How to Share Best Security Practices

Urpo Kaila, EUDAT Security Officer
urpo.kaila@csc.fi, security@eudat.eu

WISE Workshop for Information Security for E-infrastructures
2015-10-22, Barcelona

This work is licensed under the Creative Commons CC-BY 4.0 licence. Attribution: EUDAT – www.eudat.eu
EUDAT receives funding from the European Union's Horizon 2020 programme - DG CONNECT e-Infrastructures. Contract No. 654065
Standard Building Blocks of Information Security

Several frameworks available. The building blocks (shown as a diagram on the original slide):
• Security Reviews and Testing
• Security and Risk Governance
• Management & ITSM
• Software and Service Development Security
• Access Controls
• Asset Management
• Confidentiality, Integrity, Availability
• Computer Security
• Network Security
• Operational Security

Assets -> Risks -> Controls -> Metrics
Different kinds and levels of security skills

Roles shown on the original slide diagram:
• IT Security Managers
• Directors
• Auditors
• Service Managers
• Programmers
• Administrators, IT Support
• Operators
• Experts on technical security
• Security Managers
• Users
• Operating Engineers
Well known legacy professional security skills definitions and certifications

Generic Security Management:
• CISSP (ISC)² CBK
• CISM (ISACA)
• COBIT
• PECB
• …

Technical Security:
• GCED
• GCIH
• GSNA
• SANS
• CEH
• BoK
• …

Vendor specific (includes security):
• MTA
• RHCSE
• …
How do you measure security skills?

• By bragging?
• By experience? CV?
• By training obtained?
• By certifications achieved?

Skills certifications are standard requirements in the private sector. Obtaining and maintaining such a certification is somewhat expensive. A certification shows that a person knows at least the basics of the trade – it does not prove that the person is a senior professional, which requires more experience.
A common problem with generic security skills and security guidelines

It is difficult to apply them efficiently in your organisation. Proceed from outlining to implementation.
How can skills become practice?

The principles and theoretical skills must be adapted to your context in a reasonable and efficient way. Best practices should be implemented.

Definition (Wikipedia): A best practice is a method that has consistently shown superior results. Best practices are used to maintain quality and can be based on benchmarking. Best practices are a feature of many accredited management standards.
How could implementation be easier?

Necessary prerequisites:
• Skills
• Management support
• A plan with check-ups
• Leadership (it will not just happen)

Share experiences on how to implement with your peers:
• Also cover confidential/sensitive information
• Informal information is often more crucial than formal documents
• Apply the Chatham House Rule
• One size does not fit all
A successful track record

I've had rewarding experiences in sharing best practices with
• Several government agencies
• Private companies
• NRENs
• Universities
• Research infrastructures

• It would probably have been extremely difficult for us to achieve ISO 27001 without sharing best practices earlier
• The standards and frameworks tell you what to do
• Best practices tell you, by examples, how to do it
Methods of sharing best practices

• Articles, books
• Presentations
• Trainings
• Reviews and audits
• Guidelines
• Site visits
• Workshops
• Informal communication

N.B. Not everything needs to be formalised; informal face-to-face meetings are also very valuable.
Suggestions for joint ISMS activities

• Joint skills transfer program on operational security
• A training kit for Site Security Officers
• A non-profit lightweight skills certification for Site Security Officers
• A voluntary practice sharing program for site visits for ISMS sharing
• Peer reviews/audits of ISMS
• Articles on current ISMS practices
• Develop a multilateral NDA covering all of the above
• An effort to apply for resources and funding for all of the above

I personally volunteer to contribute if feasible.
Thank you!

All comments are welcome to: urpo.kaila@csc.fi
EUDAT related security incidents -> csirt@eudat.eu
Other EUDAT security related -> security@eudat.eu
www.eudat.eu