enisa_gorniak
TRANSCRIPT
-
8/2/2019 ENISA_GORNIAK
1/20
ENISA activities 2011-2012
www.enisa.europa.eu
Slawomir Gorniak
18th January 2012
7th ETSI Security Workshop
-
Overview
o Introduction & context of the work
o Activities in 2011
o Plans for 2012
o Activities related to privacy & trust
o Ontology and taxonomies for resilience
o Final remarks
-
About ENISA (European Network and Information Security Agency)
o Created in 2004
o Located in Heraklion / Greece
o Around 30 experts
o Centre of expertise
o Supports EU institutions and Member States
o Facilitator of information exchange: EU institutions, public sector & private sector
o Has an advisory role
o The focus is on prevention and preparedness for NIS topics
-
Activities
o The Agency's principal activities are as follows:
  Advising and assisting the Commission and the Member States on information security.
  security practices in Europe and emerging risks.
  Promoting risk assessment and risk management methods.
  Awareness-raising and co-operation between different actors in the information security field.
-
Work Streams 2011
o Goals: to ensure continuity between the former MTPs and the Work Streams (WS) of the future strategy.
o Work streams:
  WS1 ENISA as a facilitator for improving cooperation
  WS2 ENISA as a competence centre for securing current & future
  WS3 ENISA as a promoter of privacy, trust and awareness.
-
2011 WS1 Improving Cooperation
o Objective: to support the EC and the MS in intensifying cooperation between MS in key areas
o Work Packages:
  Supporting Member States in implementing Article 13a
  Preparing the next pan-European exercise
  Supporting CERT cooperation at the European level
  Good practice for CERTs to address NIS aspects of Cybercrime
-
2011 WS2 Securing Technology
o Objective: to assist the Member States and the Commission in identifying and responding to security issues related to current and future technology
o Work Packages:
  Security & privacy of Future Internet technologies
  Interdependencies & interconnection
  Early warning for NIS
-
2011 WS3 - Privacy and Trust
o Objective: to promote trust in future information systems by all sections of the population.
o Work Packages:
  Understanding and analysing economic incentives and barriers to information security.
  Supporting the implementation of article 4 of the ePrivacy Directive (2002/58/EC).
  Promoting the establishment of a European month of network and information security for all.
-
Work Streams 2012
o Improving Information Security Through Collaboration
o WS1 Identifying & Responding to the Evolving Threat Environment
  WPK 1.1: Emerging Opportunities & Risks
  WPK 1.2: Mitigation & Implementation Strategies
  WPK 1.3: Knowledge Base
o WS2 Improving Pan-European Resilience
  WPK 2.1: Further Securing EU's Critical Information Infrastructure and Services
  WPK 2.2: Cyber Exercises
  WPK 2.3: European Public Private Partnership for Resilience (EP3R)
  WPK 2.4: Implementing Article 13a
-
Work Streams 2012 (continued)
o WS3 Supporting the CERT and other Operational Communities
  WPK 3.1: Support and enhance CERTs' operational capabilities
  WPK 3.2: Application of good practice
  WPK 3.3: Support and enhance cooperation between CERTs, and with other communities
o WS4:
  WPK 4.1: Economics of Security
  WPK 4.2: Security governance
  WPK 4.3: Supporting the development of secure, interoperable services
-
Privacy is a human right
o Everyone has the right to respect for his private and family life, his home and his correspondence.
  Article 8 of the European Convention on Human Rights, adopted by the member states of the Council of Europe
o Everyone has the right to the protection of personal data concerning them.
  Article 16, The Treaty of Lisbon, The Treaty on the Functioning of the European Union
o Everyone has the right to the protection of personal data concerning him or her [..] Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
  Article 8, the Charter of Fundamental Rights of the European Union
-
Privacy & Trust Context
o Internet is open and distributed without authoritative control
o In terms of privacy a number of challenges are posed
  Data pollution - data disseminated without control and replicated on multiple servers
  Contrary to humans, data lives forever
  spaces (e.g. Google docs)
o Contradictory positions
  Governments
    Demand accountability, data protection, data minimization, better privacy protection
    But also more access control to data, data retention, lawful interception
  Users
    Expressing concerns regarding privacy
    Some users willing to drop the concerns when benefits are offered
-
Privacy & Trust in WP2011
o WPK 3.2 - Deploying Privacy & Trust in Operational Environments
  Report on minimal disclosure and other principles supporting privacy and security requirements
  Report on trust and reputation models. Evaluation and guidelines
  Study on monetizing privacy
o Supporting the implementation of Article 4 of the ePrivacy Directive (2002/58/EC)
o Activities linked to
  Digital Agenda (policy dimension)
  FI Initiative (research dimension)
-
Data Breach Notifications
o Review of ePrivacy Directive (2002/58/EC)
o Article 4
  In the case of a personal data breach, the provider of publicly available electronic communications services shall, without undue delay, notify the personal data breach to the competent national authority.
o ENISA activities
  2010 Review of current practices among MS
  2011 Consultation workshop on DBN (24th January)
  2011 Technological guidelines for implementation of Art. 4
    Practical and usable definition of a breach
    Criteria for determining a breach
    National and pan-European approaches
    Appropriate technological protection measures
    Identification and assessment of risks of breaches
    Procedures of notification
-
Privacy & Trust in 2012
o Activities in collaboration with EC supporting actions of the Digital Agenda for the EU
o WPK 4.2 - Security governance
  Supply Chain Integrity
  Art 4, DBN continuation
o State of the art of certification schemes in the EU and beyond.
o Exploring the feasibility of implementing a pan-European scheme for trustmarks
o Privacy-by-design, promoting PETs and their possible economic benefits, smart metering and privacy
-
Resilience key concepts
o Definition from UK CPNI
  The equipment and architecture used are inherently reliable, secured against obvious external threats and capable of withstanding some degree of damage
o Ability to withstand stress and recover from it
  Tennis ball compresses under stress (being hit) but recovers during flight
  Aircraft wing flexes when stationary, becomes more rigid when giving lift, able to withstand transient stress from turbulence and maintain function
  Telecommunications examples: dual parenting, diverse routing, redundancy ...
-
The role of taxonomy
o Classification
  Grouping like with like
  Common characteristics without view of individuals
o Exposing inheritance and differentiation
-
Representing a taxonomy
"The wonderful thing about standards is that there are so many of them to choose from." Grace Hopper
-
Ontology and taxonomies next steps
o Extraction of a telecommunications technology taxonomy scheme to be published as a standard (European and Global)
  A first draft was prepared in the ENISA report on resilience
o Develop guidance and tools to allow standards developers to use taxonomy and ontology
  Within security domain this will be part of the activity (planned) with
o Recommendation to use taxonomy and ontology at root of definition of complex systems:
  Resilience
  Privacy
  Cloud systems
o Guidance material through ETSI TC MTS
o Deployment through the Future Networks initiative in ETSI (TISPAN)
-
Contact
European Network and Information Security Agency
P.O. Box 1309, 71001 Heraklion - Crete, Greece
http://www.enisa.europa.eu