TU/e gets better cybersecurity score

Duijnborgh Audit assigned TU/e’s cybersecurity maturity level a score of 2.7, which is an improvement compared to previous years. The annual audit, with a possible score between 1 and 5, is held nationwide among higher education institutions.


The audit looked at all environments managed centrally by LIS, such as Osiris, Canvas, and Office365. Control measures investigated include Multi Factor Authentication (MFA, where you confirm your identity in two or more independent ways) and password policy.

Different maturity levels are distinguished. At level 2, an organization must have described its work processes for each team and act accordingly, says Chief Information Security Officer (CISO) Martin de Vries. He’s happy with the current score of 2.7, but he certainly thinks further improvement is required. “A 3 or 4 is a healthy maturity level, which is what we’re aiming for now.”

For that third level, you must also demonstrate that you act according to your processes, policies, and procedures. If you want to achieve level 4, you have to demonstrate a learning effect. This means identifying a problem, addressing it, and documenting it. The cream of the crop, level 5, is the peak of capability and only awarded to those that go above and beyond the aforementioned.

Incidentally, not all the steps are equally easy to achieve, De Vries says. “Getting from 1 to 2 is pretty easy, as you can see in the rapid growth within a year. But from 2 to 3 is a lot harder because it involves a lot of details. From 3 to 4 is a little easier again if you build the feedback cycle into your processes and show your learning ability. But the only way to really achieve that kind of growth is for the entire organization to get behind it.”

Maastricht, a watershed moment

Since the hack at Maastricht University (December 23, 2019), a great deal has happened in higher education in terms of security. “All the higher education institutions agreed with each other to be audited.” Universities of applied sciences do so every two years, research universities every year.

The standards framework for the audit was based on the attack on Maastricht University. At the time, the auditors examined which control measures (‘controls’ in jargon) had been affected there, and those controls were used to determine the scores of the other universities. Soon after, the Surf assessment framework (Surf is a cooperative association of Dutch educational and research institutions in the field of ICT) was introduced; it is somewhat more comprehensive and is still used today.

De Vries joined TU/e more than a year after the hack in Maastricht. “Then we had the first limited audit of the control measures applicable to the Maastricht hack and TU/e scored a 1.6.” That wasn’t the score they wanted. You pretty much get that 1 for effort, says De Vries. “We had to do better and we put in a lot of effort to accomplish that.”

Things improved in subsequent years. In the spring of 2023, the first full audit – for 2022 – took place, with a score of 2.4; the same score the university achieved again a year later. “That may seem like halting progress, but there’s an explanation for the same score having been achieved in two years. The auditor we got for the 2023 audit was a little bit stricter.” That raises questions: surely an audit should be standardized so that the outcome doesn’t depend on the auditor? De Vries nods. “That’s true and that’s why Surf ran a tender for audit services in 2023. Some of the audit parties that won the tender coordinate in terms of ‘what they find.’ That eliminates differences and makes the assessments much more uniform.”

Not public

The audit report isn’t made public because of the detailed findings of the auditor contained in it. “That would be a security risk, as it would publicize any remaining weaknesses and leave us open to abuse by people with malicious intent. The teams themselves do get to see the findings that apply to them, so they can make improvements.”

During the hack at TU/e, outdated protocols were taken advantage of. “For example, the hacker was able to get increased permissions for the environment through the domain controllers. A domain controller is a server in the computer network that centrally manages who and what has access to which sections of the network. It’s where authentication takes place for people and devices and an environment through which permissions are distributed and settings can be passed on. The domain controller, therefore, is a critical part of the network. The fact that outdated protocols could be abused relates to several processes, which was also revealed in the audit. You have to learn from that and make sure that the lifecycle of your systems is good, that you have a proper overview of the risks, and that you set the right measures. Then you can phase out obsolete protocols faster. That’s definitely one area in which we need to improve.”

Incidentally, TU/e welcomes ethical hackers. There’s even a protocol for this on the website, called the Responsible Disclosure Policy (RDP). And it’s certainly being used, De Vries indicates. The RDP lays out the rules on how ethical hackers should behave when looking for vulnerabilities in the TU/e environment.

Goals for the future

TU/e wants to continue to improve when it comes to security maturity. “The audit for 2025 (which will be done in 2026, ed.) must achieve a score of 3 for the university as a whole. The year after that a 3 must be achieved for all individual control measures, because at the moment one measure may compensate for another.”

On September 1, CISO Martin de Vries will leave TU/e and start working at VDL in the same capacity. Someone to succeed him and help meet the maturity level targets is yet to be found.
