Below is a table that asks basic questions about Security Administration. If you can answer yes to them all, you are doing fine. If you are answering some of the questions with a 'no' or 'sometimes', then the table recommends some actions for you to take.
| Question | Recommended action |
| --- | --- |
| 1. Have you defined the scope and objectives of the Security Administration function? | Define the scope and objectives of the Security Administration function. Doing this will help you to put in place the resources needed to ensure ICT security in the school. |
| 2. Have you identified all information assets and key services? | It is vital to identify all information assets and key services in order to develop security strategies for each asset and each service. Undertake an exercise to identify and document these, and then maintain the document as part of the FITS Change Management process. |
| 3. Have you rated all of the information assets, basing your rating on a defined classification system, and taking into account criticality, confidentiality and relevant legislation? | Define a classification system for your school's information assets and key services. This will enable you to deploy effective security strategies based on the relative importance of each information asset or key service. |
| 4. Have you assessed the potential security threats, along with the likelihood of occurrence and potential business impacts, for each information asset and key service? | Conduct an assessment of the potential security threats, along with the likelihood of occurrence and potential business impact, for each information asset and key service. This will enable you to prioritise the risks and take mitigating actions in order of importance. |
| 5. Are cost-justifiable physical and logical controls in place to mitigate the risks? | Undertake a security risk assessment and, using the risks identified, put in place any cost-justifiable physical and logical controls to mitigate them. |
| 6. Does your school maintain physical and logical security controls? | Define, document and implement a process for maintaining physical and logical controls. This might include obtaining regular updates from suppliers' websites and reading specialist journals and supplier bulletins. |
| 7. Do you monitor for security breaches (eg unauthorised access) and security control failures (eg firewall not functioning)? | Define, document and implement a process that enables you to proactively monitor the physical and logical infrastructure for security breaches and security control failures. |
| 8. Do you have an up-to-date ICT security policy that all staff, contractors and third parties are familiar with? | Develop an ICT security policy, have it agreed by senior management and make it available to all staff. Run regular awareness programmes to ensure that all staff are familiar with its contents. |
| 9. Are there clear disciplinary procedures for breaching the security policy? | Develop a disciplinary procedure for anyone at the school who breaches the security policy. Make all staff and students aware of the procedure and of any changes made to it. Have details of the procedure included in all induction for new staff. |
| 10. Do you assess all requests for change for their impact on ICT security? | In concert with Change Management, develop a procedure for having all changes referred to Security Administration for assessment. Ensure that sufficient procedures exist for Security Administration to veto changes or delay their implementation while you put in place any security measures needed to support the change. |
| 11. Do you conduct regular tests to check that all physical and logical controls are performing as expected? | Develop a testing plan to verify the performance of the physical and logical controls. Use third-party specialists to undertake intrusion tests in addition to your standard tests of physical and logical controls. Maintain the testing plan under FITS Change Management. |
| 12. Do you log all security-related incidents and, where appropriate, carry out post-mortem reviews to make sure that lessons are learned? | In concert with the Incident Management process, define, document and implement a procedure for recording all security incidents on a single incident-logging system to the standards defined in Incident Management. Hold post-incident reviews to feed any lessons learnt back into the process, involving Problem Management processes where appropriate to address the root cause of incidents. |
| 13. Does the function have an owner responsible for its day-to-day management and ongoing development? | Establish a single point of ownership and accountability for the Security Administration function. You can charge this person with implementing the recommendations in Security Administration through a programme of continuous improvement. |
| 14. Are those performing the activities in Security Administration aware of how to do so? | Give staff access to training material and provide experienced staff to help them learn the activities. Run an improvement programme to increase awareness of the function. |
| 15. Are the ICT users aware of the Security Administration function and complying with policy and procedures such as new user account requests? | Obtain the commitment of all school managers with staff responsibilities to demonstrate compliance with the security policy. Mount an awareness campaign to make all appropriate personnel familiar with the contents of the security policy and the role of Security Administration. |
| 16. Do you document the activities of the Security Administration function? | Without documentation, the function is open to interpretation and will lack a consistent approach. Document the activities and make this documentation available to all staff performing them. The documentation can be used in training and as a reference point. |