[Ssr2-review] Work plan (draft) Sub Team 2 – ICANN Security

Boban Krsic krsic at denic.de
Sun Jul 9 19:56:41 UTC 2017


Dear sub-team,

As mentioned at the last F2F workshop in Joburg, I would like to ask you
for some feedback on the new structure of sub topic 2 - ICANN SSR [1].
Please review the re-organized work items (all 37 items merged into 8
groups) and send any feedback directly to the new sub-group mailing list
(cc'd). Following Geoff's approach, please bear in mind the following
questions: (Thanks Geoff ;-))

* Is this a useful structure to use to organize this activity?
* What is missing from this list?
* Is there anything here that is perhaps out of scope?
* Is this an achievable agenda?
Best regards,
  Boban.

[1]
https://docs.google.com/document/d/1DWoT4VoMlT5Dvcy78EXI-O5tQFqa9CblwsDEV6go51s/edit




On 08.06.17 at 16:33, Boban Krsic wrote:
> Hi Alain,
> 
> On 07.06.17 at 18:43, ALAIN AINA wrote:
>> Hello,
>>
>> As discussed yesterday on the call, this is what I think the sub-group (ICANN Security) should do:
>>
>> - Analyze the risk management framework in place at ICANN in general and for the SSR remit
>> - Analyze the security management framework
>> 	* Security efforts and effectiveness
>> 	* Auditing: reports and implementation of recommendations.
> 
> this represents IMHO only a limited view and does not follow a holistic
> approach to information security and especially to business continuity
> management. Both standards, ISO/IEC 27001 ISMS and ISO 22301 BCMS, are
> widely accepted and represent a risk- and process-based approach to
> dealing with information security and business continuity issues in
> general. In addition to that, we get a list of security controls that are
> to be used to improve security at the organization. I believe that with
> the use of both standards, we should be able to address all relevant
> work items that we identified in Madrid, and that in an efficient way.
> 
> Best,
>   Boban.
> 
>> - Gap analysis
>> - Recommendations
>>
>> Its work will be fed by the work of sub-group 1 (SSR1 implementation), which shall evaluate the effectiveness of the implementation of
>> recommendations 9, 26 and 27 below.
>>
>>
>> Hope this helps
>>
>> —Alain
>>
>>
>>
>> ====================
>> 9 ICANN should assess certification options with commonly accepted international standards (e.g., ITIL, ISO and SAS-70) for
>> its operational responsibilities. ICANN should publish a clear roadmap towards certification.
>>
>> 26 ICANN should prioritize the timely completion of a Risk Management Framework.
>>
>> 27 ICANN’s Risk Management Framework should be comprehensive within the scope of its SSR remit and limited missions.
>> ========================
>>
>>
>>> On 5 Jun 2017, at 05:24, Boban Krsic <krsic at denic.de> wrote:
>>>
>>> Dear All,
>>>
>>> Please find attached a first draft of a work plan for subteam 2 - ICANN
>>> Security. I propose that the basis for further development should be a
>>> gap analysis (without any obligation to certify anything) based on the
>>> following two industry standards: ISO/IEC 27001:2013 Information
>>> Security Management Systems (ISMS) and ISO 22301:2012 Business
>>> Continuity Management Systems (BCMS). With the use of both standards, we
>>> should be able to address all relevant work items that we identified in
>>> Madrid. To begin with, I have created a simple MS Excel file that
>>> contains all relevant information for project planning and realization
>>> of the gap analysis. The file contains a total of four sheets:
>>>
>>> * Sheet1 (Workplan) contains the main key action steps, a description of
>>> the action, expected outcome, evaluation methodology, required skill
>>> set, responsible person, proposed timeline, and finally a reference to
>>> Madrid’s work item list. The list is not finished and needs to be
>>> completed.
>>>
>>> * Sheet2 (Checklist 27001) contains 32 questions to address all relevant
>>> requirements of the main part of an ISMS based on ISO/IEC 27001. With the
>>> checklist, we are able to evaluate the following category groups:
>>>
>>> 	* Scope, relevant parties (stakeholder)
>>> 	* Leadership, roles and responsibilities
>>> 	* Risk management and risk treatment
>>> 	* Resources, competence, awareness and communication
>>> 	* Performance evaluation, internal audit and management review
>>> 	* Improvement of the ISMS
>>>
>>> * Sheet3 (Checklist 27001 - Annex A) contains a list of 114 questions
>>> based on Annex A of ISO/IEC 27001. It is a list of security controls
>>> (or safeguards) that are to be used to improve the security of information.
