Whitepaper information Security Management (and a little on privacy)



Slide 1 (22-10-15)

GEANT SIG ISM

Whitepaper information Security Management (and a little on privacy)

Alf Moens, 1st WISE workshop, Barcelona 20-22/10/2015

Purpose and target group

Purpose

  • Provide a comprehensive framework for establishing and managing information security for a NREN.
  • Create a common language within and between NRENs.

Target groups:

  • Security officers of NRENs
  • Security officers of Infrastructures
  • Security officers of Academia
Slide 2

A Brief History of Security

  • NRENs have been working on security for more than 25 years; security has always been part of the network
  • Most security activity has been focused on technical aspects of security measures and on incident response

  • Lots of research and development
  • Very active CERT/CSIRT community with excellent track record

Threat landscape is changing, a pro-active approach is needed

  • Multiple vectors for actors
  • Connectivity is vital for our users
  • Users/academia need real-time and trustworthy connectivity to (third party) IAAS and SAAS solutions

It’s getting complicated

Slide 3

Security Management

  • Roles and responsibilities
  • Risk Management
  • Standards and frameworks
  • Policies
  • Baselines
  • Awareness
  • Incident response
  • Tools

The Management of Security

  • Monthly “control cycle”
  • Monitoring daily security operations
  • Escalation of incidents
  • Reporting
  • Improvement cycle
  • Awareness and training
  • Improvement projects based upon audits of systems, networks, groups, applications etc.
  • Quality Cycle
  • Risk assessment and auditing
  • Evaluation of improvement plans
  • Evaluation of policies, roles and responsibilities, organisation of security including allocated resources
  • Management review, management commitment

Slide 4

Standards

  • ISO 27001, ISO 27002
  • NIST, COBIT, PAS 555, ISF, …

Frameworks, baselines

  • Comprehensive set of policies and guidelines
  • Control framework based upon (subset from) ISO 27002
  • Based on best practices
  • For and from the security community

Slide 5

Draft Paper

  • White paper will go into review on the SIG-ISM list next week
  • Send in comments before end of November
  • Final paper mid December on Géant website

A little word on Privacy

  • Privacy versus security
  • Privacy regulation is about
    • Protecting sensitive information (=security)
    • Rights of the user
    • Keeping your inventory
  • EU data protection regulation
    • Do not store personal data outside of the EEA (i.e. EU plus Norway, Liechtenstein and Iceland)
    • Unless the specific country is on the EU Whitelist
    • http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm

Slide 6

Data transfers outside the EU

EU Directive 95/46/EC

  • Individual consent (End user agreements)
  • Binding Corporate rules
  • Commission decisions on the adequacy of the protection of personal data in third countries
  • Model Contracts for the transfer of personal data from the EU/EEA to third countries
  • Transfer of Air Passenger Name Record (PNR) Data and Terrorist Finance Tracking Programme (TFTP)

Commission decisions on the adequacy of the protection of personal data in third countries

  • Andorra
  • Argentina
  • Canada
  • Switzerland
  • Faroe Islands
  • Guernsey
  • Israel
  • Jersey
  • Isle of Man
  • New Zealand
  • USA (Safe Harbour)
  • Uruguay

Slide 7

www.surfnet.nl
Alf Moens
alf.moens@surfnet.nl