Skip to end of metadata
Go to start of metadata

This Wiki Space is not maintained anymore. You can find the most up to date information of the new page of SIG-ISM



This Wiki Space is for the TERENA Chief Information Security Officer (CISO) group initiative. The group has decided to change its name to "Information Security Management" SIG.

Th SIG-ISM website is available at TERENA.

The SIG-ISM mailing list is: ism<at>terena<dot>org. You can request for subscription here.

SIG-ISM Steering Committee

Meetings and minutes

Dates and locationsCISO meeting at TNC2014, 19 May 2014, Dublin, Ireland

1st NREN Chief Security Officers' Meeting

2nd NREN Chief Security Officers' Meeting

(info) TERENA Technical Committee Meeting

TF-NOC/TF-CSIRT/CISO session at the TF-NOC Task Force meeting

(lightbulb) Alf Moens, SURF - Security and Trust

TNC2014 - CISO Session

NREN Security Strategy Workshop by SURFnet

28 September 2012, Ljubljana, Slovenia

26 September 2013, London, UK

3 December 2013, on-line

20 March 2014, Cambridge, UK

24 February 2104

19 May 2014, Dublin, Ireland

3-4 September 2014, Utrecht, Netherlands

1st NREN Chief Security Officers’ Meeting

28 September 2012

Hotel Slon, Ljubljana, Slovenia

A meeting of individuals designated as security officers within TERENA National and International Members was suggested by the TERENA Advisory Council at its meeting in May 2012. The aim was identify the security interests of these organisations beyond incident handling and response, to identify who (if anyone) was responsible for security affairs, and to determine whether there is any requirement for wider collaboration within the TERENA community.

To this end, a meeting was organised adjacent to the 37th TF-CSIRT meeting in Ljubljana, Slovenia to which NRENs were asked to send their Chief Security Officers (CSOs). This is a relatively new concept within research and education organisations, so it was expected that many, if not most of these organisations would not officially have a nominated CSO. However, organisations were asked to send the person most fitting the role, or who might fulfil such a role in future.

A number of discussion points were circulated in advance of the meeting as follows:

  • What are the risks with respect to data, infrastructure and the applications that are being run, and how are these risks assessed?
  • What sort of policies are required to manage potential risks, are these in situ, and how can these be updated as necessary?
  • Information Security Management Systems and ISO 27001 certification - which parts of an NREN are/should be risk assessed and certified, and how is this achieved?
  • What sort of disaster recovery plans, if any, do NRENs have? How are disasters defined, handled and communicated?
  • Should NRENs appoint Chief Security Officers to minimise risk, or is a designated person sufficient?

The meeting was held using an open discussion format. This report summaries the outcome of the discussions and the conclusions that were formulated.

Why are Chief Security Officers necessary?

A Chief Security Officer is usually a senior level executive within an organisation responsible for information security. This may include systems, network and data security; incident response and handling; regulatory compliance; risk management; and disaster recovery. They are commonplace in medium-to-large commercial companies, and are increasingly employed in government and other types of organisation. However, the concept is relatively unknown within the research and education community, and very few NRENs appear to have a designated CSO.

CSOs have become increasingly important as organisations become almost totally reliant on IT information systems. Whilst not all NRENs operate truly mission critical systems, incidents can still cause a great deal of disruption and damage, and resolving them can cost significant amounts of effort and money. In addition, there can be a significant loss of reputation that can ultimately affect the continued existence of an NREN, and even expose them to legal liabilities.

What is the role of a Chief Security Officer?

It was generally agreed that a CSO needed to advise management on security matters, and in crisis situations, even have the ability to execute emergency powers. As a result, such roles ideally needed to be part of the management team, or at least have a very close working relationship with it. A pre-requisite for assessing and mitigating risks was to compile and maintain an inventory of assets, to understand operational requirements, and to define the role and extent of the CSO responsibilities. For example, system and network security would traditionally be expected to fall under the remit of a CSO, but their role should also encompass physical access to buildings and data storage. In addition, security awareness training, a public relations policy for dealing with the press, and even a social media policy for employees may be required in the modern environment.

