Work plan (draft) Sub Team 2 – ICANN Security
Dear All,

Please find attached a first draft of a work plan for subteam 2 - ICANN Security. I propose that the basis for further development should be a gap analysis (without any obligation to certify something) based on the following two industrial standards: ISO/IEC 27001:2013 Information Security Management Systems (ISMS) and ISO 22301:2012 Business Continuity Management Systems (BCMS). With the use of both standards, we should be able to address all relevant work items that we identified in Madrid. For the beginning, I have created a simple MS Excel file that contains all relevant information for project planning and realization of the gap analysis. The file contains a total of four sheets:

* Sheet1 (Workplan) contains the main key action steps, a description of the action, expected outcome, evaluation methodology, required skill set, responsible person, proposed timeline, and finally a reference to Madrid's work item list. The list is not finished and needs to be completed.

* Sheet2 (Checklist 27001) contains 32 questions to address all relevant requirements of the main part of an ISMS based on ISO/IEC 27001. With the checklist, we are able to evaluate the following category groups:
  * Scope, relevant parties (stakeholders)
  * Leadership, roles and responsibilities
  * Risk management and risk treatment
  * Resources, competence, awareness and communication
  * Performance evaluation, internal audit and management review
  * Improvement of the ISMS

* Sheet3 (Checklist 27001 – Annex A) contains a list of 114 questions based on Annex A of ISO/IEC 27001. It is a list of security controls (or safeguards) that are to be used to improve the security of information. The controls are structured, and the purpose of each of the 14 sections from Annex A is [1]:
  * Information security policies – controls on how to write and review policies
  * Organization of information security – controls on how the responsibilities are assigned
  * Human resources security – controls affecting the employment
  * Asset management – controls related to inventory of assets and acceptable use, also for information classification and media handling
  * Access control – controls for access control policy, user access management, system and application access control, and user responsibilities
  * Cryptography – controls related to encryption and key management
  * Physical and environmental security – controls defining secure areas, entry controls, protection against threats, equipment security, secure disposal, clear desk and clear screen policy, etc.
  * Operational security – lots of controls related to management of IT production: change management, capacity management, malware, backup, logging, monitoring, installation, vulnerabilities
  * Communications security – controls related to network security, segregation, network services, transfer of information, messaging, etc.
  * System acquisition, development and maintenance – controls defining security requirements and security in development and support processes
  * Supplier relationships – controls on what to include in agreements, and how to monitor the suppliers
  * Information security incident management – controls for reporting events and weaknesses, defining responsibilities, response procedures, and collection of evidence
  * Information security aspects of business continuity management – controls requiring the planning of business continuity, procedures, verification and reviewing, and IT redundancy
  * Compliance – controls requiring the identification of applicable laws and regulations, intellectual property protection, personal data protection, and reviews of information security

* Sheet4 (Checklist 22301) is similar to Sheet1 but with a focus on Business Continuity Management. The checklist contains a list of 90 questions to address all relevant requirements of a BCMS based on ISO 22301. With the checklist, we are able to evaluate the following category groups:
  * Scope, supply chain, l&r requirements and assurance
  * Leadership, roles and responsibilities
  * Risks and opportunities
  * Business continuity objectives and plans to achieve them
  * Human resources, competence and training and awareness
  * Communication and documentation
  * Operational planning and control
  * Business Impact Analysis (BIA) and Risk Assessment
  * Business continuity strategy / Resource recovery strategy
  * Incident response structure
  * Business continuity plans
  * Monitoring, measurement, analysis and evaluation
  * Internal audit and management review
  * Improvement of the BCMS

I am using a similar list for my annual internal audits at DENIC. Altogether I would expect a total effort of approx. 15-20 m/d to perform key action steps 1.0 and 2.0. External consultants are also possible and in my view a good option.

Jennifer, it would be great if you could import the file to Google Docs and share the link for editing purposes.

Any feedback on this would be great.

Regards,
- Boban.

[1] https://advisera.com/27001academy/knowledgebase/overview-of-iso-270012013-an...

