
1 Networks ∙ Services ∙ People www.geant.org
Changing GÉANT's Security Future
Mark Johnston, CNOO – Head of IIS
Fotis Gagadis, Security Officer
GÉANT, SIG ISM - Copenhagen, Feb 22, 2016

2 We knew that we had things to consider
- Security had to play the "good cop": listen, inquire and observe people
- We had to identify where the gaps and the things to consider exist
Results: some people were not aware of
- risks and the environment
- security concepts
- historical issues

3 We are changing to a security-conscious organisation
After a couple of weeks at GÉANT, and after WISE in Oct 2015, we set objectives:
- People should commit
- People should understand their actions
- People should understand that they can make unnecessary decisions
- We had to take control of the environment
- Train people to think before acting

4 We have decided to use ISO 27005
- Take control of the environment through a risk process
- Standardised risk assessment process
- Integrated some quantitative measures and future fields for Disaster Recovery
Most risk assessments, such as ISO 27005:
- Cannot take real comparison data into consideration most of the time, e.g. comparing the data for a fire outbreak before and after a fire sprinkler installation (just an example); such data is hard to find either way
- Are subjective, and act as a "threat" agent themselves since the information is not objective
- BUT can be helpful to ensure quick actions and force change
- Support management through a risk dashboard and comparison
- Rate the risks and assets within a business
- People are registering their risks

5 Our Process
We have said to people:
- Think of Confidentiality, Integrity and Availability
- Rate an asset based upon CIA from 1-5
However, we have not rated Confidentiality, Integrity and Availability in a way that takes the business impact out of it. The appendices of the old and the new ISO 27005 take the asset value as the business impact/consequence: Business Impact/Consequence → Asset Value.
We wanted people to start thinking of the basics, but we did not want to be restricted only to the CIA attributes. (While rating the consequence, people did not consider the CIA attributes but unintentionally selected business attributes such as timely, accurate and private, which evolve as business needs change. People were rating impact as the asset value even when impact was requested.)
Security is more than the 1960s CIA attributes. What about authenticated, reliable, compliant and liable, which can be derived from measurable business objectives?

6 Our Process - Registering Assets
We have registered their assets at a high level (risks and assets could not be allowed to run to more than 1000 rows, which would be unmanageable):
- Owners of assets
- Assets separated into tangible and intangible
- Description of the asset and its location, e.g. GÉANT Project Systems
- Number of those assets
- Information classification: the information kept within these devices, its current protection and its future protection level

7 Our Process - Asset Register (screenshot of the register; not reproduced in the transcript)

8 Our Process - Rating the risk
We have said to people:
- A vulnerability is a lack of a control, e.g. lack of monitoring
- A threat is the potential danger associated with the exploitation of the vulnerability, e.g. disgruntled employees
- Let's create your risk based upon the asset, the vulnerability and the threat, e.g. "Unauthorised actions of employees on GÉANT Systems sensitive resources could not be monitored due to lack of monitoring capabilities" (just an example)
- Let's rate the risk together: Vulnerability and Threat 1-3, Asset 1-5
- Classic: Risk = A x V x T

9 Our Process - Ranking the likelihood of the risk happening to give the overall rating
We have said to people: OK, really good. However, what is the overall probability/likelihood of this risk being realised? Give us a number from 1-5, with 5 being the highest.
- Some models do not take the overall probability of a risk being realised into account, and this can affect decisions
- Risk = [Impact (Asset) x Vulnerability x Threat] x Likelihood
- As said, people had to start realising the concepts, and "Impact" was also introduced as a term; however, it is still the asset value

10 Our Process – Overall Risk rating (screenshot; not reproduced in the transcript)

11 Our Process – Comparison Dashboard: track risk reduction (screenshot; not reproduced in the transcript)
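The slides describe the register (slide 6), the A x V x T rating (slide 8), the likelihood multiplier (slide 9) and the before/after comparison dashboard (slide 11) in words only. The following is an added example, not GÉANT's tooling or any code from the deck, that models that process end to end so the arithmetic and the scale bounds can be checked. Assumptions not stated on the slides: the three CIA ratings are collapsed into one 1-5 asset value by taking their maximum; the assets, ratings and risk wording are constructed sample data; the "residual" rating is the same formula re-rated after a control is planned, which is how a risk-reduction dashboard is normally fed.

```python
"""Toy model of the slides' risk process (added example, not GÉANT's own tool).

Scales from the slides: asset value 1-5 (from CIA ratings), vulnerability 1-3,
threat 1-3, likelihood 1-5.  Risk = Asset x Vulnerability x Threat x Likelihood,
so the range is 1..225.  Collapsing C, I, A into one asset value by taking the
maximum is an assumption; the slides do not say how it is done.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


def _check(name: str, value: int, lo: int, hi: int) -> int:
    """Reject ratings outside the scale so a typo cannot silently inflate a score."""
    if not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"{name} must be an integer in {lo}..{hi}, got {value!r}")
    return value


@dataclass(frozen=True)
class Asset:
    """One row of the asset register (fields taken from slide 6)."""
    name: str
    owner: str
    tangible: bool
    location: str
    count: int
    classification: str          # information kept on / within the asset
    confidentiality: int         # 1-5
    integrity: int               # 1-5
    availability: int            # 1-5

    def __post_init__(self) -> None:
        for attr in ("confidentiality", "integrity", "availability"):
            _check(attr, getattr(self, attr), 1, 5)

    @property
    def value(self) -> int:
        """Asset value 1-5 used as the impact term (assumption: max of C, I, A)."""
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Rating:
    vulnerability: int   # 1-3: how badly the control is missing
    threat: int          # 1-3: how dangerous the agent that could exploit it is
    likelihood: int      # 1-5: overall probability of the risk being realised

    def __post_init__(self) -> None:
        _check("vulnerability", self.vulnerability, 1, 3)
        _check("threat", self.threat, 1, 3)
        _check("likelihood", self.likelihood, 1, 5)


def classic_score(asset: Asset, r: Rating) -> int:
    """Slide 8: classic Risk = A x V x T (no likelihood term); range 1..45."""
    return asset.value * r.vulnerability * r.threat


def risk_score(asset: Asset, r: Rating) -> int:
    """Slide 9: [Impact(Asset) x V x T] x Likelihood; range 1..225."""
    return classic_score(asset, r) * r.likelihood


@dataclass
class Risk:
    description: str
    asset: Asset
    inherent: Rating                   # rating before any treatment
    residual: Optional[Rating] = None  # re-rating after the planned control, if any

    @property
    def inherent_score(self) -> int:
        return risk_score(self.asset, self.inherent)

    @property
    def residual_score(self) -> int:
        return risk_score(self.asset, self.residual or self.inherent)


def dashboard(risks: list[Risk]) -> list[tuple[str, int, int, int]]:
    """Comparison view: (description, inherent, residual, reduction), highest inherent first."""
    rows = [(r.description, r.inherent_score, r.residual_score,
             r.inherent_score - r.residual_score) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register: hypothetical assets and ratings, not GÉANT data.
PROJECT_SYSTEMS = Asset("GÉANT Project Systems", "IIS", True, "Amsterdam DC", 12,
                        "Confidential", confidentiality=5, integrity=4, availability=3)
OFFICE_WIFI = Asset("Office Wi-Fi", "IIS", True, "Cambridge office", 8,
                    "Internal", confidentiality=2, integrity=2, availability=3)

SAMPLE_RISKS = [
    Risk("Unauthorised actions of employees on project-system sensitive resources "
         "cannot be detected due to lack of monitoring",
         PROJECT_SYSTEMS, Rating(3, 3, 4), residual=Rating(1, 3, 2)),
    Risk("Guest devices reach internal services due to missing network segmentation",
         OFFICE_WIFI, Rating(2, 2, 3), residual=Rating(1, 2, 2)),
]

if __name__ == "__main__":
    for desc, before, after, drop in dashboard(SAMPLE_RISKS):
        print(f"{before:>3} -> {after:>3} (-{drop:>3})  {desc}")
```

Note that adding a monitoring control lowers the vulnerability rating and the likelihood, but not the threat: disgruntled employees do not go away when you install a SIEM, which is exactly why the slides rate the three factors separately rather than asking for one overall number.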

12 Making Progress and Continual Improvement
What we would like to do or have done:
- Normalise the environment (we are getting there)
- Security following business
- Potentially ISO 27001
- Potentially change our risk approach to a much more objective one in the future (we would like to do this)
- Set security objectives for each team within the organisation - done
- Set up the Information and Infrastructure Security Group to control actions - done
- Set tactical and operational goals, and we follow them - done
- Set strategic goals, and we follow them - done
- Security strategy updated for both offices - done
- Audits on the Amsterdam office - done
- Closer to people, but we say stop when needed (some people take it on board, others...) - done

13 Thank you / Questions
mark.johnston@geant.org
fotis.gagadis@geant.org

14 Our Process - Example (screenshot; not reproduced in the transcript)

15 Our Process - Example (screenshot; not reproduced in the transcript)

