
The meeting was a follow-up meeting from the NREN Chief Security Officers’ Meeting 28 September 2012 in Ljubljana, Slovenia.

The meeting did not have a large attendance: there were only 9 attendees representing 8 institutions. It is clear that any future meetings will have to be advertised outside the TF-CSIRT framework to ensure that adequate numbers of appropriate staff from the NRENs attend. TF-CSIRT side meetings were being held at the same time as the CISO meeting, which meant that some NREN representatives could not attend. There was a round table discussion on the major items arising out of the Ljubljana meeting and the TAC discussions from June 2013.

The end user customer base of the NRENs is somewhat different to a normal customer base: the end users are all at arm's length, being customers of downstream connected sites, and they live in a world of academic freedom where normal rules, policies and procedures are challenged all the time. NRENs should be taking care of their own security and not just offering security as a service to their connected institutions. NRENs face security risks in their own right and should have robust processes and procedures to handle these risks.

There was some discussion on certification along the lines of ISO27001. Funet/CSC had recently achieved certification and Janet are considering getting certification for individual services, starting with the more achievable ones and then rolling it out to others.

Senior management in the NRENs should appoint a dedicated or a designated Chief Information Security Officer (CISO) in each NREN. These CISOs should have a direct reporting line to Senior Management in the NREN to ensure that security policies are being observed and enforced in the NREN and to flag any breaches to Senior Management.

The role and responsibilities of the NREN CISO are outlined below and are taken from the COBIT definition of the role of the Chief Information Security Officer.

Role and Responsibilities of the NREN CISO (from COBIT).

  • Mandate: The overall responsibility of the enterprise information security programme in the NREN
  • Operating principles: The CISO should report to the Senior Management in the NREN.

The CISO is the liaison between executive management and the information security programme. The CISO should also communicate and co-ordinate closely with key NREN stakeholders to address information protection needs.

The CISO must

  • Have an accurate understanding of the NREN strategic vision
  • Be an effective communicator
  • Be adept at building effective relationships with business leaders
  • Be able to translate NREN business objectives into information security requirements

Span of control

The CISO is responsible for:

  • Establishing and maintaining an information security management system (ISMS)
  • Defining and managing an information security risk treatment plan
  • Monitoring and reviewing the ISMS

Authority level/decision rights:

  • The CISO is responsible for implementing and maintaining the information security strategy. Accountability (and sign-off of important decisions) resides in the function to which the CISO reports, for example, senior executive management team member or the ISSC.

Delegation rights:

  • The CISO should delegate tasks to information security managers and business people.

Escalation path:

  • The CISO should escalate key information risk-related issues to his/her direct supervisor and/or the ISSC.

Actions:

  1. Inform NREN management of the existence of the NREN CISO group

  2. Encourage attendance at future meetings

  3. Hold a meeting outside the TF-CSIRT group at an NREN gathering

  4. TERENA to advertise meeting widely amongst NREN management


Note: TERENA Technical Committee Meeting

3 December 2013

Responding to the TAC request from June 2013, the CISO group reconvened as a side session at the TF-CSIRT meeting in London in September. Due to conflicting meetings, there were relatively few attendees at the session. The task of defining the role and profile of the Chief Information Security Officer was agreed and subsequently circulated on the mailing list.

It was pointed out at the CISO meeting that there was a general lack of awareness and commitment to the concept of security by NRENs and this awareness should be heightened, especially at the management level.

Action: 20131203-4 MN: Validate the CISO profile and role as formulated by the NREN CISO group and report this validation to the GA in Dublin

http://www.terena.org/about/ttc/minutes/TTCminutes-20131203.pdf