SURFaudit
Compliance and Control
TERENA TF-MSP, Trondheim, Sept. 11th, 2013, Alf Moens
What is SURFaudit?
• Introduction
• How did it start?
• Where are we now?
  – standards, cooperation with other sectors
• What do all agree upon (and where do they disagree)?
• Where will we go?
  – obligatory
  – external auditors, regulators, supervising bodies
  – external audit and peer reviews
How did it start?
• Internal demands:
  – SURFnet
  – Studielink
  – governance codes
• External demands: rules and regulations
  – privacy law, legal administrative rules, copyright law, telecommunications law, computer crime laws
  – public opinion
SURFaudit consists of
• a control framework,
  – based on ISO 27002: a selection of controls that at least must be implemented in Higher Education.
  – in 2013 expanded based on clarified privacy regulations
• a scoring scale, and
  – 5 levels based on CMM
• a benchmark tool,
  – with built-in scoring, explanation, required evidence, reporting and comparison
• with broad commitment from security officers, ICT managers, CIOs and board members of the institutions
• But still voluntary.
• The same methods and tools are used in healthcare (hospitals) and amongst members of the CIO Platform (major Dutch companies).
• SURFaudit is part of the Information Security Framework HO-NL.
• It's a combination of organisational, personnel and technical controls!
Control framework 2013 (Normenkader 2013)

Extension 2013, based on the WBP (Dutch Personal Data Protection Act) guideline:
10.10   Logging and monitoring
12.2    Correct processing in application systems
12.6    Management of technical vulnerabilities
6.1.5   Confidentiality agreements
12.3    Encryption and hashing
9.2.6   Handling of e-waste
15.2.1  Compliance checking within the organisation
15.2.2  Technical compliance checking
12.5.5  Code review
10.3.2  Testing of new and changed information systems

For cloud / outsourcing:
6.2.3   Security requirements in the data processor agreement
7.2     Differentiation of processed personal data (classification)
10.2.2  Monitoring and review of service delivery
13.1.2  Assessment and handling of incidents and data leaks
10.2.3  Management of changes in service delivery
[Diagram: IBP @ SURF, version 1.8, August 2013, Alf Moens. A map of information security and privacy (IBP) activities at SURF: the IBP@SURF programme (SAFE, SURFcert, SURFaudit, Privacy, IDM, Framework IB HO, Trainingen, Disseminatie), the SURF projects and organisations it connects to (among them SURFnet, SURFmarket, Studielink, SURFsara, Kennisnet, Taskforce Cloud), the Stuurgroep Informatiebeveiliging & Privacy Hoger Onderwijs (IBHO) with the universities, hogescholen, UMC's and wetenschappelijke instellingen, and external parties such as NCSC, CBP, OCW, CIO Platform, PvIB, CPNI, Terena and TF-csirt.]
[Chart: types of measurement (Soorten metingen), plotted by effort (Inspanning) against value (Waarde): ISO 27001 certification, audit, trial audit (proef audit), guided self-assessment, self-assessment.]
[Diagram: SURFibo, Framework Information Security Higher Education (Netherlands), version Q1-2012. Components: Starterkit Information Security; Quality Requirements Information Security HE and SURFaudit; Guideline Information Security Architecture; Template Information Security Policy (incl. organisation aspects); Information Security Management System: ISO 27001; Baseline Information Security; Guidelines for Acceptable Use Policy, Classification, Integrity Code, Function Profiles and Secure Examination; Starterkits for Identity Management, RBAC, Business Continuity Management and CERT (CSIRT); examples of implementations within institutions (periodical review); supporting technical material (How-to's, FAQ's, etc.); documents maintained by third parties (Cloud Sourcing implementation toolkit, privacy regulations, Responsible Disclosure, CIO association (HE), SURFnet/Kennisnet).]
CMM scoring mechanism
Where are we now?
• We have commitment: institutions should perform an external audit every 4 years and perform self-assessments in between.
• First large scale coordinated audit in 2008. First SURFaudit large scale coordinated audit in November/December 2011.
• Updated tooling and control framework in summer 2013, plus additional training.
• New large scale coordinated audit planned for November 2013.
SURFaudit Benchmark 2011

[Chart: benchmark scores of 6 universities (Universiteiten) and 9 universities of applied sciences (Hogescholen), on the CMM scale below.]

CMM levels (Niveau / Omschrijving):
0 – Non-existent
1 – Initial / Ad hoc
2 – Repeatable but intuitive
3 – Defined process
4 – Managed and measurable
5 – Optimised
Where do we agree?
• All parties involved, at all levels, agree information security and protection of personal data is essential.
  – All agree on (expanded) framework, periodical audits, etc.
• "SURFnet should demand compliance"
  – It's in the contract conditions,
  – It is also in the contract conditions of Studielink
• Smaller institutions look for parts they don't have to do
• If voluntary: >50% postpones, especially if they have to invest in licenses "ad hoc".
  – "we are not auditing this year, we have not been able to do the needed improvements, nothing has changed."
What's next?
• Reinforce commitment, Board level
  – Two audits in 2012 by the Dutch privacy supervising body (CBP) do help
  – European data protection directive might be key for embedding compliance and control
• The smaller institutions...
  – do not have the expertise
  – should not become the weakest link in a firmly interconnected educational environment
• From project to process
  – explore including SURFaudit in the main SURFnet services package and make it obligatory, including tooling
  – Set up peer auditing
• Prepare for the European Data Protection Directive
Use and re-use
• Policy framework and control framework are based on international standards and European law: they are available to anyone interested.
• Share (and compare) benchmark figures
  – European benchmark?
• Tooling we now use is commercially available
Alf Moens
[email protected]