It should be clear that the primary responsibility of a CSO should be to assess and document potential risks to IT services develop a policy for minimising these risks, and then to have a disaster recovery plan in the event that the worst happens. Other responsibilities might be to ensure compliance with regulatory and other legal requirements, and to implement processes that might lead to external certification in due course (which typically takes 3 to 5 years). In some circumstances, a CSO might even take a role in advising law makers in the development of appropriate legislation. It is extremely important to establish and maintain communication channels between key members of staff. It is also important these channels are regularly tested, and possibly even periodic drills held to ensure that everyone in the process understands what is required from them.

Who has a Chief Security Officer?

Only CERN, DANTE, CSC (parent organisation of Funet) and UNINETT currently had an officially designated Chief Security Officer, although in the case of DANTE, this was a very recent appointment in response to an external audit. Most other organisations had someone who advised on security matters, but these duties were mostly undertaken on an informal basis and they had no powers or responsibilities in crisis situations. The persons informally advising on security matters were usually those working in Computer Incident Response and Security Teams (CSIRTs), largely because these are often the only established security-related activities within organisations. Incident handling and response is a specialised aspect of security though, and is usually not concerned with physical security and disaster recovery. CSIRT staff are typically concerned with enforcing policies, but not making those policies.

Who has a Disaster Management and Business Continuity Plan?

Every organisation present had some sort of disaster management plan, although the exact nature of these varied considerably. Seven organisations had formal organisationwide plans, two had separate departmental plans, whilst two had unofficial plans. However, only three organisations actually had plans for alternative (off-site) provision of services in the event of disaster. Three organisations had actually been forced to implement their crisis management/recovery plans in the past, whilst a further organisation enacted their plan in response to an external disaster (earthquake). These plans had generally proved adequate, although in one case the plans had ultimately proved inadequate due to unforeseen complications relating to an ongoing and extreme external crisis. It was generally felt though, that NRENs were reactive rather than proactive with respect to crisis management.

Recommendations

  1. It was felt that NRENs would eventually be required to implement Information Security Management Systems (ISMSs) in order to identify and mitigate risks to their infrastructures. It was therefore suggested that some presentations or training on the subject might be arranged by TERENA; possibly during TNC 2013. Possible speakers/trainers were Michael Brophy (Certification Europe), Bert van ? (SIDN), and IT Governance. CERN also had a standard presentation about the CERN CSO Team and its duties that might be utilised. The target audience should be senior NREN managers as ISMSs would require their endorsement if they were to be successful.

  2. It was also suggested that TF-MSP investigate the implementation of ISMSs, and whether some base guidelines could or should be formulated for NRENs. This might include an investigation into whether ISO 27001 was applicable to, or necessary for NRENs.

  3. Concern was expressed by the fact that only 12 research and education networking organisations were represented at the meeting, especially considering that a number of attendees were not CSOs and had attended the meeting on their own initiative. The general feeling was that security was not taken seriously by NREN management, that the issues were poorly understood, and that information dissemination from senior management was inadequate. The issue of how to attract better representation and involvement from the 42+ TERENA members needed to be addressed by TF-MSP and perhaps even at the level of the TERENA General Assembly. However, one approach might be the use of policy and technical audits (e.g. ISO 9001) as external recommendations often carried more weight than internal representations.

2nd NREN Chief Security Officers’ Meeting

26 September 2013

London, UK

Chairman: James Davis, Janet

Notes: Michael Nowlan, TERENA

The meeting was a follow-up meeting from the NREN Chief Security Officers’ Meeting 28 September 2012 in Ljubljana, Slovenia.

The meeting did not have a large attendance, there were only 9 attendees representing 8 institutions. It is clear that any future meetings will have to be advertised outside the TF-CSIRT framework to ensure that adequate numbers of appropriate staff from the NRENs attend. There were TF-CSIRT side meetings being held at the same time as the CISO meeting which meant that some NREN representatives could not attend the meeting. There was a round table discussion on the major items arising out of the Ljubljana meeting and the TAC discussions from June 2013.

The end user customer base of the NRENs is somewhat different to a normal customer base, they are all at arm’s length and are customers of downstream connected sites, and they live in a world of academic freedom where normal rules, policies and procedures are challenged all the time. NRENs should be taking care of their own security and not just offering security as a service to their connected institutions. NRENs face security risks in their own rights and should have robust processes and procedures to handle these risks.

