[Ssr2-review] Work plan (draft) Sub Team 2 – ICANN Security
Boban Krsic
krsic at denic.de
Mon Jun 5 15:49:28 UTC 2017
Thanks Jennifer.
- Boban
> Am 05.06.2017 um 17:45 schrieb Jennifer Bryce <jennifer.bryce at icann.org>:
>
> Hi all,
>
> The Google doc version has been posted on the wiki here: https://community.icann.org/pages/viewpage.action?pageId=64076120 . RT members have editing
> rights.
>
> Best,
> Jennifer
>
> -----Original Message-----
> From: <ssr2-review-bounces at icann.org> on behalf of Boban Krsic <krsic at denic.de>
> Date: Sunday, June 4, 2017 at 10:24 PM
> To: SSR2 <ssr2-review at icann.org>
> Subject: [Ssr2-review] Work plan (draft) Sub Team 2 – ICANN Security
>
> Dear All,
>
> Please find attached a first draft of a work plan for subteam 2 - ICANN
> Security. I propose that the basis for further development should be a
> gap analysis (without any obligation to certify anything) based on the
> following two industry standards: ISO/IEC 27001:2013 Information
> Security Management Systems (ISMS) and ISO 22301:2012 Business
> Continuity Management Systems (BCMS). With the use of both standards, we
> should be able to address all relevant work items that we identified in
> Madrid. To begin with, I have created a simple MS Excel file that
> contains all relevant information for project planning and realization
> of the gap analysis. The file contains a total of four sheets:
>
> * Sheet1 (Workplan) contains the main key action steps, a description of
> the action, expected outcome, evaluation methodology, required skill
> set, responsible person, proposed timeline, and finally a reference to
> Madrid’s work item list. The list is not finished and needs to be
> completed.
>
> * Sheet2 (Checklist 27001) contains 32 questions to address all relevant
> requirements of the main part of an ISMS based on ISO/IEC 27001. With the
> checklist, we are able to evaluate the following category groups:
>
> * Scope, relevant parties (stakeholder)
> * Leadership, roles and responsibilities
> * Risk management and risk treatment
> * Resources, competence, awareness and communication
> * Performance evaluation, internal audit and management review
> * Improvement of the ISMS
>
> * Sheet3 (Checklist 27001 – Annex A) contains a list of 114 questions
> based on Annex A of ISO/IEC 27001. It is a list of security controls
> (or safeguards) that are to be used to improve the security of information.
> The controls are structured into 14 sections; the purpose of each of the
> 14 sections of Annex A is as follows [1]:
>
> * Information security policies - controls how to write and
> review policies
> * Organization of information security – controls on how the
> responsibilities are assigned
> * Human resources security – controls affecting the employment
> * Asset management – controls related to inventory of assets and
> acceptable use, also for information classification and media handling
> * Access control – controls for Access control policy, user access
> management, system and application access control, and user responsibilities
> * Cryptography – controls related to encryption and key management
> * Physical and environmental security – controls defining secure
> areas, entry controls, protection against threats, equipment security,
> secure disposal, clear desk and clear screen policy, etc.
> * Operational security – lots of controls related to management of IT
> production: change management, capacity management, malware, backup,
> logging, monitoring, installation, vulnerabilities
> * Communications security – controls related to network security,
> segregation, network services, transfer of information, messaging, etc.
> * System acquisition, development and maintenance – controls
> defining security requirements and security in development and support
> processes
> * Supplier relationships – controls on what to include in
> agreements, and how to monitor the suppliers
> * Information security incident management – controls for
> reporting events and weaknesses, defining responsibilities, response
> procedures, and collection of evidence
> * Information security aspects of business continuity management –
> controls requiring the planning of business continuity, procedures,
> verification and reviewing, and IT redundancy
> * Compliance – controls requiring the identification of applicable laws
> and regulations, intellectual property protection, personal data
> protection, and reviews of information security
>
> * Sheet4 (Checklist 22301) is similar to sheet1 but with a focus on
> Business Continuity Management. The checklist contains a list of 90
> questions to address all relevant requirements of a BCMS based on ISO
> 22301. With the checklist, we are able to evaluate the following
> category groups:
>
> * Scope, supply chain, l&r requirements and assurance
> * Leadership, roles and responsibilities
> * Risks and opportunities
> * Business continuity objectives and plans to achieve them
> * Human resources, competence and training and awareness
> * Communication and documentation
> * Operational planning and control
> * Business Impact Analysis (BIA) and Risk Assessment
> * Business continuity strategy / Resource recovery strategy
> * Incident response structure
> * Business continuity plans
> * Monitoring, measurement, analysis and evaluation
> * Internal audit and management review
> * Improvement of the BCMS
>
> I am using a similar list for my annual internal audits at DENIC.
> Altogether I would expect a total effort of approx. 15-20 m/d to perform
> key action steps 1.0 and 2.0. External consultants are also possible and
> in my view a good option.
>
> Jennifer, it would be great if you could import the file to Google Docs
> and share the link for editing purposes.
>
> Any feedback on this would be great.
>
> Regards,
>
> - Boban.
>
>
>
> [1]https://advisera.com/27001academy/knowledgebase/overview-of-iso-270012013-annex-a/
>
> --
>
> Boban Kršić
> Chief Information Security Officer
>
> DENIC eG, Kaiserstraße 75-77, 60329 Frankfurt am Main, GERMANY
>
> E-Mail: krsic at denic.de, Fon: +49 69 272 35-120, Fax: -248
> Mobil: +49 172 67 61 671
> https://www.denic.de
>
> X.509 Key-ID: 00A54FCB79884413A4
> Fingerprint: 9D37 F593 AF9A D766 FAB4 8B88 D49A 2716
>
> PGP Key-ID: 0x43C89BA9
> Fingerprint: B974 E725 FEF7 CB3A E452 BEE0 5B80 73E9 43C8 9BA9
>
> Angaben nach § 25a Absatz 1 GenG:
> DENIC eG (Sitz: Frankfurt am Main)
> Vorstand: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg
> Schweiger
> Vorsitzender des Aufsichtsrats: Thomas Keller
> Eingetragen unter Nr. 770 im Genossenschaftsregister, Amtsgericht
> Frankfurt am Main