Welcome and round of Introductions (Alf Moens - SURFnet)
Alf opened the meeting, outlined the agenda and invited all participants to introduce themselves. He then gave an update on the activities of WISE and Global CEO Forum Security working group and introduced the idea of regional collaboration of members of the SIG-ISM (members discussed this idea further at the end of the meeting - see notes below).

For more information on WISE, please check their website: https://wise-community.org/ and wiki pages: WISE Home. The next WISE meeting will take place on 27-29 March in Amsterdam, hosted by Nikhef. If you would like to participate, please register here: https://eventr.geant.org/events/2544

Update of SIG-ISM charter (Sigita Jurkynaite, GÉANT)

Every year, GÉANT Community Committee evaluates the achievements and KPIs that each SIG has set for themselves. SIG-ISM has successfully achieved all planned achievements of year 1. Sigita suggested to set more ambitious (yet achievable) goals for 2017. The group had comments and additions. The revised version is to be presented the next day, including all suggestions.

For the revised version presented on the second day of the workshop, please see below.

Finalising the SIG-ISM mission statement (Urpo Kaila, CSC)

The mission statement of SIG-ISM was circulated on the mailing list at the beginning of the year. Urpo presented the initial version of the statement and the comments received. More feedback was given by the participants, which will be included into the new version. It will be sent to everyone for approval shortly.

H2020 project PROTECTIVE (Brian Lee, Athlone Institute of Technology, Ireland)

H2020 project PROTECTIVE - Proactive Risk Management through Improved Situational Awareness. This project aims to develop an information sharing framework and advanced analytics to improve risk monitoring and information sharing for NREN and other CSIRTS. Brian presented the structure of the project and the questions that their institution with the international partners aim to answer by the end of the 36 month project.

For questions and comments, please contact Brian directly: blee@AIT.IE

OZON Cyber security Exercise (Sandy Janssen, SURFnet)

Sandy, one of the national Dutch cyber security exercise organisers, presented the exercise, which took place at the end of last year. 200 participants from 28 Dutch institutions took part in the 2 day exercise. You can see a video impression from the exercise here (with English subtitles):

IKT16 Norwegian National, Intersectoral Exercise (Per Arne Enstad, UNINETT CERT)

Per Arne, one of the organisers of the Norwegian exercise, told the participants about the planning, execution and evaluation phases of the exercise, which took place in 2016. More than 50 public and private enterprises and response environments took part in the exercise. All participants were assigned to one the 5 planned scenarios, which described different attacks on Bank & Finance, Education Sector, The Government, journalists, various enterprises in different sectors.

Joint cyber exercises (Charlie van Genuchten, SURFnet/GÉANT)

Charlie continued the theme of security exercises, talking about definitions of (cyber) crisis, different types of exercises and possible needs and objectives of the SIG-ISM group regarding crisis management. There was a general consensus in the room regarding the need to test the crisis management plans (if any) not only within an organisation, but also internationally. Following a brainstorm session in groups, some primary basic requirements and possible objectives of a joined international cyber security crisis exercise.

Developments in the threat landscape (Bart Bosma, SURFnet)

Bart presented on the process and the results of a cyber threat assessment of education and research sectors, that took place in 2016. He provided more details on trends, threats, processes, context and measures. Full report (in Dutch) can be found here. The slides above are in English.

Working groups

The participants of the meeting split into two working groups, focusing on (1) creating an inventory for security officers and (2) minimal security measures for an NREN.

Working groups continued

Wrap-up from the working groups

WG 1: INVENTORY FOR SECURITY OFFICERS

The first working group identified what information to share with whom, how public the lists should be, set the primary and future goals for the WG. It was decided that the most immediate action is to design a structure for an online platform with clearly identified levels of publicity. Linda Cornwall (Linda.Cornwall@stfc.ac.uk) will be leading this. Sigita Jurkynaite will help with the set up of the wiki pages (level 1 & level 2 to start with) and privacy settings. The main page would have a table with a list of NRENs that leads to each individual institution's page. Those individual pages would contain information provided (and regularly edited) by the NREN staff.

To improve the communication within this and other groups, it was suggested that a chat room is created using Slack, Skype (or other) where members could discuss and share TLP White & Green information. This action is not urgent, but added to the planned achievements list for 2017.

Slides with the discussion points and conclusions from the WG session: Directory/Inventory - info sharing for security people

WG 2: MINIMAL SET OF SECURITY MEASURES

(renamed to "Guidance on setting up and running a ISMS for NRENs")

After discussing some basic questions, identified in the previous meetings (slides from previous meeting can be downloaded from here), this working group has set itself a goal to provide guidance on how to set up and run ISMS for NRENs. They are aiming on having the first documents published by the end of this year and complete the set of guidelines some time in 2018. Robert Tofte (rtofte@nordu.net) will coordinate this group. Sigita Jurkynaite will create a mailing list and inform the SIG-ISM members. The date and time for the first virtual meeting: 5 April at 13:00 CET. (contact Robert or Sigita if would would like to participate or subscribe to the mailing list: https://lists.geant.org/sympa/subscribe/ism-wg2)

Regional collaboration: Which regions want to start?

Alf Moens, supported by the SIG-SIM Steering Committee members, presented the idea of collaboration in smaller (regional) groups, where more sensitive information can be shared and members could advise each other on day-to-day questions that are not discussed in the bigger group. The regional groups would be supported by the SIG-ISM. In some cases they would also be instrumental in getting new NRENs engaged in the international collaboration in this area of work. A few groups were identified:

NORDIC (+ BALTIC?) - Urpo Kaila suggested to take a lead and host a meeting in Finland this summer

BENELUX - Alf Moens will lead this

ENGLISH SPEAKING REGION (UK, Ireland) - James Davis tentatively agreed to lead this group

GERMAN SPEAKING REGION (Germany - Switzerland - Austria) - Christian Fotinger requested to get the contact details of the participants from this region to initiate potential regional collaboration

SOUTH (Spain - Italy - Portugal) - future

SOUTH-EAST EUROPE (Poland - Czech - Croatia - others?) - future

AFRICA (SANREN - UBUNTUNET - WACREN) - perhaps something that could be considered in the future.

Revised SIG-ISM Charter

Sigita Jurkynaite presented a revised version of the achievements/KPIs part of the charter, including the changes made during the workshop discussions. The group agreed on the proposal and set the deadlines for each KPI. The charter will be presented and considered at the GCC meeting on 24 Feb 2017.

AoB

Roderick Mooi (SANREN) and Renier Van Heerden (SANREN) will be in Europe for the TF-CSIRT & One Conference in the Hague and TNC17 in Linz, Austria. During the few weeks in between those events, they would like to visit some European NRENs and talk to security officers/CERTs.

If you would like to invite them to visit your institution, please contact Roderick: roderick@sanren.ac.za