Control on Information Security

Presentation transcript:

Control on Information Security: State enforced or community powered?
Alf Moens, Rolf Sture Normann, June 2015

Summary
SURFnet and Uninett both invest in improving information security at their universities. Uninett has an assignment from the Norwegian government; SURFnet coordinates and supports community-driven initiatives from universities. Both methods have their pros and cons, and both prove to be successful.

Information security is recognised as a key control area for NRENs and universities. Though legislation has been in place for several decades, universities are only just now starting to implement measures to get in control of information security. The upcoming new European privacy legislation seems to be an important driver to accelerate this process. In several countries NRENs play a key role in boosting and supporting the implementation of information security management within their subsidiaries. The approach can differ per country. In this session we will discuss the approach in Norway and in the Netherlands. They differ widely, but both are successful in reaching the goal of improving information security at the NREN and its subsidiaries.

Introduction
Alf Moens: Corporate Security Officer, SURF; Chair, Géant SIG ISM; Vice chair, PvIB
Rolf Sture Normann: Head of the Secretary of information security, HE sector; Géant SIG ISM member; Chair of expert group JUS&Sec, Norway

Géant SIG Information Security Management
The SIG wants to bring the security management professionals of NRENs together and help them develop privacy & trust strategies and manage information security for the NREN as a business. The SIG wants to promote knowledge sharing and international collaboration, together with the use of international standards and best practices on information security management.
- Establish a community of security management professionals
- Develop, maintain and promote a trust framework between NRENs based on international standards
- Promote the use of international security standards and share best practices for security management within NRENs
- Discuss and promote issues of information security management of particular interest to NRENs
https://www.surf.nl/over-surf/contact/routebeschrijving-surf-surfmarket-en-surfnet/index.html

Speaker notes: pictures: who-is-who, risk list, ISO 27002

Norwegian approach - UNINETT
- UNINETT (Norwegian NREN) is owned by the ministry of education
- Secretary for information security in the HE sector is placed at UNINETT
- 34 primary institutions (secretary), 10 to 15 secondary institutions
- A security officer is a requirement from the ministry of education
- 32 institutions have been provided a basic security "pack"
Speaker notes: I hope everybody is somewhat familiar with UNINETT; otherwise, visit the Nordic booth. The secretary can be compared to Alf's department in the Netherlands. The 34 institutions will become fewer, but bigger, due to reorganising of the HE sector.

Timeline
- Information security started as an activity in the @Campus project in 2007, based on voluntary participation from the institutions
- 2010: the HE sector was under supervision by the Office of the Auditor General, which stated that the ministry (owner) must take action
- The Secretary of information security was the result, 2012 (UNINETT)
- Clear statement (mandate) from the ministry: no longer voluntary
- Financed by the institutions and activity payment
- Norwegian strategy of information security
Findings of the Office of the Auditor General:
- Lack of security incident handling
- Lack of security organisation
- Lack of ROS
- Lack of ISMS
- Lack of information asset control and classification of information

Mandate
- Contribute to a risk approach, risk assessments
- Contribute to establishing an ISMS
- Continuity planning
- Audit
- Security forums
- Security-awareness program
- Security guidelines and best practices
- Security advisors

The Project ISMS in the Norwegian HE sector
Background:
- New demands from different public agencies
- Laws and regulations
- Secretariat for Information Security: the Mission Statement
Activities:
- Study of information security practices in the HE sector
- Provide an ISMS framework for HE institutions based on the findings
- Implement the framework in selected institutions (pilot)
- Prepare course material for the HE sector
- Help implementing the rest of the institutions

Information: WWW.UNINETT.NO/INFOSIKKERHET

Conclusion: government enforcement
- Credibility and power for the secretary
- Security officers in place
- Management cannot disregard security activities
- Easy to enforce frameworks and security basics
But...
- Proper ownership of security processes?
- ISMS made and implemented, what then?
- Risk assessment: check. What about treatment?
- Requires an active secretary and drivers at the institutions

Information Security in the Netherlands
- 51 universities (14 research, 37 universities of applied sciences)
- 40 have a security officer, some full-time, some part-time
- 28 have participated in SURFaudit benchmarks
- All agree upon a controlling framework; this is used for auditing
- Framework for information security consisting of model policies, guidelines, starter kits, HE architecture

Timeline Information Security
- Start in 2002 (SOHO) ...
- 2007: first benchmark
- 2009: Framework for information security
- 2010: development of SURFaudit, controlling framework based on ISO 27002
- 2011: first benchmark, 16 participants
- 2013: second benchmark, 25 participants
- 2015: Benchmark with peer reviewing
Speaker notes: will make a nice picture with a timeline.

Governance of Information Security
- Strong information security communities: SCIPR/SURFibo (100+ participants), SCIRT (200+ participants)
- Seminars, workgroups, 2-day conference, early warning mailing list
- Strong commitment from IT managers and CIOs from universities
- Strong commitment from the board
- No enforcement, though recently the government is starting to ask questions
- Funding: involvement of SOs; SURFnet hires capacity for ghostwriting and project management
- Cyber risk assessment in 2014

Different types of assessments and audits
[Figure: assessment types plotted by amount of work against value: ISO 27001 certification, Audit, Peer Audit, Self-assessment with peer support, Self-assessment]
Speaker notes: In 2011 only self-assessments were carried out. In 2012 only assessing audits will be carried out. Old design, transform to new house style and logos.

SURFaudit results
Benchmark 2013: scores in Benchmark 2013 are lower. Reasons (first analysis):
- extension of the control framework with privacy
- addition of an evidence list for level 3
- more critical measurements, serious approach
Per institution (2013 results):
- highest average score 3.0
- lowest average score 1.8
- 3 institutions with no single score of 1

Conclusions Dutch approach
- Getting in control takes a long time if you do it the Dutch way: "Polderen", getting a solution everyone agrees upon
- Though you might have agreement, that doesn't mean every university will follow
- If there is no strong outside pressure (incidents, image, supervising body), IS is not top of the list
- Using the knowledge and experience in the universities can deliver fast and useful results

Conclusions/Comparison
- Both approaches are successful
- Try combining them
- Find a supervising body who enforces but is willing to give you some slack
- Key is to have a good set of best practices

                 Norwegian        Dutch
Initiative       State enforced   Community powered
Coverage         95%              65%
Responsibility   central          institution
Funding          direct           indirect
Implementation   Started 2010     Started 2003
Ownership        Questionable     Implicit

References
- Cyber Risk Assessment HE-NL: Cyberdreigingsbeeld HO, https://www.surf.nl/nieuws/2014/11/handvatten-om-cybersecurity-instellingen-te-verbeteren.html
- Security and privacy @ SURF: https://www.surf.nl/themas/beveiliging
- Security @ Uninett: WWW.UNINETT.NO/INFOSIKKERHET

Rolf Sture Normann, rolf.sture.normann@uninett.no
Alf Moens, alf.moens@surfnet.nl