--
Boban Kršić, Chief Information Security Officer
DENIC eG, Kaiserstraße 75-77, 60329 Frankfurt am Main, GERMANY
E-Mail: krsic@denic.de, Phone: +49 69 272 35-120, Fax: -248, Mobile: +49 172 67 61 671, https://www.denic.de
X.509 Key-ID: 00A54FCB79884413A4 Fingerprint: 9D37 F593 AF9A D766 FAB4 8B88 D49A 2716
PGP Key-ID: 0x43C89BA9 Fingerprint: B974 E725 FEF7 CB3A E452 BEE0 5B80 73E9 43C8 9BA9
Information pursuant to § 25a paragraph 1 GenG: DENIC eG (registered office: Frankfurt am Main); Executive Board: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg Schweiger; Chairman of the Supervisory Board: Thomas Keller; registered under No. 770 in the Register of Cooperatives, Amtsgericht Frankfurt am Main
Hi all,

The Google doc version has been posted on the wiki here: https://community.icann.org/pages/viewpage.action?pageId=64076120 . RT members have editing rights.

Best,
Jennifer

-----Original Message-----
From: <ssr2-review-bounces@icann.org> on behalf of Boban Krsic <krsic@denic.de>
Date: Sunday, June 4, 2017 at 10:24 PM
To: SSR2 <ssr2-review@icann.org>
Subject: [Ssr2-review] Work plan (draft) Sub Team 2 – ICANN Security
Thanks Jennifer. - Boban
On 05.06.2017 at 17:45, Jennifer Bryce <jennifer.bryce@icann.org> wrote:
Hi all,
The Google doc version has been posted on the wiki here: https://community.icann.org/pages/viewpage.action?pageId=64076120 . RT members have editing rights.
Best, Jennifer
Hello,

As discussed yesterday on the call, this is what I think the sub-group (ICANN Security) should do:

- Analyze the risk management framework in place at ICANN in general and for the SSR remit
- Analyze the security management framework
  * Security efforts and effectiveness
  * Auditing: reports and recommendations implementation.
- Gap analysis
- Recommendations

Their work will be fed by the work of sub-group 1 (SSR1 implementation), which shall evaluate the effectiveness of implementation of recommendations 9, 26 and 27 below.

Hope this helps
—Alain

====================
9 ICANN should assess certification options with commonly accepted international standards (e.g., ITIL, ISO and SAS-70) for its operational responsibilities. ICANN should publish a clear roadmap towards certification.

26 ICANN should prioritize the timely completion of a Risk Management Framework.

27 ICANN's Risk Management Framework should be comprehensive within the scope of its SSR remit and limited missions.
========================
On 5 Jun 2017, at 05:24, Boban Krsic <krsic@denic.de> wrote:
<170531.Workplan_ICANN_Security_draft_0.91.xlsx>

_______________________________________________
Ssr2-review mailing list
Ssr2-review@icann.org
https://mm.icann.org/mailman/listinfo/ssr2-review
Hi Alain,

On 07.06.17 at 18:43, ALAIN AINA wrote:

Hello,

As discussed yesterday on the call, this is what I think the sub-group (ICANN Security) should do:

- Analyze the risk management framework in place at ICANN in general and for the SSR remit
- Analyze the security management framework
  * Security efforts and effectiveness
  * Auditing: reports and recommendations implementation.

This represents IMHO only a limited view and does not follow a holistic approach to information security and especially to business continuity management. Both standards, ISO/IEC 27001 ISMS and ISO 22301 BCMS, are widely accepted and represent a risk- and process-based approach to dealing with information security and business continuity issues in general. In addition to that we get a list of security controls that are to be used to improve security at the organization. I believe that with the use of both standards we should be able to address all relevant work items that we identified in Madrid - and that in an efficient way.

Best,
Boban.

