European Union Agency for Network and Information Security

Getting ready for the next European Cyber Security Challenge

Fri, 03/17/2017 - 10:20

The first meeting of the representatives participating in the European Cyber Security Challenge 2017 (ECSC'2017) took place in Brussels on 15 and 16 March.

A number of topics were addressed during the two days relating to the governance of the ECSC competitions, the lessons learned from ECSC'2016 as well as the planning for the ECSC'2017 final event which will take place in November in Spain.

For further information on the European Cyber Security Challenge please refer to http://www.europeancybersecuritychallenge.eu/

Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:

http://www.enisa.europa.eu/media/news-items/news-wires/RSS

PRs:

http://www.enisa.europa.eu/media/press-releases/press-releases/RSS

Gaps in NIS standardisation: Mapping the requirements of the NIS Directive to specific standards

Wed, 03/15/2017 - 13:30

The aim of the study is to provide a mapping of the technical requirements of the NIS Directive to existing standards, to identify gaps and overlaps in related standardisation and provide recommendations for the future work in this area.

The report identifies a relatively small number of gaps and areas of overlap in standardisation where there is no clear best practice to be adopted, partly due to the diversity of the current standardisation ecosystem. This leads to several recommendations:

a) It is recommended that the European Commission, with the support of the Member States and pursuant to the NIS Directive, adopt a standards-based framework for the exchange of threat and defensive-measure information that affects the functioning of Network Information Infrastructure (NII). The capabilities of such a framework underscore NII as a critical infrastructure of the EU and its Member States and can further act as a manual and reference point.

b) ENISA urges the adoption of open standards in threat exchange, which translates into increased interoperability and improved cooperation and information sharing. In this context, the risk analysis and defensive-measure capabilities defined in current standards should be extended to allow Member States to address the Network Information Infrastructure and NIS provisions necessary to mitigate risk at both national and regional level.

c) At another level, it will be useful to highlight the similarities between the US Cybersecurity Act and the NIS Directive and promote possible synergies in the application of standards.

The publication coincides with the announcement of the European Commission’s Rolling Plan for ICT Standardisation, which aims at providing a bridge between EU policies and standardisation activities in the area of ICT.

Full report available online. For more on the subject and for press enquiries please contact press@enisa.europa.eu, Tel. +30 2814 409576

#APF17: Call for Papers

Thu, 03/09/2017 - 10:15

This year’s edition is organised in the light of the implementation of the newly promulgated General Data Protection Regulation (GDPR) and the recent EC proposal for a Regulation on Privacy and Electronic Communications. Even the best legislative efforts face the challenge of keeping pace with innovative technology and business models that challenge the way personal data is processed and privacy is protected across the EU and beyond; examining what is at stake and where the threats to it originate therefore becomes of paramount importance.

Get involved to:

  • learn from the professionals in the field
  • participate in a high level debate
  • discover the trends for the future
  • network with key players in privacy and NIS

The call for papers is open until 31 March. To submit your paper please use the conference’s EasyChair page.

Call for papers: At APF 2017, we invite papers presenting original work on the themes of data protection and privacy and their repercussions on technology, business, government, law, society, policy and law enforcement. Interdisciplinary approaches that help bridge the gap between research, business models and policy are in high demand, as are proposals for new models and interpretations.

Multidisciplinary papers are particularly welcome, making explicit how the presented work can contribute to bridging the gap between research and policy.

Contributions from policy makers, representatives of competent authorities such as Data Protection Authorities, industry experts, NGOs and civil society associations are particularly welcome. Detailed information, including the topics research and opinion papers should address, is available at: http://privacyforum.eu/call-for-papers

Submissions must be written in English, should not exceed 8000 words and need to comply with the Springer LNCS style guide. Authors must submit their papers by the deadline indicated on the conference web site and follow the requirements stated there. Papers will be published in the proceedings of the conference with a publishing house soon to be selected and announced.

Related material:

  • APF 2016 report
  • Last year in Frankfurt at APF 2016, ENISA and its partners proposed a technology readiness platform for privacy enhancing technologies. A report on the current situation and the roadmap of the ongoing project is available online


To receive the latest news and updates sign up for the RSS feeds, follow #APF17  and #PrivacyForum_EU on twitter and the dedicated site http://privacyforum.eu/


About APF 2017:
ENISA, DG CONNECT, and the Law Faculty of the University of Vienna, Arbeitsgruppe Rechtsinformatik, jointly organise the two-day event with the objective of providing a forum to academia, industry and policy makers.

For information please contact the APF Committee via the following link

For press enquiries please contact press@enisa.europa.eu, Tel. +30 2814 409576

ENISA and national supervisory bodies agree reporting scheme on security incidents for European TSPs

Wed, 03/01/2017 - 10:55

ENISA publishes its security incident reporting framework for TSPs (Trust Service Providers) in the context of the new European eIDAS regulation.

