

SLIDE 1

EUDAT receives funding from the European Union's Horizon 2020 programme - DG CONNECT e-Infrastructures. Contract No. 654065

www.eudat.eu

How to Share Best Security Practices

Urpo Kaila, EUDAT Security Officer urpo.kaila@csc.fi, security@eudat.eu WISE Workshop for Information Security for E-infrastructures 2015-10-22, Barcelona

This work is licensed under the Creative Commons CC-BY 4.0 licence. Attribution: EUDAT – www.eudat.eu

SLIDE 2

Standard Building Blocks of Information Security

  • Access Controls
  • Security and Risk Management
  • Operational Security
  • Network Security
  • Software and Service Development Security
  • Computer Security
  • Security Reviews and Testing
  • Asset Management

Several frameworks are available.

Confidentiality, Integrity, Availability

Governance & ITSM

Assets -> Risks -> Controls -> Metrics

SLIDE 3

Different kinds and levels of security skills

  • Auditors
  • IT Security Managers
  • Service Managers
  • Programmers
  • Administrators, Operators
  • Security Managers, Operating Engineers
  • IT Support
  • Users
  • Directors
  • Experts on technical security

SLIDE 4

Well-known legacy professional security skills definitions and certifications

  • Security Management: (ISC)² CBK, ISACA COBIT, PECB …
  • Technical Security: SANS, CEH BoK …
  • Generic: CISSP, CISM, GCED, GCIH, GSNA …
  • Vendor specific (includes security): MTA, RHCSE …

SLIDE 5

How do you measure security skills?

  • By bragging?
  • By experience?
  • CV?
  • By trainings obtained?
  • By certifications achieved?

Skills certifications are standard requirements in the private sector. Obtaining and maintaining such a certification is somewhat expensive. A certification shows that a person knows at least the basics of the trade – it does not prove that the person is a senior professional, which requires more experience.

SLIDE 6

A common problem with generic security skills and security guidelines

It is difficult to apply them efficiently in your organisation.

Proceed from outlining to implementation.

SLIDE 7

How can skills become practice?

The principles and theoretical skills must be adapted to your context in a reasonable and efficient way. Best practices should be implemented.

Definition (Wikipedia): A best practice is a method that has consistently shown superior. Best practices are used to maintain quality and can be based on benchmarking. Best practices are a feature in many accredited management standards.

SLIDE 8

How could implementation be easier?

Necessary prerequisites:
  • Skills
  • Management support
  • A plan with check-ups
  • Leadership (it will not just happen)

  • Share experiences on how to implement with your peers
  • Also cover confidential/sensitive information
  • Informal information is often more crucial than formal documents
  • Apply the Chatham House Rule
  • One size does not fit all

SLIDE 9

A successful track record

I’ve had rewarding experiences in sharing best practices with

  • Several government agencies
  • Private companies
  • NRENs
  • Universities
  • Research infrastructures

It would probably have been extremely difficult for us to achieve ISO 27001 without sharing best practices earlier.

  • The standards and frameworks tell you what to do
  • Best practices tell you, by examples, how to do it

SLIDE 10

Methods of sharing best practices

  • Articles, books
  • Presentations
  • Trainings
  • Reviews and audits
  • Guidelines
  • Site visits
  • Workshops
  • Informal communication

N.B. Not everything needs to be formalised; informal face-to-face (f2f) meetings are also very valuable.

SLIDE 11

Suggestions for joint ISMS activities

  • Joint skills transfer program on operational security
  • A training kit for Site Security Officers
  • A non-profit lightweight skills certification for Site Security Officers
  • A voluntary practice sharing program
  • Site visits for ISMS sharing
  • Peer reviews/audits of ISMS
  • Articles on current ISMS practices
  • Develop a multilateral NDA covering all of the above
  • An effort to apply resources and funding for all of the above
  • I personally volunteer to contribute if feasible

SLIDE 12

www.eudat.eu

Thank you!

All comments are welcome to:

urpo.kaila@csc.fi

EUDAT related security incidents -> csirt@eudat.eu
Other EUDAT security related matters -> security@eudat.eu