Day 1 (22 February 2016)

The chair of the SIG-ISM Steering Committee, Alf Moens, opened the meeting and welcomed the participants. He then introduced the Traffic Light Protocol (TLP) as the means to indicate the level of confidentiality within the group. It was agreed that the meeting is by default TLP Amber, but presenters can decide how to mark their presentations - TLP White and Green to be added to the event page on the wiki, TLP Yellow and Red - confidential. Urpo suggested that the TLP, as a standard for this community, should be published on the SIG-ISM webpages.

ACTION: Add information about the TLP on the SIG-ISM website.

The agenda of the meeting was approved, no changes suggested. Alf informed the group that Alessandra and Rolf, members of the Steering Committee, are joining the meeting remotely.

During the round of introductions, the main expectations of the workshop were set: to discuss risk management experiences, best practices, benchmarking, practical steps, and possible collaboration on risk management in the community. It was decided that the goal of the workshop is to determine the 5 most prevalent risks of NRENs and decide how those can be addressed by sharing experiences.

Alf then gave an overview of what has been done in the SIG-ISM so far, including a paper on ISM, a paper on Risk Management, a contribution to setting up WISE, a DDoS mitigation workshop, and presentations at various community events. He elaborated on WISE, which is a global community initiated by e-infrastructures, covering some of the same topics as the SIG. The work of WISE is divided based on the main topics identified for 2016, forming 5 working groups. Participants of this meeting were invited to look up more information on the WISE website and register for one of the WISE working groups.

Risk management for Cloud, Computing and Data services - Urpo

The second presentation was given by Urpo, outlining the importance and key factors of defining and connecting enterprise risk management (ERM) and IT risk management - a process that is typically neglected or misunderstood. Urpo identified the main phases of ERM, starting with defining the risk and a working framework. Following that, risk identification takes place, and, according to the speaker, most organisations stop here. However, it is crucial to continue the process by defining ownership, mitigation, transference, sometimes even acceptance of the risks, followed by monitoring and review. Although many public and non-public standards are available, those guidelines are usually written for big and mature organisations, and adapting them to small NRENs can be impossible.

Lacking a “work for all” solution, every organisation has to clearly define the Risk Management process itself, taking the most critical factor - Business Impact Analysis - into consideration and ensuring communication between senior management and operational work.

In the context of NRENs, some of this work (for example, recommendations) can be done together.


Presentations of experiences from NRENs

NORDUNET - Jacob

Jacob presented OCTAVE Allegro, the Risk Management method used at Nordunet, which was chosen because of its alignment with the business, its structure (quantitative and qualitative) and its being an easy way to do reporting, also for management. However, the main downside of this method is that there is no good tool that can be used and one needs to build one. Jacob demonstrated the tool used at Nordunet - OpenISMS (in the making), which is a web interface, created based on the ISO standard, where information on each risk can be entered by selecting options from lists (instead of entering all information manually each time). The tool is useful in generating a report for the risks that were identified as priorities. The report is generated based on the information provided: critical information, containers, threats, control lists (checklist). Jacob is planning to improve the tool, migrate all risks to it and share the code for the generic risk analysis tool with the group - under an open source licence soon too.

One of the suggestions received was to add the ability to automatically generate reports for risk owners, so the tool can be used when talking to other departments regarding risk management.


CSC - Urpo

Urpo presented the Risk Management process at CSC, which has been awarded an ISO/IEC 27001 certificate and complies with the requirements and best practices on information security. For implementation of the process, CSC is using a manual internal risk management tool, which requires a number of fields to be filled in manually. Input for risk assessment at CSC is collected from different departments, so it is important to be able to “translate” the IT risks to Business Risks, since IT risks are often too technical for the management. In practice the process at CSC works well, and collaboration with management is improving. The main disadvantage is that the process is still very manual.

Urpo suggested that every organisation should design its own framework. Collaboration between NRENs in this area could be improved by conducting risk assessment surveys in other organisations.

Cyber threat landscape - Bart 

Bart presented the “Cyber threat landscape 2015” report, which was created to inform universities of applied sciences in the Netherlands about the threats to their institutions. Interviews with the institutions were conducted to determine which risks are the most relevant to them. Based on the input provided by the universities, top threats were identified and explained in the report. Bart noted that such reports are useful in presenting the risks and potential measures to the management rather than to the technical staff. The exercise was successful and will be repeated.


