Security Management GEANT SIGSIM ALF MOENS SECURITY MANAGEMENT
- Slides: 22
Security Management GEANT SIG-SIM – ALF MOENS SECURITY MANAGEMENT IN NORWAY – ROLF STURE NORMANN SECURITY MANAGEMENT AT DEIC – HENRIK LARSEN Nordunet 2016 - Helsinki
SIG Information Security Management & WISE Alf Moens
Whoami Corporate security officer SURF Board member SCIPR Chair SIG-ISM Board member WISE Member Géant Community Committee ICT and security background with strong interest in privacy Board member Dutch Platform for security professionals Master Information Security Management (MISM, 2007)
GÉANT - GÉANT is the leading collaboration on network and related infrastructure and services for the benefit of research and education - an EC trusted partner for many years, as the coordinator of network projects cofunded by the European Union (EU). - a member organisation with NRENs as members - Research projects: GN 4 - Network archtecture Network services Trust and identity - Collaboration projects - Several SIGs and taskforces; MSP: NREN service delivery Marcom NOC TF-CSIRT SIG-ISM TF-Storage - Spin offs - REFEDS
The security landscape Organisation, governance, roles and responsibilities, policy Incident detection, prevention and respons Monitoring of infrastructure and suppliers Risk management, security measures Assessments, Audit Awareness and training
Who is doing what in the security landscape?
Géant SIGISM national communities WISE TF-CSIRT CEO Forum SIG-ISM ? ? NREN CERT
Competing or collaborating? Organisation, governance, roles and responsibilities, policy SIG-ISM / WISE / CEO Forum TF-CSIRT Incident detection, prevention and respons Monitoring of infrastructure and suppliers Risk management, security measures NREN-CERT national communities Assessments, Audit Awareness and training
WISE – security for e-infrastructures WISE is for the e-infrastructures, globally, both networking and super- and gridcomputing infrastructures. WISE was initiated by Géant SIG-ISM and SCI. SIG-ISM: Information Security Management SCI: Security for Collaboration among Infrastructures “Launching” e-infrastructures: Géant (European research and education networks) EGI (European Grid Infrastructure) EUDAT (research data services) PRACE (high performance computing) Participating communities NRENs, HEP/CERN, the Human Brain Project, XSEDE, NCSA, CTSC, LIGO and others Kick off meeting at BSC, Barcelona, oktober 2015, 49 participants Workshops at XSEDE and DI 4 R in 2016
WISE working program 2016 • Updating the SCI-framework: an operational security framework with guidance for incident response, changes, user management • Security Training and Awareness: what training do you need, what is available • Risk Assessment: Looking at the major risks on information security for an e-infrastructure • Security Review and Audit: Can we set up a program of peer reviewing? What should you audit and when? • Security in Big and Open Data: Identifying the security needs for big and open data
SIG ISM Géant SIG ISM - Aimed at security officers - Getting in control - Information Security Management - Incident management seen as part of security management Purpose - Trust, on what basis? - To certify or not to certify? Whitepapers - information security management - Risk management 2016: - Expand the community - Establish a Risk Register - How to implement security management - Anually
Artwork: Rolf Sture Normann
SIG ISM is looking at NREN needs Strong CERTs/CSIRTs Trust Some are ISO 27001 certified or are working on it: - Because they are a tld registry - Because they deliver services to government - Internal motivation: goals for quality management With SIG-ISM we are joining forces on the subject of trust Strong CERTs/CSIRTs
Whitepaper on Security Management High level paper on how to organise information security in you organisation - Role and responsibilities - Selecting standards Full paper at: https: //wiki. geant. org/display/SIGISM/SIG+ISM +white+paper+security+management
Whitepaper on Risk Management High level paper on the setting up and maintaining a risk management proces for an NREN. Paper in draft, publicly available in september 2016 Abouth organisation and methods for establishing a risk register aimed at controlling risk and taken the right measures.
Designing the Risk Matrix • SIG ISM worked on 3 subjects of the Risk Matrix in her february workshop in Copenhagen • Risks concerning hosted services • Risks concerning People • Risks concerning federated identity management systems • First steps to a comprehensive risk matrix for an NREN • Cooperate with WISE WG-SRA
Outcome Copenhagen Workshop (work in progress) Hosted Services People • infrastructure complexity • • insecure software or • infrastructures • • supplier • • incident detection • • trust/over-delegation • Economical loss/reputation Sickness Leaving staff Segregation of duties Policies Screening (lack of) Federations • Declining (implicit) trust in growing federations • Federation operator procedures and responsibilities • Users cannot log in • Cannot identify abuser/intruder • Leak/abuse of personal information • SP Data/Attribute profiles appropriate • Protocol implementation vulnerabilities
Results of the September 2016 Trondheim Workshop • • Write up success stories: What works, what doesn’t work Business case for security management: when is security a success? Share information and documentation Expand the risk register Tooling for security and risk management, and for secure sharing of information Set up a directory of key people with a short description (2 -pager) of what they are doing and how Set up a FAQ Survey on ISM Trondheim
Competing or collaborating? Organisation, governance, roles and responsibilities, policy SIG-ISM / WISE / CEO Forum TF-CSIRT Incident detection, prevention and respons Monitoring of infrastructure and suppliers Risk management, security measures NREN-CERT national communities Assessments, Audit Awareness and training
Allways be prepared For your next incident
From incident handling to security management Key Largo
Alf Moens Alf. moens@surfnet. nl www. surfnet. nl Foto’s: Alf Moens
- Moens korteweg equation
- Dr moens
- Mies bernelot moens
- Myrtillier géant
- Geant network map
- Sanglier de turquie
- Machine la plus grosse du monde
- Action geant
- Geant computer
- Geant simulation
- Geant 4
- Le géant atlas dans son café de bonsecours
- Exposé sur les pandas
- Geant 4
- Niconical
- Pub geant
- Gate geant
- Pion geant
- Blatte rhinocéros
- Ahca facility locator
- Dhs acquisition lifecycle framework
- Alf isaksson
- Acquisition lifecycle framework (alf)