SIG ISM

The aims of the SIG-ISM are:
* establish a community of NREN security management professionals and develop, maintain and promote a trust framework between NRENs based on international standards
* promote the use of international security standards and share best practices for security management within NRENs
* discuss and promote issues of information security management of particular interest to NRENs

In line with these fundamental points, the 1st SIG-ISM meeting, to be held at Imperial College in London, aims to bring together CISOs and everyone interested in ISM, to develop and strengthen the ISM community around the globe.
Agenda Tuesday

12:30-13:30 Arrival and registration
13:30-13:45 Welcome and introduction, Alf Moens (SURF)
13:45-14:15 How to gain and maintain ISO certification, Urpo Kaila (CSC)
14:15-14:45 Jisc and ISO 27001, James Davis (Jisc)
14:15-14:45 Coffee break
14:45-16:45 Round-table discussions: What do NRENs need to implement as a standard? The aim of this discussion is to generate a document highlighting the basic steps NRENs should follow to implement security management.
16:45-17:00 Summary of the day
17:00-19:00 Checking in...
19:00-21:00 Joint dinner
Introduction SIG ISM

Steering committee: started autumn 2014 at the workshop in Utrecht; monthly VC meetings: James, Rolf, Wayne, Alf
Charter: approved!
Participation: free for anyone, but aimed at security officers of NRENs
It's not about incidents, it's about security management.
Reach out to other Task Forces and SIGs
Maintain a register of security officers
Should we work on a trust framework?
Agenda Wednesday

09:00-09:30 Risk Registers, the good and the bad: Making Real Change, Wayne Routly (GEANT)
09:30-10:30 Round-table discussions: Risk analysis. The aim of this discussion is to generate a short paper on the current risks and the new threats coming up.
10:30-11:00 Coffee break
11:00-11:30 Finalising the discussion on risks
11:30-12:20 REFEDS and SIG-ISM, Nicole Harris (GEANT)
12:20-12:30 Discussion about future meetings and wrap-up
Participants

Alf Moens - SURFnet bv
Wayne Routly - DANTE
Alessandra Scicchitano - GEANT Association
Dominique Launay - GIP RENATER
Maciej Milostan - PSNC / PIONIER
John Chapman - Jisc
Antonio Fuentes Bermejo - RedIRIS
Fernand De Decker - BELNET
Rolf Sture Normann - UNINETT AS
Cynthia Wagner - Fondation RESTENA
Thomas Tam - Canada's Advanced Research and Innovation Network
Jacob Asbæk Wolf - NORDUnet A/S
Øivind Høiem - UNINETT AS
James Davis - Jisc
Urpo Kaila - CSC - IT Center for Science Ltd.
Nicole Harris - GÉANT Association

Apologies:
Aidan Carty - HEAnet
David Simonsen - WAYF - Where are you from
Vlado Pribolsan - Croatian Research and Education Federation
Ralf Groeper - DFN
Standards and certifications

Inventory
- Do you have a security officer? An approved security policy?
- Which standard for information security are you using?
- Are you implementing any certifications? Which?
- Who is asking for this?
- How much effort is it?

Discussion
- What standard should an NREN use for information security?
Risk Identification and Management

- Do you perform any risk analysis? Company-wide, for a project or for an information system?
- What do you need to protect? What are the core assets of an NREN?
- What are the main threats for an NREN?
- What are the main threats for a university?
Sources for threat information

- SURF Cyberdreigingsbeeld 2014: https://www.surf.nl/nieuws/2014/11/handvatten-omcybersecurity-instellingen-te-verbeteren.html
- Cyber Security Beeld Nederland 4 (NCSC): https://www.ncsc.nl/dienstverlening/expertise-advies/kennisdeling/trendrapporten/cybersecuritybeeldnederland-4.html
- Dutch Cyber Security Council (CSR), cyber security guide for the board room: _VENJ_Cybersecurity_UK_vdef.pdf
- ENISA Threat Landscape: evolving-threat-environment/enisa-threat-landscape-midyear-2013/at_download/fullreport
- World Economic Forum
Threat types (ENISA Threat Landscape and Good Practice Guide for Internet Infrastructure)

Threat type / Threat: Asset types

Physical attacks
- Unauthorised physical access / unauthorised entries to premises: Hardware, Infrastructure
- Sabotage: Hardware, Infrastructure

Disasters
- Natural disasters: Hardware, Software, Information, Services, Interconnection, Infrastructure, Human resources
- Environmental disasters: Hardware, Software, Information, Services, Interconnection, Infrastructure, Human resources

Failures/Malfunctions
- Failures of parts of devices: Protocols, Hardware, Software, Information, Services
- Configuration errors: Protocols, Hardware, Software, Information, Services

Outages
- Lack of resources: Hardware, Software, Information, Services, Interconnection, Infrastructure, Human resources
- Network outages: Hardware, Software, Information, Services

Unintentional damages (accidental)
- Information leakage/sharing: Hardware, Software, Information, Services, Interconnection
- Unintentional change of data in an information system: Protocols, Hardware, Software, Information, Services

Damage/Loss (IT assets)
- Damage caused by third parties: Hardware, Software, Information, Services, Interconnection, Infrastructure, Human resources
- Loss of reputation: Interconnection, Human resources

Nefarious activity/abuse
- Manipulation of hardware and software: Protocols, Hardware, Software, Information, Services
- Denial of service attacks (DoS/DDoS): Hardware, Software, Information, Services

Eavesdropping/Interception/Hijacking
- Interception of compromising emissions: Protocols, Software, Information, Services
- Man in the middle / session hijacking: Software, Information, Services

Legal
- Violations of law or regulation / breaches of legislation: Software, Information, Interconnection, Human resources
- Failure to meet contractual requirements: Software, Information, Interconnection, Human resources

Source: ENISA Threat Landscape and Good Practice Guide for Internet Infrastructure, January 2015