GÉANT Security and Privacy White Paper

White paper

GÉANT Security and Privacy White Paper (v8)

Version 5 of the White Paper (GÉANT Security and Privacy Activities White paper) was submitted to GPPC for comments on 18 December 2017. After a consultation with GPPC, version 6 of the document was submitted on 23 January 2018. 

Annexes (Action templates)

Annex 1: Baselining for Products and Services and Organisations

Annex 2: Firewall on Demand
Annex 3: Centralised DDoS mitigation
Annex 4: SOC operations and tools
Annex 5: Vulnerability Assessment "as-a-service"
Annex 6: EduVPN
Annex 7: Other security products and services
Annex 8: Legal and Privacy Compliance
Annex 9: Management of Risks
Annex 10: Training
Annex 11: Awareness
Annex 12: Incident Response, Business Continuity and Crisis Management


Preparation

GN4-3 Security White Paper outline for download

We aim to provide guidance for security activities for GÉANT and the NRENs for the period of 2018 – 2022. In the GN3-4 Security White Paper, we will address some of the cybersecurity challenges of the NREN community, focussing on six main areas:

Main themes
Security Baselining for products, services and organisations Agreed frameworks and guidelines, their applications, what they mean for the organisation, frameworks as a means to prove and improve mutual trust between organisations thru benchmarking and sharing, both organisational and technical
(Managed) Security products and servicesServices delivered by NRENs or joint services delivered by GÉANT, for example Certificate Services (TCS, other), DDoS mitigation, (virtualised) Firewalling, and others. Research into the use of emerging technologies such as quantum cryptology and blockchain technologies. 
Legal compliance (including privacy compliance)EU and other regulations on security, privacy and data sharing, measures that need to be taken and implemented (GDPR[i], NIS Guideline, EIDAS, to mention a few), representing NRENs in influencing what the regulations will be about in the future
Management of risks 

Identifying risks, risk management methods, risk registers, (cyber) threat assessments, threat intelligence sharing, sharing best practices 

Training and awarenessCreating cyber security awareness culture, communicating risks, threats and their mitigation internally; specific training needs of the security officers, applying the newest training methods (online trainings, serious gaming, simulation)
Incident response, business continuity and crisis managementAddressing and managing security breaches and attacks not only on networks, but also on internal services, ways of dealing with unexpected threats, managing crises, preparing for the unexpected

[i] In this paper, we will not discuss implementing GDPR compliance as the new GÉANT Task Force will be working on it.

Community Consultations

Community consultations are organised to:

  1. Collect feedback on the 6 main themes identified 
  2. Collect specific ideas that could be included in the paper 
  3. Rate the ideas suggested from the most to least urgent 

The results of the community consultations:

ConsultationDate, placeResults
SIG-ISM Security white paper consultation5 October, BrusselsSLIDES
Public Security white paper consultation (1)16 October, OnlineSLIDES
Public Security white paper consultation (2)25 October, OnlineSLIDES & additional proposals
Public Security white paper consultation (3)31 October, Online

Reference docs for the last consultation:

  1. Incident response, business continuity & crisis management AND Security Baselining for products, services and organisations (Alf Moens)
  2. Training and awareness AND Management of Risks (Sigita Jurkynaite)

Consultation notes:

Joint results (ratings)-

Security white paper brainstorm sessions results.xlsx

(including 25 October)


Recent space activity

Authors

Alf Moens (SURFnet)

Sigita Jurkynaitė (GÉANT)