>>> The controls are structured into 14 sections; the purpose of each of the
>>> 14 sections of Annex A is [1]:
>>>
>>> 	* Information security policies - controls how to write and
>>> review policies
>>> 	* Organization of information security – controls on how the
>>> responsibilities are assigned
>>> 	* Human resources security – controls affecting the employment
>>> 	* Asset management – controls related to inventory of assets and
>>> acceptable use, also for information classification and media handling
>>> 	* Access control – controls for Access control policy, user access
>>> management, system and application access control, and user responsibilities
>>> 	* Cryptography – controls related to encryption and key management
>>> 	* Physical and environmental security – controls defining secure
>>> areas, entry controls, protection against threats, equipment security,
>>> secure disposal, clear desk and clear screen policy, etc.
>>> 	* Operational security – lots of controls related to management of IT
>>> production: change management, capacity management, malware, backup,
>>> logging, monitoring, installation, vulnerabilities
>>> 	* Communications security – controls related to network security,
>>> segregation, network services, transfer of information, messaging, etc.
>>> 	* System acquisition, development and maintenance – controls
>>> defining security requirements and security in development and support
>>> processes
>>> 	* Supplier relationships – controls on what to include in
>>> agreements, and how to monitor the suppliers
>>> 	* Information security incident management – controls for
>>> reporting events and weaknesses, defining responsibilities, response
>>> procedures, and collection of evidence
>>> 	* Information security aspects of business continuity management –
>>> controls requiring the planning of business continuity, procedures,
>>> verification and reviewing, and IT redundancy
>>> 	* Compliance – controls requiring the identification of applicable laws
>>> and regulations, intellectual property protection, personal data
>>> protection, and reviews of information security
>>>
>>> * Sheet4 (Checklist 22301) is similar to Sheet1 but with a focus on
>>> Business Continuity Management. The checklist contains a list of 90
>>> questions to address all relevant requirements of a BCMS based on ISO
>>> 22301. With the checklist, we are able to evaluate the following
>>> category groups:
>>>
>>> 	* Scope, supply chain, l&r requirements and assurance
>>> 	* Leadership, roles and responsibilities
>>> 	* Risks and opportunities
>>> 	* Business continuity objectives and plans to achieve them
>>> 	* Human resources, competence and training and awareness
>>> 	* Communication and documentation
>>> 	* Operational planning and control
>>> 	* Business Impact Analysis (BIA) and Risk Assessment
>>> 	* Business continuity strategy / Resource recovery strategy
>>> 	* Incident response structure
>>> 	* Business continuity plans
>>> 	* Monitoring, measurement, analysis and evaluation
>>> 	* Internal audit and management review
>>> 	* Improvement of the BCMS
>>>
>>> I am using a similar list for my annual internal audits at DENIC.
>>> Altogether I would expect a total effort of approx. 15-20 m/d to perform
>>> key action steps 1.0 and 2.0. External consultants are also possible and
>>> in my view a good option.
>>>
>>> Jennifer, it would be great if you could import the file into Google Docs
>>> and share the link for editing purposes.
>>>
>>> Any feedback on this would be great.
>>>
>>> Regards,
>>>
>>> 	- Boban.
>>>
>>>
>>>
>>> [1]https://advisera.com/27001academy/knowledgebase/overview-of-iso-270012013-annex-a/
>>>
>>>
>>>
>>>
>>> <170531.Workplan_ICANN_Security_draft_0.91.xlsx>
>>> _______________________________________________
>>> Ssr2-review mailing list
>>> Ssr2-review at icann.org
>>> https://mm.icann.org/mailman/listinfo/ssr2-review
>>
> 


-- 

Boban Kršić
Chief Information Security Officer

DENIC eG, Kaiserstraße 75-77, 60329 Frankfurt am Main, GERMANY

E-Mail: krsic at denic.de, Phone: +49 69 272 35-120, Fax: -248
Mobile: +49 172 67 61 671
https://www.denic.de

X.509 Key-ID: 00A54FCB79884413A4
Fingerprint: 9D37 F593 AF9A D766 FAB4 8B88 D49A 2716

PGP Key-ID: 0x43C89BA9
Fingerprint: B974 E725 FEF7 CB3A E452 BEE0 5B80 73E9 43C8 9BA9

Information pursuant to § 25a para. 1 GenG:
DENIC eG (registered office: Frankfurt am Main)
Board of Directors: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg
Schweiger
Chairman of the Supervisory Board: Thomas Keller
Registered under No. 770 in the Register of Cooperatives, Local Court
(Amtsgericht) Frankfurt am Main
