[Ssr2-review] Work plan (draft) Sub Team 2 – ICANN Security

Boban Krsic krsic at denic.de
Thu Jun 8 15:13:27 UTC 2017


Dear All,

{and especially team members of sub topic 2 – ICANN Security}

I just talked to Kerry-Ann about a follow-up on this issue. We propose
to organize an additional online meeting in the next two weeks to define
a scope and to identify which domains of both standards are applicable to
our scope for a gap analysis and which are not. It would be great if you
could assist and participate in this.

@Jennifer
Could you please set up a Doodle survey to find a common 2-hour slot
in the next 10 working days?

Thanks and all the best,
 Boban.


On 05.06.17 at 22:45, Barrett, Kerry-Ann wrote:
> Dear Boban
> 
> Thanks in advance for preparing this. We should decide whether to set up a meeting with the sub-team to discuss and set deadlines for feedback and comments before that meeting.
> 
> Sincerely,
> Kerry-Ann Barrett
> Cyber Security Policy Specialist
> Inter-American Committee against Terrorism
> Secretariat for Multidimensional Security
> Organization of American States
> 1889 F Street N.W., Washington, D.C. 20006 
> T. 202-370-4675
> F. 202-458-3857
> kabarrett at oas.org
> www.oas.org/cyber 
> 
> -----Original Message-----
> From: ssr2-review-bounces at icann.org [mailto:ssr2-review-bounces at icann.org] On Behalf Of Jennifer Bryce
> Sent: Monday, June 5, 2017 11:45 AM
> To: Boban Krsic <krsic at denic.de>; SSR2 <ssr2-review at icann.org>
> Subject: [EXT] Re: [Ssr2-review] Work plan (draft) Sub Team 2 – ICANN Security
> 
> Hi all,
> 
> The Google doc version has been posted on the wiki here: https://community.icann.org/pages/viewpage.action?pageId=64076120 . RT members have editing rights. 
> 
> Best,
> Jennifer
> 
> -----Original Message-----
> From: <ssr2-review-bounces at icann.org> on behalf of Boban Krsic <krsic at denic.de>
> Date: Sunday, June 4, 2017 at 10:24 PM
> To: SSR2 <ssr2-review at icann.org>
> Subject: [Ssr2-review] Work plan (draft) Sub Team 2 – ICANN Security
> 
>     Dear All,
>     
>     Please find attached a first draft of a work plan for subteam 2 - ICANN
>     Security. I propose that the basis for further development should be a
>     gap analysis (without any obligation to certify anything) based on the
>     following two industry standards: ISO/IEC 27001:2013 Information
>     Security Management Systems (ISMS) and ISO 22301:2012 Business
>     Continuity Management Systems (BCMS). With the use of both standards, we
>     should be able to address all relevant work items that we identified in
>     Madrid. For the beginning, I have created a simple MS Excel file that
>     contains all relevant information for project planning and realization
>     of the gap analysis. The file contains a total of four sheets:
>     
>     * Sheet1 (Workplan) contains the main key action steps, a description of
>     the action, expected outcome, evaluation methodology, required skill
>     set, responsible person, proposed timeline, and finally a reference to
>     Madrid’s work item list. The list is not finished and needs to be
>     completed.
>     
>     * Sheet2 (Checklist 27001) contains 32 questions to address all relevant
>     requirements of the main part of an ISMS based on ISO/IEC 27001. With the
>     checklist, we are able to evaluate the following category groups:
>     
>     	* Scope, relevant parties (stakeholder)
>     	* Leadership, roles and responsibilities
>     	* Risk management and risk treatment
>     	* Resources, competence, awareness and communication
>     	* Performance evaluation, internal audit and management review
>     	* Improvement of the ISMS
>     
>     * Sheet3 (Checklist 27001 – Annex A) contains a list of 114 questions
>     based on Annex A of ISO/IEC 27001. It is a list of security controls
>     (or safeguards) that are to be used to improve the security of information.
>     The controls are structured into 14 sections; the purpose of each
>     section of Annex A is as follows [1]:
>     	
>     	* Information security policies - controls how to write and
>     review policies
>     	* Organization of information security – controls on how the
>     responsibilities are assigned
>     	* Human resources security – controls affecting the employment
>     	* Asset management – controls related to inventory of assets and
