Chair: Urpo Kaila – CSC, EUDAT
Information security is known to be a complex and constantly evolving field, with several subdomains and approaches. It is often non-trivial to reliably identify the current state of information security within an organisation or related to a technology. Additionally, information about security is often skewed, and commercial or political interests can provide emotionally interpreted, sometimes distorted information or outright disinformation about security.
A proven method to obtain objective and comprehensive information about the current state of information security is to perform security reviews and security audits. The audits and reviews should be done systematically and they should be based on a standard or a list of requirements. Performing reviews or audits requires experience and understanding to evaluate how the implementation meets the requirements.
Security audits and reviews can focus on technical implementations, on management and processes, or on both.
To promote understanding, skills, and exchange of best practices regarding security audits and reviews among national research and education networking organisations (NRENs), research infrastructures, computing centres and related sites, a Security Review and Audit Working Group (SRA-WG) has been created. The working group will be operating under WISE and it is open to related security professionals and researchers.
The main activities for SRA-WG are to:
- follow and contribute to the development of security audits and reviews among the constituents;
- share related best practices for implementations;
- promote related research and disseminate findings of reviews;
- contribute to the development of security standards and frameworks;
- promote peer reviews.