[Ssr2-review] Work plan (draft) Sub Team 2 – ICANN Security

MSSI Secretariat mssi-secretariat at icann.org
Thu Jun 8 22:01:22 UTC 2017


Hi All -



Here is the doodle poll for Subtopic #2 – ICANN Security per the request below - http://doodle.com/poll/wur7y58kse7p5ucb - please reply by Monday, June 12th @ 1900 UTC.

Thank you!



Kind Regards,

Yvette Guigneaux

(MSSI) Multistakeholder Strategy & Strategic Initiatives

Projects & Operations Assistant.



ICANN – Internet Corporation for Assigned Names and Numbers

Email:  yvette.guigneaux at icann.org

Cell:  +1-310-460-8432

Skype:  yvette.guigneaux.icann

www.icann.org







-----Original Message-----
From: ssr2-review-bounces at icann.org [mailto:ssr2-review-bounces at icann.org] On Behalf Of Boban Krsic
Sent: Thursday, June 08, 2017 8:13 AM
To: SSR2 <ssr2-review at icann.org>
Subject: Re: [Ssr2-review] Work plan (draft) Sub Team 2 – ICANN Security



Dear All,



{and especially team members of sub topic 2 – ICANN Security}



just talked to Kerry-Ann regarding a follow-up on this issue. We propose to organize an additional online meeting in the next two weeks to define a scope and identify which domains of both standards are applicable to our scope for a gap analysis and which are not. It would be great if you could assist and participate in this.



@Jennifer

Could you please set up a Doodle survey to find a common 2-hour slot in the next 10 working days?



Thanks and all the best,

Boban.





On 05.06.17 at 22:45, Barrett, Kerry-Ann wrote:

> Dear Boban

>

> Thanks in advance for preparing this.  We should decide if we set up a meeting with the sub-team to discuss and set deadlines for feedback and comments before that meeting.

>

> Sincerely,

> Kerry-Ann Barrett
> Cyber Security Policy Specialist
> Inter-American Committee against Terrorism
> Secretariat for Multidimensional Security
> Organization of American States
> 1889 F Street N.W., Washington, D.C. 20006
> T. 202-370-4675 F. 202-458-3857
> kabarrett at oas.org
> www.oas.org/cyber
> Register to our distribution list here!

>

> -----Original Message-----

> From: ssr2-review-bounces at icann.org
> [mailto:ssr2-review-bounces at icann.org] On Behalf Of Jennifer Bryce
> Sent: Monday, June 5, 2017 11:45 AM
> To: Boban Krsic <krsic at denic.de>; SSR2 <ssr2-review at icann.org>
> Subject: [EXT] Re: [Ssr2-review] Work plan (draft) Sub Team 2 – ICANN Security

>

> Hi all,

>

> The Google doc version has been posted on the wiki here: https://community.icann.org/pages/viewpage.action?pageId=64076120 . RT members have editing rights.

>

> Best,

> Jennifer

>

> -----Original Message-----

> From: <ssr2-review-bounces at icann.org> on behalf of Boban Krsic <krsic at denic.de>
> Date: Sunday, June 4, 2017 at 10:24 PM
> To: SSR2 <ssr2-review at icann.org>
> Subject: [Ssr2-review] Work plan (draft) Sub Team 2 – ICANN Security

>

>     Dear All,

>

>     Please find attached a first draft of a work plan for subteam 2 - ICANN
>     Security. I propose that the basis for further development should be a
>     gap analysis (without any obligations to certify something) based on the
>     following two industrial standards: ISO/IEC 27001:2013 Information
>     Security Management Systems (ISMS) and ISO 22301:2012 Business
>     Continuity Management Systems (BCMS). With the use of both standards, we
>     should be able to address all relevant work items that we identified in
>     Madrid. For the beginning, I have created a simple MS Excel file that
>     contains all relevant information for project planning and realization
>     of the gap analysis. The file contains a total of four sheets:

>

>     * Sheet1 (Workplan) contains the main key action steps, a description of
>     the action, expected outcome, evaluation methodology, required skill
>     set, responsible person, proposed timeline, and finally a reference to
>     Madrid's work item list. The list is not finished and needs to be
>     completed.

>

>     * Sheet2 (Checklist 27001) contains 32 questions to address all relevant
>     requirements of the main part of an ISMS based on ISO/IEC 27001. With the
>     checklist, we are able to evaluate the following category groups:

>

>          * Scope, relevant parties (stakeholder)
>          * Leadership, roles and responsibilities
>          * Risk management and risk treatment
>          * Resources, competence, awareness and communication
>          * Performance evaluation, internal audit and management review
>          * Improvement of the ISMS

>

>     * Sheet3 (Checklist 27001 – Annex A) contains a list of 114 questions
>     based on the Annex A of ISO/IEC 27001. It is a list of security controls
>     (or safeguards) that are to be used to improve security of information.
>     The controls are structured into 14 sections; the purpose of each
>     section of Annex A is [1]:

