[Ssr2-review] Work plan (draft) Sub Team 2 – ICANN Security

ALAIN AINA aalain at trstech.net
Thu Jun 8 17:04:07 UTC 2017


Boban,

> On 8 Jun 2017, at 14:33, Boban Krsic <krsic at denic.de> wrote:
> 
> Hi Alain,
> 
> On 07.06.17 at 18:43, ALAIN AINA wrote:
>> Hello,
>> 
>> As discussed yesterday on the call, this is what I think the sub-group (ICANN Security) should do:
>> 
>> - Analyze the risk management framework in place at ICANN in general and for the SSR remit
>> - Analyze the security management framework
>> 	* Security efforts and effectiveness
>> 	* Auditing: reports and recommendations implementation.
> 
> this represents IMHO only a limited view and does not follow a holistic
> approach on information security and especially on business continuity
> management. Both standards, ISO/IEC 27001 ISMS and ISO 22301 BCMS, are
> widely accepted and represent a risk- and process-based approach on how
> to deal with information security and business continuity issues in
> general. In addition to that we get a list of security controls that are
> to be used to improve security at the organization. I believe that with
> the use of both standards, we should be able to address all relevant
> work items that we identified in Madrid - and that in an efficient way.

As I said during the call, it is not our mandate to audit the security of ICANN's information system. We shall limit our role to analysis and evaluation of the risk management and security management frameworks in place, how they are being implemented, and a gap analysis...

Evaluating ICANN compliance means:

What are the risk and security management frameworks in place?
Is system security certified?
Has security been evaluated/audited?
Gap analysis
Recommendations

