Compliance and Control

Transcriptie

1 SURFaudit Compliance and Control Terena&TF(MSP&(&Trondheim&(&sept.&11th,&2013&(&Alf&Moens What is SURFaudit? How&did&it&start? Where&are&we&now? What&do&all&agree&upon&(and&where&do&they&disagree)? Where&will&we&go? obligatory external&auditers,&regulators,&supervising&bodies external&audit&and&peer&reviews 2

2 How did it start? Internal&Demands: SURFnet Studielink governance&codes public&opinion 3 SURFaudit consists of a&control&framework, a&scoring&scale&and 5&levels&based&on&CMM a&benchmarktool, with&broad&commitment&from&security&officers,&ict&managers,&cio s&and&boardmembers&of& Same&methods&and&tools&are&used&in&healthcare&(hospitals)&and&amongst&members&CIO& Pla[orm&(major&Dutch&companies). It s%a%combina-on%of%organisa-onal,%personell%and%technical%controls! 4

3 Normenkader 2013 Uitbreiding*2013*opb**richtsnoer*WBP Logging&en&Controle 12.2 Correcte&verwerking&in&toepassingssystemen 12.6 Beheer&van&technische&kwetsbaarheden Geheimhoudingsovereenkomsten Omgang&met&e(waste Controle&op&technische&naleving code&review Bij*cloud/uitbesteding: beveiligingseisen&in&bewerkersovereenkomst controle&en&beoordeling&van&dienstverlening Beoordeling&en&adandeling&van&incidenten&en&lekken beheer&van&wijzigingen&in&de&dienstverlening 5 SURF SURFnet SURFmarket Studielink ICT & Onderzoek BIG Data spionage ICT & Onderwijs Veilig Toetsen/ Toetsinfrastructuur ICT & Bedrijfsvoering Compliance Privacy & juridisch organisatie SURFcert Federatie/ Conext GIGAport SURFworks SURFnet/ Kennisnet Stuurgroep Informatiebeveiliging & Privacy Hoger Onderwijs (IBHO) Software SAFE Diensten SURFsara SURFshare Studiekeuze123 Deelnemingen escience PI.lab Radboud Science VU SANS UvA Programma BIS SURFaudit Privacy IDM Disseminatie Taskforce Cloud Cloud First Regie in de cloud SURF projecten SURF Kantoor SION Onderwijsidentiteit / IAA Universiteiten Hogescholen UMC's CIOberaad Wetenschappelijke instellingen MBO's, bibliotheken, overigen CvDUR COMIT SURFibo SCIRT H-BOSS KAAIWO Bestuurders CVUAD SIG IDM Framework IB HO netwerken Trainingen Cloud Terena PvIB CPNI NCSC Internationaal TF-csirt Externe partijen CIO Platform / SIG / Bestuurscommissie Inspectie Overheid BID OCW EuroCio Cyber Security Counsil Kennisnet Stuurgroep KIN CBP CIP SURF, versie 1.8, augustus 2013, Alf Moens 6

4 Soorten metingen ISO certificering Inspanning Audit Proef audit Begeleid Self-assesment Self-assesment Waarde 7 Framework Information Security!SURFibo!!!!!!!!!!!!!!!!!!!!!!!!!!!Framework!InformationSecurity!Higher!Education!(Netherlands)!!!!!!!!!!!!!!!!!!!!!!!Version(Q1=2012 Guideline(Information(Security(Architecture Baseline( Information( Security Guideline( Acceptable( Use(Policy Starterkit( Starterkit( Identity( RBAC Management Information(Security(Management(System:(ISO(27001 Guideline( Classification Guideline( Integrity( Code Starterkit( Starterkit( Business( CERT(CSIRT) Continuity( Management Examples(of(implementations(within(institutions( Starterkit(InformationSecurity Guideline( Function= Profiles Cloud( implementat ions(((surfnet( /kennisnet) Sourcing( toolkit((cio= association( HE) Quality(Requirements(InformationSecurity(HE( and((surfaudit Template(InformationSecurity(Policy((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((( (incl.(organisation(aspects) Secure& Privacy Responsible& Disclosure Supporting(technical(material((How=to's,(FAQ's,(etc.) Ready (periodical(review) Documents(maintained(by(third(parties 8

5 CMM scoring mechanism 9 Where are we now? external&audit&every&4&years&and&perform&self( assessments&in&between. First&large&scale&coordinated&audit&in&2008.&First& SURFaudit&large&scale&coordinated&audit&in&november/ december&2011.& Updated&tooling&and&control&framework&in&summer& New&large&scale&coordinated&audit&planned&for& november&

6 6 Universiteiten 9 Hogescholen Ni Omschrijving ve 0 Non$existent au 1 Initial/Ad0Hoc 2 Repeatable0but0 Intuitive0 3 De9ined0Process 4 Managed0and0 Measurable 5 Optimised0 SURFaudit Benchmark Where do we agree? All&agree&on&(expanded)&framework,&periodical&audits,&etc. SURFnet&should&demand&compliance It t&have&to&do If&voluntary:&>50%&postpones,&especially&if&they&have&to&invest& in&licenses& ad&hoc.& needed&improvements,&nothing&has&changed. 12

7 What s next? Reinforce&commitment,&Board&level Two&audits&in&2012&of&the&Dutch&privacy&supervising&body&(CBP)&do&help and&control environment& From&project&tot&proces explore&including&surfaudit&in&main&surfnet&services&package&and&make&it& obligatory,&including&tooling 13 Use and re-use Policy&framework&and&control&framework&are& law:&are&available&to&anyone&interested. Share&(and&compare)&benchmark&figures& European&benchmark? Tooling&we&now&use&is&commercially&available 14

8 Alf&Moens