Security Management Geant SIG-SIM – Alf Moens

Security Management Geant SIG-SIM – Alf Moens
Security management in Norway – Rolf Sture Normann
Security management at DEIC – Henrik Larsen
Nordunet 2016 - Helsinki

SIG Information Security Management & WISE Alf Moens

Whoami
Corporate security officer SURF
Board member SCIPR
Chair SIG-ISM
Board member WISE
Member Géant Community Committee
ICT and security background with strong interest in privacy
Board member Dutch Platform for security professionals
Master Information Security Management (MISM, 2007)
More about the security management process: describe details and add PDCA, describe the components

GÉANT
GÉANT is the leading collaboration on network and related infrastructure and services for the benefit of research and education
an EC trusted partner for many years, as the coordinator of network projects co-funded by the European Union (EU).
a member organisation with NRENs as members
Research projects: GN4
  Network architecture
  Network services
  Trust and identity
Collaboration projects
  Several SIGs and taskforces; MSP: NREN service delivery
  Marcom
  NOC
  TF-CSIRT
  SIG-ISM
  TF-Storage
Spin offs
  REFEDS
WHAT IS GEANT, WHY, WHICH SIGS

The security landscape
Organisation, governance, roles and responsibilities, policy
Incident detection, prevention and response
Monitoring of infrastructure and suppliers
Risk management, security measures
Awareness and training
Assessments, Audit
Describe how these communities reinforce each other

Who is doing what in the security landscape?
Describe how these communities reinforce each other

national communities
Géant SIG-ISM
WISE
TF-CSIRT
CEO Forum
SIG-ISM
NREN CERT
????
Describe how these communities reinforce each other

Competing or collaborating?
Organisation, governance, roles and responsibilities, policy: SIG-ISM / WISE / CEO Forum
Incident detection, prevention and response
Monitoring of infrastructure and suppliers
Risk management, security measures
Awareness and training: TF-CSIRT, NREN-CERT, national communities
Assessments, Audit
Describe how these communities reinforce each other

WISE – security for e-infrastructures
WISE is for the e-infrastructures, globally, both networking and super- and grid-computing infrastructures.
WISE was initiated by Géant SIG-ISM and SCI.
  SIG-ISM: Information Security Management
  SCI: Security for Collaboration among Infrastructures
“Launching” e-infrastructures:
  Géant (European research and education networks)
  EGI (European Grid Infrastructure)
  EUDAT (research data services)
  PRACE (high performance computing)
Participating communities: NRENs, HEP/CERN, the Human Brain Project, XSEDE, NCSA, CTSC, LIGO and others
Kick off meeting at BSC, Barcelona, October 2015, 49 participants
Workshops at XSEDE and DI4R in 2016

WISE working program 2016
Updating the SCI-framework: an operational security framework with guidance for incident response, changes, user management
Security Training and Awareness: what training do you need, what is available
Risk Assessment: looking at the major risks on information security for an e-infrastructure
Security Review and Audit: can we set up a program of peer reviewing? What should you audit and when?
Security in Big and Open Data: identifying the security needs for big and open data

SIG ISM
Géant SIG ISM
Aimed at security officers
Getting in control: Information Security Management
Incident management seen as part of security management
Purpose
  - Trust, on what basis?
  - To certify or not to certify?
Whitepapers: information security management, risk management
2016: Expand the community
Establish a Risk Register
How to implement security management
Annually

Artwork: Rolf Sture Normann

SIG ISM is looking at NREN needs
Strong CERTs/CSIRTs
Trust
Some are ISO 27001 certified or are working on it:
  Because they are a tld registry
  Because they deliver services to government
  Internal motivation: goals for quality management
With SIG-ISM we are joining forces on the subject of trust

Whitepaper on Security Management
High level paper on how to organise information security in your organisation
Role and responsibilities
Selecting standards
Full paper at: https://wiki.geant.org/display/SIGISM/SIG+ISM+white+paper+security+management

Whitepaper on Risk Management
High level paper on setting up and maintaining a risk management process for an NREN.
Paper in draft, publicly available in September 2016
About organisation and methods for establishing a risk register aimed at controlling risk and taking the right measures.

Designing the Risk Matrix
SIG ISM worked on 3 subjects of the Risk Matrix in its February workshop in Copenhagen:
  Risks concerning hosted services
  Risks concerning people
  Risks concerning federated identity management systems
First steps to a comprehensive risk matrix for an NREN
Cooperate with WISE WG-SRA

Outcome Copenhagen Workshop (work in progress)
Hosted Services
  infrastructure complexity
  insecure software or infrastructures
  supplier incident detection
  trust/over-delegation
People
  Economical loss/reputation
  Sickness
  Leaving staff
  Segregation of duties
  Policies
  Screening (lack of)
Federations
  Declining (implicit) trust in growing federations
  Federation operator procedures and responsibilities
  Users cannot log in
  Cannot identify abuser/intruder
  Leak/abuse of personal information
  SP Data/Attribute profiles appropriate
  Protocol implementation vulnerabilities

Results of the September 2016 Trondheim Workshop
Write up success stories: what works, what doesn’t work
Business case for security management: when is security a success?
Share information and documentation
Expand the risk register
Tooling for security and risk management, and for secure sharing of information
Set up a directory of key people with a short description (2-pager) of what they are doing and how
Set up a FAQ
Survey on ISM
Trondheim

Competing or collaborating?
Organisation, governance, roles and responsibilities, policy: SIG-ISM / WISE / CEO Forum
Incident detection, prevention and response
Monitoring of infrastructure and suppliers
Risk management, security measures
Awareness and training: TF-CSIRT, NREN-CERT, national communities
Assessments, Audit
Describe how these communities reinforce each other

Always be prepared for your next incident

From incident handling to security management
Key Largo

Alf Moens
Alf.moens@surfnet.nl
Photos: Alf Moens