[Ssr2-review] Work plan (draft) Sub Team 2 – ICANN Security

ALAIN AINA aalain at trstech.net
Wed Jun 7 16:43:44 UTC 2017


Hello,

As discussed yesterday on the call, this is what I think sub-group 2 (ICANN Security) should do:

- Analyze the risk management framework in place at ICANN in general and for the SSR remit
- Analyze the security management framework
	* Security efforts and effectiveness
	* Auditing: reports and recommendations implementation
- Gap analysis
- Recommendations

Their work will be fed by the work of sub-group 1 (SSR1 implementation), which shall evaluate the effectiveness of implementation of
recommendations 9, 26 and 27 below.


Hope this helps

—Alain



====================
9 ICANN should assess certification options with commonly accepted international standards (e.g., ITIL, ISO and SAS-70) for
its operational responsibilities. ICANN should publish a clear roadmap towards certification.

26 ICANN should prioritize the timely completion of a Risk Management Framework.

27 ICANN’s Risk Management Framework should be comprehensive within the scope of its SSR remit and limited missions.
========================


> On 5 Jun 2017, at 05:24, Boban Krsic <krsic at denic.de> wrote:
> 
> Dear All,
> 
> Please find attached a first draft of a work plan for subteam 2 - ICANN
> Security. I propose that the basis for further development should be a
> gap analysis (without any obligations to certify something) based on the
> following two industrial standards: ISO/IEC 27001:2013 Information
> Security Management Systems (ISMS) and ISO 22301:2012 Business
> Continuity Management Systems (BCMS). With the use of both standards, we
> should be able to address all relevant work items that we identified in
> Madrid. For the beginning, I have created a simple MS Excel file that
> contains all relevant information for project planning and realization
> of the gap analysis. The file contains a total of four sheets:
> 
> * Sheet1 (Workplan) contains the main key action steps, a description of
> the action, expected outcome, evaluation methodology, required skill
> set, responsible person, proposed timeline, and finally a reference to
> Madrid’s work item list. The list is not finished and needs to be
> completed.
> 
> * Sheet2 (Checklist 27001) contains 32 questions to address all relevant
> requirements of the main part of an ISMS based on ISO/IEC 27001. With the
> checklist, we are able to evaluate the following category groups:
> 
> 	* Scope, relevant parties (stakeholder)
> 	* Leadership, roles and responsibilities
> 	* Risk management and risk treatment
> 	* Resources, competence, awareness and communication
> 	* Performance evaluation, internal audit and management review
> 	* Improvement of the ISMS
> 
> * Sheet3 (Checklist 27001 – Annex A) contains a list of 114 questions
> based on Annex A of ISO/IEC 27001. It is a list of security controls
> (or safeguards) that are to be used to improve the security of information.
> The controls are structured into 14 sections, and the purpose of each
> section of Annex A is as follows [1]:
> 
> 	* Information security policies - controls how to write and
> review policies
> 	* Organization of information security – controls on how the
> responsibilities are assigned
> 	* Human resources security – controls affecting the employment
> 	* Asset management – controls related to inventory of assets and
> acceptable use, also for information classification and media handling
> 	* Access control – controls for Access control policy, user access
> management, system and application access control, and user responsibilities
> 	* Cryptography – controls related to encryption and key management
> 	* Physical and environmental security – controls defining secure
> areas, entry controls, protection against threats, equipment security,
> secure disposal, clear desk and clear screen policy, etc.
> 	* Operational security – lots of controls related to management of IT
> production: change management, capacity management, malware, backup,
> logging, monitoring, installation, vulnerabilities
> 	* Communications security – controls related to network security,
> segregation, network services, transfer of information, messaging, etc.
> 	* System acquisition, development and maintenance – controls
> defining security requirements and security in development and support
> processes
> 	* Supplier relationships – controls on what to include in
> agreements, and how to monitor the suppliers
> 	* Information security incident management – controls for
> reporting events and weaknesses, defining responsibilities, response
> procedures, and collection of evidence
> 	* Information security aspects of business continuity management –
> controls requiring the planning of business continuity, procedures,
> verification and reviewing, and IT redundancy
> 	* Compliance – controls requiring the identification of applicable laws
> and regulations, intellectual property protection, personal data
> protection, and reviews of information security
> 
> * Sheet4 (Checklist 22301) is similar to sheet1 but with a focus on
> Business Continuity Management. The checklist contains a list of 90
> questions to address all relevant requirements of a BCMS based on ISO
> 22301. With the checklist, we are able to evaluate the following
> category groups:
> 
> 	* Scope, supply chain, l&r requirements and assurance
> 	* Leadership, roles and responsibilities
> 	* Risks and opportunities
> 	* Business continuity objectives and plans to achieve them
> 	* Human resources, competence and training and awareness
> 	* Communication and documentation
> 	* Operational planning and control
> 	* Business Impact Analysis (BIA) and Risk Assessment
> 	* Business continuity strategy / Resource recovery strategy
> 	* Incident response structure
> 	* Business continuity plans
> 	* Monitoring, measurement, analysis and evaluation
> 	* Internal audit and management review
> 	* Improvement of the BCMS
> 
> I am using a similar list for my annual internal audits at DENIC.
> Altogether I would expect a total effort of approx. 15-20 m/d to perform
> key action steps 1.0 and 2.0. External consultants are also possible and
> in my view a good option.
> 
> Jennifer, it would be great if you could import the file to google docs
> and share the link for editing purposes.
> 
> Any feedback on this would be great.
> 
> Regards,
> 
> 	- Boban.
> 
> 
> 
> [1]https://advisera.com/27001academy/knowledgebase/overview-of-iso-270012013-annex-a/
> 
> 
> 
> 
> --
> 
> Boban Kršić
> Chief Information Security Officer
> 
> DENIC eG, Kaiserstraße 75-77, 60329 Frankfurt am Main, GERMANY
> 
> E-Mail: krsic at denic.de, Phone: +49 69 272 35-120, Fax: -248
> Mobile: +49 172 67 61 671
> https://www.denic.de
> 
> X.509 Key-ID: 00A54FCB79884413A4
> Fingerprint: 9D37 F593 AF9A D766 FAB4 8B88 D49A 2716
> 
> PGP Key-ID: 0x43C89BA9
> Fingerprint: B974 E725 FEF7 CB3A E452 BEE0 5B80 73E9 43C8 9BA9
> 
> Information pursuant to § 25a paragraph 1 GenG:
> DENIC eG (registered office: Frankfurt am Main)
> Executive Board: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg
> Schweiger
> Chairman of the Supervisory Board: Thomas Keller
> Registered under No. 770 in the Register of Cooperatives, Amtsgericht
> Frankfurt am Main
> 
> 
> 
> <170531.Workplan_ICANN_Security_draft_0.91.xlsx>
> _______________________________________________
> Ssr2-review mailing list
> Ssr2-review at icann.org
> https://mm.icann.org/mailman/listinfo/ssr2-review
