
  • 8/2/2019 ENISA_GORNIAK

    1/20

    ENISA activities 2011-2012

    www.enisa.europa.eu

    Slawomir Gorniak

    18th January 2012

    7th ETSI Security Workshop

    2/20

    Overview

    o Introduction & context of the work

    o Activities in 2011

    o Plans for 2012

    o Activities related to privacy & trust

    o Ontology and taxonomies for resilience

    o Final remarks

    3/20

    About ENISA (European Network and Information Security Agency)

    Created in 2004

    Located in Heraklion / Greece

    Around 30 experts

    Centre of expertise

    Supports EU institutions and Member States

    Facilitator of information exchange: EU institutions, public sector & private sector

    Has an advisory role

    The focus is on prevention and preparedness for NIS topics

    4/20

    Activities

    o The Agency's principal activities are as follows:

      - Advising and assisting the Commission and the Member States on information security.

      - security practices in Europe and emerging risks.

      - Promoting risk assessment and risk management methods.

      - Awareness-raising and co-operation between different actors in the information security field.

    5/20

    Work Streams 2011

    o Goals: to ensure continuity between the former MTPs and the Work Streams (WS) of the future strategy.

    o Work streams:

      - WS1 ENISA as a facilitator for improving cooperation

      - WS2 ENISA as a competence centre for securing current & future

      - WS3 ENISA as a promoter of privacy, trust and awareness.

    6/20

    2011 WS1 Improving Cooperation

    o Objective: to support EC and the MS in intensifying cooperation between MS in key areas

    o Work Packages:

      - Supporting Member States in implementing Article 13a

      - Preparing the next pan-European exercise

      - Supporting CERT cooperation at the European level

      - Good practice for CERTs to address NIS aspects of Cybercrime

    7/20

    2011 WS2 Securing Technology

    o Objective: to assist the Member States and the Commission in identifying and responding to security issues related to current and future technology

    o Work Packages:

      - Security & privacy of Future Internet technologies

      - Interdependencies & interconnection

      - Early warning for NIS

    8/20

    2011 WS3 - Privacy and Trust

    o Objective: to promote trust in future information systems by all sections of the population.

    o Work Packages:

      - Understanding and analysing economic incentives and barriers to information security.

      - Supporting the implementation of article 4 of the ePrivacy Directive (2002/58/EC).

      - Promoting the establishment of a European month of network and information security for all.

    9/20

    Work Streams 2012

    o Improving Information Security Through Collaboration

    o WS1 Identifying & Responding to the Evolving Threat Environment

      - WPK 1.1: Emerging Opportunities & Risks

      - WPK 1.2: Mitigation & Implementation Strategies

      - WPK 1.3: Knowledge Base

    o WS2 Improving Pan-European Resilience

      - WPK 2.1: Further Securing EU's Critical Information Infrastructure and Services

      - WPK 2.2: Cyber Exercises

      - WPK 2.3: European Public Private Partnership for Resilience (EP3R)

      - WPK 2.4: Implementing Article 13a

    10/20

    Work Streams 2012

    o WS3 Supporting the CERT and other Operational Communities

      - WPK 3.1: Support and enhance CERTs' operational capabilities

      - WPK 3.2: Application of good practice

      - WPK 3.3: Support and enhance cooperation between CERTs, and with other communities

      - WPK 4.1: Economics of Security

      - WPK 4.2: Security governance

      - WPK 4.3: Supporting the development of secure, interoperable services

    11/20

    Privacy is a human right

    o Everyone has the right to respect for his private and family life, his home and his correspondence.

      Article 8 of the European Convention on Human Rights

    o adopted by member states of the Council of Europe

    o Everyone has the right to the protection of personal data concerning them.

      Article 16, The Treaty of Lisbon, The Treaty on the Functioning of the European Union states

    o Everyone has the right to the protection of personal data concerning him or her [..] Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

      Article 8, the Charter of Fundamental Rights of the European Union

    12/20

    Privacy & Trust Context

    o Internet is open and distributed without authoritative control

    o In terms of privacy a number of challenges are posed

      - Data pollution - data disseminated without control and replicated on multiple servers

      - Contrary to humans, data lives forever

      - spaces (e.g. Google docs)

    o Contradictory positions

      - Governments: demand accountability, data protection, data minimization, better privacy protection, but also more access control to data, data retention, lawful interception

      - Users: expressing concerns regarding privacy; some users willing to drop the concerns when benefits are offered

    13/20

    Privacy & Trust in WP2011

    o WPK 3.2 - Deploying Privacy & Trust in Operational Environments

      - Report on minimal disclosure and other principles supporting privacy and security requirements

      - Report on trust and reputation models. Evaluation and guidelines

      - Study on monetizing privacy

      - (2002/58/EC)

    o Activities linked to

      - Digital Agenda (policy dimension)

      - FI Initiative (research dimension)

    14/20

    Data Breach Notifications

    o Review of ePrivacy Directive (2002/58/EC)

    o Article 4

      In the case of a personal data breach, the provider of publicly available electronic communications services shall, without undue delay, notify the personal data breach to the competent national authority.

    o ENISA activities

      - 2010 Review of current practices among MS

      - 2011 Consultation workshop on DBN (24th January)

      - 2011 Technological guidelines for implementation of Art. 4

        - Practical and usable definition of a breach

        - Criteria for determining a breach

        - National and pan-European approaches

        - Appropriate technological protection measures

        - Identification and assessment of risks of breaches

        - Procedures of notification

    15/20

    Privacy & Trust in 2012

    o Activities in collaboration with EC supporting actions of the Digital Agenda for the EU

    o WPK 4.2 - Security governance

      - Supply Chain Integrity

      - Art 4, DBN continuation

      - State of the art of certification schemes in the EU and beyond.

      - Exploring the feasibility of implementing a pan-European scheme for trustmarks

      - Privacy-by-design, promoting PETs and their possible economic benefits, smart metering and privacy

    16/20

    Resilience key concepts

    o Definition from UK CPNI

      The equipment and architecture used are inherently reliable, secured against obvious external threats and capable of withstanding some degree of damage

    o Ability to withstand stress and recover from it

      - Tennis ball compresses under stress (being hit) but recovers during flight

      - Aircraft wing flexes when stationary, becomes more rigid when giving lift, able to withstand transient stress from turbulence and maintain function

      - Telecommunications examples: dual parenting, diverse routing, redundancy ...

    17/20

    The role of taxonomy

    o Classification

      - Grouping like with like

      - Common characteristics without view of individuals

    o Exposing inheritance and differentiation

    18/20

    Representing a taxonomy

    "The wonderful thing about standards is that there are so many of them to choose from." Grace Hopper

    19/20

    Ontology and taxonomies next steps

    o Extraction of a telecommunications technology taxonomy scheme to be published as a standard (European and Global)

      - A first draft was prepared in the ENISA report on resilience

    o Develop guidance and tools to allow standards developers to use taxonomy and ontology

      - Within security domain this will be part of the activity (planned) with

    o Recommendation to use taxonomy and ontology at root of definition of complex systems:

      - Resilience

      - Privacy

      - Cloud systems

    o Guidance material through ETSI TC MTS

    o Deployment through the Future Networks initiative in ETSI (TISPAN)

    20/20

    Contact

    European Network and Information Security Agency

    P.O. Box 1309, 71001 Heraklion - Crete, Greece

    http://www.enisa.europa.eu