22-10-15

Whitepaper Information Security Management (and a little on privacy)
GEANT SIG ISM
Alf Moens, 1st WISE workshop, Barcelona 20-22/10/2015

Purpose and target group

Purpose
* Provide a comprehensive framework for establishing and managing information security for an NREN.
* Create a common language within and between NRENs.

Target groups:
- Security officers of NRENs
- Security officers of Infrastructures
- Security officers of Academia
A Brief History of Security
• NRENs have been working on security for more than 25 years; security has always been part of the network
• Most security activity has been focused on technical aspects of security measures and on incident response
• Lots of research and development
• Very active CERT/CSIRT community with excellent track record

Threat landscape is changing, a pro-active approach is needed
• Multiple vectors for actors
• Connectivity is vital for our users
• Users/academia need real-time and trustworthy connectivity to (third-party) IaaS and SaaS solutions

It's getting complicated
Security Management
• Roles and responsibilities
• Risk management
• Standards and frameworks
• Policies
• Baselines
• Awareness
• Incident response
• Tools

The Management of Security
• Monthly "control cycle"
  - Monitoring daily security operations
  - Escalation of incidents
  - Reporting
• Improvement cycle
  - Awareness and training
  - Improvement projects based upon audits of systems, networks, groups, applications etc.
• Quality cycle
  - Risk assessment and auditing
  - Evaluation of improvement plans
  - Evaluation of policies, roles and responsibilities, organisation of security including allocated resources
  - Management review, management commitment
Standards
ISO 27001
ISO 27002
NIST, COBIT, PAS 555, ISF, ...

Frameworks, baselines
• Comprehensive set of policies and guidelines
• Control framework based upon (subset from) ISO 27002
• Based on best practices
• For and from the security community
Draft Paper
• White paper will go into review on the SIG-ISM list next week
• Send in comments before end of November
• Final paper mid December on Géant website

A little word on Privacy
• Privacy versus security
• Privacy regulation is about
  - Protecting sensitive information (= security)
  - Rights of the user
  - Keeping your inventory
• EU data protection regulation
  - Do not store personal data outside of the EEA (i.e. EU plus Norway, Liechtenstein and Iceland)
  - Unless the specific country is on the EU whitelist
• http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm
EU Directive 95/46/EC
• Commission decisions on the adequacy of the protection of personal data in third countries
  - Andorra
  - Argentina
  - Canada
  - Switzerland
  - Faroe Islands
  - Guernsey
  - Israel
  - Jersey
  - Isle of Man
  - New Zealand
  - USA (Safe Harbour)
  - Uruguay

Data transfers outside the EU
• Individual consent (end user agreements)
• Binding Corporate Rules
• Commission decisions on the adequacy of the protection of personal data in third countries
• Model contracts for the transfer of personal data from the EU/EEA to third countries
• Transfer of Air Passenger Name Record (PNR) data and Terrorist Finance Tracking Programme (TFTP)
Alf Moens
alf.moens@surfnet.nl
www.surfnet.nl