GÉANT Security - Fotis

Fotis’ presentation focused on the processes that were initiated by the GÉANT Security team in order to gain more control of the security environment. One problem that was identified early in the process is that staff are not aware of the basic security concepts (confidentiality, integrity and availability). To address this, it was decided to investigate where the gaps are by talking to people who work for the organisation and involving them in the process. The ISO 27005 standard was used as the basis of the exercise. A high-level asset registry was created and risk owners identified. The assets were rated on a scale of 1-5. Employees were then invited to rate the risks together, based on the calculation Asset value x Vulnerability x Threat. The next step was to determine the overall probability/likelihood of the risks, so a likelihood factor was added to the evaluation formula: Risk = [Impact (Asset) x Vulnerability x Threat] x Likelihood.

According to Fotis, following this process helps the staff to understand the basic concepts and impact of security and be more aware of the security parameters. Consequently, various dashboards were created, also for the management, who have to participate in enforcing the processes. The end result is clearly set security objectives for the organisation.


A round of experiences from other NRENs

University of Vienna/ ACOnet - Alexander

No formalised risk assessment yet. One of the main risks - losing confidentiality (need to look into the confidence that can be lost instead of focusing on specific incidents).

DFN - Stefan

Formalising risk management at the moment. One of the problems - there is no documentation of assets, important services are now identified (lack of priorities). Configuration management started last year - services identified, but now need to assess the assets regarding the business processes.

HEAnet - Aidan

Main focus - DDoS attacks. Main challenge: trying to document a large number of servers and devices, getting an inventory.

UNINETT - Oivind

Inventory is also a problem, asset registry is needed. Following a common standard with other security institutions in Norway. Espionage risk identified.

ACTION: Oivind will translate and share the common Norwegian standard on the wiki and provide an explanation regarding process and tools.

BELNET - Fernand

No formal risk management format in place. Some activities were organised, such as business continuity planning and business impact analysis. Broad IT service management deployment, specifically for change management. The need for common risk analysis and treatment is identified, but not implemented. Doing risk analysis for separate projects - individuals must identify risks and mitigation.

DKCERT - Henrik

No formal risk approach, working on it. Implementing ISO 27001.

STFC - Linda

A lot of activities to mitigate security-related risks - specific working groups, loads of work concerning the grid. But no common approach identified. A security threat risk assessment was done in different categories with staff input on the likelihood and impact of the specific risks in separate projects. 100 threats were evaluated previously.

Now more Cloud related risks added to the exercise - more high impact risks identified:

1. Cloud security incident detection (the highest risk)

2. Changing technology - less control of what technology and software is used (staff choose software based on whether it works rather than whether it is secure)

3. Not enough manpower to do the security activities

4. Staff not complying with the policy 

ACTION: Linda will share a more detailed list of risks (TLP Amber), which is a summary of STFC threats, via the mailing list.

RESTENA - Cynthia

No formal process in place, but staff are doing quite a lot in the area anyway. Different procedures are identified and available for staff. Going towards ISO 27001 - need to start with risk identification and management. Manpower is a problem - once this is solved, formalising the processes can be started.

GARR - Claudio

Not enough awareness at the universities regarding the financial risks.

Day 2 (23 February 2016)

The second day of the workshop started with a quick summary of yesterday’s discussions, presented by Alf. 

Since one of the expectations of this workshop was to look into possible collaboration on risk management in the community, Alf suggested identifying what makes sense to do together and what should be done individually before proceeding with the workshop.

The following was agreed on by the group:

TOGETHER: tools, templates, risk register, process
INDIVIDUAL: priorities, measuring

Alf then suggested that, looking at the specific NREN and university context, a few levels of risk can be identified that need to be discussed with the management:

STRATEGIC
PROCESS: network, network services, federation, hosted services, back office admin, people, upstream
TECHNICAL

The “process” level was split into separate categories that are useful for further discussion, aiming to result in a joint NREN risk management effort. Federation, hosted services, and people were selected by the participants as the most relevant ones to start with. It was then decided to work in three groups focusing on one process each. The aim of the brainstorm within the groups was to determine the top 5 risks in a given category.