ENISA supports supervisory bodies with the implementation of national incident notification schemes. The objective of this proposal is to support efficient and harmonized incident notification schemes across the European Union.

The document was produced in close collaboration with representatives from the European Commission, national supervisory bodies and other competent authorities in the field of trust services.

The Agency has also developed a tool which enables supervisory bodies to submit their national reports to ENISA and the Commission. Over the next year, ENISA will further work on the analysis of the collected data by developing a visualisation tool.

 

Full report available here

For interviews and press enquiries please contact press@enisa.europa.eu, Tel. +30 2814 409576

Guidelines on Incident Notification for Digital Service Providers

Tue, 02/28/2017 - 10:42

The EU’s first mandatory incident notification requirements for DSPs, part of the first EU-wide set of rules on cyber security, are a major step towards achieving a common level of cyber security across the Union. ENISA’s comprehensive technical guideline supports stakeholders in addressing mandatory incident notification for Digital Service Providers (DSPs) in the context of the NIS Directive. Based on the requirements of the Directive and valuable input from Member States and from DSPs directly affected by the Directive, the guideline covers the following topics:

  • identifying types of incidents to be reported
  • definitions and clarifications on parameters and thresholds
  • defining substantial incidents
  • description of the incident reporting process and the stakeholders involved
  • cross border sharing of incidents
  • identification of DSPs

This report represents an outline technical proposal used as input for the discussions regarding the implementation of article 16 of the NIS Directive, concerning mandatory incident notification for DSPs.

The full report is available here

For media and press enquiries please contact press@enisa.europa.eu, Tel: +30 2814 409576

ENISA participates at first formal CSIRT Network Meeting

Thu, 02/23/2017 - 14:35

The CSIRT Network, as defined by the NIS Directive, held its first formal meeting, organised by the Maltese Presidency in Sliema, Malta, on 22 and 23 February. ENISA, along with representatives from the European CSIRT community, CERT-EU and the European Commission:

  • Presented work relevant to the group's capabilities and their improvement
  • Adopted the Terms of Reference and Rules of Procedure that define the group

Among other things, the CSIRT Network adopted its short-term goals for the next 18 months and formed the Working Groups that will carry them out.

More about the meeting is available here.

Security Measures for Digital Service Providers

Thu, 02/16/2017 - 13:55

ENISA issues this report to assist Member States and DSPs in establishing a common approach to the security measures for DSPs. The study describes high-level security objectives, together with security measures and implementation examples, for DSPs and in particular:

  • Cloud computing service providers
  • Online marketplaces
  • Online search engines


With this study ENISA aims to:

  • Define common baseline security objectives for Digital Service Providers (DSPs). 
  • Describe different levels of sophistication of security measures which fulfil the abovementioned security objectives
  • Map the security objectives against well-known industry standards, national frameworks and certification schemes.

The report, together with other relevant technical standards, has been used as input to the discussions on the implementation of article 16(1) of the NIS Directive concerning the security measures of DSPs.

The NIS Directive aims to develop cybersecurity capabilities across EU Member States. Commonly defined security measures can support harmonised security practices across Member States and potentially enhance the overall level of NIS in the EU.

 
Full report available online

For interviews and press enquiries please contact press@enisa.europa.eu, Tel. +30 2814 409576

ENISA study on the security aspects of virtualization

Fri, 02/10/2017 - 13:32

The final objective is to provide the basis to understand the main issues and challenges related to the security in virtualization, and provide a look at common best practices to implement a secure virtualised environment.

Virtualization refers to the set of techniques used to create a virtual version of real components, including computer hardware platforms, operating systems, storage and networking. It now underpins server and desktop infrastructures, cloud computing, networking and containerization.

Virtualized environments are pervasively adopted and are therefore increasingly becoming targets of cyber-attacks. Increasingly elaborate and specialized attacks are being devised to exploit vulnerabilities and weaknesses at the virtualization layer. The recent and widespread adoption of virtualization technologies has changed the traditional view of ICT, as virtualization can provide a dramatic increase in the efficiency and effectiveness of complex organizations and communities. It is also expected to constitute an important technological pillar of a thriving data-driven economy and the European digital single market.

However, virtualization technologies carry a number of security risks. Some are shared with traditional computing environments, including issues affecting operating systems, communication protocols and applications, and these can be exacerbated by the presence of virtualized components, producing a greater security impact. On the other hand, virtualization also introduces a number of specific security issues requiring ad hoc solutions.


Full report is available online

For interviews and press enquiries please contact press@enisa.europa.eu, Tel. +30 2814 409576

ENISA issues Smartphone Development Guidelines

Fri, 02/10/2017 - 08:42

The document is written for developers of smartphone applications as a guide for developing secure mobile applications and defending against mobile attacks.

