Developing a risk management culture
advertisement
Developing a risk management culture:
a Regulatory perspective
2nd ISACA Athens Chapter Conference
Andrea SERVIDA
European Commission
Directorate General
Communications Networks, Content and
Technology - DG CONNECTED
Task Force "Legislation Team (eIDAS)"
andrea.servida@ec.europa.eu
Risk management in:
• Past EU NIS & CIIP policies (2001 –
2011)
• The e-communication market regulation
(2009)
• The proposed eIDAS Regulation (2012)
• The forthcoming legislative proposal on
NIS (2013)
towards a "true security risk
management market"
Risk management
in past EU policies
on NIS & CIIP
Main Initiatives on NIS & CIIP at EU level
• Establishment of ENISA - Regulation (EC) No 460/2004
• The Strategy for a Secure Information Society
(COM(2006)251)
• The Commission Communication on Critical Information
Infrastructure protection (COM(2009) 149) proposing an
Action Plan
• Trust and Security chapter of the Digital Agenda for Europe
(COM(2010)245)
• The proposal to modernise ENISA (COM(2010)521)
• The second Commission Communication on CIIP of March 2011
'Achievements and next steps: towards global cyber-security’
(COM(2011) 163)
• The revised Regulatory Framework for electronic
communications – new security provisions including security
breaches notifications (Art. 13 a and b)
The overall policy approach
• Focus on prevention, resilience and preparedness
(complementary to fighting cyber crime)
• Take into account the civilian & economic stakeholders’ role
and capability (role of private sector & the governance
challenge)
• Make security and resilience the frontline of defence
• Adopt an all-hazards approach
• Develop a risk management culture in the EU
• Focus on the role socio-economic incentives
• Promote openness, diversity, interoperability, usability,
competition as inherent security safeguards
• Boost a global collaborative policy and operational cooperation
across the EU, in particular on CIIP
Some examples
NIS policy 2001
• Develop a security culture in the EU
• Awareness as the mechanism to "understand" the risks
• Promote market oriented security standards & certification
Strategy for a secure Information Society (2006)
• Trusted framework for collection of security incident data
• Private sector to "involve the insurance sector in developing
appropriate risk management tools and methods to tackle
ICT-related risks and foster a culture of risk management in
organisations and business (in particular in SMEs)."
Some examples (2)
CIIP policy of 2009 and 2011
• National and EU contingency plans
• "Internet resilience and stability principles": Good risk
management
"Good risk management by both the public and private sector is
critical to internet resilience. All stakeholders have a role to play
in ensuring that risks are understood, measured and
mitigated against appropriately. Good risk management
includes, but is not limited to, being aware of societal
dependencies on the Internet; ensuring responsibility and
accountability of each stakeholder for the effects of its action
on the stability and resilience of the Internet; putting in place
reasonable and proper contingency and fall-back strategies;
striving for an appropriate diversity of sources in the supply
chain of the technologies used on the Internet."
Risk management in the
e-Communication
regulatory framework
Security and integrity
the risk management framework
Art. 13a (1) and (2):
“1. Member States shall ensure that undertakings providing public
communications networks or publicly available electronic communications
services take appropriate technical and organisational measures to
appropriately manage the risks posed to security of networks and
services. Having regard to the state of the art, these measures shall
ensure a level of security appropriate to the risk presented. In particular,
measures shall be taken to prevent and minimise the impact of
security incidents on users and interconnected networks.
2. Member States shall ensure that undertakings providing public
communications networks take all appropriate steps to guarantee the
integrity of their networks, and thus ensure the continuity of supply
of services provided over those networks.”
••• 9
Security and integrity
Reporting
Art. 13a(3):
“3. Member States shall ensure that undertakings providing public
communications networks or publicly available electronic
communications services notify the competent national regulatory
authority of a breach of security or loss of integrity that has had
a significant impact on the operation of networks or services.
Where appropriate, the national regulatory authority concerned
shall inform the national regulatory authorities in other Member
States and the European Network and Information Security
Agency (ENISA). The national regulatory authority concerned
may inform the public or require the undertakings to do so, where it
determines that disclosure of the breach is in the public interest.
Once a year, the national regulatory authority concerned shall
submit a summary report to the Commission and ENISA on the
notifications received and the action taken in accordance with this
paragraph.”
••• 10
Security and integrity
technical implementing measures
Art. 13a(4):
”4. The Commission, taking the utmost account of the opinion of
ENISA, may adopt appropriate technical implementing measures
with a view to harmonising the measures referred to in
paragraphs 1, 2, and 3, including measures defining the
circumstances, format and procedures applicable to notification
requirements. These technical implementing measures shall be
based on European and international standards to the greatest
extent possible, and shall not prevent Member States from adopting
additional requirements in order to pursue the objectives set out in
paragraphs 1 and 2.
