By the Advanced Computing Group of the Institute of Physics of Cantabria (IFCA) (CSIC-UC)
The implementation of the ISO27001 standard establishes the necessary policies and procedures to ensure the integrity, confidentiality and availability of information, data and all systems involved in the process.
Thus, from our experience as administrators of the data processing centre (Datacenter) of the Advanced Computing Group of the Institute of Physics of Cantabria (IFCA) (CSIC-UC), recently certified in ISO27001, we propose some good practices when dealing with the structural and procedural changes that we have carried out to obtain the certification.
Through a SWOT analysis (Strengths, Weaknesses, Opportunities, Threats) we can identify our strengths and weaknesses, from both an internal and an external point of view. This helps us to set objectives, which should be ranked according to our priorities and kept as realistic and concise as possible, so that we can draw up a strategy to achieve them successfully.
By means of a risk analysis, we must be able to plan the response in such a way that these risks are mitigated or, failing that, known and assumed. This will depend on the capacity of the organisation, introducing improvement objectives in each iteration.
As usually happens in most academic institutions, knowledge and ideas flow in a spontaneous and undirected way, which often gives rise to unsuccessful developments, most of them abandoned due to lack of time or resources, or because the person involved changes activity.
Knowledge of the centre’s operating, management and implementation procedures is often held by individuals. This leads to problems when the responsible person is not available at the moment a task has to be performed: the task is left unfinished, which could become a significant problem in the medium and long term.
Furthermore, from the point of view of ISO27001, although most infrastructures are equipped with the right resources and tools, in most cases they are not managed and/or configured correctly, giving rise to future problems related to information security management.
The task will be long and laborious, and will need to be repeated annually, so we must have the necessary economic, material and human resources, sustained over time.
Obtaining ISO27001 accreditation has two different objectives: an external and purely pragmatic one, which is to promote the quality and prestige of the institution and/or the service to the outside world in a certified manner; and an internal one, which helps us to define and organise the service, assigning responsibilities, establishing policies and procedures for action against the different risks faced by a Datacenter in its daily operations.
For this we must use all the know-how we have in our institutions, trying to recycle the tools already implemented, as well as the experience of the administrators, avoiding the tedious task of searching and acquiring knowledge of new elements.
Having clear objectives (SWOT), risks and problems detected in our experience, as well as the involvement of all levels of the organisation (Direction, Management and Technical Staff), is the key to success. Therefore, it is very useful to define an organisational scheme where roles, tasks and responsibilities are defined. In addition, we must establish realistic execution deadlines, in accordance with the capabilities of our organisation.
ISO27000 has a guide, ISO27002, which is not a certifiable standard but is complementary to ISO27001. It establishes a series of items to be taken into account, distributed in 14 domains, 35 objectives and 114 controls on which the Information Security Management System (ISMS) must act and which will help us to implement ISO27001. To address these 114 controls, we must have different hardware equipment and software tools that cover all the needs required by the standard. There is a wide variety of tools to implement an ISMS and the standard does not prescribe any particular one, so each organisation is free to use the ones it deems appropriate.
It is possible that not all the controls are applicable to our organisation; we must identify those that are not applicable.
As mentioned above, the certification process can be lengthy, especially the first time. It should not be forgotten that the very purpose of a certification is that it should be prolonged over time, so it should be renewed annually. For this reason, it is highly recommended to have external assistance to help us review the documentation, plan the meetings and advise us when preparing for the internal and external audits, which will be carried out approximately one month apart.
Policies define the rules on which we will base the development of our management system. They are not operational procedures, nor are they predefined or immutable, so they must be adapted to our organisation while always maintaining the coherence of their purpose. They must establish clear and concise objectives, a scope and the documents to which they apply, and define the functional, organisational and executive responsibilities of the personnel involved. This, in turn, encompasses the responsibility of administrators to always comply with these organisation-wide rules and to try to raise awareness among Datacenter users about the best use of the Datacenter.
At the very least, it would be desirable to implement policies relating to:
- Risk assessment
- Identification and compliance with legal and regulatory requirements
- Software management
- Management of security incidents
- Backup and copies
- Access Controls
- Change management
- Business Continuity Plan (BCP)
- Operations management
- Third-party vendors
- Network management
- Role assignment
- Review and continuous improvement
Also desirable are policies relating to:
- Purchasing management
- Communications management
The implementation of ISO27001 generates a large amount of information and documentation, so it is good to have a document management tool, if possible online, with version control. This will save us a great deal of time when it comes to carrying out searches and configuring access for the personnel involved. From the repository, policies, operating procedures, legal regulations and all documentation that can be audited must be accessible.
These are all the operational procedures (OP) used in the day-to-day operation of the Datacenter, in which the activities to be carried out by the administrator to correctly fulfill the objective of each task to be performed are detailed.
The operational procedures could have a classification similar to the following:
- User management
- Equipment management
- Backup copies
- Mobile devices
- Other hardware
- Emergency Procedures
- Access Control
Each of these entries should have its corresponding subdivisions, described in detail, so that when the person who usually performs a procedure is absent, or when new personnel are hired, we have an operating instructions manual and avoid unnecessary loss of time. These procedures must be continuously reviewed, updated and checked by means of Business Continuity Plan (BCP) procedures, which are OPs executed on real devices, recording the execution times and the results.
General overview of ISO27001 implementation
The following graphic shows a functional implementation of an ISMS for a data centre. Although the elements are listed generically, the entire scheme shown here can be implemented using Open Source tools available today and totally free of charge.
Establishing and internalising operational policies and procedures involving the entire organisation’s personnel, from top management to technical staff, is the most arduous task of this adventure, but the best possible way to obtain certification. Without this involvement, it would be impossible to carry out this implementation. In this way, access to individual knowledge is extended, avoiding most of the failures due to human intervention, and minimising the learning curve for new personnel.
Organising all procedures in a single system that every member of the organisation can view whenever needed will increase the capacity to respond to any routine or unusual event that occurs.
It is not necessary to have a large budget to implement tools that help us to obtain certification: all the tools used in our implementation are open source and free of charge.
As far as possible, we should be advised by people with experience in implementations in the same field and/or in conducting audits. This will help to implement the standard more quickly and efficiently.
Obtaining ISO27001 certification has led the group to a better organisation in its internal structure, a better knowledge of all the services involved in the day-to-day work, an improvement in the response to any event or incident and a better short, medium and long term planning of our services provided to the scientific community.
About the Advanced Computing Group of the Institute of Physics of Cantabria (IFCA) (CSIC-UC)
The Advanced Computing and e-Science Group of the Institute of Physics of Cantabria (IFCA) (CSIC-UC) was created in 2010 in response to the growing scientific needs for powerful computing capabilities and techniques. Since then, it has not stopped expanding its physical and human resources in order to bring the computing service to a new level, updated day by day. The service is currently provided by the following people:
- Aida Palacio Hoz, MSc Computer Engineering. Administrator and Responsible for Cloud service and Altamira supercomputer.
- Miguel Angel Nuñez Vega, MSc Telecommunications Engineering. Technical Manager of the Datacenter.
- Iban Cabrillo Bartolomé, PhD Science and Technology and D. in Physics. Responsible for Computing Service.
Also this year GÉANT joins the European Cyber Security Month, with the campaign 'A Community of Cyber Heroes'. Read articles from cyber security experts within our community and download resources from our awareness package on connect.geant.org/csm2022