- Gap analysis
- Recommendations

Their work will be fed by the work of sub-group 1 (SSR1 implementation), which shall evaluate the effectiveness of implementation of recommendations 9, 26 and 27 below.
Hope this helps
—Alain
==================== 9 ICANN should assess certification options with commonly accepted international standards (e.g., ITIL, ISO and SAS-70) for its operational responsibilities. ICANN should publish a clear roadmap towards certification.
26 ICANN should prioritize the timely completion of a Risk Management Framework.
27 ICANN’s Risk Management Framework should be comprehensive within the scope of its SSR remit and limited missions. ========================
On 5 Jun 2017, at 05:24, Boban Krsic <krsic@denic.de> wrote:
Dear All,
Please find attached a first draft of a work plan for subteam 2 - ICANN Security. I propose, that the basis for further development should be a gap analysis (without any obligations to certify something) based on the following two industrial standards: ISO/IEC 27001:2013 Information Security Management Systems (ISMS) and ISO 22301:2012 Business Continuity Management Systems (BCMS). With the use of both standards, we should be able to address all relevant work items that we identified in Madrid. For the beginning, I have created a simple MS Excel that consists all relevant information for project planning and realization of the gap analysis. The file contains a total of four sheets:
* Sheet1 (Workplan) contains the main key action steps, a description of the action, expected outcome, evaluation methodology, required skill set, responsible person, proposed timeline, and finally a reference to Madrid’s work item list. The list is not finished and needs to be completed.
* Sheet2 (Checklist 27001) contains 32 questions to address all relevant requirements of the main part of a ISMS based on ISO/IEC 27001. With the checklist, we are able to evaluate the following category groups:
* Scope, relevant parties (stakeholder) * Leadership, roles and responsibilities * Risk management and risk treatment * Resources, competence, awareness and communication * Performance evaluation, internal audit and management review * Improvement of the ISMS
* Sheet3 (Checklist 27001 – Annex A) contains a list of 114 questions based on the Annex A of ISO/IEC 27001. It is a list of security controls (or safeguards) that are to be used to improve security of information. The controls are structured, and the purpose of each of the 14 sections from Annex A [1]:
* Information security policies - controls how to write and review policies * Organization of information security – controls on how the responsibilities are assigned * Human resources security – controls affecting the employment * Asset management – controls related to inventory of assets and acceptable use, also for information classification and media handling * Access control – controls for Access control policy, user access management, system and application access control, and user responsibilities * Cryptography – controls related to encryption and key management * Physical and environmental security – controls defining secure areas, entry controls, protection against threats, equipment security, secure disposal, clear desk and clear screen policy, etc. * Operational security – lots of controls related to management of IT production: change management, capacity management, malware, backup, logging, monitoring, installation, vulnerabilities * Communications security – controls related to network security, segregation, network services, transfer of information, messaging, etc. * System acquisition, development and maintenance – controls defining security requirements and security in development and support processes * Supplier relationships – controls on what to include in agreements, and how to monitor the suppliers * Information security incident management – controls for reporting events and weaknesses, defining responsibilities, response procedures, and collection of evidence * Information security aspects of business continuity management – controls requiring the planning of business continuity, procedures, verification and reviewing, and IT redundancy * Compliance – controls requiring the identification of applicable laws and regulations, intellectual property protection, personal data protection, and reviews of information security
* Sheet4 (Checklist 22301) similar to sheet1 but with a focus on Business Continuity Management. The checklist contains a list of 90 questions to address all relevant requirements of a BCMS based on ISO 22301. With the checklist, we are able to evaluate the following category groups:
* Scope, supply chain, l&r requirements and assurance * Leadership, roles and responsibilities * Risks and opportunities * Business continuity objectives and plans to achieve them * Human resources, competence and training and awareness * Communication and documentation * Operational planning and control * Business Impact Analysis (BIA) and Risk Assessment * Business continuity strategy / Resource recovery strategy * Incident response structure * Business continuity plans * Monitoring, measurement, analysis and evaluation * Internal audit and management review * Improvement of the BCMS
