How to Share Best Security Practices
Urpo Kaila, EUDAT Security Officer
urpo.kaila@csc.fi, security@eudat.eu
WISE Workshop for Information Security for E-infrastructures, 2015-10-22, Barcelona
This work is licensed under the Creative Commons CC-BY 4.0 licence. Attribution: EUDAT www.eudat.eu
EUDAT receives funding from the European Union's Horizon 2020 programme - DG CONNECT e-infrastructures. Contract No. 654065
www.eudat.eu
Standard Building Blocks of Information Security
Several frameworks available
Security Reviews and Testing
Confidentiality, Integrity, Availability
Software and Service Development Security
Security and Risk Management
Computer Security
Network Security
Operational Security
Assets -> Risks -> Controls -> Metrics
Governance & ITSM
Access Controls
Asset Management
Different kinds and levels of security skills
Auditors
Directors
IT Security Managers
Administrators, Operators
Programmers
IT Support
Service Managers
Users
Experts on technical security
Security Managers, Operating Engineers
Well-known legacy professional security skills definitions and certifications
Security Management: (ISC)² CBK, ISACA COBIT, PECB
Generic: CISSP, CISM
Technical Security: GCED, GCIH, GSNA (SANS), CEH BoK
Vendor specific (includes security): MTA, RHCSE
How do you measure security skills?
By bragging? By experience? CV? By trainings obtained? By certifications achieved?
Skills certifications are standard requirements in the private sector
Obtaining and maintaining such certification is somewhat expensive
A certification shows that a person knows at least the basics of the trade; it does not prove that the person is a senior professional, which requires more experience.
A common problem with generic security skills and security guidelines
It is difficult to apply them efficiently in your organisation
Proceed from outlining to implementation
How can skills become practice?
The principles and theoretical skills must be adapted to your context in a reasonable and efficient way
Best practices should be implemented
Definition (Wikipedia): A best practice is a method that has consistently shown superior results. Best practices are used to maintain quality and can be based on benchmarking. Best practices are a feature of many accredited management standards.
How could implementation be easier?
Necessary prerequisites: skills, management support, a plan with check-ups, leadership (it will not just happen)
Share experiences on how to implement with your peers
Also cover confidential/sensitive information
Informal information is often more crucial than formal documents
Apply the Chatham House Rule
One size does not fit all
A successful track record
I've had rewarding experiences in sharing best practices with several government agencies, private companies, NRENs, universities and research infrastructures
It would probably have been extremely difficult for us to achieve ISO 27001 without sharing best practices earlier
The standards and frameworks tell you what to do
Best practices tell you, by example, how to do it
Methods of sharing best practices
Articles, books
Presentations
Trainings
Reviews and audits
Guidelines
Site visits
Workshops
Informal communication
N.B. Not everything needs to be formalised; informal face-to-face meetings are also very valuable
Suggestions for joint ISMS activities
Joint skills transfer programme on operational security
A training kit for Site Security Officers
A non-profit lightweight skills certification for Site Security Officers
A voluntary practice sharing programme for site visits for ISMS sharing
Peer reviews/audits of ISMS
Articles on current ISMS practices
Develop a multilateral NDA covering all of the above
An effort to apply for resources and funding for all of the above
I personally volunteer to contribute if feasible
Thank you!
All comments are welcome to: urpo.kaila@csc.fi
EUDAT related security incidents -> csirt@eudat.eu
Other EUDAT security related -> security@eudat.eu
www.eudat.eu