[Ssr2-review] Work plan (draft) Sub Team 2 – ICANN Security

Boban Krsic krsic at denic.de
Mon Jun 5 15:49:28 UTC 2017


Thanks Jennifer.

    - Boban



> Am 05.06.2017 um 17:45 schrieb Jennifer Bryce <jennifer.bryce at icann.org>:
>
> Hi all,
>
> The Google doc version has been posted on the wiki here: https://community.icann.org/pages/viewpage.action?pageId=64076120 . RT members have editing rights.
>
> Best,
> Jennifer
>
> -----Original Message-----
> From: <ssr2-review-bounces at icann.org> on behalf of Boban Krsic <krsic at denic.de>
> Date: Sunday, June 4, 2017 at 10:24 PM
> To: SSR2 <ssr2-review at icann.org>
> Subject: [Ssr2-review] Work plan (draft) Sub Team 2 – ICANN Security
>
>    Dear All,
>
>    Please find attached a first draft of a work plan for subteam 2 - ICANN
>    Security. I propose that the basis for further development should be a
>    gap analysis (without any obligation to certify anything) based on the
>    following two industrial standards: ISO/IEC 27001:2013 Information
>    Security Management Systems (ISMS) and ISO 22301:2012 Business
>    Continuity Management Systems (BCMS). With the use of both standards, we
>    should be able to address all relevant work items that we identified in
>    Madrid. To begin with, I have created a simple MS Excel file that
>    contains all relevant information for project planning and realization
>    of the gap analysis. The file contains a total of four sheets:
>
>    * Sheet1 (Workplan) contains the main key action steps, a description of
>    the action, expected outcome, evaluation methodology, required skill
>    set, responsible person, proposed timeline, and finally a reference to
>    Madrid’s work item list. The list is not finished and needs to be
>    completed.
>
>    * Sheet2 (Checklist 27001) contains 32 questions to address all relevant
>    requirements of the main part of an ISMS based on ISO/IEC 27001. With the
>    checklist, we are able to evaluate the following category groups:
>
>        * Scope, relevant parties (stakeholder)
>        * Leadership, roles and responsibilities
>        * Risk management and risk treatment
>        * Resources, competence, awareness and communication
>        * Performance evaluation, internal audit and management review
>        * Improvement of the ISMS
>
>    * Sheet3 (Checklist 27001 – Annex A) contains a list of 114 questions
>    based on Annex A of ISO/IEC 27001. It is a list of security controls
>    (or safeguards) that are to be used to improve the security of information.
>    The controls are structured into 14 sections, and the purpose of each
>    section of Annex A is as follows [1]:
>
>        * Information security policies – controls on how to write and
>    review policies
>        * Organization of information security – controls on how the
>    responsibilities are assigned
>        * Human resources security – controls affecting employment
>        * Asset management – controls related to inventory of assets and
>    acceptable use, also for information classification and media handling
>        * Access control – controls for access control policy, user access
>    management, system and application access control, and user responsibilities
>        * Cryptography – controls related to encryption and key management
>        * Physical and environmental security – controls defining secure
>    areas, entry controls, protection against threats, equipment security,
>    secure disposal, clear desk and clear screen policy, etc.
>        * Operational security – lots of controls related to management of IT
>    production: change management, capacity management, malware, backup,
>    logging, monitoring, installation, vulnerabilities
>        * Communications security – controls related to network security,
>    segregation, network services, transfer of information, messaging, etc.
>        * System acquisition, development and maintenance – controls
>    defining security requirements and security in development and support
>    processes
>        * Supplier relationships – controls on what to include in
>    agreements, and how to monitor the suppliers
>        * Information security incident management – controls for
>    reporting events and weaknesses, defining responsibilities, response
>    procedures, and collection of evidence
>        * Information security aspects of business continuity management –
>    controls requiring the planning of business continuity, procedures,
>    verification and reviewing, and IT redundancy
>        * Compliance – controls requiring the identification of applicable laws
>    and regulations, intellectual property protection, personal data
>    protection, and reviews of information security
>
>    * Sheet4 (Checklist 22301) is similar to sheet1 but with a focus on
>    Business Continuity Management. The checklist contains a list of 90
>    questions to address all relevant requirements of a BCMS based on ISO
>    22301. With the checklist, we are able to evaluate the following
>    category groups:
>
>        * Scope, supply chain, l&r requirements and assurance
>        * Leadership, roles and responsibilities
>        * Risks and opportunities
>        * Business continuity objectives and plans to achieve them
>        * Human resources, competence and training and awareness
>        * Communication and documentation
>        * Operational planning and control
>        * Business Impact Analysis (BIA) and Risk Assessment
>        * Business continuity strategy / Resource recovery strategy
>        * Incident response structure
>        * Business continuity plans
>        * Monitoring, measurement, analysis and evaluation
>        * Internal audit and management review
>        * Improvement of the BCMS
>
>    I am using a similar list for my annual internal audits at DENIC.
>    Altogether I would expect a total effort of approx. 15-20 m/d to perform
>    key action steps 1.0 and 2.0. External consultants are also possible and
>    in my view a good option.
>
>    Jennifer, it would be great if you could import the file to google docs
>    and share the link for editing purposes.
>
>    Any feedback on this would be great.
>
>    Regards,
>
>        - Boban.
>
>
>
>    [1]https://advisera.com/27001academy/knowledgebase/overview-of-iso-270012013-annex-a/
>
>
>
>
>    --
>
>    Boban Kršić
>    Chief Information Security Officer
>
>    DENIC eG, Kaiserstraße 75-77, 60329 Frankfurt am Main, GERMANY
>
>    E-Mail: krsic at denic.de, Phone: +49 69 272 35-120, Fax: -248
>    Mobile: +49 172 67 61 671
>    https://www.denic.de
>
>    X.509 Key-ID: 00A54FCB79884413A4
>    Fingerprint: 9D37 F593 AF9A D766 FAB4 8B88 D49A 2716
>
>    PGP Key-ID: 0x43C89BA9
>    Fingerprint: B974 E725 FEF7 CB3A E452 BEE0 5B80 73E9 43C8 9BA9
>
>    Information pursuant to § 25a (1) GenG:
>    DENIC eG (registered office: Frankfurt am Main)
>    Executive Board: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg
>    Schweiger
>    Chairman of the Supervisory Board: Thomas Keller
>    Registered under No. 770 in the Cooperative Register, Local Court
>    (Amtsgericht) Frankfurt am Main