SURFaudit: Compliance and Control
TERENA TF-MSP, Trondheim, September 11th, 2013, Alf Moens

What is SURFaudit?
- Introduction: how did it start?
- Where are we now? Standards, cooperation with other sectors
- What do all agree upon (and where do they disagree)?
- Where will we go? Obligatory; external auditors, regulators, supervising bodies; external audit and peer reviews
How did it start?
- Internal demands: SURFnet, Studielink, governance codes
- External demands: rules and regulations: privacy law, legal administrative rules, copyright law, telecommunications law, computer crime laws
- Public opinion

SURFaudit consists of
- A control framework, based on ISO 27002: a selection of controls that at least must be implemented in higher education; expanded in 2013 based on clarified privacy regulations
- A scoring scale with 5 levels based on CMM
- A benchmark tool, with built-in scoring, explanation, required evidence, reporting and comparison
- Broad commitment from security officers, ICT managers, CIOs and board members of the institutions
- But still voluntary.
Same methods and tools are used in healthcare (hospitals) and amongst members of the CIO Platform (major Dutch companies).
SURFaudit is part of the Information Security Framework HO-NL.
It's a combination of organisational, personnel and technical controls!
Control framework 2013 (Normenkader 2013)
Extension 2013, based on the WBP (Wet bescherming persoonsgegevens, the Dutch Personal Data Protection Act) guideline:
- 10.10 Logging and monitoring
- 12.2 Correct processing in application systems
- 12.6 Technical vulnerability management
- 6.1.5 Confidentiality agreements
- 12.3 Encryption and hashing
- 9.2.6 Handling of e-waste
- 15.2.1 Compliance checking within the organisation
- 15.2.2 Technical compliance checking
- 12.5.5 Code review
- 10.3.2 Testing of new and changed information systems
For cloud/outsourcing:
- 6.2.3 Security requirements in the data processing agreement
- 7.2 Differentiation of processed personal data (classification)
- 10.2.2 Monitoring and review of service delivery
- 13.1.2 Assessment and handling of incidents and leaks
- 10.2.3 Management of changes to service delivery

[Diagram: "IBP @ SURF" (Information Security & Privacy at SURF), version 1.8, August 2013, Alf Moens. It shows the SURF organisations (SURF, SURFnet, SURFmarket, SURFsara, SURFshare, Studielink, Studiekeuze123, participations), the Steering Group Information Security & Privacy Higher Education (IBHO), the SURF programmes and projects (SURFaudit, Privacy, IDM, Framework IB HO, Taskforce Cloud, Cloud First, SION, trainings, networks), the participating institutions (universities, universities of applied sciences, UMCs, research institutions, MBOs, libraries and others) with their bodies (CIO-beraad, SURFibo, SCIRT, CvDUR, COMIT, H-BOSS, KAAIWO, CVUAD, SIG IDM), and external parties (CBP, NCSC, CPNI, TERENA, TF-CSIRT, PvIB, OCW, Inspectie, BID, CIO Platform, EuroCIO, Cyber Security Council, Kennisnet, CIP).]
Types of measurement (chart: effort versus value)
- ISO 27001 certification
- Audit
- Trial audit
- Guided self-assessment
- Self-assessment

Framework Information Security Higher Education (Netherlands), SURFibo, version Q1-2012
- Guideline Information Security Architecture
- Baseline Information Security
- Guideline Acceptable Use Policy
- Starterkit Identity Management
- Starterkit RBAC
- Information Security Management System: ISO 27001
- Guideline Classification
- Guideline Integrity Code
- Starterkit Business Continuity Management
- Starterkit CERT (CSIRT)
- Examples of implementations within institutions
- Starterkit Information Security
- Guideline Function Profiles
- Cloud implementations (SURFnet/Kennisnet)
- Sourcing toolkit (CIO association HE)
- Quality Requirements Information Security HE and SURFaudit
- Template Information Security Policy (incl. organisation aspects)
- Secure Examination
- Privacy Regulations
- Responsible Disclosure
- Supporting technical material (how-to's, FAQ's, etc.)
Legend: ready; periodical review; documents maintained by third parties.
CMM scoring mechanism (figure)

Where are we now?
- We have commitment: institutions should perform an external audit every 4 years and perform self-assessments in between.
- First large-scale coordinated audit in 2008. First SURFaudit large-scale coordinated audit in November/December 2011.
- Updated tooling and control framework in summer 2013, plus additional training.
- New large-scale coordinated audit planned for November 2013.
SURFaudit Benchmark 2011
6 universities, 9 universities of applied sciences (hogescholen)
Level  Description
0      Non-existent
1      Initial / Ad hoc
2      Repeatable but intuitive
3      Defined process
4      Managed and measurable
5      Optimised
[Chart: benchmark scores of the participating institutions on this scale]

Where do we agree?
- All parties involved, at all levels, agree information security and protection of personal data is essential.
- All agree on the (expanded) framework, periodical audits, etc.
- SURFnet should demand compliance: it's in the contract conditions; it also is in the contract conditions of Studielink.
- Smaller institutions look for parts they don't have to do.
- If voluntary: >50% postpones, especially if they have to invest in licenses; ad hoc: "we are not auditing this year", "we have not been able to do the needed improvements", "nothing has changed".
What's next?
- Reinforce commitment at board level
- Two audits in 2012 by the Dutch privacy supervising body (CBP) do help
- The European data protection directive might be key for embedding compliance and control
- The smaller institutions... do not have the expertise, and should not become the weakest link in a firmly interconnected educational environment
- From project to process: explore including SURFaudit in the main SURFnet services package and make it obligatory, including tooling
- Set up peer auditing
- Prepare for the European Data Protection Directive

Use and re-use
- Policy framework and control framework are based on international standards and European law: they are available to anyone interested.
- Share (and compare) benchmark figures. European benchmark?
- Tooling we now use is commercially available.
Alf Moens
alf.moens@surf.nl