The domain name registry is ISO 27001 certified. Why is this necessary?
SWITCH's Chief Information Security Officer answers the burning questions about the domain name registry's information security management system.
The Domain Name System SWITCH operates is among Switzerland’s critical infrastructures. Were it to break down, the impact on the population and the economy would be severe. This is why SWITCH has a number of multi-level backups of the Domain Name System in place (see article "Reliability doesn't happen by accident"). On top of this, we wanted to create an additional layer of security in the form of an information security management system (ISMS) and have this certified under ISO 27001. ISO 27001 is the global standard for ISMS certification. The aim of the ISMS is to protect information based on an analysis of business risks in terms of confidentiality, integrity and availability.
SWITCH formed an Information Security Committee (ISC) last year. Working at management level, it draws up security guidelines, assesses risk analyses and plans measures to enhance information security. As Chief Information Security Officer, I head up the ISC. I take instructions from the ISC and am responsible for the operation and continual improvement of the ISMS.
We carried out a business impact analysis to evaluate critical business processes and worked out emergency scenarios and measures to mitigate these and limit the damage caused. With a view to ensuring that normal operation can be restored as quickly as possible in the event of faults and emergencies, we defined a practically oriented incident management process and tested it in a number of emergency exercises.
The consulting firm AWK Group helped SWITCH set up the ISMS. After this intensive phase, SQS awarded SWITCH its ISO 27001 certification. We are thus among the first registries in Europe to have a certified ISMS.
We share our experience with other registries to maintain the security of the overall system for domain names and take it to the next level. Rolling out ISMSs is also on the agenda for Swiss universities. SWITCH will let them, too, benefit from its experience.
However, SWITCH does not intend to rest on its laurels. The process of continual improvement is vital to the ISMS and is thus embedded in all its phases and procedures. Security is an ongoing process, not an end result. The next interim audit by SQS is already scheduled. Certification is a continuing commitment.