
ENISA activities 2011-2012

including ontology and taxonomies for resilience


Slawomir Gorniak
18th January 2012
7th ETSI Security Workshop

www.enisa.europa.eu

Overview
o Introduction & context of the work
o Activities in 2011
o Plans for 2012
o Activities related to privacy & trust
o Ontology and taxonomies for resilience
o Final remarks


About ENISA
(European Network and Information Security Agency)
o Created in 2004
o Located in Heraklion / Greece
o Around 30 experts
o Centre of expertise: supports EU institutions and Member States
o Facilitator of information exchange: EU institutions, public sector & private sector
o Has an advisory role: the focus is on prevention and preparedness for NIS topics


Activities
o The Agency's principal activities are as follows:
    - Advising and assisting the Commission and the Member States on information security.
    - Collecting and analysing data on security practices in Europe and emerging risks.
    - Promoting risk assessment and risk management methods.
    - Awareness-raising and co-operation between different actors in the information security field.

Work Streams 2011


o Goals: to ensure continuity between the former MTPs and the Work Streams (WS) of the future strategy.
o Work streams:
    - WS1 ENISA as a facilitator for improving cooperation
    - WS2 ENISA as a competence centre for securing current & future technology
    - WS3 ENISA as a promoter of privacy, trust and awareness


2011 WS1 Improving Cooperation


o Objective: to support the EC and the MS in intensifying cooperation between MS in key areas
o Work Packages:
    - Supporting Member States in implementing Article 13a
    - Preparing the next pan-European exercise
    - Reinforcing CERTs in the Member States
    - Supporting CERT cooperation at the European level
    - Good practice for CERTs to address NIS aspects of cybercrime


2011 WS2 Securing Technology


o Objective: to assist the Member States and the Commission in identifying and responding to security issues related to current and future technology
o Work Packages:
    - Security & privacy of Future Internet technologies
    - Interdependencies & interconnection
    - Secure architectures & technologies
    - Early warning for NIS


2011 WS3 - Privacy and Trust


o Objective: to promote trust in future information systems by all sections of the population.
o Work Packages:
    - Understanding and analysing economic incentives and barriers to information security.
    - Deploying privacy and trust in operational environments.
    - Supporting the implementation of Article 4 of the ePrivacy Directive (2002/58/EC).
    - Promoting the establishment of a European month of network and information security for all.


Work Streams 2012


o Improving Information Security Through Collaboration
o WS1 Identifying & Responding to the Evolving Threat Environment
    - WPK 1.1: Emerging Opportunities & Risks
    - WPK 1.2: Mitigation & Implementation Strategies
    - WPK 1.3: Knowledge Base
o WS2 Improving Pan-European CIIP & Resilience
    - WPK 2.1: Further Securing the EU's Critical Information Infrastructure and Services
    - WPK 2.2: Cyber Exercises
    - WPK 2.3: European Public Private Partnership for Resilience (EP3R)
    - WPK 2.4: Implementing Article 13a


Work Streams 2012


o WS3 Supporting the CERT and other Operational Communities
    - WPK 3.1: Support and enhance CERTs' operational capabilities
    - WPK 3.2: Application of good practice
    - WPK 3.3: Support and enhance cooperation between CERTs, and with other communities
o WS4 Securing the Digital Economy
    - WPK 4.1: Economics of Security
    - WPK 4.2: Security governance
    - WPK 4.3: Supporting the development of secure, interoperable services


Privacy is a human right


o "Everyone has the right to respect for his private and family life, his home and his correspondence."
    - Article 8 of the European Convention on Human Rights, adopted by the member states of the Council of Europe
o "Everyone has the right to the protection of personal data concerning them."
    - Article 16 of the Treaty on the Functioning of the European Union (Treaty of Lisbon)
o "Everyone has the right to the protection of personal data concerning him or her [..] Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified."
    - Article 8 of the Charter of Fundamental Rights of the European Union

Privacy & Trust Context


o The Internet is open and distributed, without authoritative control
o In terms of privacy a number of challenges are posed
    - Data pollution: data is disseminated without control and replicated on multiple servers
    - Contrary to humans, data lives forever: emails (not only web mail), social networking sites, online collaborative spaces (e.g. Google docs)
o Contradictory positions
    - Governments: demand accountability, data protection, data minimization, better privacy protection; but also more access control to data, data retention, lawful interception
    - Users: express concerns regarding privacy; some users are willing to drop the concerns when benefits are offered

Privacy & Trust in WP2011


o WPK 3.2 - Deploying Privacy & Trust in Operational Environments
    - Report on minimal disclosure and other principles supporting privacy and security requirements
    - Report on trust and reputation models: evaluation and guidelines
    - Study on monetizing privacy
o WPK 3.3 - Supporting the implementation of the ePrivacy Directive (2002/58/EC)
o Activities linked to the Digital Agenda (policy dimension) and the FI Initiative (research dimension)


Data Breach Notifications


o Review of the ePrivacy Directive (2002/58/EC)
o Article 4: "In the case of a personal data breach, the provider of publicly available electronic communications services shall, without undue delay, notify the personal data breach to the competent national authority."
o ENISA activities
    - 2010: Review of current practices among MS
    - 2011: Consultation workshop on DBN (24th January)
    - 2011: Technological guidelines for implementation of Art. 4
        - Practical and usable definition of a breach
        - Criteria for determining a breach
        - National and pan-European approaches
        - Appropriate technological protection measures
        - Identification and assessment of risks of breaches
        - Procedures of notification


Privacy & Trust in 2012


o Activities in collaboration with the EC supporting actions of the Digital Agenda for the EU
o WPK 4.2 - Security governance
    - Supply Chain Integrity
    - Art. 4, DBN continuation
o WPK 4.3 - Supporting the development of secure, interoperable services
    - State of the art of certification schemes in the EU and beyond
    - Exploring the feasibility of implementing a pan-European scheme for trustmarks
    - Privacy-by-design, promoting PETs and their possible economic benefits, smart metering and privacy


Resilience key concepts


o Definition from UK CPNI: "The equipment and architecture used are inherently reliable, secured against obvious external threats and capable of withstanding some degree of damage"
o Ability to withstand stress and recover from it
    - Non-telecommunications examples
        - Tennis ball: compresses under stress (being hit) but recovers during flight
        - Aircraft wing: flexes when stationary, becomes more rigid when giving lift; able to withstand transient stress from turbulence and maintain function
    - Telecommunications examples
        - Dual parenting, diverse routing, redundancy ...


The role of taxonomy


o Classification
    - Grouping like with like
    - Common characteristics without view of individuals
o Exposing inheritance and differentiation
    - What makes a tiger a tiger and not just a cat


Representing a taxonomy

"The wonderful thing about standards is that there are so many of them to choose from." Grace Hopper

Ontology and taxonomies next steps


o Extraction of a telecommunications technology taxonomy scheme, to be published as a standard (European and global)
    - A first draft was prepared in the ENISA report on resilience
o Develop guidance and tools to allow standards developers to use taxonomy and ontology
    - Within the security domain this will be part of the (planned) activity with ETSI TC MTS SIG Security
o Recommendation to use taxonomy and ontology at the root of the definition of complex systems: resilience, privacy, cloud systems
o Guidance material through ETSI TC MTS
o Deployment through the Future Networks initiative in ETSI (TISPAN)

Contact
European Network and Information Security Agency
Science and Technology Park of Crete (ITE)
P.O. Box 1309
71001 Heraklion - Crete
Greece
http://www.enisa.europa.eu
