Information security SURF services

We pay close attention to the information security of our own services and of the services we procure for the institutions. In this way, we minimise the risk that data processed by our services is misused, and thus the impact of security incidents. A number of SURF services are ISO 27001-certified.

Information security policy

Information security principles

In terms of information security, SURF aligns itself as much as possible with sectoral and general standards. SURF's information security policy is based on the SCIPR template for information security policy, which contains five principles. These principles are:

  • Risk-based: we base measures on the potential security risks of our information, processes and IT facilities.
  • Everyone: everyone is and feels responsible for the correct and secure use of resources and powers.
  • Always: information security is in the DNA of all our activities.
  • Security by design: information security is an integral part of every project or change involving information, processes and IT facilities from the start.
  • Security by default: users only have access to information and IT facilities that they need for their work. Opening up information is a conscious choice.

View the SURF information security policy (pdf)

Assurance

SURF has set up an Information Security Management System (ISMS) containing a number of cyclical processes to ensure that our services continue to meet the standards of the ISO 27001 framework and the Baseline Information Security SURF. Examples of these processes are periodic internal audits and self-assessments. In the ISMS, we keep track of their findings and set out actions. This ensures continuous improvement and adjustment.

SURF Information Security Baseline

The technical and procedural measures are elaborated in the Baseline Information Security SURF (BIS). This is based on the Government Information Security Baseline (BIO) and the measures of the ISO 27002 standard for information security. All SURF services must comply with the BIS.

Information and suitability classification

Since 2023, SURF has been working with two risk levels for the Availability and Integrity/Confidentiality components of information security: Basic and High. The Basic level provides a level of protection that can be considered approximately sufficient for confidential data (multifactor authentication is standard, for example). For each of our services we also indicate which data the service is suitable for, so that you can quickly see which protection level a SURF service has been set up for. Always check that this corresponds to your own organisation's agreements.

View the SURF Information Security Baseline (pdf)

ISO 27001-certified services

The services covered by Research Facilities have been ISO-certified for some time. The Statement of Applicability states the current scope of the ISO certification. We are gradually expanding the scope of certification to more SURF services.

SURF services under ISO 27001 certification (February 2024)
  • National supercomputer Snellius
  • High-performance Dataprocessing - Grid/GSP, Spider, dCache
  • Jupyter Notebook Hub
  • Data Archive
  • Data Persistent Identifier
  • B2SAFE
  • HPC Cloud
  • iRODS Hosting
  • RDM Storage Scale-out
  • SURF Data Repository
  • SURF Research Cloud
  • Custom Cloud Solutions
  • Managed Services for Sustainable Scientific Solutions (MS4)
  • SURF Research Access Management (SRAM)
  • SURFconext
  • SURFsecureID
  • Research Drive
  • Object Store
  • SURFdrive
  • Visualisation
  • Yoda hosting
  • eduVPN
  • SURFcumulus
  • SURFcertificates

The services covered by computing, data storage and analysis, visualisation, authentication, authorisation and cloud and grid services are certified in accordance with the global ISO 27001 standard for information security. An external audit takes place annually in which compliance with this standard is tested.

View SURF's ISO 27001 certificate (pdf)

Statement of applicability version 6.0 (pdf)

Questions?

Do you have questions or comments about the information security policy of SURF services? If so, please contact our CISO Raoul Vernède at raoul.vernede@surf.nl.

Documents accompanying the SURF information security policy

Frequently asked questions

What is the difference between SURF security baseline for education and research and the BIS (Baseline Information Security SURF) used by SURF?

The SURF security baseline was developed for and by SURF's members and has a specific elaboration for the education and research sector. The BIS (see above) is used as a baseline internally at SURF and contains control measures tailored to SURF. The BIS supports the Information Security Management System (ISMS), which covers matters such as risk management, continuous improvement via the PDCA cycle, and audits; together with the information security policy and operational guidelines, it forms SURF's information security policy.

Both baselines are based on the ISO 27001/27002 as a best practice to be tailored for each organisation to the specific risks and requirements of its stakeholders.

What is the difference between SURFaudit and ISO 27001 and why does SURF not use the SURFaudit information security assessment framework?

SURFaudit was developed for and by educational institutions and research organisations and is partly based on the ISO 27000 approach. SURFaudit was developed as a self-assessment for an organisation to determine its maturity level per information security component and as a whole (scores range from 1 to 5). Using a maturity level also makes it possible to compare this score with other similar organisations and to visualise growth over time.

For ICT service organisations such as SURF, the use of the internationally recognised standard ISO 27001 is more common. On the basis of external audits by an independent party, they can be certified. A SURFaudit maturity score of 3-5 roughly corresponds to an ISO 27001 certification. A large number of SURF services are covered by ISO 27001 certification (see list above).

What is the difference between the BIO (Baseline Information Security Government) and the BIS used by SURF?

The BIO was drafted for government organisations. SURF is an ICT organisation, which means that SURF cannot adopt some of the government-specific measures contained in the BIO. Moreover, SURF has decided to make some of the measures included in the BIO more stringent in its own BIS. If you would like to know more about the differences between the BIO and the BIS, please contact us at cisoteam@surf.nl.

What is NEN7510 and does SURF also comply with it?

NEN7510 is similar to ISO 27001, but specifically for organisations in the healthcare sector. The elaboration of the standard's components includes some additional measures. Suppliers to healthcare organisations are often expected to comply with NEN7510, especially if personal health information is processed. SURF does not comply with the NEN7510 standard - in many cases, ISO 27001 certification is also sufficient for suppliers to demonstrate that information security is in order in the services and/or products provided, sometimes with an explanation of specific measures, such as access security and encryption. That is why the ISO 27001 certificate is also important for SURF.

What is the SURF suitability classification of a service and what does it mean for me as a user/customer?

The SURF suitability classification is a designation that helps to make a quick assessment of the level of protection offered by a given ICT service. The classification (basic or high) corresponds to the required measures as listed in the BIS. It remains the responsibility of the data owner, as the responsible party, to determine whether these measures are sufficient or whether additional measures are needed. The suitability classification is intended as an aid; for the provision of services, contractual agreements remain binding.

Must all components of a SURF service meet the specified suitability rating level?

The short answer to this is yes. Within the BIS, a distinction is made between the protection levels 'basic' and 'high' for the aspects of availability and integrity/confidentiality taken together. All relevant components of a SURF service, whether they are (partly) provided internally by SURF or (partly) purchased from external suppliers, must comply with the required security measures.