ENISA activities 2011-2012
including ontology and taxonomies for resilience
www.enisa.europa.eu
Slawomir Gorniak
18th January 2012
7th ETSI Security Workshop
Overview
o Introduction & context of the work
o Activities in 2011
o Plans for 2012
o Activities related to privacy & trust
o Ontology and taxonomies for resilience
o Final remarks
About ENISA (European Network and Information Security Agency)
o Created in 2004
o Located in Heraklion, Greece
o Around 30 experts
o Centre of expertise
o Supports EU institutions and Member States
o Facilitator of information exchange between EU institutions, the public sector and the private sector
o Has an advisory role; the focus is on prevention and preparedness for NIS topics
Activities
o The Agency's principal activities are as follows:
• Advising and assisting the Commission and the Member States on information security.
• Collecting and analysing data on security practices in Europe and emerging risks.
• Promoting risk assessment and risk management methods.
• Awareness-raising and co-operation between different actors in the information security field.
Work Streams 2011
o Goal: to ensure continuity between the former MTPs (Multi-annual Thematic Programmes) and the Work Streams (WS) of the future strategy.
o Work streams:
• WS1 ENISA as a facilitator for improving cooperation
• WS2 ENISA as a competence centre for securing current & future technology
• WS3 ENISA as a promoter of privacy, trust and awareness
2011 WS1 – Improving Cooperation
o Objective: to support the EC and the MS in intensifying cooperation between MS in key areas
o Work Packages:
• Supporting Member States in implementing Article 13a (security and integrity of public communications networks, Framework Directive 2002/21/EC as amended in 2009)
• Preparing the next pan-European exercise
• Reinforcing CERTs in the Member States
• Supporting CERT cooperation at the European level
• Good practice for CERTs to address NIS aspects of cybercrime
2011 WS2 – Securing Technology
o Objective: to assist the Member States and the Commission in identifying and responding to security issues related to current and future technology
o Work Packages:
• Security & privacy of Future Internet technologies
• Interdependencies & interconnection
• Secure architectures & technologies
• Early warning for NIS
2011 WS3 – Privacy and Trust
o Objective: to promote trust in future information systems by all sections of the population
o Work Packages:
• Understanding and analysing economic incentives and barriers to information security
• Deploying privacy and trust in operational environments
• Supporting the implementation of Article 4 of the ePrivacy Directive (2002/58/EC)
• Promoting the establishment of a European month of network and information security for all
Work Streams 2012
o Improving Information Security Through Collaboration
o WS1 – Identifying & Responding to the Evolving Threat Environment
• WPK 1.1: Emerging Opportunities & Risks
• WPK 1.2: Mitigation & Implementation Strategies
• WPK 1.3: Knowledge Base
o WS2 – Improving Pan-European CIIP & Resilience
• WPK 2.1: Further Securing the EU's Critical Information Infrastructure and Services
• WPK 2.2: Cyber Exercises
• WPK 2.3: European Public Private Partnership for Resilience (EP3R)
• WPK 2.4: Implementing Article 13a
Work Streams 2012 (continued)
o WS3 – Supporting the CERT and other Operational Communities
• WPK 3.1: Support and enhance CERTs' operational capabilities
• WPK 3.2: Application of good practice
• WPK 3.3: Support and enhance cooperation between CERTs, and with other communities
o WS4 – Securing the Digital Economy
• WPK 4.1: Economics of Security
• WPK 4.2: Security governance
• WPK 4.3: Supporting the development of secure, interoperable services
Privacy is a human right
o “Everyone has the right to respect for his private and family life, his home and his correspondence.”
- Article 8 of the European Convention on Human Rights, adopted by the member states of the Council of Europe
o “Everyone has the right to the protection of personal data concerning them.”
- Article 16 of the Treaty on the Functioning of the European Union (Treaty of Lisbon)
o “Everyone has the right to the protection of personal data concerning him or her” [..] “Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.”