The first group, chaired by Jacob, focused on the hosted services. The following risks were identified and rated:

1. infrastructure complexity

2. insecure software or infrastructures

3. supplier

4. incident detection

5. trust/over-delegation


The second group was chaired by Fotis. They listed the following as the main risks related to people:

Economic loss/reputation

Sickness

Leaving staff

Segregation of duties

Policies

Screening (lack of)


The last group discussed Federation. Chaired by Urpo, they rated the risks as follows:

1. Declining (implicit) trust in growing federations 

2. Federation operator procedures and responsibilities 

3. Users cannot log in 

4. Cannot identify abuser/intruder 

5. Leak/abuse of personal information

6. SP Data/Attribute profiles appropriate 

7. Protocol implementation vulnerabilities 


It was agreed by the workshop participants that the three groups will continue working on the results of the brainstorm sessions led by Jacob, Fotis and Urpo. The intention is to produce three documents that can be shared. The risks identified should be clearly defined and explained and ideas for recommendations should be included.

ACTION: Jacob, Fotis and Urpo will use the input of today’s workshop to develop documents in which the risks identified in the groups are elaborated on and some recommendations made. The documents are to be sent to the Steering Committee by the end of March.


After working in groups, Alf moderated a roundtable on how the documents produced as a result of this workshop can be disseminated. Suggestions to contact various other communities were made, including WISE, REFEDS, GÉANT Task Forces (TF-CSIRT, SIG-NOC). 

ACTION: Alf will contact Jules Wolfrat regarding collaboration with WISE, Alessandra will look into possibilities to work with other initiatives and TFs. 


The discussion then continued regarding sharing the information on risks with the management. It was decided that this has to be an individual effort, but a community-written and rubber-stamped document on risk management would be useful as something that managers would potentially be interested in.

Regarding elevation of the issues discussed in the SIG-ISM via GÉANT, Alessandra explained that the results of the SIGs are reported to GÉANT anyway, so it would be more efficient to spread information if everyone reports within their own NREN. However, the issue there is that not all NRENs are part of this group, so there is a need to involve them and build trust on a personal level. F2F meetings are difficult to attend for some, but a VC every few months might be a solution.

ACTION: Organise VC meetings about risk management with more NRENs involved.


The group agreed that the information from today’s session and the results of the working groups are public and can be posted on the wiki, making sure that it is clear that those are generic risks and not something that specific NRENs from GÉANT are facing.

ACTION: Share notes, pictures and slides from day 2 of the workshop as well as the documents produced as a result of the discussions on the wiki.


It was then agreed that information on the NRENs’ internal processes and tools used, which was not shared during this workshop but would be instrumental in developing a generic document on risk management, can and should be shared, and that the wiki can be used as a platform. Having examples of how other NRENs are doing in this field would serve as a tool for a benchmarking exercise. However, a joint risk register would require a platform where confidential information could be uploaded.

ACTION: The Steering Committee will create a page on the wiki where NRENs can provide information about their internal tools and processes, and have a further discussion on where confidential information can be collected and shared.


During the closing remarks it was agreed that creating a joint framework specific to NRENs is one of the goals of SIG-ISM, to be developed in the coming years.


Summary of actions

No. | Action | Assigned to
CPH-01 | Add information about the TLP on the SIG-ISM website. | Alessandra
CPH-02 | Translate and share the common Norwegian standard on the wiki and provide an explanation regarding process and tools. | Oivind
CPH-03 | Share a more detailed list of risks (TLP Amber), which is a summary of STFC threats, via the mailing list. | Linda
CPH-04 | Use the input of the workshop's group sessions and develop documents in which the risks identified in the groups are elaborated on and some recommendations made. Send the documents to the Steering Committee by the end of March. | Jacob, Fotis and Urpo
CPH-05 | Look into collaboration with WISE and other initiatives and TFs. | Alf, Alessandra
CPH-06 | Organise VC meetings about risk management with more NRENs involved. | Alessandra
CPH-07 | Share notes, pictures and slides from day 2 of the workshop as well as the documents produced as a result of the discussions on the wiki. | Alessandra, Sigita
CPH-08 | Create a page on the wiki where NRENs can provide information about their internal tools and processes for now; discuss alternative platforms where confidential information can be collected and shared. | Steering Committee
