Archived Plans

You can find our plans from previous quarters, along with requests from the community, on this page. In Q1 2023, we separated the Information Technology work items from Information Security, Risk and Compliance and added them to this area. We update this page at the end of each quarter.

Q4 2023 Plans and Community Input

Plans
Item Activity Description
1 Compliance with ISO/IEC 27000

Define our operations within the ISO/IEC 27001 framework and ensure that we are at the level of ISO 27001 certification, with the Plan/Do/Check/Act cycle fully in place.

In Q2 2023, we kicked off our ISO 27001 compliance project, focusing on certifying critical RIPE NCC services first. In Q3 2023, we finalised the design of our Information Security Management System, and in Q4 2023, we will be rolling the system out across the organisation.

We have progressed further in the documentation of the Information Security Policy and supporting policies and processes within the project scope. The timeline for implementation and certification against the ISO 27001 standard is the end of 2024.

2 Vulnerability management framework

In 2023, we are guiding organisation-wide efforts to streamline our patch management and vulnerability management processes.

In Q3 2023, we finalised our Vulnerability and Patch Management policy following internal consultation. We also designed management reporting metrics to monitor the status of vulnerability remediation.

In Q4 2023, we aim to operationalise the vulnerability management policy with application and infrastructure layer vulnerability management processes, so that vulnerability remediation is institutionalised according to that policy.

3 Cloud security enhancements

In Q2 2023, we executed a thorough assessment of our cloud environment against current security best practices and identified minor improvement areas. We will be executing the improvements identified throughout Q3.

In Q3, we worked on integrating security detection capabilities from our cloud environment into our central security tools and systems to centralise cloud security monitoring. This work will continue in Q4 with the update of our cloud security control framework following the release of the service criticality framework.

4 Enterprise risk management modernisation

In Q2 2023, our new Risk Management Framework was drafted utilising industry risk management standards. The new framework is coupled with the introduction of a Risk Management Policy. Our enterprise risk assessment against the newly developed framework is ongoing and will be completed by the end of 2023.

5 Security Awareness Programme

In Q2 2023, we designed the yearly cycle of our security awareness programme as well as the training partner/learning platform that will be utilised. In Q3, we onboarded the organisation to the security awareness learning platform. In Q4, we are launching interactive training sessions for new joiners and high-risk roles, and digital learning for the whole organisation.

Community Input
Reference Input RIPE NCC Reaction
IS-2023-#01 - -

Q3 2023 Plans and Community Input

Plans
Item Activity Description
1 Compliance with ISO/IEC 27000

Define our operations within the ISO/IEC 27001 framework and ensure that we are at the level of ISO 27001 certification, with the Plan/Do/Check/Act cycle fully in place.

In Q2 2023, we kicked off our ISO 27001 compliance project, focusing on certifying critical RIPE NCC services first. We are in the process of designing our Information Security Management System and drafting our overarching Information Security Policy according to the ISO 27001 standard.

In Q3 2023, we aim to finalise the Information Security Management System and progress further in the documentation of the Information Security Policy and supporting processes within the project scope. The timeline for implementation and certification against the ISO 27001 standard is the end of 2024.

2 Vulnerability management framework

In 2023, we are guiding organisation-wide efforts to streamline our patch management and vulnerability management processes.

In Q2 2023, we further expanded the coverage of our infrastructure vulnerability detection. A vulnerability management policy has been drafted and is under consultation.

In Q3, we aim to operationalise the vulnerability management policy with application and infrastructure layer vulnerability management processes, so that vulnerability remediation is institutionalised according to that policy.

3 Cloud security enhancements

In Q2 2023, we thoroughly assessed our cloud environment against current security best practices and identified minor improvement areas. We will be executing the improvements identified throughout Q3.

In Q2 2023, we also focused on designing enhanced security visibility for our cloud environment. In Q3, we will integrate the various security tools and systems to centralise cloud security monitoring. Additionally, we are extending our cloud security control framework following the release of the service criticality framework.

4 Enterprise risk management modernisation

In Q2 2023, our new Risk Management Framework was drafted utilising industry risk management standards. The new framework is coupled with the introduction of a Risk Management Policy. In Q3/Q4, we will execute our enterprise risk assessment against the newly developed framework and risk management policy.

We expect the enterprise risk management modernisation work to be executed throughout 2023.

5 Security Awareness Programme

In Q2 2023, we designed the yearly cycle of our security awareness programme as well as the training partner/learning platform that will be utilised. In Q3, we will onboard the organisation to the security awareness learning platform and launch interactive training sessions for new joiners and high-risk roles.

Community Input
Reference Input RIPE NCC Reaction
IS-2023-#01 - -

Q2 2023 Plans and Community Input

Plans
Item Activity Description
1 Compliance with ISO/IEC 27000

Define our operations within the ISO/IEC 27001 framework and ensure that we are at the level of ISO 27001 certification, with the Plan/Do/Check/Act cycle fully in place.

In Q1 2023, we completed the gap analysis against the ISO 27001 standard, which was initiated in Q4 2022. In Q2 2023, we will be focusing on designing our Information Security Management System and drafting our overarching Information Security Policy according to the ISO 27001 standard. The timeline for implementation and certification against the standard is the end of 2024.

