
Day 1 (22 February 2016)

 

The chair of the SIG-ISM Steering Committee Alf Moens opened the meeting and welcomed the participants. 

He then introduced the Traffic Light Protocol (TLP) as the means of indicating the level of confidentiality within the group. It was agreed that the meeting is by default TLP Amber, but presenters can decide how to mark their presentations: TLP White and Green presentations are to be added to the event page on the wiki, while TLP Yellow and Red presentations remain confidential.

Urpo suggested that the TLP, as the standard for this community, should be published on the SIG-ISM web pages.

ACTION: Add information about the TLP on the SIG-ISM website.

The agenda of the meeting was approved with no changes suggested. Alf informed the group that Alessandra and Rolf, members of the Steering Committee, were joining the meeting remotely.

During the round of introductions, the main expectations of the workshop were set: to discuss risk management experiences, best practices, benchmarking, practical steps, and possible collaboration on risk management in the community. It was decided that the goal of the workshop is to determine the 5 most prevalent risks of NRENs and decide how those can be addressed by sharing experiences.

Alf then gave an overview of what has been done in the SIG-ISM so far, including the Paper on ISM, the Paper on Risk Management, a contribution to setting up WISE, the DDoS mitigation workshop, and presentations at various community events. He elaborated on WISE, a global community initiated by e-infrastructures that covers some of the same topics as the SIG. The work of WISE is divided according to the main topics identified for 2016, forming 5 working groups. Participants of this meeting were invited to look up more information on the WISE website and register for one of the WISE working groups.

 

The Risk Assessment Whitepaper - Alf

Alf presented the white paper on Risk Assessment, in which the risk management process is described based on the best practices identified during the previous workshop. In this white paper, risk management is defined as an everyday activity for organisations; having a strategy for risk management is therefore crucial. It is important to identify where the risks come from and, where information security is concerned, to take the confidentiality, integrity and availability of information into consideration. The risk management process can be divided into 5 main steps: identify, assess, respond, monitor, and report. Once the risks are identified, the likelihood of each risk has to be rated from most likely to unlikely in an internally agreed format (a scale of 1-5 or similar can be used), taking ease of access and attacker motivation into consideration. To describe the impact of a potential risk, different scales can be used depending on the organisation and the purpose of the description, but scales based on economics or reputation are useful when presenting the risks to management. When talking about the risks in NRENs, the most important assets must be kept in mind throughout the process.

 

Risk management for Cloud, Computing and Data services - Urpo

The second presentation was given by Urpo, outlining the importance and the most important factors of defining and connecting enterprise risk management (ERM) and IT risk management, a process that is typically neglected or misunderstood. Urpo identified the main phases of ERM, starting with defining the risk and a working framework. Risk identification follows, and, according to the speaker, most organisations stop here. However, it is crucial to continue the process by defining ownership, mitigation, transference, and sometimes even acceptance of the risks, followed by monitoring and review. Although many public and non-public standards are available, those guidelines are usually written for big and mature organisations, and adapting them to small NRENs can be impossible.

Lacking a “works for all” solution, every organisation has to clearly define its own risk management process, taking the most critical factor, Business Impact Analysis, into consideration and ensuring communication between senior management and operational work.

In the context of NRENs, some of this work (for example, recommendations) can be done together.

 

PRESENTATIONS OF EXPERIENCES FROM NRENs

NORDUNET - Jacob

Jacob presented OCTAVE Allegro, the risk management method used at NORDUnet, which was chosen because of its alignment with the business, its structure (quantitative and qualitative) and its being an easy way to do reporting, also for management. However, the main downside of this method is that there are no good tools available for it, so one needs to build one. Jacob demonstrated the tool used at NORDUnet, OpenISMS (still in the making), a web interface created on the basis of the ISO standard, where information on each risk is entered by selecting options from lists instead of entering all information manually each time. The tool is useful for generating a report on the risks that were identified as priorities. The report is generated from the information provided: critical information, containers, threats, and control lists (checklists). Jacob is planning to improve the tool, migrate all risks to it and share the code for the generic risk analysis tool with the group, under an open source licence soon too.

One of the suggestions received was the ability to automatically generate reports for risk owners, to be used as a tool when talking to other departments about risk management.

 

CSC - Urpo

Urpo presented the risk management process at CSC, which holds an ISO/IEC 27001 certificate and complies with the requirements and best practices on information security. For implementation of the process, CSC is using a manual internal risk management tool, which requires a number of fields to be filled in by hand. Input for risk assessment at CSC is collected from different departments, so it is important to be able to “translate” IT risks into business risks, since IT risks are often too technical for management. In practice the process at CSC works well, and collaboration with management is improving. The main disadvantage is that the process is still very manual.

Urpo suggested that every organisation should design its own framework. Collaboration between NRENs in this area could be improved by conducting risk assessment surveys in other organisations.


Cyber threat landscape - Bart 

Bart presented the “Cyber threat landscape 2015” report, which was created to inform universities of applied sciences in the Netherlands about the threats to their institutions. Interviews with the institutions were conducted to determine which risks are the most relevant to them. Based on the input provided by the universities, the top threats were identified and explained in the report. Bart noted that such reports are useful for presenting the risks and potential measures to management rather than to technical staff. The exercise was successful and will be repeated.

 

GÉANT Security - Fotis

Fotis’ presentation focused on the processes that were initiated by the GÉANT Security team in order to gain more control of the security environment. One problem that was identified early in the process is that staff are not aware of the basic security concepts (confidentiality, integrity and availability). It was therefore decided to investigate where the gaps are by talking to people who work for the organisation and involving them in the process. The ISO 27005 standard was used as the basis of the exercise. A high-level asset registry was created and risk owners were identified. The assets were rated on a scale of 1-5. Employees were then invited to rate the risks together, based on the calculation Asset value x Vulnerability x Threat. The next step was to determine the overall probability/likelihood of the risks, so a likelihood factor was added to the evaluation formula: Risk = [Impact (Asset) x Vulnerability x Threat] x Likelihood.

According to Fotis, following this process helps staff to understand the basic concepts and impact of security and to be more aware of the security parameters. Consequently, various dashboards were created, also for management, who have to participate in enforcing the processes. The end result is clearly set security objectives for the organisation.
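As an added illustration (not code from the minutes, the white paper, or the GÉANT Security team's tooling) of the scoring described in Alf's and Fotis' presentations, the Python below ranks a constructed risk register first by Asset value x Vulnerability x Threat and then with the likelihood factor added, and shows how the extra factor reorders the top 5. Asset names and all ratings are made-up sample data; the 1-5 scale for every factor is an assumption extended from the asset rating the minutes describe.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # 1 (lowest) .. 5 (highest), the asset rating scale from the minutes
FACTORS = ("impact", "vulnerability", "threat", "likelihood")


@dataclass(frozen=True)
class Risk:
    asset: str
    scenario: str
    impact: int          # asset value
    vulnerability: int
    threat: int
    likelihood: int

    def __post_init__(self):
        # Reject ratings outside the agreed scale so a typo cannot dominate the ranking
        for name in FACTORS:
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be in 1-5 for asset '{self.asset}'")

    def exposure(self) -> int:
        # First formula used in the exercise: Asset value x Vulnerability x Threat
        return self.impact * self.vulnerability * self.threat

    def score(self) -> int:
        # Extended formula: [Impact (Asset) x Vulnerability x Threat] x Likelihood
        return self.exposure() * self.likelihood


def top_risks(register, n=5, with_likelihood=True):
    """Return the n highest-ranked risks; ties keep register order."""
    key = Risk.score if with_likelihood else Risk.exposure
    return sorted(register, key=key, reverse=True)[:n]


# Constructed sample register (assumed values, not any NREN's real data)
REGISTER = [
    Risk("Core router", "DDoS", impact=5, vulnerability=3, threat=4, likelihood=2),
    Risk("Staff mail", "Phishing", impact=3, vulnerability=4, threat=4, likelihood=5),
    Risk("Research data store", "Espionage", impact=5, vulnerability=2, threat=3, likelihood=1),
    Risk("Cloud tenant", "Undetected incident", impact=4, vulnerability=4, threat=3, likelihood=4),
    Risk("HR database", "Insider misuse", impact=4, vulnerability=2, threat=2, likelihood=3),
    Risk("Public website", "Defacement", impact=2, vulnerability=3, threat=3, likelihood=4),
]

if __name__ == "__main__":
    for label, flag in (("Asset x Vuln x Threat", False), ("... x Likelihood", True)):
        print(label)
        for r in top_risks(REGISTER, with_likelihood=flag):
            print(f"  {r.asset:20} {r.scenario:20} exposure={r.exposure():3} score={r.score():3}")
```

Without the likelihood factor the core router heads the list; once likelihood is applied the phishing scenario against staff mail moves to the top, which is the kind of shift Fotis' extended formula is meant to surface.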

 

A ROUND OF EXPERIENCES FROM OTHER NRENs


University of Vienna/ ACOnet - Alexander

No formalised risk assessment yet. One of the main risks is losing confidentiality (the need is to look at the confidence that can be lost rather than focusing on specific incidents).

 

DFN - Stefan

Formalising risk management at the moment. One of the problems is that there is no documentation of assets; important services are now identified, but priorities are lacking. Configuration management started last year and services have been identified, but the assets now need to be assessed against the business processes.

 

HEAnet - Aidan

Main focus: DDoS attacks. Main challenge: trying to document a large number of servers and devices and getting an inventory.

 

UNINETT - Oivind

Inventory is also a problem; an asset registry is needed. Following a common standard with other security institutions in Norway. Espionage risk identified.

ACTION: Oivind will translate and share the common Norwegian standard on the wiki and provide an explanation regarding process and tools.


BELNET - Fernand

No formal risk management format in place. Some activities have been organised, such as business continuity planning and business impact analysis. Broad use of IT service management, specifically for change management. The need for common risk analysis and treatment has been identified, but not implemented. Risk analysis is done for separate projects, where individuals must identify risks and mitigation.

 

DKCERT - Henrik

No formal risk approach, working on it. Implementing ISO 27001.

 

STFC - Linda

A lot of activities to mitigate security-related risks: specific working groups and loads of work concerning the grid, but no common approach identified. A security threat risk assessment was done in different categories, with staff input on the likelihood and impact of the specific risks in separate projects. 100 threats were evaluated previously.

Now more cloud-related risks have been added to the exercise, and more high-impact risks have been identified:

1. Cloud security incident detection (the highest risk)

2. Changing technology - less control of what technology and software is used (staff choose software based on whether it works rather than whether it is secure)

3. Not enough manpower to do the security activities

4. Staff not complying with the policy 

ACTION: Linda will share a more detailed list of risks (TLP Amber), which is a summary of STFC threats, via the mailing list.

 

RESTENA - Cynthia 

No formal process in place, but staff are doing quite a lot in the area anyway. Different procedures have been identified and are available to staff. Going towards ISO 27001; need to start with risk identification and management. Manpower is a problem; once this is solved, formalising the processes can be started.

 

GARR - Claudio

Not enough awareness at the universities regarding the financial risks. 
