Security communities: working together on security and privacy
About SCIPR
Information security and privacy officers in education work together in SCIPR (SURF Community for Information Security and PRivacy). Among other things, we jointly draw up policies and guidelines there to improve your institution's information security and privacy.
In the SCIPR community, we work together to improve professional information security and privacy. We are a community of practice and help you further professionalise information security by:
- Improving shared knowledge.
- Developing policies and procedures on information security.
- Making policies, procedures and best practices available via guidance documents.
- Contributing to the development of SURFaudit, the measuring instrument for the Higher Education Information Security Standards Framework.
- Helping to develop guidelines and advice so that you can comply with changing privacy legislation.
Guidance and starter kits
We have recorded various best practices in models, guidance documents and starter kits.
Would you like to become a member of SCIPR? Then send an email to lidmaatschap@scipr.nl.
Contacts
- Chairperson SCIPR: Anita Polderdijk (Windesheim University of Applied Sciences)
- Secretary SCIPR: Menno Nonhebel (KNAW)
About SCIRT
Operational security experts discuss current security challenges and exchange the latest tips and tricks with peers in SCIRT (SURF Community of Incident Response Teams). The aim is to raise the overall level of knowledge and experience within education and research.
Exchange tips & tricks on cybersecurity threats
In our forum, we discuss and analyse the latest cybersecurity threats. We discuss ideas, tips and tricks to successfully ward off the threats from multiple perspectives. We mainly focus on operational security and security incident management (CERT/CSIRT).
We exchange knowledge with each other in various ways:
- digitally, for example via e-mail, a dedicated wiki and secure messaging
- at meetings where you get to know each other and exchange knowledge in an accessible and familiar way
- during workshops, for example in the field of new cyber security techniques or tools
- at the annual two-day Security and Privacy Conference. These are organised jointly by SCIRT, the SCIPR community and SURFcert.
Meetings and workshops are organised at least 3 times a year.
How confidential is the information? Say it with colours
The Traffic Light Protocol (TLP) is a simple protocol used by cybersecurity professionals to indicate with colours how confidential a specific information exchange is. Everyone then knows how that information should be handled. It is crucial that everyone in the community attaches the same meaning to the 4 TLP colours: TLP:RED, TLP:AMBER, TLP:GREEN and TLP:WHITE.
Meaning of the TLP colours
A basic tenet of using TLP is that only the provider of information is "in charge" of what recipients may do with it. Thus, recipients who are in doubt or wish to distribute more widely should always seek permission from the provider first.
TLP:RED
- "For your eyes and ears only"
- The information is exchanged on a strictly confidential basis and is intended only for its direct recipients.
- The recipient may not distribute TLP:RED information further.
- Only the provider of the information can determine when, and under what conditions, the information can be further disseminated.
TLP:AMBER
- The information is exchanged on a confidential basis and is intended for its recipients, but they may also share it with colleagues within their own organisation if there is a good reason to do so (need to know), e.g. to solve a security problem.
- A recipient of TLP:AMBER information who passes it on to colleagues must explain to these colleagues that they are not allowed to disseminate the information further (in effect, the information then becomes TLP:RED for them).
TLP:GREEN
- The information is not public but may, within reason, be shared within its own community.
- So TLP:GREEN information may, for example, be shared within one's own institution, as long as it does not become public.
TLP:WHITE
- This is basically public information that may be freely shared.
- Note that original rights and obligations, such as copyrights, of course still apply.
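The four sharing rules above can be turned into a small policy check that a CSIRT could run on outgoing messages before they leave a mailbox or ticketing system. The code below is an added example and is not SURF or SCIRT code; it uses the page's four labels (TLP:RED, TLP:AMBER, TLP:GREEN and TLP:WHITE, the TLP 1.0 set; TLP 2.0 renamed WHITE to CLEAR and added AMBER+STRICT, which are not modelled here). The audience names, the `need_to_know` flag and the function names are this example's own assumptions. It also implements the AMBER rule that a copy passed to colleagues must be treated as TLP:RED by them.

```python
"""Policy check for the four TLP labels described on the page.

Added example, not SURF/SCIRT code. Audience names, function names and the
need_to_know flag are assumptions made for this example.
"""
import re
from dataclasses import dataclass

# Audiences a recipient might forward to, narrowest to widest (constructed names).
DIRECT_RECIPIENTS = "direct_recipients"   # the people the provider sent it to
OWN_ORGANISATION = "own_organisation"     # colleagues inside the recipient's institution
OWN_COMMUNITY = "own_community"           # the recipient's own community, e.g. SCIRT members
PUBLIC = "public"

_AUDIENCE_RANK = {DIRECT_RECIPIENTS: 0, OWN_ORGANISATION: 1, OWN_COMMUNITY: 2, PUBLIC: 3}

# Widest audience each colour permits without asking the provider first.
_MAX_AUDIENCE = {
    "TLP:RED": DIRECT_RECIPIENTS,     # for your eyes and ears only
    "TLP:AMBER": OWN_ORGANISATION,    # colleagues, need-to-know only
    "TLP:GREEN": OWN_COMMUNITY,       # within the community, never public
    "TLP:WHITE": PUBLIC,              # freely shareable
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    label_for_recipient: str   # label the forwarded copy must carry
    reason: str


def normalise_label(label: str) -> str:
    """Accept 'amber', 'TLP:Amber' etc. and return the canonical 'TLP:AMBER'."""
    label = label.strip().upper()
    if not label.startswith("TLP:"):
        label = "TLP:" + label
    if label not in _MAX_AUDIENCE:
        raise ValueError(f"unknown TLP label: {label}")
    return label


def parse_tlp_label(subject: str) -> str:
    """Find the TLP label in a subject such as '[TLP:AMBER] Phishing wave'.

    Unlabelled information raises ValueError rather than being treated as
    shareable, because only the provider decides how it may be handled.
    """
    for token in subject.upper().replace("[", " ").replace("]", " ").split():
        if token in _MAX_AUDIENCE:
            return token
    raise ValueError(f"no TLP label found in subject: {subject!r}")


def may_share(label: str, audience: str, need_to_know: bool = False) -> Decision:
    """Decide whether information with this label may be passed to this audience."""
    label = normalise_label(label)
    if audience not in _AUDIENCE_RANK:
        raise ValueError(f"unknown audience: {audience}")
    if _AUDIENCE_RANK[audience] > _AUDIENCE_RANK[_MAX_AUDIENCE[label]]:
        return Decision(False, label,
                        f"{label} may not reach {audience}; ask the provider for permission first")
    if label == "TLP:AMBER" and audience == OWN_ORGANISATION:
        if not need_to_know:
            return Decision(False, label,
                            "TLP:AMBER may only be passed to colleagues with a need to know")
        # Colleagues must not pass it on any further, so their copy is TLP:RED.
        return Decision(True, "TLP:RED",
                        "colleagues receive the information as TLP:RED and may not disseminate it")
    return Decision(True, label, f"{label} may be shared with {audience}")


def forwarded_subject(subject: str, audience: str, need_to_know: bool = False) -> str:
    """Return the subject line a forwarded copy should carry, or raise PermissionError."""
    label = parse_tlp_label(subject)
    decision = may_share(label, audience, need_to_know)
    if not decision.allowed:
        raise PermissionError(decision.reason)
    return re.sub(re.escape(label), decision.label_for_recipient, subject,
                  count=1, flags=re.IGNORECASE)


if __name__ == "__main__":
    # Constructed sample subject line.
    print(forwarded_subject("[TLP:AMBER] Phishing wave against institution X",
                            OWN_ORGANISATION, need_to_know=True))
```

Anything the table does not explicitly permit is refused with a reason that points back to the provider, which mirrors the basic tenet above that recipients in doubt ask the provider rather than guess.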
SCIRT's main goal is to bring together the knowledge of all security experts at SURF member institutions. We are a working group for, and by, the community. You can join SCIRT if you do CSIRT-related work within your institution, even if you have not yet organised that work into a formal CSIRT.
Read more about setting up your own CSIRT on the SURFcert wiki
Joining SCIRT is only possible with an e-mail address from a SURF member institution and if you work as an operational security expert. Because sensitive information is regularly shared within the SCIRT community, we have a code of conduct and an application procedure. If you are interested, we will be happy to inform you further about this. Send an e-mail to: lidmaatschap@scirt.nl.
Organisation of the SCIRT community
The current, elected chairman is Ewald Beekman (voorzitter@scirt.nl), IT Security Officer at Amsterdam UMC. Don Stikvoort (secretaris@scirt.nl) is the secretary. Rogier Spoor (surf@scirt.nl) guides and supports the SCIRT community from SURF.
A programme group prepares the substantive programme components. It consists of:
- Ewald Beekman - Amsterdam UMC
- Bauke Gehem - Summa College
- Lars Hameeteman - ErasmusMC
- Remon Klein Tank - WUR
- Rogier Spoor - SURF
- Don Stikvoort - Open CSIRT Foundation (external)
STITCH: a short checklist for application security
It is increasingly important that software and services meet security requirements. But how do you choose among all those different lists and guidance documents? SCIRT, the cybersecurity community, therefore developed a simplified checklist: the Security Technical IT Checklist (STITCH).
Every security officer at an institution knows the problem: when is a new service or software secure? With ISO27001, you mainly look at procedural and organisational security. But you also want to practically test technical security. And couldn't that be simpler? Hasn't a fellow institution already done the same? To provide better insight into these kinds of questions, SCIRT made a simple checklist: the STITCH.
STITCH principles
The principle of STITCH is simple: it is a baseline with a limited number of requirements. These requirements are easy to measure, and the results are shared within SCIRT. Security officers use these basic principles to determine the security of a service or software much more quickly and easily. STITCH consists of 8 principles, with detailed examples.
Detailed test results are shared confidentially and only within the SCIRT community. For more information, see the wiki of SCIRT (login required).