8–10 Apr 2025
Grandior Hotel
Europe/Amsterdam timezone

Security Days Organisational Committee

Support from CEDIA's SOC-CSIRT in the Implementation of EGSI in HEIs of Ecuador

8 Apr 2025, 15:30
25m
Aplaus + Bravo Room (Grandior Hotel)

Prague, Czechia
Single Presentation (25 min) Presentation SOC

Speaker

Mr Jorge Merchan (CEDIA)

Description

Presenter: Jorge Merchán
Authors: Jorge Merchán, Badí Quinteros

In recent years, Ecuador has approved regulations for information security, including the Organic Law on Personal Data Protection (LOPDP) and the Information Security Management System (ISMS). These regulations are mandatory for both the public and private sectors, including Higher Education Institutions (HEIs).

CEDIA's SOC-CSIRT supports the implementation of the Information Security Management System (ISMS), a regulation updated in 2024. This version includes the same controls as ISO 27002, with implementation elements tailored to the reality of our country.

CEDIA provides security components and guidance for the implementation of the EGSI (Ecuadorian Information Security Management System). These services are offered to over 80 higher education institutions, each with its own characteristics, so a solution that fits one institution may not fully fit another.

The support encompasses several areas:
1. Technological: Assisting institutions in adjusting their current tools and services to align with regulations, and exploring new basic tools or services to ensure compliance and mitigate IT risks, all while considering financial constraints.
2. Organizational: Driving changes in organizational structures, including creating new departments, adapting existing ones, and updating documentation, among others.
3. Training and Awareness: Raising awareness from top authorities to operational staff, explaining responsibilities, actions to take, and the knowledge required at each hierarchical level in response to incidents.
4. Administrative: Identifying the best ways to manage financial, operational, and human resources to adjust processes to current regulations.
5. Regulatory: Adapting internal regulations to include the information security measures needed by each institution.
6. Conflict Resolution: Implementing information security often encounters resistance from certain actors within institutions. Negotiation and understanding skills enable internal process adjustments to be coordinated and proactive.

An essential aspect that CEDIA, through SOC-CSIRT, has achieved is understanding the realities of institutions and adapting information security to core activities such as Administrative Management, Research Management, and Academic Management. Adjustments in each area require specific expertise and expert collaboration to ensure that incorporating information security does not have a negative impact and that the implementation process is gradual.

This presentation allows the audience to learn about CEDIA's experience with HEIs in implementing information security regulations, the challenges encountered, and how they were addressed. It aims to elevate the discussion around implementing information security as a comprehensive approach, not solely focused on cybersecurity.
The audience will be interested in understanding the outcomes of the implementation, including how institutions have improved their security posture with the support of CEDIA's SOC-CSIRT.

Author

Mr Jorge Merchan (CEDIA)

Co-author

Badi Quinteros (CEDIA)
