Policy changes will boost cyber resilience at colleges and universities

Jisc has implemented policy changes designed to strengthen cyber security across the research and education sectors.

Following consultation last summer, updates have been made to the policy  governing the use of the Jisc-run national research and education network, Janet, to which all UK colleges, universities and research centres are connected. 

Effective from 1 April, 2022, there are three updates to the policy:

1. A new obligation for connected organisations to undertake an annual self-assessment of their security posture.
2. Expansion of the existing geographic location IP blocking restrictions.
3. Extension of Jisc’s computer security incident response team’s (CSIRT) remit to perform vulnerability scans across the Janet Network as a whole.

Jisc’s head of Janet policy and strategy, Dr John Chapman, explains:  

“We’ve made the policy changes against a background of increasing threats and on the basis that raising security standards at individual organisations will help the resilience of the whole sector. 

“For example, ransomware, which, according to our 2021 cyber security posture survey, is currently the number one threat to further and higher education institutions, can spread among connected organisations.

“So, it’s important that individual research and education organisations understand their cyber security strengths and weaknesses. An annual self-assessment will help achieve this.

“For now, institutions can use whatever assessment methods works best for them, but we will be collaborating with members through our security community group to see if there is a consensus on which method works best or whether we should work together to develop a sector-specific model. 

“Colleges and universities don’t have to give us the results of their assessment, although we encourage them to share. The data, which will be confidential, will help Jisc to identify key problem areas and plan how to support the sector to find solutions.” 

As part of Jisc’s obligation to protect members’ connections to the Janet Network, the updated policy will also allow it to block access to more high-risk protocols or ports. 

Currently, the GeoIP restrictions only block the remote desktop protocol because this is often used as a vector for ransomware attacks. The restrictions will also shift from an opt-in control to being on by default.  

Finally, Jisc’s computer security incident response team’s (CSIRT) remit to scan the network only in exceptional circumstances is being extended to allow for proactive scans in response to critical vulnerability alerts or threat intelligence.