>     acceptable use, also for information classification and media handling
>     	* Access control – controls for Access control policy, user access
>     management, system and application access control, and user responsibilities
>     	* Cryptography – controls related to encryption and key management
>     	* Physical and environmental security – controls defining secure
>     areas, entry controls, protection against threats, equipment security,
>     secure disposal, clear desk and clear screen policy, etc.
>     	* Operational security – lots of controls related to management of IT
>     production: change management, capacity management, malware, backup,
>     logging, monitoring, installation, vulnerabilities
>     	* Communications security – controls related to network security,
>     segregation, network services, transfer of information, messaging, etc.
>     	* System acquisition, development and maintenance – controls
>     defining security requirements and security in development and support
>     processes
>     	* Supplier relationships – controls on what to include in
>     agreements, and how to monitor the suppliers
>     	* Information security incident management – controls for
>     reporting events and weaknesses, defining responsibilities, response
>     procedures, and collection of evidence
>     	* Information security aspects of business continuity management –
>     controls requiring the planning of business continuity, procedures,
>     verification and reviewing, and IT redundancy
>     	* Compliance – controls requiring the identification of applicable laws
>     and regulations, intellectual property protection, personal data
>     protection, and reviews of information security
>     
>     * Sheet4 (Checklist 22301) similar to sheet1 but with a focus on
>     Business Continuity Management. The checklist contains a list of 90
>     questions to address all relevant requirements of a BCMS based on ISO
>     22301. With the checklist, we are able to evaluate the following
>     category groups:
>     
>     	* Scope, supply chain, l&r requirements and assurance
>     	* Leadership, roles and responsibilities
>     	* Risks and opportunities
>     	* Business continuity objectives and plans to achieve them
>     	* Human resources, competence and training and awareness
>     	* Communication and documentation
>     	* Operational planning and control
>     	* Business Impact Analysis (BIA) and Risk Assessment
>     	* Business continuity strategy / Resource recovery strategy
>     	* Incident response structure
>     	* Business continuity plans
>     	* Monitoring, measurement, analysis and evaluation
>     	* Internal audit and management review
>     	* Improvement of the BCMS
>     
>     I am using a similar list for my annual internal audits at DENIC.
>     Altogether I would expect a total effort of approx. 15-20 m/d to perform
>     key action steps 1.0 and 2.0. External consultants are also possible and
>     in my view a good option.
>     
>     Jennifer, it would be great if you could import the file into Google Docs
>     and share the link for editing purposes.
>     
>     Any feedback on this would be great.
>     
>     Regards,
>     
>     	- Boban.
>     
>     
>     
>     [1]https://advisera.com/27001academy/knowledgebase/overview-of-iso-270012013-annex-a/
>     
>     
>     
>     
>     -- 
>     
>     Boban Kršić
>     Chief Information Security Officer
>     
>     DENIC eG, Kaiserstraße 75-77, 60329 Frankfurt am Main, GERMANY
>     
>     E-Mail: krsic at denic.de, Fon: +49 69 272 35-120, Fax: -248
>     Mobil: +49 172 67 61 671
>     https://www.denic.de
>     
>     X.509 Key-ID: 00A54FCB79884413A4
>     Fingerprint: 9D37 F593 AF9A D766 FAB4 8B88 D49A 2716
>     
>     PGP Key-ID: 0x43C89BA9
>     Fingerprint: B974 E725 FEF7 CB3A E452 BEE0 5B80 73E9 43C8 9BA9
>     
>     Disclosures pursuant to § 25a(1) GenG (German Cooperatives Act):
>     DENIC eG (registered office: Frankfurt am Main)
>     Management Board: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg
>     Schweiger
>     Chairman of the Supervisory Board: Thomas Keller
>     Registered under No. 770 in the Register of Cooperatives, Local Court (Amtsgericht)
>     Frankfurt am Main
>     
>     
>     
>     

