Dr. Vangelis OUZOUNIS, Senior Expert Security Policies, ENISA (www.enisa.europa.eu)

5th German Anti-Spam Summit, Koeln, 5th of Sept. 2007




Agenda

NIS a Challenge for the Internal Market

ENISA

Network Security Policies

Work Programme 2008 (draft)

Conclusions


NIS Challenges for the Internal Market

Communication Unlimited!

ICT boosts productivity in all sectors of the economy

ICT a critical enabler of all services, virtual and physical

Proliferation of technologies but also of disruptions,

more sophisticated and organised

take advantage of rapid penetration of new technologies and/or improper implementation of security measures

different underlying motives including money

beyond national borders, a global phenomenon

major threat for the proper functioning of the Internal Market

NIS requires pan European (global) co-operation


EU NIS Policy - History

1997 - COM(97) 503 on ensuring security & trust in electronic communications

1999 - Electronic Signature Directive (1999/93/EC)

1999 - eEurope 2002 Action Plan: smart card & secure access

2001 - COM(2001) 298: an EU policy on NIS

2002 & 2003 - Council Resolutions: EU Security Strategy

2002 - eEurope 2005 Action Plan: a task force proposed

2004 - ENISA is established

2005 - i2010 initiative: a security strategy is announced

2006 - COM(2006): a new NIS strategy


ENISA

An EU Agency - created on 14th of March 2004

Located in Heraklion, Crete, Greece

Main Objectives

enhance the capabilities of EC and MS to address and respond to NIS problems

provide assistance and advice to the EC and MS on issues related to NIS (e.g. updating Community legislation in NIS)

develop high level of expertise building on EU and MS efforts (e.g. analyze current and emerging risks, track the development of standards, etc.)

stimulate broad cooperation between actors from public and private sectors


Network Security Policies 2006 & 07 Activities

best practices of security policies - knowledgebase of best practices

assessing the implementation of security and anti-spam measures

eIDs and authentication Interoperability

assessment of accreditation and certification schemes

[Diagram: Best Practice Knowledgebase. Elements shown: Original Infosec Guide (e.g. Documents), Original Infosec Policy (e.g. Chapters), Original Infosec Control (e.g. Ideas), Gen. Infosec Guide, Gen. Infosec Policy, Infosec Control.]

1. Collect Best Practice Guides, Best Practice Policies and Best Practice Controls

2. Store Guides, Policies and Controls (or references to them) in the Knowledgebase

3. Extract most relevant & valuable pieces

4. Store these pieces of Guides, Policies and Controls also in the Knowledgebase

5. Create new brief, simple, broadly accepted Guides and Policies


Highlights Security Policies

tacit knowledge on security measures - difficulty in using formal languages

SMEs lack expertise and resources to deploy tools and formal methods

security policies directly relate to the size of organisations

interoperability of security policies is a challenge mostly for chains of multi-domain networks

customisable templates of best practice security policies would be of real value


Highlights - eIDs

lack of interoperability of mutually recognised eIDs across organisational boundaries

online (cross-country) eGov applications manifest the lack of interoperable eIDs

EC and MS developed a roadmap and work on cross-country interoperability pilots

availability of eID technologies - lack of standards and trust infrastructure for the real take up

ENISA works on a language for interoperable trust properties


New WP 2008 (draft)

Cooperation among MS

Risk Management

Resilience of Public Networks

SMEs Building Confidence

Horizontal Activities (requests, media, etc.)

Build on Synergies - Achieve Impact


WP 08 Selected Topics

Resilience of Public Communication Networks:

survey on legal and regulatory measures in MS

survey on good practices in resilience of public networks

report(s) on resilient backbone and Internet technologies

Cooperation among MS:

faster take up of interoperable eIDs in Europe

eID best practices including legal and regulatory issues

position papers on emerging technology trends, privacy and data handling and/or usability aspects of eIDs

analysis of standards related to pan-European eID initiative

Risk Management:

Emerging Technology Threats Position Papers

Two topics (e.g. mobile eIDs, Interoperability of Policies, VOIP, IPv6, Priority Communication, ad-hoc networks, etc.)

Reports produced by a group of experts using electronic means


Conclusions

Availability of services and integrity of networks are key to the proper functioning of the internal market

Investment in good NIS practices is a competitive advantage, not an expenditure

Cooperation in NIS among MS and Community is necessary

ENISA, a new Agency of the EU, builds on MS and Community initiatives and expertise

New WP follows a multi-year approach, aims at achieving impact


Stay in Touch with ENISA

Go to our website: http://www.enisa.europa.eu

Visit the Trends and Development Site: http://www.enisa.europa.eu/pages/Technologies/index.htm

Visit the Risk Management Site: http://www.enisa.europa.eu/rmra

Dr. Vangelis OUZOUNIS, Senior Expert Security Policies