Sharing Best Security Practices with your Peers - on an International Level

Transcription

1 Public Sharing Best Security Practices with your Peers - on an International Level Urpo Kaila, <urpo.kaila@csc.fi> Head of Security, csc.fi EUDAT Security Officer WISE Community SC member GÉANT SIG-ISMS SC member EDUCAUSE Security Professionals Conference Seattle,

2 First, about me and my site Me o Head of Security for CSC - IT Center for Science Ltd. o Special interests: Sharing and developing best information security practices, ISO CSC o A non-profit government owned company in Finland providing IT services for research, higher education, and government o Staff: 300 o Services: scientific computing, Funet NREN, IAM, datacenters, IT services, education management 03/02/15 2

3 Sharing Best Practices with Peers A security practitioner needs o A good education o Experience o Management support o Professional continuing training o by ISC2, SANS, ISACA etc o Motivation o and learning from and sharing with peers! o Current real world issues o Sharing in trust (chatham house rule) o Not aligned to vendor or government interests o Learning how, not only what on an international level o the bad guys does also network over borders 03/02/15 3

4 Networking in European Research Infrastructures EUDAT o The collaborative Pan-European infrastructure providing research data services, training and consultancy for researchers, Research Communities and Research Infrastructures & Data Centres o PRACE o Partnership for Advanced Computing in Europe o GÉANT SIG-ISM (formerly TERENA) o GÉANT is the leading collaboration on e-infrastructure and services for research and education. o 4

5 GÉANT SIG-ISM SIG-ISM offers CISOs (Chief Information Security Officers) of national research and education network (NREN) organisations the opportunity to share best practices and learn from each others' experience, to safeguard their NREN against security incidents and threats Events o 1st SIG-ISM workshop on information security management and compliance on 19 May 2015 in London o 2nd SIG-ISM Workshop on risk management in Copenhagen 22nd-23th of February /02/15 5

6 WISE what is it? Wise Information Security for Collaborating E-infrastructure A trusted global framework where security experts can share information on different topics like risk management, experiences about certification process and threat intelligence keeping a special focus on e-infrastructures.

7 How everything started Joint effort of GEANT SIG-ISM (Special Interest Group on Information Security Management) and SCI (Security for Collaboration among Infrastructures) Workshop in Barcelona Spain, October participants

8 How everything started Main idea: 4 big e-infrastructures EGI, EUDAT, GEANT and PRACE getting together to facilitate the exchange of experience and knowledge on security. But also NRENs, XSEDE, NCSA, CTSC and communities like HEP/CERN, HBP and many others participated. A profound need for a real collaboration became evident

9 Activities Led by a Steering Committee Two face-to-face meetings a year The main work happens through working groups. Five WGs: o Updating the SCI framework (SCIV2-WG) o Security Training and Awareness (STAA-WG) o Security Review and Audit (SRA-WG) o Risk Assessment WISE (RAW-WG) o Security in Big and Open Data (SBOD-WG)

10 SCIV2-WG Updating the SCI framework: Already existing framework created by the SCI group o o SCIV2-WG will work towards version 2 of the SCI document that will become the 1 st WISE framework defining best practices, trust and policy standards for collaboration. A wider range of stakeholders will be involved, specifically the NRENs, whose security issues were not present in the first version.

11 SCIv2-WG The WG has just defined the direction of the work and chose the first topic the group will focus on: How to share vulnerabilities among e-infrastructures

12 STAA-WG Security Training and Awareness: Training is wanted and needed for security professionals, systems and network managers and engineers, users of the infrastructures and for decision makers, for a wide range of topics. Main activities of the WG: o Collecting good training practices o Collecting information about relevant existing trainings at the infrastructures o Set up a basic training and awareness program for organizations in the WISE community, identifying which trainings are needed

13 STAA-WG The WG Security Training and Awareness will first do an inventory: What are the target groups for security awareness? What materials are already available and what practices can e-infras share? What are the most important subject for security training? Which free/open training or trainings materials are available? Which commercial trainings are available? The purpose is to identify the training needs and make a first match with available training material.

14 RAW-WG Risk assessment WISE: Large e-infrastructures are vulnerable for high impact security incidents because of the relative easy way that an incident may spread among partner organizations because of the collaborative services that exist among the constituent organizations. So it is important that each member organization has a trusted level of implemented security procedures. The objective of the WG is to provide e-infrastructures and their member organizations with guidelines on how Risk Assessments can be effectively implemented.

15 SRA-WG Security Review and Audit: A proven method to obtain objective and comprehensive information about the current state of information security is to perform security reviews and security audits Some of the activities of the WG: o Follow and contribute to the development of security audits and reviews among the constituents o Share related best practices for implementations o Contribute to development of security standards and frameworks

16 SBOD-WG Security in Big and Open Data: The WG focuses on security issues that arise when dealing with Big and Open data especially within the e-infrastructures. Main activities of the WG: o list and discuss already existing studies and state of the art the starting point for the rest of the work. o work on a list of issues particularly important for e-infrastructures and on a set of recommendations on how to minimize the impact of these issues.

17 Participate in WISE Interested in any of the the working group subjects? Subscribe to the workgroup mailinglist on the WISE website Contact the workgroup chair and let s work together The Working groups are starting their work now

18 Thanks and let s keep in touch I ll be happy to network and keep in touch with all attendants of the EDUCASE Security Professionals conference trough o The WISE Working Groups o <urpo.kaila@csc.fi> o LinkedIN (I am currently the only Urpo Kaila around ;) o Twitter (@utsirp) 03/02/15 18