How to Share Best Security Practices

Size: px

Start display at page:

Download "How to Share Best Security Practices"

Beverly Taylor
8 years ago
Views:

1 How to Share Best Security Practices Urpo Kaila, EUDAT Security Officer WISE Workshop for Information Security for E-infrastructures , Barcelona This work is licensed under the Creative Commons CC-BY 4.0 licence. Attribution: EUDAT EUDAT receives funding from the European Union's Horizon 2020 programme - DG CONNECT e-infrastructures. Contract No

2 Standard Building Blocks of Information Security Several frameworks available Security Reviews and Tes9ng Confiden9ality Integrity Availability So<ware and Service Development Security Security and Risk Management Computer Security Network Security Opera9onal Security Assets - > Risks - > Controls - > Metrics Governance & ITSM Access Controls Asset Management

3 Different kind and levels of security skills Auditors Directors IT Security Managers Administrators, Operators Programmers IT - Support Service Managers Users Experts on technical security Security Managers, Operating Engineers

4 Well known legacy professional security skills definitions and certifications Security Management (ISC)² CBK ISACA COBIT PECB Generic CISSP CISM GCED GCIH GSNA Technical Security SANS CEH BoK Vendor specific (includes security) MTA RHCSE

5 How do you measure security skills? By bragging? By experience? CV? By trainings obtained? By certifications achieved? Skills certifications are standard requirements in the private sector Obtaining and maintaining such certification is somewhat expensive A certification shows that a person knows at least the basics of the trade it does not prove that the person is a senior professional, which requires more experience.

6 A common problem with generic security skills and security guidelines It is difficult to apply them efficiently in your organisation Proceed from outlining to to implementation

7 How can skills become practice? The principles and theoretical skills must be adapted in your context in an reasonable and in an efficient way Best practices should be implemented Definition (wikipedia): A best practice is a method that has consistently shown superior. Best practices are used to maintain quality and can be based on benchmarking. Best practices are a feature in many of accredited management standards.

8 How could implementation be easier? Necessary prerequisites Skills Management support A plan with check-ups Leadership (it will not just happen) Share experiences on how to implement with your peers Also cover confidential/sensitive information Informal information often more crucial than formal documents Apply the House of Chatham rule One size does not fit all

9 A successful track record I ve had rewarding experiences in sharing best practices with Several government agencies Private companies NREN s Universities Research infrastructures It would probably have been extremely difficult for us to achieve ISO without sharing best practices earlier The standards and frameworks tell you what to do Best practices tells you, by examples, how to do it

10 Methods of sharing best practices Articles, books Presentations Trainings Reviews and audits Guidelines Site visits Workshops Informal communication N.B. Everything does not need to be formalised, informal f2f meetings are also very valuable

11 Suggestions for joint ISMS activities Joint skills transfer program on operational security A training kit for Site Security Officers A non-profit lightweight skills certification for Site- Security Officers A voluntary practice sharing program for Site visits for ISMS sharing Peer reviews/audits of ISMS Articles on current ISMS practices Develop a multilateral NDA covering all of above An effort to apply resources and funding for all above I personally volunteer to contribute if feasible

12 Thank you! All comments are welcome to: EUDAT related security incidents -> Other EUDAT security related ->

How to gain and maintain ISO 27001 certification

Public How to gain and maintain ISO 27001 certification Urpo Kaila, Head of Security CSC IT Center for Science ltd. urpo.kaila@csc.fi, security@csc.fi GÉANT SIG ISM 1 st Workshop, 2015-05-12, imperial.ac.uk