There was some discussion on certification along the lines of ISO27001. Funet/CSC had recently achieved certification and Janet are considering getting certification for individual services, starting with the more achievable ones and then rolling it out to others.

Senior management in the NRENs should appoint a dedicated or a designated Chief Information Security Officer (CISO) in each NREN. These CISOs should have a direct reporting line to Senior Management in the NREN to ensure that security policies are being observed and enforced in the NREN and to flag any breaches to Senior Management.

The role and responsibilities for the NREN CISO are outlined and are taken from the COBIT definition of the role of the Chief Information Security Officer

Role and Responsibilities of the NREN CISO (from COBIT).

  • Mandate: The overall responsibility of the enterprise information security programme in the NREN
  • Operating principles: The CISO should report to the Senior Management in the NREN.

The CISO is the liaison between executive management and the information security programme. The CISO should also communicate and co-ordinate closely with key NREN stakeholders to address information protection needs.

The CISO must

  • Have an accurate understanding of the NREN strategic vision
  • Be an effective communicator
  • Be adept at building effective relationships with business leaders
  • Be able to translate NREN business objectives into information security requirements

Span of control

The CISO is responsible for:

  • Establishing and maintaining an information security management system (ISMS)
  • Defining and managing an information security risk treatment plan
  • Monitoring and reviewing the ISMS

Authority level/decision rights:

  • The CISO is responsible for implementing and maintaining the information security strategy. Accountability (and sign-off of important decisions) resides in the function to which the CISO reports, for example, senior executive management team member or the ISSC.

Delegation rights:

  • The CISO should delegate tasks to information security managers and business people.

Escalation path:

  • The CISO should escalate key information risk-related issues to his/her direct supervisor and/or the ISSC.

Actions:

  1. Inform NREN management of the existence of the NREN CISO group

  2. Encourage attendance at future meetings

  3. Hold a meeting outside the TF-CSIRT group at an NREN gathering

  4. TERENA to advertise meeting widely amongst NREN management

TERENA Techncal Committee Meeting

Icon

3 December 2013

Responding to the TAC request from June 2013, the CISO group reconvened as a side session at the TF-CSIRT meeting in London in September. Due to conflicting meetings, there were relatively few attendees at the session. The task of defining the role and profile of the Chief Information Security Officer was agreed and subsequently circulated on the mailing list.

It was pointed out at the CISO meeting that there was a general lack of awareness and commitment to the concept of security by NRENs and this awareness should be heightened, especially at the management level.

Action: 20131203-4 MN: Validate the CISO profile and role as formulated by the NREN CISO group and report this validation to the GA in Dublin

http://www.terena.org/about/ttc/minutes/TTCminutes-20131203.pdf

TF-NOC Task Force meeting

TF-NOC/TF-CSIRT/CISO Session

20 March 2014

Cambridge, UK

There was a session dedicated to security related discussions at the 10th TF-NOC meeting on 20 March 2014 in Cambridge, UK. The invited speakers of the panel were:

  • James Davis, JANET (CISO)
  • Alf Moens, SURF (CISO)
  • Lionel Ferette (TF-CSIRT chair)
  • Brian Nisbet, HEAnet (TF-NOC)
  • and a representative of the UK National Crime Agency.

The panel concluded that the network security issues are handled by the NOC very well. At the NRENs’ level there seems to be a healthy relationship and regular communication (i.e. clear escalation path) between the NOC and CSIRT teams. Most of the cases the CSIRT person is the member of the NOC team anyway.  Information security areas other than the network security are much more concerned including e.g., stuffing, customer services or finances.

The representative of the UK National Crime Agency emphasized the importance of the notification of local law enforcement bodies (police) about security bridges. Even if no investigation is started immediately, collecting and analyzing information is important. In case of security incidents, collecting as much information as possible and at the same time not contaminating evidences is very difficult in IT. Sharing best practices in this field would be beneficial. It also turned out that however most of the NOCs have contacts to local police (e.g., JANET has an MoU signed with the UK Crime Agency) notifications are very rare. NOC personnel have to be trained on in which cases and how low enforcement should be notified. The role of the CISO could be to overlook this procedure at the NREN level.