Every day, new applications are built for different mobile platforms, bringing along also new attacks.

Poorly built applications can lead to data theft and/or financial loss[1]. To protect end users and to ensure safe and secure communications, the security of mobile applications is a key priority for mobile application developers.

Following the success of the first edition of the Smartphone Development Guidelines, ENISA publishes an update to the document, and adds new sections to address recent developments, such as the use of biometric sensors, application integrity, and client side injections.  The guidelines aim to cover the entire spectrum of attacks which developers of smartphone applications should consider when building mobile apps. These include:

  • Identify and protect sensitive data
  • User authentication, authorization and session management
  • Handle authentication and authorization factors securely on the device
  • Ensure sensitive data protection in transit
  • Secure the backend services and the platform server and APIs
  • Secure data integration with third party code
  • Consent and privacy protection
  • Protect paid resources
  • Secure software distribution
  • Handle runtime code interpretation

In addition, new sections have been added to cover new attacks that abuse biometrics and client-side components:

  • Device and application integrity
  • Protection from client side injections
  • Correct usage of biometric sensors

 

Full report is available online

For interviews and press enquiries please contact press@enisa.europa.eu, Tel. +30 2814 409576

[1] https://www.hackread.com/starbucks-mobile-app-hacked-data-stolen/

Analysis of security measures deployed by e-communication providers

Thu, 02/09/2017 - 12:32

This document focuses on the security measures providers have deployed to protect networks for the provision of services, and equally important, for the personal and operational data of their customers. The report is targeted primarily at e-communication providers, and at a second level, to National Regulatory Authorities as members of ENISA’s Article 13a Experts Group.

Most providers report a very good level of adoption of ENISA's recommendations on security requirements, and virtually all providers have deployed a good level of basic security controls. In some security domains, the level of maturity reported is high, as is the sophistication of the implemented controls.

It is important that providers of electronic communications take appropriate measures to address major security concerns. A key conclusion is that while all IT security basics are covered, reaching the next level of maturity is impeded mostly by a lack of sustainability mechanisms, i.e. repeatable processes and regularly maintained documentation.

The main recommendation for the providers - based on the reported deployment of security measures - is to pay additional attention to sustainability and efficiency. This is best achieved by the adoption of Service Management frameworks and creating a series of processes that include measurement and periodic reviews of security controls and capabilities in all domains.

Full report is available here

For interviews and press enquiries please contact press@enisa.europa.eu, Tel. +30 2814 409576

#SaferInternetDay: Be the change - Unite for a better internet

Tue, 02/07/2017 - 11:35

Find out what is happening in your country by checking the Safer Internet Day website.

Follow the activities on twitter #SID2017 #SaferInternetDay

For online resources visit www.betterinternetforkids.eu and check the European Commission's activities on Better Internet for Kids and Information by the EC.

                                                     ----------------------------

Furthermore, on the occasion of the day, ENISA issues its new studies on privacy and security in personal data clouds, cyber hygiene practices and a report on the deployment of the 2016 European Cyber Security Month. To find out more in specific areas of interest go through ENISA’s reports and training material.

 

 

Privacy and Security in Personal Data Clouds

Under its 2016 work programme, a new study on privacy and security in Personal Data Clouds, also known as Personal Data Vaults or Personal Data Stores, aims to identify the different architectures and components of PDCs and lay out their privacy and security challenges.

Personal data clouds (PDCs) aim to provide end users with the typical data collection and storage capabilities of data management systems, and also to help end users regain control over their data. PDCs ideally embed privacy-enhancing elements allowing users to determine on their own how they want their data to be managed, in and outside of the solution, and with whom it should be shared.

The study presents a “state of the art” analysis of the security and privacy features of PDCs, based on an empirical analysis of various applications that fall under or are close to the definition of PDCs. The report assesses to what extent current PDC solutions, whether available on the market or in a research and development phase, are supported by functionalities that enhance the level of security and privacy offered by enabling users to take decisions over their data and, ideally, apply them (user-centric model). Given the considerable attention mobile health applications have been receiving, the study particularly identifies privacy-enhancing features adopted by certain PDCs in the health sector.

For the full report

                                             -------------------------------


Cyber hygiene practices

Cyber hygiene is a fundamental principle of information security and, as the analogy with personal hygiene shows, amounts to establishing simple routine measures to minimise the risks from cyber threats, specifically for SMEs. Good cyber hygiene practices can drive increased immunity across businesses. However, the variation between national practices leads to uncertainty and confusion over what needs to be implemented. A uniform approach to cyber hygiene which allows businesses to establish security trust across national borders would drive improvements across the board.