I am using a similar list for my annually internal audits at DENIC. Altogether I would expect a total effort of approx. 15-20 m/d to perform key action steps 1.0 and 2.0. External consultants are also possible and in my view a good option.
Jennifer, it would be great if you could import the file to google docs and share the link for editing purposes.
Any feedback on this would be great.
Regards,
- Boban.
[1]https://advisera.com/27001academy/knowledgebase/overview-of-iso-270012013-an...
--
Boban Kršić Chief Information Security Officer
DENIC eG, Kaiserstraße 75-77, 60329 Frankfurt am Main, GERMANY
E-Mail: krsic@denic.de, Fon: +49 69 272 35-120, Fax: -248 Mobil: +49 172 67 61 671 https://www.denic.de
X.509 Key-ID: 00A54FCB79884413A4 Fingerprint: 9D37 F593 AF9A D766 FAB4 8B88 D49A 2716
PGP Key-ID: 0x43C89BA9 Fingerprint: B974 E725 FEF7 CB3A E452 BEE0 5B80 73E9 43C8 9BA9
Information pursuant to § 25a paragraph 1 GenG: DENIC eG (registered office: Frankfurt am Main); Management Board: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg Schweiger; Chairman of the Supervisory Board: Thomas Keller; registered under no. 770 in the Register of Cooperatives, Local Court of Frankfurt am Main
<170531.Workplan_ICANN_Security_draft_0.91.xlsx>
_______________________________________________
Ssr2-review mailing list
Ssr2-review@icann.org
https://mm.icann.org/mailman/listinfo/ssr2-review
Boban,
On 8 Jun 2017, at 14:33, Boban Krsic <krsic@denic.de> wrote:
Hi Alain,
On 07.06.17 at 18:43, ALAIN AINA wrote:
Hello,
As discussed yesterday on the call, this is what I think the sub-group (ICANN Security) should do:
- Analyze the risk management framework in place at ICANN in general and for the SSR remit
- Analyze the security management framework
  * Security efforts and effectiveness
  * Auditing: reports and recommendations implementation.
This represents IMHO only a limited view and does not follow a holistic approach to information security and especially to business continuity management. Both standards, ISO/IEC 27001 ISMS and ISO 22301 BCMS, are widely accepted and represent a risk- and process-based approach to dealing with information security and business continuity issues in general. In addition to that, we get a list of security controls that are to be used to improve security at the organization. I believe that with the use of both standards we should be able to address all relevant work items that we identified in Madrid - and that in an efficient way.
As I said during the call, it is not our mandate to audit the security of ICANN's information system. We shall limit our role to analysis and evaluation of the risk management and security management framework in place, how they are being implemented, and do a gap analysis...
Evaluating ICANN compliance means:
- What are the risk and security management frameworks in place?
- System security certified?
- Security evaluated/audited?
- Gap analysis
- Recommendations
Hope this helps
—Alain
Best, Boban.
- Gap analysis
- Recommendations
Their work will be fed by the work of sub-group 1 (SSR1 implementation), which shall evaluate the effectiveness of implementation of recommendations 9, 26 and 27 below.
Hope this helps
—Alain
====================
9 ICANN should assess certification options with commonly accepted international standards (e.g., ITIL, ISO and SAS-70) for its operational responsibilities. ICANN should publish a clear roadmap towards certification.
26 ICANN should prioritize the timely completion of a Risk Management Framework.
27 ICANN’s Risk Management Framework should be comprehensive within the scope of its SSR remit and limited missions.
========================
On 5 Jun 2017, at 05:24, Boban Krsic <krsic@denic.de> wrote:
Alain,
On 08.06.17 at 19:04, ALAIN AINA wrote:
As I said during the call, it is not our mandate to audit the security of ICANN's information system. We shall limit our role to analysis and evaluation of the risk management and security management framework in place, how they are being implemented, and do a gap analysis...
Roger, thanks for clarification. Let's discuss on this next Tuesday. - Boban.
Dear sub-team,
As mentioned at the last F2F workshop in Joburg, I would like to ask you for some feedback on the new structure of sub topic 2 - ICANN SSR [1]. Please review the re-organized work items (all 37 items merged into 8 groups) and send any feedback directly to the new sub-group mailing list (cc'd). Following Geoff’s approach, please bear in mind the following questions (Thanks Geoff ;-)):
* Is this a useful structure to use to organize this activity?
* What is missing from this list?
* Is there anything here that is perhaps out of scope?
* Is this an achievable agenda?
Best regards,
Boban.
[1] https://docs.google.com/document/d/1DWoT4VoMlT5Dvcy78EXI-O5tQFqa9CblwsDEV6go...
On 08.06.17 at 16:33, Boban Krsic wrote: