EU Collaboration in Network and Information Security

Transcription

1 EU Collaboration in Network and Information Security Evolution or breakthrough? Dr. Ronald de Bruin, ENISA Secure 2006 Conference Warsaw, 17 October

2 Context for ENISA Today s society and and economy depend heavily on on networks and and information systems. Users Users experience serious serious problems when when using using electronic networks and and software and and find find little little help. help. Information security is is a concern for for everybody. We need to to achieve a culture of of network and information security. 2

3 ENISA s tasks Risk assessment and risk management Track standardisation Becoming a centre of expertise Promote CERTs Information exchange and cooperation Promote best practices Awareness raising Giving advice and assistance to EU Bodies and Member States 3

4 ENISA scope of activity To be a and not no be a Catalyst Stimulator Promoter Adviser Analyst service CSIRT Scientific lab Evaluation body Nevertheless, need to maintain internal expertise, also at disposal for EU and competent national bodies (requests and calls for assistance) 4

5 Awareness Raising findings Lots of initiatives have been taken in Member States Measurement often lacking Knowledge sharing is key Different approaches to different target groups necessary Positive message is important 5

6 Awareness Raising achievements Managing Working Group on Awareness Raising ( 05) Developing CD-ROM with Information Package for Member States (Dec 05) Customised information packages for different target groups (SME, home user and media) Including country case studies Communication plan for Member States Revisited: adding ISPs and local government (Nov 06) A users guide: How to raise information security awareness (Jun 06) Disseminating the main findings among the Member States by organising a focused workshop (Dec 05 and Oct 06) 6

7 CERTs findings CERTs/CSIRTs already exist for more than a decade Most countries have some sort of CERT/CSIRT, but not all areas are covered There are simpler models where a CERT is too advanced e.g., WARP Cooperation between CERTs can be enhanced 7

8 CERTs achievements Managing Working Group on CERTs ( 05) Developing a CD-ROM with Inventory on CERT activities in Europe (Dec 05) Step-by-step plan on how to set-up a CERT (Sep 06) Report on how to enhance cooperation between CERTs (Nov 06) Organising information sharing workshop to promote best practices (Dec 05 and Oct 06) 8

9 Risk Management findings Various approaches developed in different Member States e.g., BS7799, EBIOS, ITbaseline protection, etc. No one-size fits all solution best practices have to be adapted to specific user/sector Not clear for everyone which method to use Emphasis needs to be put on SMEs 9

10 10

11 Coordination of activities with MS and EU bodies Managing the Network of National Liaison Officers ( 05 and 06) Developing the Who-is-Who Directory (Dec 05 and Nov 06) Updating country pages Preparatory work on establishing a European NIS best practice brokerage (foreseen in 07) Managing handling of requests and calls for advice and assistance 11

12 ENISA was called upon by 1) EDPS 2) Commission 3) NRA Lithuania 4) Commission 5) Commission 6) Commission 7) Czech Republic 8a) Commission 8b) Commission Facilitating audit of EURODAC System Assessment of security measures taken by electronic communication providers Assistance in setting-up of CERTs through organising a CERT training in Lithuania Providing feedback on Impact Assessment on planned Communication Advice on mid-term review of Directive on Electronic Signatures Advice on eid management in Commission services Assessment of security requirements for Public Administration Information Systems Feasibility study on a trusted partnership for a data collection framework Examining the feasibility of a EU-wide information and alert system 12

13 ENISA Outreach Go to our website: Subscribe to our Quarterly Newsletter: To susbscribe to the ENISA Quarterly, please mail to and clearly state NEWS (!) as subject. 13

14 One of ENISA s challenges is to solve the impact dilemma ENISA advices and assists MS and EU Bodies? ENISA should increase the level of (end user) security 14

15 In the emerging ubiquitous Information Society people can be connected with everything, whenever and wherever. Ms. Susanna Huovinen Minister of Transport and Communications of Finland 15

16 The ambition is to further develop a dynamic, global strategy in Europe, based on a culture of security and founded on dialogue, partnership and empowerment. [ ] to be achieved by reinforcing a multi-stakeholder approach. Commission Communication (2006) 251 A strategy for a Secure Information Society 16

17 ISPs are ideally placed to greatly improve the end user experience by offering security services to consumers and SMEs. Risto Siilasmaa President and CEO F-Secure 17

18 Do not use ISPs as man in the middle to fix security. This may work in the short term, but not in the long term. Michael Rotert President EuroISPA 18

19 We should ask ourselves: Will it feel good and who is in control? [ ] Privacy and security should be delivered, in act and verified. Peter Hustinx European Data Protection Supervisor 19

20 The role of the government is to foster transparency, but it is up to the market to provide that. Paul Dorey VP Digital Security BP 20

21 If something is not working in security, just look at the economics of it and you ll mostly find the answer why. Bruce Schneier Founder and CTO Counterpane 21

22 Odyseus 22

23 We will achieve a breakthrough if we are able to harness concerted actions with relevant stakeholders, based on a sound analysis of the issues. Ronald de Bruin ENISA 23