
List of attendees:

  • Peter Szegedi - TERENA
  • Ingimar Jónsson - RHnet/University of Iceland
  • Christoph Graf - SWITCH
  • Marius Urkis - LITNET
  • Stefan Winter - RESTENA
  • Cynthia Wagner - Fondation RESTENA
  • Jovana Palibrk - Academic Network of Serbia
  • Valentino Cavalli - TERENA
  • Dave Mifsud - University of Malta
  • Esther Robles Blazquez - RedIRIS
  • Andrea Kropáčová - CESNET, a. l. e.
  • Wayne Routly - DANTE
  • Dominique Launay - RENATER
  • Piotr Strzyżewski - PIONIER Consortium
  • Claudio Allocchio - GARR
  • Christian Panigl - ACOnet
  • Albert Hankel - SURFnet bv
  • Jari Miettinen - CSC - IT Center for Science Ltd.
  • Tomas P. de Miguel - RedIRIS
  • Janos Mohacsi - NIIF/HUNGARNET
  • Alf Moens - SURF (via video)

Notes:

After a brief introduction to the TERENA CISO group initiative given by Wayne Routly (DANTE), Alf Moens (SURF) elaborated on the main drivers and objectives of such a group of high-level security experts. Building trusted relationships and coordination within and beyond the NRENs’ security teams is the most important aspect. Advocating the use of standards and sharing tangible implementation practices would be the key, besides trying to agree on common policy requirements. There is growing demand and pressure on the NRENs from the universities to be able to talk to one single CISO person at managerial level. Coordination and clear escalation paths are as important as swift policy decisions and compliance with the corresponding EC directives. There is a need for a dedicated role and a single person (i.e. contact/decision point) at NRENs to achieve and maintain the necessary trust level for the national as well as international user community.

Peter Szegedi (TERENA) put the open question to the audience of how to proceed and asked for a roll call. SWITCH, GARR, SURF and RENATER noted that they already have a dedicated CISO person, and the majority of the other NREN representatives were interested in finding an overall structure for their internal security-related activities, including CSIRT and NOC. NIIF mentioned that they have an official ISO certification, which would be a good example for others to follow. Christoph Graf (SWITCH) commented that creating a TERENA Special Interest Group (SIG) would indeed be more appropriate than a task force at this stage. A quick show of hands indicated that about 80% of the attendees would participate in such a SIG.

Albert Hankel (SURFnet) said that SURFnet is willing to organize an “NREN Security Strategy Workshop” after the summer, to which all interested NRENs are invited. This meeting can also be the official kick-off meeting for the new TERENA CISO SIG. Alf Moens (SURF) and Wayne Routly (DANTE) volunteered to coordinate the workshop preparation and later on to participate in the Steering Committee of the new SIG.

The logistical details of the SURFnet Workshop will soon be circulated on the TERENA CISO mailing list. Everybody is welcome to join the mailing list.

Note

Invitation for NREN Security Strategy Workshop

SURFnet is in the process of renewing its strategy with respect to security, privacy and trust. We recognize that other NRENs may also be rethinking their Security Strategy and that it is important to collaborate on an international scale. This is an invitation to join us in a workshop to discuss these issues and look for potential collaborations.

Digital infrastructures have become mission critical for the day-to-day operations of our constituencies. As a consequence, people are starting to take security and privacy in their digital lives more seriously. Ignorance and misuse (such as cyber criminality but also espionage) can lead to profound impacts and losses for individuals and organizations. They need to be able to rely on experts for protection and guidance.

NRENs stimulate optimal use of ICT in Higher Education, be it in new or in proven activities. To enable such use, the HE community needs to feel safe and secure; they need to trust their digital environment. NRENs have a proven track record in this area with trust and collaboration as their core values – the HE community looks to NRENs for protection and guidance. As ICT infrastructures continue to evolve, more and more is required to maintain this position.

In the Netherlands SURF is currently restructuring all the security, privacy and trust (SP&T) activities in such a way that SURFnet will play a leading and guiding role for Dutch HE in the years to come. SURFnet is looking to develop new services, intensify collaborations with academic SP&T research groups and increase dissemination of knowledge and best practices in the HE community. In order to do so, it is in our view very important to collaborate with other NRENs on an international scale. This is already happening on an operational level in TF-CSIRT for example, but not yet at a strategic level.

In addition, for some time now a couple of NREN Chief Information Security Officers (CISOs) have been talking about setting up a CISO-working party. Currently it is unknown how many NRENs have a CISO or someone acting as a CISO. A couple of CISOs think it is useful for NREN CISOs to know each other and to start working together in addressing the many issues the NRENs and their constituents are facing now and in coming years.

The NRENs have been working together for more than twenty years, based on mutual trust. We are moving from networking to application services; we therefore need to define what the trust is based upon and how we can ensure future cooperation can be achieved with the same or higher level of trust.

Workshop

To foster international collaboration at a strategic level, we would like to organize a security strategy workshop with a number of selected NRENs leading in SP&T in the NREN community. Our goal is to share views on SP&T, discuss issues and look for potential collaborations. If successful, the result will be a shared view on how NRENs can collaborate internationally on SP&T and a list of follow-up actions. Themes we already identified are:

- How can NRENs exchange strategic views on SP&T and work towards a shared view?
- How can NRENs develop a trust framework between NRENs and for their products and services?
- How can NRENs exchange knowledge on and approaches to important SP&T issues (such as the upcoming European privacy laws)?
- How can NRENs learn from other SP&T NREN services? (e.g. copy them or procure them from another NREN)
- Are there any SP&T issues that can only be solved in international collaborations?
- How can NRENs organize this? Is there interest in forming a dedicated community of CISOs and other security managers?

Preliminary programme proposal

Day 1

13.30               Plenary

                        - welcome & purpose of workshop

                        - introduce flip charts with major questions (people can sticker ideas throughout the workshop)

                        - provocative (?) speaker to kick off discussions

14.30               Break

15.00               Parallel sessions

                        CISO

                        - How can NRENs develop a trust framework between NRENs?

                        Services

                        - How can NRENs develop a trust framework for their products and services?

16.30               Report back on parallel sessions

17.00               Drinks & check-in hotel

19.00               Dinner

 

Day 2

09.00               Plenary

09.30               Parallel sessions

                        CISO

                        - How can NRENs exchange knowledge on and approaches to important SP&T issues (such as the upcoming European privacy laws)?

                        Services

                        - How can NRENs learn from other SP&T NREN services? (e.g. copy them or procure them from another NREN)

10.30               Break

11.00               Report back on parallel sessions

11.30               Plenary & wrap up

                        - come back to flip charts and try to answer major questions

                        - conclusions & future outlook

                        - thank you

12.30               Lunch

 

Major questions for flip charts

- How can NRENs exchange strategic views on SP&T and work towards a shared view?
- Are there any SP&T issues that can only be solved in international collaborations?
- How can NRENs organize this? Is there interest in forming a dedicated community of CISOs and other security managers?
- …