>

>          * Information security policies – controls on how to write and review policies
>          * Organization of information security – controls on how the responsibilities are assigned
>          * Human resources security – controls affecting the employment
>          * Asset management – controls related to inventory of assets and acceptable use, also for information classification and media handling
>          * Access control – controls for access control policy, user access management, system and application access control, and user responsibilities
>          * Cryptography – controls related to encryption and key management
>          * Physical and environmental security – controls defining secure areas, entry controls, protection against threats, equipment security, secure disposal, clear desk and clear screen policy, etc.
>          * Operational security – lots of controls related to management of IT production: change management, capacity management, malware, backup, logging, monitoring, installation, vulnerabilities
>          * Communications security – controls related to network security, segregation, network services, transfer of information, messaging, etc.
>          * System acquisition, development and maintenance – controls defining security requirements and security in development and support processes
>          * Supplier relationships – controls on what to include in agreements, and how to monitor the suppliers
>          * Information security incident management – controls for reporting events and weaknesses, defining responsibilities, response procedures, and collection of evidence
>          * Information security aspects of business continuity management – controls requiring the planning of business continuity, procedures, verification and reviewing, and IT redundancy
>          * Compliance – controls requiring the identification of applicable laws and regulations, intellectual property protection, personal data protection, and reviews of information security

>

>     * Sheet4 (Checklist 22301) similar to sheet1 but with a focus on
>     Business Continuity Management. The checklist contains a list of 90
>     questions to address all relevant requirements of a BCMS based on ISO
>     22301. With the checklist, we are able to evaluate the following
>     category groups:

>

>          * Scope, supply chain, l&r requirements and assurance
>          * Leadership, roles and responsibilities
>          * Risks and opportunities
>          * Business continuity objectives and plans to achieve them
>          * Human resources, competence and training and awareness
>          * Communication and documentation
>          * Operational planning and control
>          * Business Impact Analysis (BIA) and Risk Assessment
>          * Business continuity strategy / Resource recovery strategy
>          * Incident response structure
>          * Business continuity plans
>          * Monitoring, measurement, analysis and evaluation
>          * Internal audit and management review
>          * Improvement of the BCMS

>

>     I am using a similar list for my annual internal audits at DENIC.
>     Altogether I would expect a total effort of approx. 15-20 m/d to perform
>     key action steps 1.0 and 2.0. External consultants are also possible and
>     in my view a good option.

>

>     Jennifer, it would be great if you could import the file to google docs
>     and share the link for editing purposes.
>
>     Any feedback on this would be great.
>
>     Regards,
>
>          - Boban.

>

>

>

>

> [1] https://advisera.com/27001academy/knowledgebase/overview-of-iso-270012013-annex-a/

>

>

>

>

>     --
>
>     Boban Kršić
>     Chief Information Security Officer
>
>     DENIC eG, Kaiserstraße 75-77, 60329 Frankfurt am Main, GERMANY
>
>     E-Mail: krsic at denic.de, Phone: +49 69 272 35-120, Fax: -248
>     Mobile: +49 172 67 61 671
>     https://www.denic.de
>
>     X.509 Key-ID: 00A54FCB79884413A4
>     Fingerprint: 9D37 F593 AF9A D766 FAB4 8B88 D49A 2716
>
>     PGP Key-ID: 0x43C89BA9
>     Fingerprint: B974 E725 FEF7 CB3A E452 BEE0 5B80 73E9 43C8 9BA9
>
>     Information pursuant to § 25a para. 1 GenG (German Cooperatives Act):
>     DENIC eG (registered office: Frankfurt am Main)
>     Management Board: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg Schweiger
>     Chairman of the Supervisory Board: Thomas Keller
>     Registered under No. 770 in the Register of Cooperatives, Local Court of Frankfurt am Main

>

>

>

>

>

> _______________________________________________
> Ssr2-review mailing list
> Ssr2-review at icann.org
> https://mm.icann.org/mailman/listinfo/ssr2-review

>





--

Boban Kršić
Chief Information Security Officer

DENIC eG, Kaiserstraße 75-77, 60329 Frankfurt am Main, GERMANY

E-Mail: krsic at denic.de, Phone: +49 69 272 35-120, Fax: -248
Mobile: +49 172 67 61 671
https://www.denic.de

X.509 Key-ID: 00A54FCB79884413A4
Fingerprint: 9D37 F593 AF9A D766 FAB4 8B88 D49A 2716

PGP Key-ID: 0x43C89BA9
Fingerprint: B974 E725 FEF7 CB3A E452 BEE0 5B80 73E9 43C8 9BA9

Information pursuant to § 25a para. 1 GenG (German Cooperatives Act):
DENIC eG (registered office: Frankfurt am Main)
Management Board: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg Schweiger
Chairman of the Supervisory Board: Thomas Keller
Registered under No. 770 in the Register of Cooperatives, Local Court of Frankfurt am Main

