A Security Maturity Model for NRENs
Information systems are an essential part of today's organisations: they enable the execution of processes and the provision of services. At the same time, more and more risks are emerging that threaten the security of information and systems and thus the organisation as a whole. This concerns Research & Education (R&E) organisations, i.e. universities and research institutions, as well as those in the private sector. National Research and Education Networks (NRENs) operate national and international networks in this context and provide services to users, some of which can be used worldwide. They are therefore a potential target for attackers and are exposed to threats not only within their own organisation, but throughout the entire NREN community. The highly collaborative nature of NRENs results in a high degree of interdependence, which justifies a special need for protection. This framework is intended to support NRENs and affiliated organisations in establishing the security measures necessary for a coordinated security program that takes into account the specific conditions in R&E federations.
GÉANT Member NRENs vary in size, type, user base, offered services, level of cooperation with academic, scientific and educational communities and many other aspects, but for all NRENs the security of services, users and operations is crucial. In order to harmonise the security level of NRENs, the Security Baseline has been created as a common framework. It can be used in various ways, including the following:
- A starting point for NRENs looking to develop or enhance current security practice.
- A tool for benchmarking the current status of NREN development in security.
- A guide for NRENs to reach a minimum level of security in their offering.
- An opportunity to make NREN security programs comparable.
This framework assists organisations in understanding the key aspects of security practice that make up a security program. It defines requirements covering R&E-specific challenges in a modular way, whereby each module covers an organisational topic, such as risk or supplier management. In this way, NRENs can set up a security program that is as flexible as possible but whose aspects and level are comparable to those of other NRENs.
Security Maturity Levels
This document defines three levels of maturity which can be used to describe the status of each module. It is not necessary to achieve the highest maturity level for each module; this should be seen as a long-term goal and adapted to the criticality of the services offered by the organisation. Some modules may define few or no requirements for a given level. This is especially the case with sophisticated processes that do not need to be implemented by every organisation as a standard.
1 - Baseline
Maturity level 1 matches the title of this framework and defines the so-called "GÉANT Security Baseline". This level defines a GÉANT wide minimum of security and is expected to be met by most NRENs by default and implemented by all NRENs in the short term. This level mainly contains basic requirements that form the basis for an effective security program in an organisation. NRENs should ensure compliance with this level and implement missing requirements as quickly as possible.
Scope: minimum requirements for each organisation
2 - Advanced
Maturity level 2 builds directly on the baseline requirements and extends the modules mainly with organisation-specific adaptations. This level defines the modules of a mature security program and provides a good foundation for security management. It represents the medium to long-term goal for NRENs to achieve in order to solidly establish and improve security management. It is expected that most NRENs are partly compliant, having implemented individual requirements, and that the percentage of fully compliant organisations will grow steadily.
Scope: medium to large organisations, or organisations that offer important services or provide access to research collaborations.
3 - Expert
Maturity level 3 is the highest level and requires a deep understanding of security management and of the organisation's security program. It is expected that only a small proportion of NRENs will reach this level in the near future. Depending on the services offered, the business cases supported and the risk assessment of the organisation, some or all of the criteria from this level may be relevant. It is designed as a long-term strategic goal for NRENs.
Scope: organisations processing sensitive and critical information or providing critical services and infrastructure
This document applies to NRENs and related sub-contractors. It defines a minimum set of security controls necessary to secure not only the NREN as an organisation, but also the national organisations it represents, which are interconnected with a large, global research and education community.
There are many different ways of assessing security readiness, from an operational, organisational, technical or legal standpoint. This baseline focuses on the organisational requirements for NRENs and the core requirements for NREN services. It highlights the most common security areas while focusing on aspects that are unique to the NREN offer. The security modules defined provide a high-level starting point for implementing a security program. In each area, we point to other tools and approaches tailored to the specific needs of NRENs that can help in assessing the requirements in more depth.
How to Use the Baseline
This framework supports security managers in establishing and improving a security program by describing important security aspects and listing the essential requirements for each of them. In addition, by using maturity levels, it offers the possibility to continuously improve the organisation's security level through the targeted implementation of individual measures.
At the beginning, the requirements should be reviewed against the existing security measures to determine the current status of the organisation. Missing requirements should then be assessed and appropriate measures planned to increase the maturity level of the organisation. This cyclical process of continuous improvement should be aligned with the organisation's strategic goals and plans to ensure long-term success.
1. Baseline Assessment
The first step is a complete security review. The aim is to check whether the existing security program has already reached a given level of maturity and which requirements for the next level of maturity are still missing.
2. Define Security Plan
Review your risk appetite against the baseline report. Have a clear understanding of the budget and resources available to develop security practices in the given areas. Develop a plan to establish security measures that meet the missing requirements, based on available resources and business objectives.
3. Implement Security Plan
Implement the plan, setting new security goals on an annual basis. It is not required to raise the maturity level every year, but individual requirements should be fulfilled each year.
The cycle then begins again with the review.
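The assessment step above can be supported with a small gap-analysis tool. The following Python example is added here and is not part of the GÉANT baseline or its tooling; the module names, requirement identifiers and the "supersedes" relation are constructed assumptions that model the rules stated in this document: a module's maturity level is the highest level for which all requirements at that level and below are satisfied, a level with no requirements in a module is trivially satisfied, and a lower-level requirement that has been replaced by a more restrictive higher-level one counts as satisfied when the higher-level one is met.

```python
"""Maturity-level gap analysis for a modular security baseline.

Added example; catalogue data and identifiers below are constructed and
hypothetical, not taken from the GÉANT Security Baseline.
"""
from dataclasses import dataclass

LEVELS = (1, 2, 3)  # 1 = Baseline, 2 = Advanced, 3 = Expert


@dataclass(frozen=True)
class Requirement:
    rid: str                 # hypothetical identifier, e.g. "RM-2.1"
    module: str              # module the requirement belongs to
    level: int               # maturity level at which it is required
    supersedes: tuple = ()   # lower-level requirement ids it replaces


def is_satisfied(rid, implemented, by_id, _seen=None):
    """A requirement is satisfied when it is implemented directly, or when a
    more restrictive higher-level requirement that supersedes it is satisfied."""
    if rid in implemented:
        return True
    _seen = set() if _seen is None else _seen
    if rid in _seen:          # guard against malformed (cyclic) catalogues
        return False
    _seen.add(rid)
    return any(is_satisfied(r.rid, implemented, by_id, _seen)
               for r in by_id.values() if rid in r.supersedes)


def module_level(module, catalogue, implemented):
    """Highest level L such that every requirement of the module at levels
    1..L is satisfied. A level without requirements is trivially satisfied.
    Returns 0 when the Baseline level itself is not met."""
    by_id = {r.rid: r for r in catalogue}
    reqs = [r for r in catalogue if r.module == module]
    achieved = 0
    for level in LEVELS:
        at_level = [r for r in reqs if r.level == level]
        if all(is_satisfied(r.rid, implemented, by_id) for r in at_level):
            achieved = level
        else:
            break             # levels build on each other: stop at first gap
    return achieved


def gap_to_next_level(module, catalogue, implemented):
    """Requirement ids still missing for the module's next maturity level
    (empty once the Expert level is reached)."""
    achieved = module_level(module, catalogue, implemented)
    if achieved == LEVELS[-1]:
        return []
    by_id = {r.rid: r for r in catalogue}
    target = achieved + 1
    return sorted(r.rid for r in catalogue
                  if r.module == module and r.level == target
                  and not is_satisfied(r.rid, implemented, by_id))


def assessment_report(catalogue, implemented):
    """Per-module current level and the requirements needed for the next one."""
    modules = sorted({r.module for r in catalogue})
    return {m: {"level": module_level(m, catalogue, implemented),
                "missing": gap_to_next_level(m, catalogue, implemented)}
            for m in modules}


# Constructed sample catalogue: two modules, one of which defines no
# level-2 requirement, and one level-2 requirement that supersedes a
# level-1 requirement addressing the same problem more restrictively.
CATALOGUE = [
    Requirement("RM-1.1", "Risk Management", 1),
    Requirement("RM-1.2", "Risk Management", 1),
    Requirement("RM-2.1", "Risk Management", 2, supersedes=("RM-1.2",)),
    Requirement("RM-3.1", "Risk Management", 3),
    Requirement("SM-1.1", "Supplier Management", 1),
    Requirement("SM-3.1", "Supplier Management", 3),
]

# Constructed self-assessment results of two hypothetical organisations.
ORG_A = frozenset({"RM-1.1", "RM-2.1", "SM-1.1", "SM-3.1"})
ORG_B = frozenset({"RM-1.1"})

if __name__ == "__main__":
    for name, implemented in (("ORG_A", ORG_A), ("ORG_B", ORG_B)):
        print(name)
        for module, result in assessment_report(CATALOGUE, implemented).items():
            print(f"  {module}: level {result['level']}, "
                  f"missing for next level: {result['missing'] or 'none'}")
```

ORG_A reaches level 2 in Risk Management without having ticked RM-1.2 itself, because the superseding RM-2.1 is met; Supplier Management reaches level 3 directly since the module defines nothing at level 2. ORG_B has not reached the Baseline in either module, and the report lists exactly the requirements to implement first.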
NREN Organisation Baseline (NO)
This section describes the different security areas and their requirements. This Baseline covers the areas Policy, People, Threats and Operations. Each theme defines a number of modules, each of which describes a specific management aspect. The focus is clearly on the organisational security aspects and not on the technical ones. Each module consists of a general description, requirements grouped by maturity level and supporting references. These refer to other resources relevant to the topic in question. The baseline attempts, whenever possible, to refer to existing documents from other EU projects such as AARC, REFEDS, ENISA or national organisations instead of reinventing the wheel. For each section, the baseline focuses only on the organisational capability of the NREN for its own operation; services provided to customers to meet their security requirements are out of scope for this document.
The requirements are arranged according to the maturity model described above. Since the levels build on each other and higher levels often only intensify requirements, it is recommended to implement missing requirements in this order. A requirement defined at a lower level may no longer be required at a higher level; in that case it is replaced at the higher level by another, more restrictive requirement that addresses the same security problem.
It is usually not necessary to use the linked resources to meet the requirements. They are only intended to help establish a process or measure. Only in a few places are linked resources integrated directly into the requirements; these are mostly GÉANT-specific resources or resources created explicitly for the baseline.
For each module a reference to the Information Security Management System standard ISO/IEC 27001 is provided. This makes it easier for NRENs with an existing management system to integrate the modules accordingly or to assist in setting up such a system.
The Security Baseline is divided into four sections. For more information about each section, please download the pdf.