
If you want to go fast, go alone. If you want to go far, go together!

News 27-02-2017

By Linda Verhaegen, CENTR Office Manager - Asking for help is something that a lot of people find difficult. You have to acknowledge publicly that somebody else is ahead of you, which implicitly means that you are running behind. It is a pity that so many people cannot see how brave it is to ask for help. This is the story of the small but brave .si Registry, which took its destiny into its own hands and reached out for help to the .nl Registry, one of the larger players in the ccTLD world.

The story of .si started back in 1992, very much like that of many other registries, as part of an academic network, and that is what they still are. With only five people employed, "security" was always a concern, but there was never a "method" in place. For years there was no information security plan, no documentation and no structure. Knowledge of all the available security patches and controls lived in the head of the Operations & Systems Manager. Whenever he went on holiday, the employees left at work never felt entirely at ease, never entirely "secure".

A turning point came when two .si employees, including the Operations & Systems Manager, attended a CENTR Security workshop dedicated to the ISO 27001 standard in January 2014. After two years of good intentions, but without any further security work done, it was clear to .si that they could not do the job alone. They saw that they needed help from someone with a lot of experience of the ISO 27001 standard, but with a practical approach. The obvious choice fell on Bert ten Brinke from SIDN, an expert on ISO 27001 and also Chair of the CENTR Security working group. In late autumn 2015, Registry.si Manager Barbara Povše Golob sent an email to Bert with some ideas. Bert structured these ideas and asked Barbara to sit down and think through additional questions about the main goals and sub-goals, the risks, and the expected results. This exchange resulted in a proper, well-structured project plan, and in Bert saying: "My intention is not to feed fish to .si, but to teach them how to become fishermen." The decision to start working on a security method in earnest came along with the annual plan for 2016. The goal was not certification, but improving .si security in a structured way.

Bert then continued with a gap analysis and a timescale. The estimate was that the work should be done in about one year. The plan itself had a cyclical format: every three to four months, Bert travelled to Slovenia for a three-day visit. These visits all followed the same flow. Bert first reviewed the work that .si had completed in the preceding months and the plan for his stay was agreed. He then worked alongside the .si staff, which included helping them to formalise the planning for the next three to four months. Every visit ended with an evaluation between Bert and Barbara.

Content-wise, the project had two strands. The first covered the security processes and controls that were already documented and/or implemented, or still in the works. The second looked at security procedures: existing ones were documented, new ones such as "How do you do incident handling?" were written, and general procedures were adapted to fit a small organisation such as the .si Registry.

The practical approach of the project has been rewarding for both the .si Registry and SIDN. By December 2016, 90% of the documentation was done, as well as a significant part of the implementation. Beyond that, it is striking to see how much the "security mindset" within the .si Registry has evolved into a strategic one.

Looking at this story, the collaboration between .si and .nl can only be regarded as a fine example of the benefits that sharing and caring can bring within the CENTR community. The project also fits neatly into the wider NIS Directive debate: thanks to its increased knowledge of how information security within a registry should be handled, the .si Registry will have more leverage in its negotiations with the Slovenian government and other external parties.
