Description
The members of SURF, the NREN (National Research and Education Network) in the Netherlands, may use a variety of the services we offer. Some services are used in a chain, others can be used as a separate product. The push for more resilience in cybersecurity, in the education sector in particular, has been strong in recent years. So as an NREN we need to keep in tune with the progress of security technology. We may even need better security to be or stay at the forefront. In addition, this push translates into our members' need to be able to assess the security measures of our services.
We want to help our members save time and hassle, so we help them in two ways: with an ISO 27001 certification and a suitability classification. First, we bring all our services - around 60 (!) - under the scope of our ISO 27001 certification by the end of 2024. Second, we help our members by offering a suitability classification for each service.
In this 25-minute talk I will walk the audience through the way we approach this within the organisation. The target audience for this talk would be CISOs, security strategists, developers of security services and security management professionals in particular. The talk will be interesting for them because three key components are addressed with clear, hands-on examples:
• within the organisation: how to implement a framework of standards (i.e. ISO 27001) for each service individually (even if a chain of services is involved),
• how to keep this thorough security implementation manageable (we all lack time), and
• in collaboration with our members/research/educational institutes: how a related suitability classification helps them to assess what security level is implemented by us. The idea is that they can easily establish whether the protection suits their security needs (and, the other way around, how this helps us as an NREN to best match their needs).
The presentation shows the audience how our NREN offers security in its services. This topic would be relevant to the event as it aims to inspire other security professionals with clear, hands-on examples of how to adopt a similar approach in their own organisation. In addition, the suitability classification could be a new aid in the toolbox of the target audience to help their members.
In this talk I will explain and show examples of:
• why SURF chooses to bring its 60 services under the scope of the ISO certification
• the process of working towards the internal and external audits in project form with 26 new services at the same time – where to start, which steps we take, how we as CISO team help, support and give advice to the teams involved, in what timeframe we implement this, and how we get/keep colleagues motivated
• templates and approach for scoring CIA (confidentiality, integrity, availability), making a risk analysis, etc., or in other words what we as ISOs (information security officers) do to help the involved teams and keep them going, and how a security baseline helps
• the translation of the CIA score into a suitability score for our members. The suitability classification is a designation that helps our members make a good assessment of the level of protection offered by a particular service. We list this classification on our company website.