In addition to connecting institutions and people, with presence in all federative units in the country, the National Education and Research Network (RNP) also started to expand the work of information security to the countryside of Brazil. And is doing it up close: more than working in partnership with the Ministries of Brazil, which bring benefits to the education and research ecosystem, now, we are "knocking on the doors" of institutions through consultancy actions on the subject. Yes, recently, RNP signed an agreement with the University of Pernambuco (UPE) to structure the Institution's Information Security Management System.

In addition to supporting the University, the 15 campi, and hospital complex in the governance of institutional information security, the action is a milestone for RNP as well, which, by listening closely to the "pains" and needs of institutions such as UPE, which are part of the RNP System, can structure an applicable model and, thus, evolve the degree of maturity in information security of other education and research institutions throughout Brazil. "This will collaborate with the perspective to supply services to other institutions since we can identify related issues in this area, in addition to the experience gained by the team," explains Rodrigo Facio, an expert in information security at RNP.

It all started about two years ago. In 2019, UPE was suffering a series of cyber attacks and incidents information security incidents. The professor and coordinator of the Communication and Information Technology Department at the University, Haroldo Amaral, identified the need to rely on specialized support in the area and contacted RNP, which began the work by understanding the needs of the Institution and then moved on to the drafting of a Work Plan, which, due to the pandemic, only began to be implemented this year. In an interview with RNP, Haroldo lists the benefits brought to UPE from the "win-win" relationship established by the partnership with RNP:

"In the Institution, information security is extremely lacking. I speak for UPE, which is where I work, but we could apply this statement to other institutions that have similar realities. I could mention several beneficial points from this partnership, but the main thing is: in the face of the reality of the institutions, counting with the expertise of RNP makes us very safe and comfortable in working together and establishing a very healthy partnership with ease of communication. RNP meets our needs and demands and fulfills its role very well. Another positive point is the feedback we are building. The Institution has matured greatly with the knowledge that RNP brings and exchanges with us, and I imagine that, by getting to know the reality of the institutions, RNP also improves their services and can even offer new solutions." 

Harry also considers that "the IT departments of institutions need to strengthen relations with RNP, after understanding the role and importance of the organization. RNP makes a great effort to make this happen, but we have a long way to go to decrease this distance." 

The Partnership

Visit of RNP at UPE, in February this year - Credits: UPE
 

The contract sealed the partnership and, over the coming months, the RNP professionals experts on the subject will work together with the Communication and Information Technology Department of UPE to reach a maturity diagnosis of the Information Security Management System and IT Infrastructure in order to establish the Privacy and Information Security Committee, in addition to drawing up a policy and complementary regulations for information security.

By the end of the partnership, the expected results are improved information security management at the Institution; the ability to analyze future decisions collectively through a committee that will be established for the subject; to have institutional guidelines and instructions through the Information Security Policy and Standards to be established; and increased maturity on the subject, improving governance processes and controls on information security.