There was a requirement to investigate the possibility whether specialized TRANSITS security trainings can be given to NOC personnel on legal/policy issues and reporting of security bridges (including the collection and preservation of evidences). Lionel (TF-CSIRT chair) offered invitation to TF-NOC participants to TF-CSIRT meetings.

The participants agreed that attracting the right people is difficult. We need both management awareness and identification of key personnel at NRENs. For raising management awareness, a CISO meeting will be organised at TNC2014.

Security and Trust

Icon

Alf Moens, SURF

24 February 2104

For some time a couple of NREN CISO’s have been talking about setting up a CISO-working party. For this moment it is unknown how many NREN’s have a CISO or someone acting as a CISO. A couple of CISO’s think it is useful for NREN CISO’s to know each other and to start working together in addressing the many issues the NREN’s and their constituents are facing now and in coming years.

The NREN’s have been working together for more than twenty years, based on mutual trust. We are moving from networking to application services, we there fore need to define what the trust is based upon and how we can ensure future cooperation can be achieved with the same of higher level of trust.

Objectives (these can be ranked)

  • Build a community of NREN CISO’s: This will speed up communication and exchanging of ideas and initiatives in quiet times and in times of crises.
  • Share knowledge and experience
    • On strategic and tactical subjects concerning information security
    • On organizing information security for the NREN constituents
  • Develop strategies for addressing present and future threats
  • Develop a trust framework for NRENs, and their products and services, based upon international standards and good practices in some NRENS

Scope

The scope of the CISO working party is

  • the NRENs
  • the constituents of the NRENs, not individual but as a group
  • strategic and tactical on information security and mutual trust

Subjects (to start with)

  • “inventory” of NREN CISO’s: who-is-who, who are we missing?
  • inventory of local communities in security and privacy related to the NREN constituents. Combine the experiences of existing communities for drafting a best practice
  • Agree on Trust: What is mutual trust between NRENs based upon and how can this be secured in the future
  • inventory of materials local communities have available
  • organisation of the working party, should it be a taskforce?

Some strategic subjects are already addressed in other taskforces

Liaison with

  • Incident respons ic.  TF-CSIRT
  • Product and service development: TF-MSP
  • Operations: TF-NOC
  • External relations - TF-CPR

TNC2014 - CISO Session

19 May 2014

Dublin, Ireland

Chairman: Wayne Routly (DANTE)

List of attendees:

  • Peter Szegedi - TERENA
  • Ingimar Jónsson - RHnet/University of Iceland
  • Christoph Graf - SWITCH
  • Marius Urkis - LITNET
  • Stefan Winter - RESTENA
  • Cynthia Wagner - Fondation RESTENA
  • Jovana Palibrk - Academic Network of Serbia
  • Valentino Cavalli - TERENA
  • Dave Mifsud - University of Malta
  • Esther Robles Blazquez - RedIRIS
  • Andrea Kropáčová - CESNET, a. l. e.
  • Wayne Routly - DANTE
  • Dominique Launay - RENATER
  • Piotr Strzyżewski - PIONIER Consortium
  • Claudio Allocchio - GARR
  • Christian Panigl - ACOnet
  • Albert Hankel - SURFnet bv
  • Jari Miettinen - CSC - IT Center for Science Ltd.
  • Tomas P. de Miguel - RedIRIS
  • Janos Mohacsi - NIIF/HUNGARNET
  • Alf Moens - SURF (via video)
  • Vlado Pribolsan - CARNet (via video)
  • Wayne Routly - DANTE

Notes:

After a brief introduction to the TERENA CISO group initiative given by Wayne Routly (DANTE),  Alf Moens (SURF) elaborated on the main drivers and objectives of such a group of high-level security experts. Building trusted relationship and coordination within and beyond the NRENs’ security teams is the most important aspect. Advocating the use of standards and sharing tangible implementation practices would be the key, besides trying to agree on common policy requirements. There is a growing demand and pressure on the NRENs from the universities to be able to talk to one single CISO person at managerial level. Coordination and clear escalation paths are as much important as swift policy decisions and compliance with the corresponding EC directives. There is a need for a dedicated role and a single person (i.e. contact/decision point) at NRENs to achieve and maintain the necessary trust level for the national as well as international user community.

