
A meeting of individuals designated as security officers within TERENA National and International Members was suggested by the TERENA Advisory Council at its meeting in May 2012. The aim was to identify the security interests of these organisations beyond incident handling and response, to identify who (if anyone) was responsible for security affairs, and to determine whether there is any requirement for wider collaboration within the TERENA community.

To this end, a meeting was organised adjacent to the 37th TF-CSIRT meeting in Ljubljana, Slovenia to which NRENs were asked to send their Chief Security Officers (CSOs). This is a relatively new concept within research and education organisations, so it was expected that many, if not most of these organisations would not officially have a nominated CSO. However, organisations were asked to send the person most fitting the role, or who might fulfil such a role in future.

A number of discussion points were circulated in advance of the meeting as follows:

  • What are the risks with respect to data, infrastructure and the applications that are being run, and how are these risks assessed?
  • What sort of policies are required to manage potential risks, are these in situ, and how can these be updated as necessary?
  • Information Security Management Systems and ISO 27001 certification - which parts of an NREN are/should be risk assessed and certified, and how is this achieved?
  • What sort of disaster recovery plans, if any, do NRENs have? How are disasters defined, handled and communicated?
  • Should NRENs appoint Chief Security Officers to minimise risk, or is a designated person sufficient?

The meeting was held using an open discussion format. This report summarises the outcome of the discussions and the conclusions that were formulated.

Why are Chief Security Officers necessary?

A Chief Security Officer is usually a senior level executive within an organisation responsible for information security. This may include systems, network and data security; incident response and handling; regulatory compliance; risk management; and disaster recovery. They are commonplace in medium-to-large commercial companies, and are increasingly employed in government and other types of organisation. However, the concept is relatively unknown within the research and education community, and very few NRENs appear to have a designated CSO.

CSOs have become increasingly important as organisations become almost totally reliant on IT information systems. Whilst not all NRENs operate truly mission critical systems, incidents can still cause a great deal of disruption and damage, and resolving them can cost significant amounts of effort and money. In addition, there can be a significant loss of reputation that can ultimately affect the continued existence of an NREN, and even expose them to legal liabilities.

What is the role of a Chief Security Officer?

It was generally agreed that a CSO needed to advise management on security matters, and in crisis situations, even have the ability to execute emergency powers. As a result, such roles ideally needed to be part of the management team, or at least have a very close working relationship with it. A pre-requisite for assessing and mitigating risks was to compile and maintain an inventory of assets, to understand operational requirements, and to define the role and extent of the CSO responsibilities. For example, system and network security would traditionally be expected to fall under the remit of a CSO, but their role should also encompass physical access to buildings and data storage. In addition, security awareness training, a public relations policy for dealing with the press, and even a social media policy for employees may be required in the modern environment.

It should be clear that the primary responsibility of a CSO should be to assess and document potential risks to IT services, to develop a policy for minimising these risks, and then to have a disaster recovery plan in the event that the worst happens. Other responsibilities might be to ensure compliance with regulatory and other legal requirements, and to implement processes that might lead to external certification in due course (which typically takes 3 to 5 years). In some circumstances, a CSO might even take a role in advising law makers in the development of appropriate legislation. It is extremely important to establish and maintain communication channels between key members of staff. It is also important that these channels are regularly tested, and possibly even that periodic drills are held to ensure that everyone in the process understands what is required from them.

Who has a Chief Security Officer?

Only CERN, DANTE, CSC (parent organisation of Funet) and UNINETT currently had an officially designated Chief Security Officer, although in the case of DANTE, this was a very recent appointment in response to an external audit. Most other organisations had someone who advised on security matters, but these duties were mostly undertaken on an informal basis and they had no powers or responsibilities in crisis situations. The persons informally advising on security matters were usually those working in Computer Incident Response and Security Teams (CSIRTs), largely because these are often the only established security-related activities within organisations. Incident handling and response is a specialised aspect of security though, and is usually not concerned with physical security and disaster recovery. CSIRT staff are typically concerned with enforcing policies, but not making those policies.

Who has a Disaster Management and Business Continuity Plan?

Every organisation present had some sort of disaster management plan, although the exact nature of these varied considerably. Seven organisations had formal organisation-wide plans, two had separate departmental plans, whilst two had unofficial plans. However, only three organisations actually had plans for alternative (off-site) provision of services in the event of disaster. Three organisations had actually been forced to implement their crisis management/recovery plans in the past, whilst a further organisation enacted their plan in response to an external disaster (earthquake). These plans had generally proved adequate, although in one case the plans had ultimately proved inadequate due to unforeseen complications relating to an ongoing and extreme external crisis. It was generally felt, though, that NRENs were reactive rather than proactive with respect to crisis management.

Recommendations

  1. It was felt that NRENs would eventually be required to implement Information Security Management Systems (ISMSs) in order to identify and mitigate risks to their infrastructures. It was therefore suggested that some presentations or training on the subject might be arranged by TERENA; possibly during TNC 2013. Possible speakers/trainers were Michael Brophy (Certification Europe), Bert van ? (SIDN), and IT Governance. CERN also had a standard presentation about the CERN CSO Team and its duties that might be utilised. The target audience should be senior NREN managers as ISMSs would require their endorsement if they were to be successful.

  2. It was also suggested that TF-MSP investigate the implementation of ISMSs, and whether some base guidelines could or should be formulated for NRENs. This might include an investigation into whether ISO 27001 was applicable to, or necessary for NRENs.

  3. Concern was expressed about the fact that only 12 research and education networking organisations were represented at the meeting, especially considering that a number of attendees were not CSOs and had attended the meeting on their own initiative. The general feeling was that security was not taken seriously by NREN management, that the issues were poorly understood, and that information dissemination from senior management was inadequate. The issue of how to attract better representation and involvement from the 42+ TERENA members needed to be addressed by TF-MSP and perhaps even at the level of the TERENA General Assembly. However, one approach might be the use of policy and technical audits (e.g. ISO 9001), as external recommendations often carried more weight than internal representations.