Hope this helps

—Alain

> 
> Best,
>  Boban.
> 
>> - Gap analysis
>> - Recommendations
>> 
>> Their work will be fed by the work of sub-group 1 (SSR1 implementation), which shall evaluate the effectiveness of implementation of
>> recommendations 9, 26 and 27 below.
>> 
>> 
>> Hope this helps
>> 
>> —Alain
>> 
>> 
>> 
>> ====================
>> 9 ICANN should assess certification options with commonly accepted international standards (e.g., ITIL, ISO and SAS-70) for
>> its operational responsibilities. ICANN should publish a clear roadmap towards certification.
>> 
>> 26 ICANN should prioritize the timely completion of a Risk Management Framework.
>> 
>> 27 ICANN’s Risk Management Framework should be comprehensive within the scope of its SSR remit and limited missions.
>> ========================
>> 
>> 
>>> On 5 Jun 2017, at 05:24, Boban Krsic <krsic at denic.de> wrote:
>>> 
>>> Dear All,
>>> 
>>> Please find attached a first draft of a work plan for subteam 2 - ICANN
>>> Security. I propose that the basis for further development should be a
>>> gap analysis (without any obligations to certify something) based on the
>>> following two industrial standards: ISO/IEC 27001:2013 Information
>>> Security Management Systems (ISMS) and ISO 22301:2012 Business
>>> Continuity Management Systems (BCMS). With the use of both standards, we
>>> should be able to address all relevant work items that we identified in
>>> Madrid. For the beginning, I have created a simple MS Excel file that
>>> contains all relevant information for project planning and realization
>>> of the gap analysis. The file contains a total of four sheets:
>>> 
>>> * Sheet1 (Workplan) contains the main key action steps, a description of
>>> the action, expected outcome, evaluation methodology, required skill
>>> set, responsible person, proposed timeline, and finally a reference to
>>> Madrid’s work item list. The list is not finished and needs to be
>>> completed.
>>> 
>>> * Sheet2 (Checklist 27001) contains 32 questions to address all relevant
>>> requirements of the main part of an ISMS based on ISO/IEC 27001. With the
>>> checklist, we are able to evaluate the following category groups:
>>> 
>>> 	* Scope, relevant parties (stakeholder)
>>> 	* Leadership, roles and responsibilities
>>> 	* Risk management and risk treatment
>>> 	* Resources, competence, awareness and communication
>>> 	* Performance evaluation, internal audit and management review
>>> 	* Improvement of the ISMS
>>> 
>>> * Sheet3 (Checklist 27001 – Annex A) contains a list of 114 questions
>>> based on the Annex A of ISO/IEC 27001. It is a list of security controls
>>> (or safeguards) that are to be used to improve security of information.
>>> The controls are structured into 14 sections; the purpose of each
>>> section of Annex A is as follows [1]:
>>> 
>>> 	* Information security policies - controls how to write and
>>> review policies
>>> 	* Organization of information security – controls on how the
>>> responsibilities are assigned
>>> 	* Human resources security – controls affecting the employment
>>> 	* Asset management – controls related to inventory of assets and
>>> acceptable use, also for information classification and media handling
>>> 	* Access control – controls for Access control policy, user access
>>> management, system and application access control, and user responsibilities
>>> 	* Cryptography – controls related to encryption and key management
>>> 	* Physical and environmental security – controls defining secure
>>> areas, entry controls, protection against threats, equipment security,
>>> secure disposal, clear desk and clear screen policy, etc.
>>> 	* Operational security – lots of controls related to management of IT
>>> production: change management, capacity management, malware, backup,
>>> logging, monitoring, installation, vulnerabilities
>>> 	* Communications security – controls related to network security,
>>> segregation, network services, transfer of information, messaging, etc.
>>> 	* System acquisition, development and maintenance – controls
>>> defining security requirements and security in development and support
>>> processes
>>> 	* Supplier relationships – controls on what to include in
>>> agreements, and how to monitor the suppliers
>>> 	* Information security incident management – controls for
>>> reporting events and weaknesses, defining responsibilities, response
>>> procedures, and collection of evidence
>>> 	* Information security aspects of business continuity management –
>>> controls requiring the planning of business continuity, procedures,
>>> verification and reviewing, and IT redundancy
>>> 	* Compliance – controls requiring the identification of applicable laws
>>> and regulations, intellectual property protection, personal data
>>> protection, and reviews of information security
>>> 
>>> * Sheet4 (Checklist 22301) is similar to Sheet1 but with a focus on
>>> Business Continuity Management. The checklist contains a list of 90
>>> questions to address all relevant requirements of a BCMS based on ISO
>>> 22301. With the checklist, we are able to evaluate the following
>>> category groups:
>>> 
>>> 	* Scope, supply chain, l&r requirements and assurance
>>> 	* Leadership, roles and responsibilities
>>> 	* Risks and opportunities
>>> 	* Business continuity objectives and plans to achieve them
>>> 	* Human resources, competence and training and awareness
>>> 	* Communication and documentation
>>> 	* Operational planning and control
>>> 	* Business Impact Analysis (BIA) and Risk Assessment
>>> 	* Business continuity strategy / Resource recovery strategy
>>> 	* Incident response structure
>>> 	* Business continuity plans
>>> 	* Monitoring, measurement, analysis and evaluation
>>> 	* Internal audit and management review
>>> 	* Improvement of the BCMS
>>> 
>>> I am using a similar list for my annual internal audits at DENIC.
>>> Altogether I would expect a total effort of approx. 15-20 m/d to perform
>>> key action steps 1.0 and 2.0. External consultants are also possible and
>>> in my view a good option.
>>> 
>>> Jennifer, it would be great if you could import the file to google docs
>>> and share the link for editing purposes.
>>> 
>>> Any feedback on this would be great.
>>> 
>>> Regards,
>>> 
>>> 	- Boban.
>>> 
>>> 
>>> 
>>> [1]https://advisera.com/27001academy/knowledgebase/overview-of-iso-270012013-annex-a/
>>> 
>>> 
>>> 
>>> 
>>> --
>>> 
>>> Boban Kršić
>>> Chief Information Security Officer
>>> 
>>> DENIC eG, Kaiserstraße 75-77, 60329 Frankfurt am Main, GERMANY
>>> 
>>> E-Mail: krsic at denic.de, Phone: +49 69 272 35-120, Fax: -248
>>> Mobile: +49 172 67 61 671
>>> https://www.denic.de
>>> 
>>> X.509 Key-ID: 00A54FCB79884413A4
>>> Fingerprint: 9D37 F593 AF9A D766 FAB4 8B88 D49A 2716
>>> 
>>> PGP Key-ID: 0x43C89BA9
>>> Fingerprint: B974 E725 FEF7 CB3A E452 BEE0 5B80 73E9 43C8 9BA9
>>> 
>>> Information pursuant to § 25a paragraph 1 GenG:
>>> DENIC eG (registered office: Frankfurt am Main)
>>> Executive Board: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg
>>> Schweiger
>>> Chairman of the Supervisory Board: Thomas Keller
>>> Registered under No. 770 in the Cooperative Register, Amtsgericht
>>> Frankfurt am Main
>>> 
>>> 
>>> 
>>> <170531.Workplan_ICANN_Security_draft_0.91.xlsx>
>>> _______________________________________________
>>> Ssr2-review mailing list
>>> Ssr2-review at icann.org
>>> https://mm.icann.org/mailman/listinfo/ssr2-review
>> 
>> 
>> 
>> 
> 
> 
> 