
Page 1: ENISA activities 2011-2012

ENISA activities 2011-2012
including ontology and taxonomies for resilience

Slawomir Gorniak

18th January 2012

7th ETSI Security Workshop

www.enisa.europa.eu

Page 2: Overview

o Introduction & context of the work
o Activities in 2011
o Plans for 2012
o Activities related to privacy & trust
o Ontology and taxonomies for resilience
o Final remarks

Page 3: About ENISA (European Network and Information Security Agency)

• Created in 2004
• Located in Heraklion / Greece
• Around 30 experts
• Centre of expertise: supports EU institutions and Member States
• Facilitator of information exchange: EU institutions, public sector & private sector
• Has an advisory role; the focus is on prevention and preparedness for NIS topics

Page 4: Activities

o The Agency’s principal activities are as follows:
• Advising and assisting the Commission and the Member States on information security.
• Collecting and analysing data on security practices in Europe and emerging risks.
• Promoting risk assessment and risk management methods.
• Awareness-raising and co-operation between different actors in the information security field.

Page 5: Work Streams 2011

o Goals: to ensure continuity between the former MTPs and the Work Streams (WS) of the future strategy.
o Work streams:
• WS1 ENISA as a facilitator for improving cooperation
• WS2 ENISA as a competence centre for securing current & future technology
• WS3 ENISA as a promoter of privacy, trust and awareness.

Page 6: 2011 WS1 – Improving Cooperation

o Objective: to support EC and the MS in intensifying cooperation between MS in key areas
o Work Packages:
• Supporting Member States in implementing Article 13a
• Preparing the next pan-European exercise
• Reinforcing CERTs in the Member States
• Supporting CERT cooperation at the European level
• Good practice for CERTs to address NIS aspects of Cybercrime

Page 7: 2011 WS2 – Securing Technology

o Objective: to assist the Member States and the Commission in identifying and responding to security issues related to current and future technology
o Work Packages:
• Security & privacy of Future Internet technologies
• Interdependencies & interconnection
• Secure architectures & technologies
• Early warning for NIS

Page 8: 2011 WS3 - Privacy and Trust

o Objective: to promote trust in future information systems by all sections of the population.
o Work Packages:
• Understanding and analysing economic incentives and barriers to information security.
• Deploying privacy and trust in operational environments.
• Supporting the implementation of article 4 of the ePrivacy Directive (2002/58/EC).
• Promoting the establishment of a European month of network and information security for all.

Page 9: Work Streams 2012

o Improving Information Security Through Collaboration
o WS1 – Identifying & Responding to the Evolving Threat Environment
• WPK 1.1: Emerging Opportunities & Risks
• WPK 1.2: Mitigation & Implementation Strategies
• WPK 1.3: Knowledge Base
o WS2 – Improving Pan-European CIIP & Resilience
• WPK 2.1: Further Securing EU’s Critical Information Infrastructure and Services
• WPK 2.2: Cyber Exercises
• WPK 2.3: European Public Private Partnership for Resilience (EP3R)
• WPK 2.4: Implementing Article 13a

Page 10: Work Streams 2012

o WS3 – Supporting the CERT and other Operational Communities
• WPK 3.1: Support and enhance CERTs operational capabilities
• WPK 3.2: Application of good practice
• WPK 3.3: Support and enhance cooperation between CERTs, and with other communities
o WS4 – Securing the Digital Economy
• WPK 4.1: Economics of Security
• WPK 4.2: Security governance
• WPK 4.3: Supporting the development of secure, interoperable services

Page 11: Privacy is a human right

o “Everyone has the right to respect for his private and family life, his home and his correspondence.”
- Article 8 of The European Convention on Human Rights (adopted by the member states of The Council of Europe)
o “Everyone has the right to the protection of personal data concerning them”.
- Article 16, The Treaty of Lisbon, The Treaty on the Functioning of the European Union
o “Everyone has the right to the protection of personal data concerning him or her” [..] “Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.”
- Article 8, the Charter of Fundamental Rights of the European Union

