[Ssr2-review] Work plan (draft) Sub Team 2 – ICANN Security

Barrett, Kerry-Ann KABarrett at oas.org
Mon Jun 5 20:45:09 UTC 2017

Dear Boban

Thanks in advance for preparing this.  We should decide if we set up a meeting with the sub-team to discuss and set deadlines for feedback and comments before that meeting.

Kerry-Ann Barrett
Cyber Security Policy Specialist
Inter-American Committee against Terrorism
Secretariat for Multidimensional Security
Organization of American States
1889 F Street N.W., Washington, D.C. 20006 
T. 202-370-4675
F. 202-458-3857
kabarrett at oas.org
Register to our distribution list here!

-----Original Message-----
From: ssr2-review-bounces at icann.org [mailto:ssr2-review-bounces at icann.org] On Behalf Of Jennifer Bryce
Sent: Monday, June 5, 2017 11:45 AM
To: Boban Krsic <krsic at denic.de>; SSR2 <ssr2-review at icann.org>
Subject: [EXT] Re: [Ssr2-review] Work plan (draft) Sub Team 2 – ICANN Security

Hi all,

The Google doc version has been posted on the wiki here: https://community.icann.org/pages/viewpage.action?pageId=64076120 . RT members have editing rights. 


-----Original Message-----
From: <ssr2-review-bounces at icann.org> on behalf of Boban Krsic <krsic at denic.de>
Date: Sunday, June 4, 2017 at 10:24 PM
To: SSR2 <ssr2-review at icann.org>
Subject: [Ssr2-review] Work plan (draft) Sub Team 2 – ICANN Security

    Dear All,
    Please find attached a first draft of a work plan for subteam 2 - ICANN
    Security. I propose, that the basis for further development should be a
    gap analysis (without any obligations to certify something) based on the
    following two industrial standards: ISO/IEC 27001:2013 Information
    Security Management Systems (ISMS) and ISO 22301:2012 Business
    Continuity Management Systems (BCMS). With the use of both standards, we
    should be able to address all relevant work items that we identified in
    Madrid. For the beginning, I have created a simple MS Excel that
    consists all relevant information for project planning and realization
    of the gap analysis. The file contains a total of four sheets:
    * Sheet1 (Workplan) contains the main key action steps, a description of
    the action, expected outcome, evaluation methodology, required skill
    set, responsible person, proposed timeline, and finally a reference to
    Madrid’s work item list. The list is not finished and needs to be
    * Sheet2 (Checklist 27001) contains 32 questions to address all relevant
    requirements of the main part of a ISMS based on ISO/IEC 27001. With the
    checklist, we are able to evaluate the following category groups:
    	* Scope, relevant parties (stakeholder)
    	* Leadership, roles and responsibilities
    	* Risk management and risk treatment
    	* Resources, competence, awareness and communication
    	* Performance evaluation, internal audit and management review
    	* Improvement of the ISMS
    * Sheet3 (Checklist 27001 – Annex A) contains a list of 114 questions
    based on the Annex A of ISO/IEC 27001. It is a list of security controls
    (or safeguards) that are to be used to improve security of information.
    The controls are structured, and the purpose of each of the 14 sections
    from Annex A [1]:
    	* Information security policies - controls how to write and
    review policies
    	* Organization of information security – controls on how the
    responsibilities are assigned
    	* Human resources security – controls affecting the employment
    	* Asset management – controls related to inventory of assets and
    acceptable use, also for information classification and media handling
    	* Access control – controls for Access control policy, user access
    management, system and application access control, and user responsibilities
    	* Cryptography – controls related to encryption and key management
    	* Physical and environmental security – controls defining secure
    areas, entry controls, protection against threats, equipment security,
    secure disposal, clear desk and clear screen policy, etc.
    	* Operational security – lots of controls related to management of IT
    production: change management, capacity management, malware, backup,
    logging, monitoring, installation, vulnerabilities
    	* Communications security – controls related to network security,
    segregation, network services, transfer of information, messaging, etc.
    	* System acquisition, development and maintenance – controls
    defining security requirements and security in development and support
    	* Supplier relationships – controls on what to include in
    agreements, and how to monitor the suppliers
    	* Information security incident management – controls for
    reporting events and weaknesses, defining responsibilities, response
    procedures, and collection of evidence
    	* Information security aspects of business continuity management –
    controls requiring the planning of business continuity, procedures,
    verification and reviewing, and IT redundancy
    	* Compliance – controls requiring the identification of applicable laws
    and regulations, intellectual property protection, personal data
    protection, and reviews of information security
    * Sheet4 (Checklist 22301) similar to sheet1 but with a focus on
    Business Continuity Management. The checklist contains a list of 90
    questions to address all relevant requirements of a BCMS based on ISO
    22301. With the checklist, we are able to evaluate the following
    category groups:
    	* Scope, supply chain, l&r requirements and assurance
    	* Leadership, roles and responsibilities
    	* Risks and opportunities
    	* Business continuity objectives and plans to achieve them
     	* Human resources, competence and training and awareness
    	* Communication and documentation
    	* Operational planning and control
    	* Business Impact Analysis (BIA) and Risk Assessment
    	* Business continuity strategy / Resource recovery strategy
    	* Incident response structure
    	* Business continuity plans
    	* Monitoring, measurement, analysis and evaluation
    	* Internal audit and management review
    	* Improvement of the BCMS
    I am using a similar list for my annually internal audits at DENIC.
    Altogether I would expect a total effort of approx. 15-20 m/d to perform
    key action steps 1.0 and 2.0. External consultants are also possible and
    in my view a good option.
    Jennifer, it would be great if you could import the file to google docs
    and share the link for editing purposes.
    Any feedback on this would be great.
    	- Boban.
    Boban Kršić
    Chief Information Security Officer
    DENIC eG, Kaiserstraße 75-77, 60329 Frankfurt am Main, GERMANY
    E-Mail: krsic at denic.de, Fon: +49 69 272 35-120, Fax: -248
    Mobil: +49 172 67 61 671
    X.509 Key-ID: 00A54FCB79884413A4
    Fingerprint: 9D37 F593 AF9A D766 FAB4 8B88 D49A 2716
    PGP Key-ID: 0x43C89BA9
    Fingerprint: B974 E725 FEF7 CB3A E452 BEE0 5B80 73E9 43C8 9BA9
    Angaben nach § 25a Absatz 1 GenG:
    DENIC eG (Sitz: Frankfurt am Main)
    Vorstand: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg
    Vorsitzender des Aufsichtsrats: Thomas Keller
    Eingetragen unter Nr. 770 im Genossenschaftsregister, Amtsgericht
    Frankfurt am Main

Ssr2-review mailing list
Ssr2-review at icann.org

More information about the Ssr2-review mailing list