These implementing measures, designed to amend non-essential
elements of this Directive by supplementing it, shall be adopted in
accordance with the regulatory procedure with scrutiny referred to in
Article 22(3).”
••• 11
Implementation and enforcement
Art. 13(b):
1.Member States shall ensure that in order to implement Article 13a,
competent national regulatory authorities have the power to
issue binding instructions, including those regarding time limits for
implementation, to undertakings providing public communications
networks or publicly available electronic communications services.
2. Member States shall ensure that competent national regulatory
authorities have the power to require undertakings providing public
communications networks or publicly available electronic
communications services to:
a) provide information needed to assess the security and/or integrity of
their services and networks, including documented security policies; and
b) submit to a security audit carried out by a qualified independent body or a
competent national authority and make the results thereof available to the
national regulatory authority. The cost of the audit shall be paid by the
undertaking.
3. Member States shall ensure that national regulatory authorities have
all the powers necessary to investigate cases of non-compliance and the
••• 12
effects thereof on the security and integrity of the networks.
Technical guidelines on reporting security
breaches by ENISA
••• 13
e-Communications security and resilience
ENISA good practices
• Technical Guidelines on Reporting Incidents – Guidance on
incident reporting scheme in Article 13a
• Shortlisting network and information security standards and
good practices
• Technical for Minimum Security Measures – Guidance on the
security measures in Article 13a
• Implementation of Article 4 - Recommendations for the
technical implementation of the Article 4 of the ePrivacy Directive
• Incentives and barriers of the cyber insurance market in Europe
• Annual incidents reports 2011
• Inter-X: Resilience of the Internet Interconnection
Ecosystem
• …
Risk management
EU policy on electronic identification,
authentication and signature
(eIDAS)
What is the economic interest in
electronic identity?
A recent view from "The Value of our Digital Identity" by Liberty Global, Inc. With
permission of Boston Consulting Group, Inc.*
"Digital Identity"
Individual
preferences
What do
you like?
Acquired attributes
What did
you do?
Inherent
characteristics
Where do
you come
from?
Digital
Identity
sum of all
digitally
available
information
about an
individual
Economic value of applications built on the use of digital identity for both publicand private-sector organisations
€330 billion in Europe by 2020
Consumer benefit
annually by 2020
more than double the organisational value - €670 billion
Combined total digital identity value could amount to roughly 8% of the EU-27 GDP
* http://www.lgi.com/PDF/public-policy/The-Value-of-Our-Digital-Identity.pdf
16
What is the economic interest in electronic
identity?
Why is this question important?
"Personal data is the currency of today's
digital market."*
*Speech by Viviane Reding Vice-President of the European Commission, EU Justice
Commissioner “The EU Data Protection Reform 2012: Making Europe the Standard Setter
for Modern Data Protection Rules in the Digital Age” Innovation Conference Digital, Life,
Design Munich, 22 January 2012
http://ec.europa.eu/commission_2010-2014/reding/pdf/speeches/s1226_en.pdf
17
"Digital identity" vs electronic identification
and trust services (eIDAS)
Personal
data = digital
currency
Digital identity
USER
ENABLEMENT
"economic" drive
vs
eIDAS
"trust-building"
drive
Trusted
assertions/
credentials
USER
EMPOWERMENT
Personal
data = private
asset
18
Rolling out eIDAS: the EU approach
Technical
interoperability
2 tiers
approach
Legal
certainty
WHY?
19
Large Scale Pilots (LSPs)
Interoperable eprocurement
19 partners
11 countries
Total Budget
30.8M€
Electronic Identity
32 partners
14 countries
Total Budget
26M€
Patient
Summary/ePrescri
bing
47 partners
23 countries
Total Budget
23M€
Business mobility
33 partners
16 countries
Total Budget
24M€
eJustice
17 partners
15 countries
Total Budget
14M€
20
European Commission legislative proposal
on eIDAS
Proposal for a Regulation of the European Parliament
and of the Council on
"Electronic identification and trust services for
electronic transactions in the internal market"
(COM(2012) 238 final)
{SWD(2012) 135 final}
{SWD(2012) 136 final}
21
eIDAS in the EU
• Electronic ID cards exist in 7 MS: Belgium, Estonia,
Finland, Germany, Italy, Portugal and Spain.
• Other forms of e-ID, like citizen cards, service cards
and access tokens are used in 10 MS: Austria, Czech
Republic, Denmark, Estonia, Ireland, Lithuania,
Luxembourg, The Netherlands, Slovenia and
Sweden.
• e-Signature: Directive 1999/93/EC transposed in all
MS
22
What is the Commission proposal's
ambition?
• Provide legal framework for the development
of a trustworthy environment to facilitate and
enable cross-border secure services and to
stimulate business opportunities
23
How?
