[Ssr2-review] Work plan (draft) Sub Team 2 – ICANN Security

Boban Krsic krsic at denic.de
Mon Jun 5 05:24:05 UTC 2017

Dear All,

Please find attached a first draft of a work plan for subteam 2 - ICANN
Security. I propose, that the basis for further development should be a
gap analysis (without any obligations to certify something) based on the
following two industrial standards: ISO/IEC 27001:2013 Information
Security Management Systems (ISMS) and ISO 22301:2012 Business
Continuity Management Systems (BCMS). With the use of both standards, we
should be able to address all relevant work items that we identified in
Madrid. For the beginning, I have created a simple MS Excel that
consists all relevant information for project planning and realization
of the gap analysis. The file contains a total of four sheets:

* Sheet1 (Workplan) contains the main key action steps, a description of
the action, expected outcome, evaluation methodology, required skill
set, responsible person, proposed timeline, and finally a reference to
Madrid’s work item list. The list is not finished and needs to be

* Sheet2 (Checklist 27001) contains 32 questions to address all relevant
requirements of the main part of a ISMS based on ISO/IEC 27001. With the
checklist, we are able to evaluate the following category groups:

	* Scope, relevant parties (stakeholder)
	* Leadership, roles and responsibilities
	* Risk management and risk treatment
	* Resources, competence, awareness and communication
	* Performance evaluation, internal audit and management review
	* Improvement of the ISMS

* Sheet3 (Checklist 27001 – Annex A) contains a list of 114 questions
based on the Annex A of ISO/IEC 27001. It is a list of security controls
(or safeguards) that are to be used to improve security of information.
The controls are structured, and the purpose of each of the 14 sections
from Annex A [1]:
	* Information security policies - controls how to write and
review policies
	* Organization of information security – controls on how the
responsibilities are assigned
	* Human resources security – controls affecting the employment
	* Asset management – controls related to inventory of assets and
acceptable use, also for information classification and media handling
	* Access control – controls for Access control policy, user access
management, system and application access control, and user responsibilities
	* Cryptography – controls related to encryption and key management
	* Physical and environmental security – controls defining secure
areas, entry controls, protection against threats, equipment security,
secure disposal, clear desk and clear screen policy, etc.
	* Operational security – lots of controls related to management of IT
production: change management, capacity management, malware, backup,
logging, monitoring, installation, vulnerabilities
	* Communications security – controls related to network security,
segregation, network services, transfer of information, messaging, etc.
	* System acquisition, development and maintenance – controls
defining security requirements and security in development and support
	* Supplier relationships – controls on what to include in
agreements, and how to monitor the suppliers
	* Information security incident management – controls for
reporting events and weaknesses, defining responsibilities, response
procedures, and collection of evidence
	* Information security aspects of business continuity management –
controls requiring the planning of business continuity, procedures,
verification and reviewing, and IT redundancy
	* Compliance – controls requiring the identification of applicable laws
and regulations, intellectual property protection, personal data
protection, and reviews of information security

* Sheet4 (Checklist 22301) similar to sheet1 but with a focus on
Business Continuity Management. The checklist contains a list of 90
questions to address all relevant requirements of a BCMS based on ISO
22301. With the checklist, we are able to evaluate the following
category groups:

	* Scope, supply chain, l&r requirements and assurance
	* Leadership, roles and responsibilities
	* Risks and opportunities
	* Business continuity objectives and plans to achieve them
 	* Human resources, competence and training and awareness
	* Communication and documentation
	* Operational planning and control
	* Business Impact Analysis (BIA) and Risk Assessment
	* Business continuity strategy / Resource recovery strategy
	* Incident response structure
	* Business continuity plans
	* Monitoring, measurement, analysis and evaluation
	* Internal audit and management review
	* Improvement of the BCMS

I am using a similar list for my annually internal audits at DENIC.
Altogether I would expect a total effort of approx. 15-20 m/d to perform
key action steps 1.0 and 2.0. External consultants are also possible and
in my view a good option.

Jennifer, it would be great if you could import the file to google docs
and share the link for editing purposes.

Any feedback on this would be great.


	- Boban.



Boban Kršić
Chief Information Security Officer

DENIC eG, Kaiserstraße 75-77, 60329 Frankfurt am Main, GERMANY

E-Mail: krsic at denic.de, Fon: +49 69 272 35-120, Fax: -248
Mobil: +49 172 67 61 671

X.509 Key-ID: 00A54FCB79884413A4
Fingerprint: 9D37 F593 AF9A D766 FAB4 8B88 D49A 2716

PGP Key-ID: 0x43C89BA9
Fingerprint: B974 E725 FEF7 CB3A E452 BEE0 5B80 73E9 43C8 9BA9

Angaben nach § 25a Absatz 1 GenG:
DENIC eG (Sitz: Frankfurt am Main)
Vorstand: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg
Vorsitzender des Aufsichtsrats: Thomas Keller
Eingetragen unter Nr. 770 im Genossenschaftsregister, Amtsgericht
Frankfurt am Main

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 170531.Workplan_ICANN_Security_draft_0.91.xlsx
Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Size: 38283 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/ssr2-review/attachments/20170605/e9d96dd8/170531.Workplan_ICANN_Security_draft_0.91.xlsx>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: OpenPGP digital signature
URL: <http://mm.icann.org/pipermail/ssr2-review/attachments/20170605/e9d96dd8/signature.asc>

More information about the Ssr2-review mailing list