Peter Szegedi (TERENA) threw the open question to the audience on how to proceed and asked for a roll call. SWITCH, GARR, SURF and RENATER noted that they already have a dedicated CISO person and the majority of the other NREN representatives were interested in finding an overall structure for their internal security related activities including CSIRT and NOC. NIIF mentioned that they have an official ISO certification that would be the good example to follow by others. Christoph Graf (SWITCH) commented that creating a TERENA Special Interest Group (SIG) would indeed be more appropriate than a task force at this stage. A quick show of hands indicated that about 80% of the attendees would participate in such a SIG.

Albert Hankel (SURFnet) said that SURFnet is willing to organize an “NREN Security Strategy Workshop” after the summer where all the interested NRENs are invited to. This meeting can also be the official kick-off meeting for the new TERENA CISO SIG. Alf Moens (SURF) and Wayne Routly (DANTE) volunteered to coordinate the workshop preparation and later on participate in the Steering Committee of the new SIG.

The logistic details of the SURFnet Workshop will soon be circulated on the TERENA CISO mailing list. Everybody is welcome to join the mailing list.

Icon

Invitation for NREN Security Strategy Workshop

SURFnet is in the process of renewing its strategy with respect to security, privacy and trust. We recognize that other NRENs may also be rethinking their Security Strategy and that it is important to collaborate on an international scale. This is an invitation to join us in a workshop to discuss these issues and look for potential collaborations.

Digital infrastructures have become mission critical for the day-to-day operations of our constituencies. As a consequence, people are starting to take security and privacy in their digital lives more seriously. Ignorance and misuse (such as cyber criminality but also espionage) can lead to profound impacts and losses for individuals and organizations. They need to be able to rely on experts for protection and guidance.

NRENs stimulate optimal use of ICT in Higher Education, be it in new or in proven activities. To enable such use, the HE community needs to feel safe and secure; they need to trust their digital environment. NRENs have a proven track record in this area with trust and collaboration as their core values – the HE community looks to NRENs for protection and guidance. As ICT infrastructures continue to evolve, more and more is required to maintain this position.

In the Netherlands SURF is currently restructuring all the security, privacy and trust (SP&T) activities in such a way that SURFnet will play a leading and guiding role for Dutch HE in the years to come. SURFnet is looking to develop new services, intensify collaborations with academic SP&T research groups and increase dissemination of knowledge and best practices in the HE community. In order to do so, it is in our view very important to collaborate with other NRENs on an international scale. This is already happening on an operational level in TF-CSIRT for example, but not yet at a strategic level.

In addition, for some time now a couple of NREN Chief Information Security Officers (CISOs) have been talking about setting up a CISO-working party. Currently it is unknown how many NRENs have a CISO or someone acting as a CISO. A couple of CISOs think it is useful for NREN CISOs to know each other and to start working together in addressing the many issues the NRENs and their constituents are facing now and in coming years.

The NREN’s have been working together for more than twenty years, based on mutual trust. We are moving from networking to application services, we therefore need to define what the trust is based upon and how we can ensure future cooperation can be achieved with the same of higher level of trust.

Workshop

To foster international collaboration at a strategic level, we would like to organize a security strategy workshop with a number of selected NRENs leading in SP&T in the NREN community. Our goal is to share views on SP&T, discuss issues and look for potential collaborations. If successful, the result will be a shared view on how NRENs can collaborate internationally on SP&T and a list of follow-up actions. Themes we already identified are:

-          How can NRENs exchange strategic views on SP&T and work towards a shared view?

-          How can NRENs develop a trust framework between NRENs and for their products and services?

-          How can NRENs exchange knowledge on and approaches to important SP&T issues (such as the upcoming European privacy laws)?

-          How can NRENs learn from other SP&T NREN services? (e.g. copy them or procure them from another NREN)

-          Are there any SP&T issues that can only be solved in international collaborations?

-          How can NRENs organize this? Is there interest in forming a dedicated community of CISOs and other security managers

Major questions for flip charts

-          How can NRENs exchange strategic views on SP&T and work towards a shared view?

-          Are there any SP&T issues that can only be solved in international collaborations?

-          How can NRENs organize this? Is there interest in forming a dedicated community of CISOs and other security managers?

  • No labels