1. By ensuring that people and businesses
can use and leverage across borders their
national eIDs to access at least public
services in other EU countries.
24
How?
2. By removing the barriers to the internal
market for e-Signatures and related online
trust services across borders
i.e. by ensuring that trust services have
the same legal value as in traditional
paper based processes.
25
What is the scope of the proposed
Regulation?
1. Mutual recognition of electronic identification
2. Electronic trust services:
1. Electronic signatures interoperability and usability
2. Electronic seals interoperability and usability
3. Cross-border dimension of:
1. Time stamping,
2. Electronic delivery service,
3. Electronic documents admissibility,
4. Website authentication.
26
Article 15 "Security requirements applicable to trust service
providers"
1. Trust service providers who are established in the territory of the
Union shall take appropriate technical and organisational
measures to manage the risks posed to the security of the trust
services they provide. Having regard to state of the art, these
measures shall ensure that the level of security is appropriate
to the degree of risk. In particular, measures shall be taken to
prevent and minimise the impact of security incidents and
inform stakeholders of adverse effects of any incidents.
Without prejudice to Article 16(1), any trust service provider may
submit the report of a security audit carried out by a recognised
independent body to the supervisory body to confirm that appropriate
security measures have been taken.
Article 15 "Security requirements applicable to trust service
providers"
2. Trust service providers shall, without undue delay and where
feasible not later than 24 hours after having become aware of it,
notify the competent supervisory body, the competent
national body for information security and other relevant third
parties such as data protection authorities of any breach of
security or loss of integrity that has a significant impact on
the trust service provided and on the personal data maintained
therein.
[…..]
3. The supervisory body shall provide to ENISA and to the
Commission once a year with a summary of breach notifications
received from trust service providers.
Risk management in the forthcoming
legislative proposal on
Network and Information security
Legislative proposal on Network and Information
Security (NIS) – Article 114 TFEU
PREPAREDNESS
National capabilities
EU-LEVEL
COOPERATION
comparable
capabilities and
mutual trust
A high level of NIS and
smooth functioning of
the internal market
A CULTURE OF NIS ACROSS SECTORS
NIS risk management and Public-Private cooperation
Legislative proposal on Network and Information
Security (NIS) – Article 114 TFEU
Key elements (1/3)
• Common NIS requirements at national level
National NIS strategy and NIS cooperation
plan
National NIS competent authority
Computer Emergency Response Team (CERT)
Legislative proposal on Network and Information
Security (NIS) – Article 114 TFEU
Key elements (2/3)
• NIS competent authorities to cooperate within
a network at EU level – NIS cooperation plan
Early warnings and coordinated response
Capacity building and peer reviews
NIS exercises at EU level
Legislative proposal on Network and Information
Security (NIS) – Article 114 TFEU
Key elements (3/3)
• Risk management requirements and obligation
to report significant incidents to the NIS
competent authorities for players in:
Energy – electricity and gas
Credit institutions and stock exchanges
Transport – air, maritime, rail
Healthcare
Enablers of key Internet services
Public administrations
Thanks!
For further information and feedback
http://ec.europa.eu/information_society/policy/esignature/eu_legislation/r
egulation
http://ec.europa.eu/information_society/policy/esignature
CNECT-TF-eIDAS-LT@ec.europa.eu
Web Sites
• EU policy on Critical Information Infrastructure Protection
– CIIP
http://ec.europa.eu/information_society/policy/nis/strat
egy/activities/ciip/index_en.htm
• A Digital Agenda for Europe
http://ec.europa.eu/information_society/digitalagenda/index_en.htm
• EU policy on promoting a secure Information Society
http://ec.europa.eu/information_society/policy/nis/index
_en.htm
• European principles and guidelines for Internet resilience
and stability
http://ec.europa.eu/information_society/policy/nis/docs
/principles_ciip/guidelines_internet_fin.pdf
Links to policy documents
• Council conclusions on Critical Information Infrastructure Protection
http://register.consilium.europa.eu/pdf/en/11/st10/st10299.en11.pdf
• Commission Communication on Critical Information Infrastructure
Protection – "Achievements and next steps: towards global cyber-security"
- COM(2011) 163
http://ec.europa.eu/information_society/policy/nis/docs/comm_2011/co
mm_163_en.pdf
• Digital Agenda for Europe - COM(2010)245 of 19 May 2010
http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0245:FIN:EN:PDF
• The EU Internal Security Strategy in Action: Five steps towards a more
secure Europe COM(2010)673
http://ec.europa.eu/commission_20102014/malmstrom/archive/internal_security_strategy_in_action_en.pdf
• Commission Communication on Critical Information Infrastructure
Protection – "Protecting Europe from large scale cyber-attacks and
disruptions: enhancing preparedness, security and resilience" - COM(2009)
149
http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0149:FIN:EN:PDF
