[Ssr2-review] Work plan (draft) Sub Team 2 – ICANN Security

Boban Krsic krsic at denic.de
Thu Jun 8 14:33:08 UTC 2017


Hi Alain,

On 07.06.17 at 18:43, ALAIN AINA wrote:
> Hello,
> 
> As discussed yesterday on the call, this is what I think the sub-group (ICANN Security) should do:
> 
> - Analyze the risk management framework in place at ICANN in general and for the SSR remit
> - Analyze the security management framework
> 	* Security efforts and effectiveness
> 	* Auditing: reports and recommendations implementation

this represents IMHO only a limited view and does not follow a holistic
approach to information security and especially to business continuity
management. Both standards, ISO/IEC 27001 ISMS and ISO 22301 BCMS, are
widely accepted and represent a risk- and process-based approach to
dealing with information security and business continuity issues in
general. In addition to that, we get a list of security controls that are
to be used to improve security at the organization. I believe that with
the use of both standards, we should be able to address all relevant
work items that we identified in Madrid, and in an efficient way.

Best,
  Boban.

> - Gap analysis
> - Recommendations
> 
> Their work will be fed by the work of sub-group 1 (SSR1 implementation), which shall evaluate the effectiveness of implementation of
> recommendations 9, 26 and 27 below.
> 
> 
> Hope this helps
> 
> —Alain
> 
> 
> 
> ====================
> 9 ICANN should assess certification options with commonly accepted international standards (e.g., ITIL, ISO and SAS-70) for
> its operational responsibilities. ICANN should publish a clear roadmap towards certification.
> 
> 26 ICANN should prioritize the timely completion of a Risk Management Framework.
> 
> 27 ICANN’s Risk Management Framework should be comprehensive within the scope of its SSR remit and limited missions.
> ========================
> 
> 
>> On 5 Jun 2017, at 05:24, Boban Krsic <krsic at denic.de> wrote:
>>
>> Dear All,
>>
>> Please find attached a first draft of a work plan for subteam 2 - ICANN
>> Security. I propose that the basis for further development should be a
>> gap analysis (without any obligations to certify something) based on the
>> following two industrial standards: ISO/IEC 27001:2013 Information
>> Security Management Systems (ISMS) and ISO 22301:2012 Business
>> Continuity Management Systems (BCMS). With the use of both standards, we
>> should be able to address all relevant work items that we identified in
>> Madrid. For the beginning, I have created a simple MS Excel file that
>> contains all relevant information for project planning and realization
>> of the gap analysis. The file contains a total of four sheets:
>>
>> * Sheet1 (Workplan) contains the main key action steps, a description of
>> the action, expected outcome, evaluation methodology, required skill
>> set, responsible person, proposed timeline, and finally a reference to
>> Madrid’s work item list. The list is not finished and needs to be
>> completed.
>>
>> * Sheet2 (Checklist 27001) contains 32 questions to address all relevant
>> requirements of the main part of an ISMS based on ISO/IEC 27001. With the
>> checklist, we are able to evaluate the following category groups:
>>
>> 	* Scope, relevant parties (stakeholder)
>> 	* Leadership, roles and responsibilities
>> 	* Risk management and risk treatment
>> 	* Resources, competence, awareness and communication
>> 	* Performance evaluation, internal audit and management review
>> 	* Improvement of the ISMS
>>
>> * Sheet3 (Checklist 27001 – Annex A) contains a list of 114 questions
>> based on the Annex A of ISO/IEC 27001. It is a list of security controls
>> (or safeguards) that are to be used to improve security of information.
>> The controls are structured into 14 sections; the purpose of each
>> section of Annex A is as follows [1]:
>>
>> 	* Information security policies - controls how to write and
>> review policies
>> 	* Organization of information security – controls on how the
>> responsibilities are assigned
>> 	* Human resources security – controls affecting the employment
>> 	* Asset management – controls related to inventory of assets and
