Control on Information Security


1 Control on Information Security
State enforced or community powered? Alf Moens - Rolf Sture Normann - June 2015

2 Summary
SURFnet and Uninett both invest in improving information security at their universities.
- Uninett has an assignment from the Norwegian government
- SURFnet coordinates and supports community-driven initiatives from universities
- Both methods have their pros and cons, and both prove to be successful

Information security is recognised as a key control area for NRENs and universities. Although legislation has been in place for several decades, universities are only now starting to implement measures to get in control of information security. The upcoming new European privacy legislation seems to be an important driver to accelerate this process. In several countries NRENs play a key role in boosting and supporting the implementation of information security management within their subsidiaries. The approach can differ per country. In this session we will discuss the approach in Norway and in the Netherlands. They differ widely, but both are successful in reaching the goal of improving information security at the NREN and its subsidiaries.

3 Introduction
Alf Moens
- Corporate Security Officer SURF
- Chair Géant SIG ISM
- Vice chair PvIB

Rolf Sture Normann
- Head of Secretary of information security, HE sector
- Géant SIG ISM, member
- Chair of expert group JUS&Sec, Norway

4 Géant SIG Information Security Management
The SIG wants to bring the security management professionals of NRENs together and help them develop privacy & trust strategies and manage information security for the NREN as a business. The SIG wants to promote knowledge sharing and international collaboration together with the use of international standards and best practices on information security management.
- Establish a community of security management professionals
- Develop, maintain and promote a trust framework between NRENs based on international standards
- Promote the use of international security standards and share best practices for security management within NRENs
- Discuss and promote issues of information security management of particular interest to NRENs

5 Pictures: who-is-who, risk list, ISO 27002

6 Norwegian approach - UNINETT
- UNINETT (Norwegian NREN) is owned by the Ministry of Education
- Secretary for information security in the HE sector placed at UNINETT
- 34 primary institutions (secretary)
- 10 – 15 secondary institutions
- Security officer is a requirement from the Ministry of Education
- 32 institutions have been provided a basic security «pack»

Speaker notes: I hope everybody is somewhat familiar with UNINETT, or visit the Nordic booth. The Secretary can be compared to Alf's department in the Netherlands. The 34 institutions will become fewer, but bigger, due to reorganizing of the HE sector.

7 Timeline
- Information security started as an activity project in 2007, based on voluntary participation from the institutions
- 2010: HE sector was under supervision by the Office of the Auditor General, which stated that the ministry (owner) must take action
- Secretary of information security was the result, 2012 (UNINETT)
- Clear statement (mandate) from the ministry – no longer voluntary
- Financed by the institutions and activity payment
- Norwegian strategy of information security

Office of the Auditor General findings:
- Lack of security incident handling
- Lack of security organisation
- Lack of ROS (risk and vulnerability analysis)
- Lack of ISMS
- Lack of information asset control and classification of information

8 Mandate
- Contribute to a risk approach, risk assessments
- Contribute to establishing an ISMS
- Continuity planning
- Audit
- Security forums
- Security-awareness program
- Security guidelines and best practices
- Security advisors

9 The Project ISMS in Norway HE-sector
Background:
- New demands from different public agencies
- Laws and regulations
- Secretariat for Information Security – the Mission Statement

Activities:
- Study of information security practices in the HE sector
- Provide an ISMS framework for HE institutions based on the findings
- Implement the framework in selected institutions (pilot)
- Prepare course material for the HE sector
- Help implementing the framework in the rest of the institutions

10 Information

11 Conclusion – government enforcement
- Credibility and power for the secretary
- Security officers in place
- Management cannot disregard security activities
- Easy to enforce frameworks and security basics

But…
- Proper ownership of security processes?
- ISMS made and implemented, what then?
- Risk assessment: Check. What about treatment?
- Requires an active secretary and drivers at the institutions

12 Information Security in the Netherlands
- 51 universities (14 research, 37 universities of applied sciences)
- 40 have a security officer, some full-time, some part-time
- 28 have participated in SURFaudit benchmarks
- All agree upon the controlling framework. This is used for auditing
- Framework for information security consisting of model policies, guidelines, starter kits, HE architecture

13 Timeline Information Security
- Start in 2002 (SOHO) ….
- 2007 first benchmark
- 2009 Framework for information security
- 2010 development of SURFaudit, controlling framework based on ISO 27002
- 2011 first benchmark: 16 participants
- 2013 second benchmark: 25 participants
- 2015 Benchmark with peer reviewing

Speaker notes: Will make a nice picture with a timeline.

14 Governance of Information Security
- Strong information security communities: SCIPR/SURFibo (100+ participants), SCIRT (200+ participants)
- Seminars, workgroups, 2-day conference, early warning mailing list
- Strong commitment from IT managers and CIOs of universities
- Strong commitment from the board
- No enforcement, though recently the government has started questioning
- Funding: involvement of SOs, SURFnet hires capacity for ghostwriting, project management
- Cyber risk assessment in 2014

15 Different types of assessments and audits
Diagram (axes: amount of work vs. value), from least to most work and value:
- Self-assessment
- Self-assessment with peer support
- Peer audit
- Audit
- ISO certification

Speaker notes: In 2011 only self-assessments were carried out. In 2012 only assessing audits will be carried out. Old design, transform to new house style and logos.

16 SURFaudit - results Benchmark 2013
Scores in Benchmark 2013 were lower. Reasons (first analysis):
- extension of the standards framework with privacy
- addition of an evidence list for level 3
- more critical measurements, serious approach

Per institution (2013 results):
- highest average score 3.0
- lowest average score 1.8
- 3 institutions without a single 1

17 Conclusions Dutch approach
- Getting in control takes a long time if you do it the Dutch way: “Polderen”: getting a solution everyone agrees upon
- Though you might have agreement, that doesn’t mean every university will follow
- If there is no strong outside pressure (incidents, image, supervising body), information security is not top of the list
- Using the knowledge and experience in the universities can deliver fast and useful results

18 Conclusions/Comparison
- Both approaches are successful
- Try combining them
- Find a supervising body who enforces but is willing to give you some slack
- Key is to have a good set of best practices

                 Norwegian          Dutch
Initiative       State enforced     Community powered
Coverage         95%                65%
Responsibility   central            institution
Funding          direct             indirect
Implementation   Started 2010       Started 2003
Ownership        Questionable       Implicit

19 References
- Cyber Risk Assessment HE-NL: Cyberdreigingsbeeld HO
- Security en SURF
- Uninett

20 Rolf Sture Normann Alf Moens