- Article 8 of the Charter of Fundamental Rights of the European Union
Privacy & Trust – Context
o The Internet is open and distributed, without authoritative control
o In terms of privacy a number of challenges are posed:
• Data ‘pollution’: data is disseminated without control and replicated on multiple servers
• Contrary to humans, data lives forever
- emails (not only web mail), social networking sites, online collaborative spaces (e.g. Google Docs)
o Contradictory positions
• Governments
- Demand accountability, data protection, data minimisation, better privacy protection
- But also more access control to data, data retention, lawful interception
• Users
- Express concerns regarding privacy
- Some users are willing to drop those concerns when benefits are offered
Privacy & Trust in WP2011
o WPK 3.2 - Deploying Privacy & Trust in Operational Environments
• Report on minimal disclosure and other principles supporting privacy and security requirements
• Report on trust and reputation models: evaluation and guidelines
• Study on monetising privacy
o WPK 3.3 - Supporting the implementation of the ePrivacy Directive (2002/58/EC)
o Activities linked to
• Digital Agenda (policy dimension)
• FI Initiative (research dimension)
Data Breach Notifications
o Review of the ePrivacy Directive (2002/58/EC, as amended by Directive 2009/136/EC), Article 4:
• “In the case of a personal data breach, the provider of publicly available electronic communications services shall, without undue delay, notify the personal data breach to the competent national authority.”
o ENISA activities
• 2010 – Review of current practices among MS
• 2011 – Consultation workshop on DBN (24th January)
• 2011 – Technological guidelines for implementation of Art. 4
- Practical and usable definition of a breach
- Criteria for determining a breach
- National and pan-European approaches
- Appropriate technological protection measures
- Identification and assessment of risks of breaches
- Procedures of notification
o Activities in collaboration with the EC supporting actions of the Digital Agenda for the EU
Privacy & Trust in 2012
o WPK 4.2 - Security governance
• Supply Chain Integrity
• Art. 4, DBN continuation
o WPK 4.3 - Supporting the development of secure, interoperable services
• State of the art of certification schemes in the EU and beyond
- Exploring the feasibility of implementing a pan-European scheme for trustmarks
• Privacy-by-design, promoting PETs and their possible economic benefits, smart metering and privacy
Resilience – key concepts
o Definition from UK CPNI:
• The equipment and architecture used are inherently reliable, secured against obvious external threats and capable of withstanding some degree of damage
o Ability to withstand stress and recover from it
• Non-telecommunications examples
- Tennis ball: compresses under stress (being hit) but recovers during flight
- Aircraft wing: flexes when stationary, becomes more rigid when giving lift, able to withstand transient stress from turbulence and maintain function
• Telecommunications examples
- Dual parenting (each access node connected to two parent nodes), diverse routing, redundancy ...
The role of taxonomy
o Classification
• Grouping like with like
• Common characteristics without a view of individuals
o Exposing inheritance and differentiation
• What makes a tiger a tiger and not just a cat
Representing a taxonomy
“The wonderful thing about standards is that there are so many of them to choose from.” (Grace Hopper)
Ontology and taxonomies – next steps
o Extraction of a “telecommunications technology taxonomy scheme” to be published as a standard (European and global)
• A first draft was prepared in the ENISA report on resilience
o Develop guidance and tools to allow standards developers to use taxonomy and ontology
• Within the security domain this will be part of the (planned) activity with ETSI TC MTS SIG Security
o Recommendation to use taxonomy and ontology at the root of the definition of complex systems:
• Resilience
• Privacy
• Cloud systems
o Guidance material through ETSI TC MTS
o Deployment through the Future Networks initiative in ETSI (TISPAN)
Contact
European Network and Information Security Agency
Science and Technology Park of Crete (ITE)
P.O. Box 1309
71001 Heraklion, Crete, Greece
http://www.enisa.europa.eu