Thanks Jennifer. - Boban
On 05.06.2017 at 17:45, Jennifer Bryce <jennifer.bryce@icann.org> wrote:
Hi all,
The Google doc version has been posted on the wiki here: https://community.icann.org/pages/viewpage.action?pageId=64076120 . RT members have editing rights.
Best, Jennifer
-----Original Message-----
From: <ssr2-review-bounces@icann.org> on behalf of Boban Krsic <krsic@denic.de>
Date: Sunday, June 4, 2017 at 10:24 PM
To: SSR2 <ssr2-review@icann.org>
Subject: [Ssr2-review] Work plan (draft) Sub Team 2 – ICANN Security
Dear All,
Please find attached a first draft of a work plan for subteam 2 - ICANN Security. I propose that the basis for further development should be a gap analysis (without any obligation to certify anything) based on the following two industry standards: ISO/IEC 27001:2013 Information Security Management Systems (ISMS) and ISO 22301:2012 Business Continuity Management Systems (BCMS). With the use of both standards, we should be able to address all relevant work items that we identified in Madrid. To begin with, I have created a simple MS Excel file that contains all relevant information for project planning and realization of the gap analysis. The file contains a total of four sheets:
* Sheet1 (Workplan) contains the main key action steps, a description of the action, expected outcome, evaluation methodology, required skill set, responsible person, proposed timeline, and finally a reference to Madrid’s work item list. The list is not finished and needs to be completed.
* Sheet2 (Checklist 27001) contains 32 questions to address all relevant requirements of the main part of an ISMS based on ISO/IEC 27001. With the checklist, we are able to evaluate the following category groups:
  * Scope, relevant parties (stakeholders)
  * Leadership, roles and responsibilities
  * Risk management and risk treatment
  * Resources, competence, awareness and communication
  * Performance evaluation, internal audit and management review
  * Improvement of the ISMS
* Sheet3 (Checklist 27001 – Annex A) contains a list of 114 questions based on Annex A of ISO/IEC 27001. It is a list of security controls (or safeguards) that are to be used to improve the security of information. The controls are structured into 14 sections; the purpose of each section of Annex A is as follows [1]:
  * Information security policies – controls on how to write and review policies
  * Organization of information security – controls on how responsibilities are assigned
  * Human resources security – controls affecting employment
  * Asset management – controls related to the inventory of assets and acceptable use, and also to information classification and media handling
  * Access control – controls for the access control policy, user access management, system and application access control, and user responsibilities
  * Cryptography – controls related to encryption and key management
  * Physical and environmental security – controls defining secure areas, entry controls, protection against threats, equipment security, secure disposal, clear desk and clear screen policy, etc.
  * Operational security – lots of controls related to the management of IT production: change management, capacity management, malware, backup, logging, monitoring, installation, vulnerabilities
  * Communications security – controls related to network security, segregation, network services, transfer of information, messaging, etc.
  * System acquisition, development and maintenance – controls defining security requirements and security in development and support processes
  * Supplier relationships – controls on what to include in agreements, and how to monitor the suppliers
  * Information security incident management – controls for reporting events and weaknesses, defining responsibilities, response procedures, and collection of evidence
  * Information security aspects of business continuity management – controls requiring the planning of business continuity, procedures, verification and review, and IT redundancy
  * Compliance – controls requiring the identification of applicable laws and regulations, intellectual property protection, personal data protection, and reviews of information security
* Sheet4 (Checklist 22301) is similar to sheet1 but with a focus on Business Continuity Management. The checklist contains a list of 90 questions to address all relevant requirements of a BCMS based on ISO 22301. With the checklist, we are able to evaluate the following category groups:
  * Scope, supply chain, l&r requirements and assurance
  * Leadership, roles and responsibilities
  * Risks and opportunities
  * Business continuity objectives and plans to achieve them
  * Human resources, competence and training and awareness
  * Communication and documentation
  * Operational planning and control
  * Business Impact Analysis (BIA) and Risk Assessment
  * Business continuity strategy / Resource recovery strategy
  * Incident response structure
  * Business continuity plans
  * Monitoring, measurement, analysis and evaluation
  * Internal audit and management review
  * Improvement of the BCMS
I am using a similar list for my annual internal audits at DENIC. Altogether I would expect a total effort of approx. 15-20 m/d to perform key action steps 1.0 and 2.0. External consultants are also possible and, in my view, a good option.
Jennifer, it would be great if you could import the file to google docs and share the link for editing purposes.
Any feedback on this would be great.
Regards,
- Boban.
[1]https://advisera.com/27001academy/knowledgebase/overview-of-iso-270012013-an...
--
Boban Kršić Chief Information Security Officer
DENIC eG, Kaiserstraße 75-77, 60329 Frankfurt am Main, GERMANY
E-Mail: krsic@denic.de, Phone: +49 69 272 35-120, Fax: -248 Mobile: +49 172 67 61 671 https://www.denic.de
X.509 Key-ID: 00A54FCB79884413A4 Fingerprint: 9D37 F593 AF9A D766 FAB4 8B88 D49A 2716
PGP Key-ID: 0x43C89BA9 Fingerprint: B974 E725 FEF7 CB3A E452 BEE0 5B80 73E9 43C8 9BA9
Information pursuant to § 25a para. 1 GenG: DENIC eG (registered office: Frankfurt am Main) Management Board: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg Schweiger Chairman of the Supervisory Board: Thomas Keller Registered under No. 770 in the Register of Cooperatives, Local Court of Frankfurt am Main