
Geneva, Switzerland, 15-16 September 2014

ENISA role in ICT standardization

Sławomir Górniak, ENISA

[email protected]

ITU Workshop on “ICT Security Standardization for Developing Countries”

(Geneva, Switzerland, 15-16 September 2014)

European Union Agency for Network and Information Security

Established in 2004. Centre of expertise:

• Writing reports that analyse data on security practices in Europe and on emerging risks (e.g. cloud computing, exercises, national contingency plans)
• Supporting the European Commission & Member States in their policy initiatives (e.g. setting up and training CERTs, seminars for national exercises)
• Facilitating cross-border cooperation (e.g. supporting cyber security exercises)
• Ensuring a coherent pan-European approach (e.g. supporting the implementation of article 13a)


ENISA activities

• Hands on
• Policy Implementation
• Recommendations
• Mobilising Communities


ENISA efforts

• Identification of risks associated with new technologies affecting the daily life of citizens
• Cyber crisis cooperation at EU and international level and development of capabilities
• Facilitating Public-Private cooperation
• Improving transparency of security incidents
• Enabling communities to improve NIS: capacity building with regard to the CERT community and application of good practice for CERTs
• Ensuring a strong EU response to cybercrime
• Supporting R&D investments and strengthening the competitiveness of the EU’s security industry
• Promoting personal data protection


ENISA and SDOs

Established collaboration agreements with:

• ISO SC27 (Liaison)
• ETSI (MoU):
  - Exchange of information of mutual interest
  - Organisation of joint meetings and workshops
  - ENISA to channel standardisation activities to ETSI, if appropriate
  - Exchange of working documents, within well defined frames
  - ENISA to nominate observers for ETSI Technical Bodies
• CEN CENELEC (MoU)
• ITU (MoU started!)

ENISA aligns key activities with the work of SDOs:

• ETSI TISPAN on CIIP, ESI on eID, CLOUD on cloud certification
• CEN CENELEC on smart grids
• ISO SC 27 in the area of privacy


Example: Security measures for smart grids - conceptual model

Milestones:

• 1st version, ENISA publication, Dec 2012
• 2nd version, EG2 security measures, April 2014
• Mapping between security measures and M/490 SGIS security levels

Approach:

• Risk-based instead of compliance-based approach
• Three-level approach:
  - Risk assessment (by operators)
  - Appropriate measures (baseline)
  - 3 sophistication levels per measure (implementation sophistication)

11 control domains, 42 measures

Control Domains - set of practices

[Figure: matrix applied for the method to define Security Measures. Columns are the control domains CD1 – Security Governance, CD2, …, CDN. Under CD1 the security measures shown are: Information security policy; Organization of information security; Information security procedures. Rows are the 3 sophistication levels (3, 2, 1), each listing its requirements (Requirement 1, Requirement 2, …).]
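The matrix above pairs each security measure with three cumulative sophistication levels, and the operator's own risk assessment, rather than a fixed compliance checklist, decides which level a measure must reach. The following model is an added illustration of that structure, not code from the slides or from ENISA: control domain CD1 and its three measure names are taken from the figure, while the requirement texts, the risk-to-level mapping and the sample operator data are constructed for the example.

```python
"""Toy model of the three-level security-measures matrix: control domains
hold measures, each measure has sophistication levels 1..3, each level a set
of requirements. The operator's risk rating selects a target level per
measure; the gap check lists the requirements still missing."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Measure:
    name: str
    # requirements keyed by sophistication level; levels are cumulative,
    # so reaching level 3 also demands everything from levels 1 and 2
    requirements: dict[int, tuple[str, ...]]

    def required_up_to(self, level: int) -> set[str]:
        if not 1 <= level <= 3:
            raise ValueError(f"sophistication level must be 1..3, got {level}")
        return {r for lvl in range(1, level + 1) for r in self.requirements[lvl]}


@dataclass
class ControlDomain:
    code: str
    name: str
    measures: list[Measure] = field(default_factory=list)


# CD1 and its measure names come from the slide; the requirement wording
# under each level is constructed for illustration only.
CD1 = ControlDomain("CD1", "Security Governance", [
    Measure("Information security policy", {
        1: ("policy document exists",),
        2: ("policy approved by management", "policy communicated to staff"),
        3: ("policy reviewed at defined intervals",),
    }),
    Measure("Organization of information security", {
        1: ("security roles assigned",),
        2: ("security steering committee in place",),
        3: ("independent review of the security organisation",),
    }),
    Measure("Information security procedures", {
        1: ("procedures documented",),
        2: ("procedures tested",),
        3: ("procedures measured and improved",),
    }),
])


def target_level(risk_rating: str) -> int:
    """Risk-based rather than compliance-based: the operator's risk rating for
    the asset or process decides how sophisticated the measure must be.
    The mapping itself is a constructed assumption."""
    return {"low": 1, "medium": 2, "high": 3}[risk_rating]


def achieved_level(measure: Measure, implemented_reqs) -> int:
    """Highest sophistication level whose cumulative requirements are all met
    (0 when not even level 1 is complete)."""
    done = set(implemented_reqs)
    level = 0
    for lvl in (1, 2, 3):
        if measure.required_up_to(lvl) <= done:
            level = lvl
        else:
            break
    return level


def gap_analysis(domain: ControlDomain, risk_by_measure, implemented) -> dict[str, list[str]]:
    """Return {measure name: sorted missing requirements} for every measure
    whose implemented requirements fall short of its risk-derived target."""
    gaps = {}
    for m in domain.measures:
        needed = m.required_up_to(target_level(risk_by_measure[m.name]))
        missing = needed - set(implemented.get(m.name, ()))
        if missing:
            gaps[m.name] = sorted(missing)
    return gaps


# Constructed sample operator: risk ratings per measure and what is in place.
SAMPLE_RISK = {
    "Information security policy": "high",
    "Organization of information security": "low",
    "Information security procedures": "medium",
}
SAMPLE_IMPLEMENTED = {
    "Information security policy": ["policy document exists",
                                    "policy approved by management"],
    "Organization of information security": ["security roles assigned"],
    "Information security procedures": [],
}

if __name__ == "__main__":
    for m in CD1.measures:
        print(f"{m.name}: level {achieved_level(m, SAMPLE_IMPLEMENTED[m.name])}"
              f" of target {target_level(SAMPLE_RISK[m.name])}")
    for name, missing in gap_analysis(CD1, SAMPLE_RISK, SAMPLE_IMPLEMENTED).items():
        print(f"gap in '{name}': {missing}")
```

Because levels are cumulative, a measure rated "low" risk can be closed at level 1 while the same measure rated "high" elsewhere still has open requirements; that is the point of the risk-based approach over a single compliance baseline.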


European Union Agency for Network and Information Security
Science and Technology Park of Crete, P.O. Box 1309, 71001 Heraklion, Crete, Greece

Follow ENISA

http://www.enisa.europa.eu