2 Vulnerability management framework

In 2023, we are guiding organisation-wide efforts to streamline our patch management and vulnerability management processes.

In Q1 2023, we focused on improving the infrastructure vulnerability detection accuracy and coverage. Additionally, we designed the workflows and tooling for managing the remediation lifecycle of application layer vulnerabilities.

In Q2 2023, we will continue to expand the coverage of our infrastructure vulnerability detection. In addition, the vulnerability management policy will be drafted, and the remediation lifecycle for application layer vulnerabilities will be operationalised based on the drafted policy.

3 Cloud security enhancements

In Q1 2023, we outlined the core areas where cloud security enhancements are required and engaged with relevant experts. The execution of the outlined security improvements is planned for the rest of 2023. Additionally, in Q1, further cloud configuration checks were implemented to enhance security visibility.

4 Enterprise risk management modernisation

In Q1 2023, we established an internal Risk & Compliance function. In order to modernise our risk management methodology in a robust manner, a Risk Management policy has been drafted and industry risk management frameworks have been evaluated.

In Q2 2023, we will be updating our Risk Management framework and establishing the relevant internal governance structure.

We expect the work for the enterprise risk management modernisation to be executed throughout 2023.

5 Security Awareness Programme

In Q2 2023, we will be launching our internal security awareness programme. The programme will encompass security awareness training for new joiners, current staff and people in high-risk roles.

Community Input
Reference Input RIPE NCC Reaction
IS-2022-#01 - -

Q1 2023 Plans and Community Input

Plans
Item Activity Description
1 Compliance with ISO/IEC 27000

Define our operations within the ISO/IEC 27001 framework and ensure that we are at the level of ISO 27001 certification, with the Plan/Do/Check/Act cycle fully in place.

In Q1 2023, we are completing the gap analysis against the ISO 27001 standard, which was initiated in Q4 2022. The analysis will provide us with the necessary insights to plan appropriately, from a people, process and technology perspective, the implementation of ISO 27001 throughout 2023 and 2024.

2 Vulnerability management framework

In 2023, we are guiding organisation-wide efforts to streamline our patch management and vulnerability management processes.

In Q1 2023, we will be focusing on drafting the relevant policies and procedures.

3 Cloud security enhancements

In Q1 2023, we will be enhancing the design of our cloud security controls for services migrating to the cloud as well as our cloud security monitoring capabilities.

4 Enterprise risk management modernisation

In Q1 2023, we are establishing an internal Risk & Compliance function. One of the first focus areas for the new function will be the modernisation of our risk management methodology, so that risk is assessed using an agile and collaborative approach.

We expect the work for the enterprise risk management modernisation to be executed throughout 2023.

Community Input
Reference Input RIPE NCC Reaction
IS-2022-#01 - -

Q4 2022 Plans and Community Input

Plans
Item Activity Description
1 Compliance with ISO/IEC 27000

This work item was migrated from the Information Security Quarterly Planning.

Define our operations within the ISO/IEC 27000 framework and ensure that we are at the level of ISO 27001 certification, with the Plan/Do/Check/Act cycle fully in place.

The work started in 2022 and is expected to be completed in 2023-2024.

2 Bug bounty programme

This work item was migrated from the Information Security Quarterly Planning.

To supplement our existing responsible disclosure policy, we have implemented a private bug bounty programme with the vendor Intigriti for our external facing services.

Researchers are invited to participate in the RIPE NCC programme and identify security vulnerabilities in our external perimeter and services. The identified vulnerabilities are triaged internally and, according to their criticality, a bug bounty is paid out.

The work was completed in Q4 2022.

Community Input
Reference Input RIPE NCC Reaction
IS-2022-#01 - -

Q3 2022 Plans and Community Input

Plans
Item Activity Description
1 Compliance with ISO/IEC 27000

This work item was migrated from the Information Security Quarterly Planning.

Define our operations within the ISO/IEC 27000 framework and ensure that we are at the level of ISO 27001 certification, with the Plan/Do/Check/Act cycle fully in place.

The work started in 2022 and is expected to be completed in 2023-2024.

2 Bug bounty programme

This work item was migrated from the Information Security Quarterly Planning.

To supplement our existing responsible disclosure policy, we are planning to implement a public bug bounty programme for our external facing services.

3 Cooperation with security organisations

This work item was migrated from the Information Security Quarterly Planning.

We are supporting the development of an independent TF-CSIRT and intend to join the Supervisory Board of the new Dutch foundation.

This work was completed in Q3 2023.

Community Input
Reference Input RIPE NCC Reaction
IS-2022-#01 - -

Q2 2022 Plans and Community Input

Plans
Item Activity Description
1 Compliance with ISO/IEC 27000

This work item was migrated from the Information Security Quarterly Planning.

Define our operations within the ISO/IEC 27000 framework and ensure that we are at the level of ISO 27001 certification, with the Plan/Do/Check/Act cycle fully in place.

The work is expected to be completed in 2023-2024.

Community Input
Reference Input RIPE NCC Reaction
IS-2022-#01 - -