EUNIS InfoSec Workshop @University of Málaga

Rectorado (University of Málaga)


University of Málaga

Avenida de Cervantes, 2 29016 Málaga, Spain
Asbjørn Reglund Thorsen (CISO, Unit, Oslo) , Thorsten Küfer (CISO, University of Münster)


This is a two day workshop taking place Monday, 27.01.2020 (13:00-17:00) and Tuesday, 28.01.2020 (09:00-13:00) at the University of Malagá in Spain. The venue for the meeting is the University of Málaga main building: Rectorado, located at  Avenida de Cervantes, 2. See attached practical information below for more information.

Organized by the EUNIS InfoSec Special Interest Group it targets CIOs, CISOs and IT security related personnel in European higher education institutions.


University of Malaga Logo


  • Organisational information security
  • Setting up an ISMS (Information Security Management System)
  • Managing GDPR
  • Operational IT security
  • Setting up a CERT (Computer Emergency Response Team)
  • Best practices and tools for HEIs
  • University practice talks
  • Networking and discussions


Please see the timetable for a detailed agenda.


  • The workshop is free for EUNIS members.
  • Reception and registration on Monday starting at 12:00.
  • Dinner on Monday at 19.00 on self-payer basis is planned.
  • Hotel rooms can be booked via the well-known portals.
  • Please register before 18.01.2020.
Thorsten Küfer
  • Monday, 27 January
    • 13:00 17:00
      Day 1: Organisational Part
      • 13:00
        Welcome 10m

        Introduction to EUNIS, the InfoSec workshop and its participants.

        Speakers: Asbjørn Reglund Thorsen (CISO, Unit, Oslo) , Thorsten Küfer (CISO, University of Münster) , Victoriano Giralt (CIO, University of Malaga)
      • 13:10
        Introduction 20m

        Introduction by the host Victoriano Giralt, CIO of University of Malaga. Situation of Spanish universities regarding information security.

        Speaker: Victoriano Giralt (CIO, University of Malaga)
      • 13:30
        Risk managing cybersecurity at modern universities 30m

        In his keynote Dr. Gaute Wangen will discuss key issues in risk managing cybersecurity at the modern university.

        Speaker: Dr Gaute Wangen (NTNU, Trondheim)
      • 14:00
        Bavarian information security program for higher education 30m

        As part of the "Digital Campus Bavaria" program, a cross-university advisory service on information security issues for all state universities and colleges in Bavaria was established at the computer center of the Augsburg University of Applied Sciences. This is financed by the Free State of Bavaria. Tasks are Information Security Inventory at Bavaria's universities, taking into account the requirements of research and teaching. Development of a model to establish and maintain structures and procedures to ensure information security as a model for the Bavarian higher education sector. Networking of IT/Information Security Officers of Bavarian colleges and universities. Scientific support and advice for Bavarian universities in the introduction and implementation of the developed model as well as in all information security relevant topics.

        Speaker: Christian Fötinger (CISO, Higher Education Institutions Bavaria)
      • 14:30
        Experience Implementing Information Security Management System (ISMS) 20m

        After the merge of three IT service organizations, Unit - the Norwegian Directorate for ICT and Joint Services in Higher Education and Research was born. Unit are currently working to implement the national ISMS. We will share some experiences and lesson learned on our road to towards the finished implementation.

        Speaker: Asbjørn Reglund Thorsen (CISO, Unit, Oslo)
      • 14:50
        Networking break 30m
      • 15:20
        GDPR in the everyday life of HEI in Norway 30m

        Talk focuses on GDPR in the everyday life of higher education insitutions in Norway. Achievements and challanges in 2019, as well as recommendations for the year 2020.

        Speaker: Agnethe Sidselrud (Unit, Oslo)
      • 15:50
        Possibilities, limits and alternatives of consent 20m

        Art. 7 GDPR describes conditions for consent. Recital 43 describes especially the Freely Given Consent. Many IT systems have a problem with forced consent during registration that can be avoided.

        Speaker: Martin Neldner (Technische Universität Ilmenau)
      • 16:10
        On the safe side 20m (on the safe side in English) is a web page used by a lot of different insitutions in Norway which offers training and guidance on what to do in emergency situations.

        Speaker: Christine Holm Berntzen (OsloMet)
      • 16:30
        Discussion 20m

        Discussion on differences, benefits, solutions to challenges.

        Speaker: Asbjørn Reglund Thorsen (CISO, Unit, Oslo)
      • 16:50
        Conclusion 10m

        Conclusion to first day and looking at dinner and second day.

        Speaker: Asbjørn Reglund Thorsen (CISO, Unit, Oslo)
  • Tuesday, 28 January
    • 09:00 13:00
      Day 2: Practical Part
      • 09:00
        Introduction 15m

        Reflection on first day and introduction to second day with practical IT security topics.

        Speaker: Thorsten Küfer (CISO, University of Münster)
      • 09:15
        SIM3 and the Open CSIRT Foundation 40m

        Information and services offered by the Open CSIRT Foundation (OCF). Introduction to Security Incident Management Maturity Model (SIM3) and its new online tool.

        Speaker: Don Stikvoort (Open CSIRT Foundation)
      • 09:55
        An API for Management to check on production-readiness! 20m

        Wouldn't it be great if management would have an automated checking mechanism to determine if a service is ready to go operational? A tool that checks if the new system or service has performed risk assessment, has a data processing agreement, performed successful penetration test et cetera. We have made such an API and we are now testing it, aiming for taking it in production in January 2020. Would you like a demonstration?

        Speaker: Asbjørn Reglund Thorsen (CISO, Unit, Oslo)
      • 10:15
        Vulnerability management at University of Münster 20m

        Presentation on how vulnerability management is organized and implemented with OpenVAS at University of Münster. Which prerequisites are required? What are the results?

        Speaker: Thorsten Küfer (CISO, University of Münster)
      • 10:35
        CERT Services for German HEIs 10m

        DFN-CERT is the computer emergency response team of German NREN DFN. Presentation of the IT security related services offered by DFN-CERT for its constituents.

        Speaker: Thorsten Küfer (CISO, University of Münster)
      • 10:45
        Networking break 30m
      • 11:15
        Physical access. Live hacking 45m

        Three live demos that show how a hacker can compromise a PC when having physical access to it. Get ready for some live hacking.

        Speaker: Asbjørn Reglund Thorsen (CISO, Unit, Oslo)
      • 12:00
        Group discussion 30m

        Preperation and mitigation of Emotet threat.

        Further discussion in groups of 5-7 on the most pressing challenges that came up so far.

        Speaker: Asbjørn Reglund Thorsen (CISO, Unit, Oslo)
      • 12:30
        Discussion results 15m

        Discussion feedback and results

        Speaker: Thorsten Küfer (CISO, University of Münster)
      • 12:45
        Conclusion 15m

        Conclusion and wrap up. Publication of workshop results. Next meeting as pre-congress workshop at annual EUNIS conference in Helsinki (June, 08.-12.2020).

        Speaker: Thorsten Küfer (CISO, University of Münster)