>> acceptable use, also for information classification and media handling
>> 	* Access control – controls for access control policy, user access
>> management, system and application access control, and user responsibilities
>> 	* Cryptography – controls related to encryption and key management
>> 	* Physical and environmental security – controls defining secure
>> areas, entry controls, protection against threats, equipment security,
>> secure disposal, clear desk and clear screen policy, etc.
>> 	* Operational security – lots of controls related to management of IT
>> production: change management, capacity management, malware, backup,
>> logging, monitoring, installation, vulnerabilities
>> 	* Communications security – controls related to network security,
>> segregation, network services, transfer of information, messaging, etc.
>> 	* System acquisition, development and maintenance – controls
>> defining security requirements and security in development and support
>> processes
>> 	* Supplier relationships – controls on what to include in
>> agreements, and how to monitor the suppliers
>> 	* Information security incident management – controls for
>> reporting events and weaknesses, defining responsibilities, response
>> procedures, and collection of evidence
>> 	* Information security aspects of business continuity management –
>> controls requiring the planning of business continuity, procedures,
>> verification and reviewing, and IT redundancy
>> 	* Compliance – controls requiring the identification of applicable laws
>> and regulations, intellectual property protection, personal data
>> protection, and reviews of information security
>>
>> * Sheet4 (Checklist 22301) is similar to sheet1 but with a focus on
>> Business Continuity Management. The checklist contains a list of 90
>> questions to address all relevant requirements of a BCMS based on ISO
>> 22301. With the checklist, we are able to evaluate the following
>> category groups:
>>
>> 	* Scope, supply chain, l&r requirements and assurance
>> 	* Leadership, roles and responsibilities
>> 	* Risks and opportunities
>> 	* Business continuity objectives and plans to achieve them
>> 	* Human resources, competence and training and awareness
>> 	* Communication and documentation
>> 	* Operational planning and control
>> 	* Business Impact Analysis (BIA) and Risk Assessment
>> 	* Business continuity strategy / Resource recovery strategy
>> 	* Incident response structure
>> 	* Business continuity plans
>> 	* Monitoring, measurement, analysis and evaluation
>> 	* Internal audit and management review
>> 	* Improvement of the BCMS
>>
>> I am using a similar list for my annual internal audits at DENIC.
>> Altogether I would expect a total effort of approx. 15-20 m/d to perform
>> key action steps 1.0 and 2.0. External consultants are also possible and
>> in my view a good option.
>>
>> Jennifer, it would be great if you could import the file to google docs
>> and share the link for editing purposes.
>>
>> Any feedback on this would be great.
>>
>> Regards,
>>
>> 	- Boban.
>>
>>
>>
>> [1]https://advisera.com/27001academy/knowledgebase/overview-of-iso-270012013-annex-a/
>>
>>
>>
>>
>> --
>>
>> Boban Kršić
>> Chief Information Security Officer
>>
>> DENIC eG, Kaiserstraße 75-77, 60329 Frankfurt am Main, GERMANY
>>
>> E-Mail: krsic at denic.de, Phone: +49 69 272 35-120, Fax: -248
>> Mobile: +49 172 67 61 671
>> https://www.denic.de
>>
>> X.509 Key-ID: 00A54FCB79884413A4
>> Fingerprint: 9D37 F593 AF9A D766 FAB4 8B88 D49A 2716
>>
>> PGP Key-ID: 0x43C89BA9
>> Fingerprint: B974 E725 FEF7 CB3A E452 BEE0 5B80 73E9 43C8 9BA9
>>
>> Information pursuant to § 25a (1) GenG:
>> DENIC eG (registered office: Frankfurt am Main)
>> Board of Directors: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg
>> Schweiger
>> Chairman of the Supervisory Board: Thomas Keller
>> Registered under No. 770 in the Register of Cooperatives, Local Court
>> (Amtsgericht) Frankfurt am Main
>>
>>
>>
>> <170531.Workplan_ICANN_Security_draft_0.91.xlsx>
>> _______________________________________________
>> Ssr2-review mailing list
>> Ssr2-review at icann.org
>> https://mm.icann.org/mailman/listinfo/ssr2-review
> 
> 
> 
> 


