other areas such as Health and Safety, but there is no reason why the approach cannot be successfully followed for more technical or systems developments.

27. As a collaborative venture the key success factors appear to have been keeping a very tight focus on the broader objectives and not on local practices, and by limiting the collaboration group to a manageable size.

Strategic Benefit

28. Failure to effectively implement information security policy and good practices can be extremely damaging to an institution. An institution depends on information for virtually every activity. If it cannot guarantee the confidentiality, integrity and availability of its information then it can completely undermine its work.

29. In addition there are significant external drivers. A single breach in information security can be highly damaging to an institution's reputation and seriously affect its ability to attract research and students.

30. An institution must not only provide appropriate training for all staff but must also be able to demonstrate that such training has been completed. It should be noted that the Information Commissioner is not fining organisations for data security breaches but for failures in organisational controls, and in particular failure to provide adequate training for staff in information security.

31. The key strategic value of the provision of information security training is that it significantly reduces the risk of a breach and in the event of a breach occurring it can significantly reduce its impact. Furthermore, information security training tailored to meet the sector's needs and with auditable delivery, provides significant evidence that an institution takes information security seriously and is taking appropriate steps to protect information.

Transference of Best Practice

32. Even in advance of the training course being marketed by Epic, the development has attracted a lot of interest, and the University of Leicester has been invited already by the HE and FE Records Management and Information Compliance Group to give a demonstration at its next meeting. There is clearly a gap in the market for training specifically tailored for the sector.

33. As noted above the training course will be made available to other institutions as a commercial offering but at a very reasonable cost. In this respect the material has been designed to allow customisation to meet different institutional needs.

34. As a model the consortium approach has been very successful and can clearly be adopted and applied in other areas of development. The participating universities would be happy to work with other groups in advising on the set up of consortia and their operation.

Names of staff involved

University of Leicester
- Colin Atkinson, Director of Information Assurance Services
- Mark Maynard, Communications Specialist and Student Advocate, IT Services (Project Manager - Training Course Development)
- Henry Stuart, Senior Information Assurance Officer
- Nick Adkins, IT Services (Project Manager - Information Security Policy Implementation)

University of Leeds
- Kevin Darley, IT Security Co-ordinator

Cranfield University
- Gary Dooley, Information Security Specialist

Imperial University
- Chris Roberts, IT Security Manager

University of York
- Arthur Clune, Information Security Officer

Support of Institution Representative

University of Leicester

35. I'm really impressed with the quality of the material. The team has really applied their imaginations here. It's already helping us to raise the profile of information security as an issue and it was an added bonus to be able to tell our VC that we had saved money by collaborating. Hope this will let other institutions do the same.

Mary Visser, Director of IT Services, University of Leicester

Appendix A