Established in 1966 as the West Australian Institute of Technology, Curtin University is a leading academic and research facility. With campuses in Perth, Kalgoorlie, Dubai, Malaysia, Singapore, and Mauritius, Curtin has more than 56,000 students. Academic faculties include business and law, science and engineering, humanities, and health sciences.
On the research front, Curtin is active in a diverse range of areas including communities and changing environments, resources and energy, IT and communication, and health.
The challenge of funding
Like all tertiary institutions with active research programs, Curtin is reliant on attracting grant funding to support its physical infrastructure and academic teams. Funding is sourced from government bodies as well as private-sector firms.
“It’s a matter of making yourself as attractive as possible for potential research partners,” says Richard Addiscott, Director IT Planning, Governance and Security at Curtin University. “We need to be constantly looking for ways in which we can ensure the University is regarded as a trusted partner and becomes the natural choice for industry, government, and other academic institutions seeking to collaborate in cutting-edge research initiatives.”
To support this goal, a decision was made in early 2016 to improve the information security credentials of two of the university’s research groups: the Health Systems and Health Economics (HSHE) group within the Health Sciences Department and the Centre for Data Linkage (CDL) housed within the Centre for Population Health Research.
“My team and I saw it as critical that information security should be seen as a business enabler rather than an inhibitor, which is how it’s often been viewed in the past,” says Mr. Addiscott. “To do this, we worked with the Research Office at Curtin to identify opportunities where attaining certification against the internationally recognised ISO 27001 information technology security standard would be of strategic benefit.”
Research Theme Leader for Curtin’s Health Systems and Health Economics group, Dr. Suzanne Robinson, says they were supportive of the initiative from the outset. “From a researcher’s perspective, data governance and security are a fundamental part of our work and of attracting research funding. It’s an exciting time when we consider the potential we have in relation to data and research. Having ISO 27001 accreditation allows us to demonstrate our commitment to data security and provides a framework for us to assess our standards and approaches, which in turn gives confidence to our industry partners.”
A strategic approach
The first step in the process was to explain to the research groups what was involved and the benefits it would deliver. Buy-in for the project was also sought from the University’s senior executive team and funding secured.
“We also undertook a visit to Monash University in Melbourne where the certification had already been achieved,” says Mr. Addiscott. “After seeing firsthand the processes they had followed and the business benefits they had obtained, it was clear that we needed to go down the same path.”
The Curtin information security team recognised that it would only achieve its certification goals with proactive collaboration and assistance from its internal stakeholder groups, including time and effort from the CDL and HSHE teams. It was also clear that the team would need assistance from an experienced external partner. After reviewing a number of alternatives, an agreement was signed with CQR.
“We could see CQR clearly had the experience and expertise to help us through the certification process,” says Mr. Addiscott. “I wanted people who understood security from a risk and compliance perspective as well as a technical perspective, and CQR was able to cover both areas.”
The first phase of the process began in early 2017 and involved a series of workshops led by the CQR team. These were designed to establish the scope of the project and confirm which areas and research teams would be involved.
Mr. Addiscott says it’s important to be conservative and limit the scope for the certification environment in the first instance, and to focus on specifically defined areas. “You don’t try and eat the elephant all at once, but instead take bite-sized chunks over an extended period,” he says. “Once you have achieved certification in one area it is then easier to extend it to cover others in the future.”
The project’s second phase involved careful assessment of all the information assets that currently existed within the defined areas that were to be certified. This included everything from stored data and servers to desktop PCs, mobile devices and network infrastructure.
The team then undertook the third phase in which CQR conducted a series of risk and asset assessment workshops. All security products, services and procedures already in place were evaluated to determine whether they were providing a sufficient level of protection. Any gaps were identified and steps established to have them closed.
“At the end of the process, we had created a comprehensive Information Security Management System (ISMS) that set out all the policies and procedures needed to keep the research team’s data secure at all times. This is the foundation for achieving ISO 27001 compliance.”
With the ISMS complete and all security measures and procedures documented, CQR undertook a complete internal audit. Every component of the certification scope was reviewed to confirm that the university would meet each requirement of the standard.
“A team of external auditors from SAI Global then came to the university for the formal evaluation. I am pleased to say that, thanks to the work undertaken by our IT team and CQR, we were awarded full ISO 27001 compliance on our first attempt in 2017.”
An ongoing process
With the certification now in place, attention is shifting to finding other areas within the University that could benefit from following the process.
“We are also seeing a flow-on, ripple effect from the work that has been completed,” says Mr. Addiscott. “It has led to increased security awareness and experience across Curtin’s broader IT team, enabling us to set about continuously maturing our security practices across the spectrum from password management to penetration testing.”
While certification has been achieved, it is certainly not a one-time activity. Procedures and security measures must be constantly evaluated to ensure they meet the strict criteria at all times. This involves an annual review which must be passed for the ISO 27001 certification to be retained.
“CQR will continue to assist us with this process going forward,” he says. “With their proven track record of experience in providing information security services to health organisations and to educational institutions, I’m confident they will remain a valued partner to the university.”