Page 12: Privacy & Trust – Context

o Internet is open and distributed without authoritative control
o In terms of privacy a number of challenges are posed
• Data ‘pollution’ - data disseminated without control and replicated on multiple servers
• Contrary to humans, data lives forever
- emails (not only web mail), social networking sites, online collaborative spaces (e.g. Google docs)
o Contradictory positions
• Governments
- Demand accountability, data protection, data minimization, better privacy protection
- But also more access control to data, data retention, lawful interception
• Users
- Expressing concerns regarding privacy
- Some users willing to drop the concerns when benefits are offered

Page 13: Privacy & Trust in WP2011

o WPK 3.2 - Deploying Privacy & Trust in Operational Environments
• Report on minimal disclosure and other principles supporting privacy and security requirements
• Report on trust and reputation models. Evaluation and guidelines
• Study on monetizing privacy
o WPK 3.3 - Supporting the implementation of the ePrivacy Directive (2002/58/EC)
o Activities linked to
• Digital Agenda
- Policy dimension
• FI Initiative
- Research dimension

Page 14: Data Breach Notifications

o Review of ePrivacy Directive (2002/58/EC)
o Article 4
• In the case of a personal data breach, the provider of publicly available electronic communications services shall, without undue delay, notify the personal data breach to the competent national authority.
o ENISA activities
• 2010 – Review of current practices among MS
• 2011 – Consultation workshop on DBN (24th January)
• 2011 – Technological guidelines for implementation of Art. 4
- Practical and usable definition of a breach
- Criteria for determining a breach
- National and pan-European approaches
- Appropriate technological protection measures
- Identification and assessment of risks of breaches
- Procedures of notification

Page 15: Privacy & Trust in 2012

o Activities in collaboration with EC supporting actions of the Digital Agenda for the EU
o WPK 4.2 - Security governance
• Supply Chain Integrity
• Art 4, DBN continuation
o WPK 4.3 - Supporting the development of secure, interoperable services
• State of the art of certification schemes in the EU and beyond.
- Exploring the feasibility of implementing a pan-European scheme for trustmarks
• Privacy-by-design, promoting PETs and their possible economic benefits, smart metering and privacy

Page 16: Resilience – key concepts

o Definition from UK CPNI
• The equipment and architecture used are inherently reliable, secured against obvious external threats and capable of withstanding some degree of damage
o Ability to withstand stress and recover from it
• Non-telecommunications examples
- Tennis ball – compresses under stress (being hit) but recovers during flight
- Aircraft wing – flexes when stationary, becomes more rigid when giving lift, able to withstand transient stress from turbulence and maintain function
• Telecommunications examples
- Dual parenting, diverse routing, redundancy ...

Page 17: The role of taxonomy

o Classification
• Grouping like with like
• Common characteristics without view of individuals
o Exposing inheritance and differentiation
• What makes a tiger a tiger and not just a cat

Page 18: Representing a taxonomy

"The wonderful thing about standards is that there are so many of them to choose from." Grace Hopper

Page 19: Ontology and taxonomies – next steps

o Extraction of a “telecommunications technology taxonomy scheme” to be published as a standard (European and Global)
• A first draft was prepared in the ENISA report on resilience
o Develop guidance and tools to allow standards developers to use taxonomy and ontology
• Within security domain this will be part of the activity (planned) with ETSI TC MTS SIG Security
o Recommendation to use taxonomy and ontology at root of definition of complex systems:
• Resilience
• Privacy
• Cloud systems
o Guidance material through ETSI TC MTS
o Deployment through the Future Networks initiative in ETSI (TISPAN)

Page 20: Contact

European Network and Information Security Agency
Science and Technology Park of Crete (ITE)
P.O. Box 1309
71001 Heraklion - Crete – Greece
http://www.enisa.europa.eu