Expert Advice Community

Some questions about information security and virtualized environments

Guest user Created:   Mar 24, 2016 Last commented:   Mar 24, 2016

1.- We are an autonomous engineering college intending to become a deemed university. What are the relevant standards, apart from ISO 27001, that would help in running an Examination Branch of the University?
Antonio Jose Segovia Mar 24, 2016

2.- Confidentiality/non-repudiation of examination question papers is the big requirement. What technologies/processes do you recommend?

3.- Also, replacing desktops with thin clients for all operations... would it improve the security profile of the examination cell?

4.- With virtualisation becoming the order of the day, does it increase/reduce the security concerns? Are there any security controls in ISO 27001 related to virtualised environments?

Answers:
1.- I am not sure if I have understood your first question, but if you are interested in standards similar to ISO 27001, I mean related to information security, these standards can be interesting for you: ISO 27017 (information security controls for cloud services), ISO 27018 (protecting privacy in the cloud), ISO 22301 (business continuity), ISO 20000 (IT service management).

I recommend these articles to you:

“ISO 27001 vs. ISO 27017 – Information security controls for cloud services” : https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

“ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud” : https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/

“What is ISO 22301?” : https://advisera.com/27001academy/what-is-iso-22301/

“What is ISO 20000” : https://advisera.com/20000academy/what-is-iso-20000/

2.- From my point of view, it is very important here to establish strong access control (if the questions are in paper format, you can use a safe deposit box; if the questions are also in digital format, you can use Single Sign-On or an LDAP server and establish access privileges), and encrypting the information may also be interesting for you (this applies only to digital information; you can use, for example, BitLocker, a TrueCrypt fork, AES Crypt, etc. There are many technologies for this).

3.- Both are the same from the information security point of view: they are devices that you use to access information, and it is the information that really matters. So, in this case, if you want to improve your environment, try to improve how the information is accessed (for example, through a secure channel) instead of changing one device for another.

4.- Virtualization is another way to manage information, and there are threats/vulnerabilities specifically related to it, but if you perform a risk assessment & treatment you can reduce the risks related to these environments in the same way as in other environments. So, I am sorry, but virtualization does not increase/reduce the security concerns; it is simply another scenario where there are risks that you need to manage. And ISO 27001 does not have specific security controls for virtualized environments, but there are security controls for any environment (including virtualized environments): access control (A.9 of Annex A of ISO 27001:2013), cryptography (A.10), operations security (A.12), communications security (A.13), etc.

This article related to the risk assessment can be interesting for you: “ISO 27001 risk assessment & treatment – 6 basic steps”: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

And our online course can also be interesting for you, because we give more information about the risk assessment & treatment: “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/

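The answer to question 2 above recommends access control plus encryption for question papers held in digital form, while the question also asks for non-repudiation. As an added example (not part of the original thread, and not Advisera's or any product's code), the script below shows one way to cover both with OpenSSL: AES-256 encryption of the paper for confidentiality, and an RSA signature over the ciphertext made with a key only the paper setter holds, which is what ties the file to that person; a shared passphrase alone cannot do that, because anyone who knows it could have produced the file. It assumes OpenSSL 1.1.1 or later on PATH; the file names, passphrase, key names and sample paper text are all constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not code from the original thread or from any vendor.
# Assumes OpenSSL 1.1.1+ on PATH (needed for `openssl enc -pbkdf2`).
# File names, the passphrase and the sample paper text are constructed for illustration.
set -eu

# Key pair for the paper setter. In practice the private key stays on a smart card
# or HSM held by the setter, so only they can produce a valid signature.
make_keys() {
  local dir=$1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/setter.key" 2>/dev/null
  openssl pkey -in "$dir/setter.key" -pubout -out "$dir/setter.pub"
}

# seal_paper DIR PAPER PASSPHRASE
# Encrypts PAPER to PAPER.enc (confidentiality), then signs the ciphertext with the
# setter's private key, writing PAPER.sig (origin / non-repudiation).
seal_paper() {
  local dir=$1 paper=$2 pass=$3
  openssl enc -aes-256-cbc -pbkdf2 -salt -in "$paper" -out "$paper.enc" -pass "pass:$pass"
  openssl dgst -sha256 -sign "$dir/setter.key" -out "$paper.sig" "$paper.enc"
}

# open_paper DIR PAPER PASSPHRASE
# Verifies the signature first, so a modified or substituted ciphertext is rejected
# before any decryption happens; then decrypts to PAPER.dec. Non-zero status on failure.
open_paper() {
  local dir=$1 paper=$2 pass=$3
  openssl dgst -sha256 -verify "$dir/setter.pub" -signature "$paper.sig" "$paper.enc" >/dev/null 2>&1 || return 1
  openssl enc -d -aes-256-cbc -pbkdf2 -in "$paper.enc" -out "$paper.dec" -pass "pass:$pass"
}

# End-to-end run: seal, open, compare, then tamper with the ciphertext and confirm rejection.
demo() {
  local work
  work=$(mktemp -d)
  make_keys "$work"
  # Constructed sample question paper.
  printf 'Q1. Define non-repudiation and name one control that provides it.\n' > "$work/paper.txt"
  seal_paper "$work" "$work/paper.txt" 'exam-cell-passphrase'
  open_paper "$work" "$work/paper.txt" 'exam-cell-passphrase' || return 1
  cmp -s "$work/paper.txt" "$work/paper.txt.dec" || return 1
  # Tampering: any change to the ciphertext invalidates the signature, so open_paper must fail.
  printf 'X' >> "$work/paper.txt.enc"
  if open_paper "$work" "$work/paper.txt" 'exam-cell-passphrase'; then
    return 1
  fi
  rm -rf "$work"
  echo "sealed, verified, tamper detected"
}

demo
```

Two practical notes: `-pass pass:...` is used here only to keep the example self-contained; on a real host the passphrase is visible in the process list, so supply it with `-pass env:VAR` or `-pass file:PATH` from a credential store instead. And the non-repudiation property rests entirely on who can use `setter.key`: if the private key is copied to a shared drive, the signature proves nothing about who signed.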
badrinarayanamudiam Mar 24, 2016

1. Thank you. Would get back to you again.
2. If you have a case study /success story of ISO 27001 implementation in an academic institution/University, would appreciate receiving the details.

Antonio Jose Segovia Mar 25, 2016

There are many institutions/universities that have successfully implemented ISO 27001 with our templates; we have clients from all over the world and from all sectors (including education). Keep in mind that ISO 27001 is developed for any type of business. So it may be interesting for you to try our toolkit, and remember that if you buy it you will also have our support, so click on “DOWNLOAD FREE TOOLKIT DEMO” and try it! “ISO 27001 Documentation Toolkit”: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