Full report available online

                                        -------------------------------


European Cyber Security Month 2016 – Deployment report

The European Cyber Security Month (ECSM) is a key part of the EU's Cybersecurity Strategy to increase people's awareness of the key role they can play in ensuring the security of networks and information systems. The primary purpose of cyber security awareness campaigns is to influence the adoption of secure behaviour online. Last year’s ECSM took place across 32 countries focusing on security in banking, cyber safety, cyber training and mobile malware.

For more info visit https://www.enisa.europa.eu/news/enisa-news/ecsm and https://cybersecuritymonth.eu/

"Cyber security is a shared responsibility – Stop. Think. Connect."

Full report available online

For press enquiries please contact press@enisa.europa.eu, Tel. +30 2814 409576

Challenges of security certification in emerging ICT environments

Mon, 02/06/2017 - 15:03

ENISA issues today its report on the Challenges of security certification in emerging ICT environments. The report is targeted at EU Member States (MS), the Commission, certification bodies and the private sector, and provides a thorough description of the cyber security certification status concerning the most critical equipment in various critical business sectors.

The study contains information on the certification of devices in five business sectors namely, electricity, healthcare, information and communication technology, railway and water transport. It describes the situation in the EU, and discusses the advantages and challenges towards a more harmonised certification practice.

The key finding of the report is that every sector has its own functional and security challenges, which makes the target of a common certification framework a challenge in itself. Based on desk research and expert validation, an analysis of the existing frameworks and standards is carried out to identify certification drivers, best practices and candidate products for certification in the five selected sectors. Finally, an aggregated table is provided which briefly summarises the certification drivers, the market situation and the recommendation for certification for each identified device.

For the full report

For interviews and press enquiries please contact press@enisa.europa.eu, Tel. +30 2814 409576

The power of sharing: ENISA report on cyber security information sharing in the energy sector

Fri, 02/03/2017 - 14:22

The report first identifies existing CSIRTs (Computer Security Incident Response Teams), ISACs (Information Sharing and Analysis Centres) and information sharing initiatives in the energy sector, analyses problems and shortcomings, and identifies good practices to facilitate the cyber security information sharing in this sector. Furthermore the report provides recommendations to address identified problems and shortcomings.

Key findings include:

• Trust is a key component of information sharing.

• Participants in information sharing initiatives are more committed and willing to contribute information when their organisation backs them. Time, resources and knowledge are some of the constraints faced by participants that may hinder information sharing.

• Only a few energy sector specialists have an in-depth understanding of both the complexities of energy systems and cyber security.

• Energy security issues are often addressed only at the Member State level, with a purely national focus, without taking into account the interdependence of Member States in multiple aspects of the energy area, including cyber security.

• The legal and policy context is complex and fragmented.

• The quality of the shared information is not always at the required level, due to inconsistent use of the applicable taxonomy for example.

• There is a need to create public-private partnerships when sharing information.  

• Information is shared between heterogeneous players.

• Many companies in the sector give more importance to the safety of their physical infrastructure than to the security of their computer and process systems and data.

• Few good practices have been identified on the subject, and the current information sharing initiatives lack visibility within companies in the energy sector.

The report is primarily addressed at national and governmental CSIRTs and other types of CSIRTs with activities and constituencies in the energy sector. Policy and lawmakers, notably the European Commission at the EU level, public and private organisations with an interest in NIS, and interested parties engaged in information sharing initiatives within the energy sector - including energy operators -  are also intended audiences.

Full report available here

For press enquiries please contact press@enisa.europa.eu, Tel. +30 2814 409576

ENISA online training material updated and extended

Thu, 02/02/2017 - 12:25

The new training material provides a step-by-step guide on how to address and respond to incidents, as an incident handler and investigator, teaching best practices and covering both sides of the breach. The material is technical and aims to provide a guided training both to incident handlers and investigators, while providing lifelike conditions. The training material mainly uses open source and free tools.

New topics in the training material cover the following aspects of Forensic Analysis:

  • Local Incident Response
  • Network Incident Response
  • Webserver analysis

The material can be found online.

Furthermore, the updated training material provides what is needed to perform table-top exercises in the areas of:

  • Incident Handling Management
  • Developing CSIRT Infrastructure
  • Recruitment of CSIRT Staff

More info available online.

For interviews and press enquiries please contact press@enisa.europa.eu, Tel. +30 2814 409576

ENISA study into taxonomies for incident detection and prevention

Mon, 01/30/2017 - 12:45

The study i) performs a qualitative assessment on an indicative taxonomy landscape, ii) identifies use cases that would benefit from the use of taxonomies iii) provides a comparison among a variety of related and unrelated taxonomies in order to identify commonalities and differences iv) analyses the complexity of taxonomies in terms of malware incidents in order to illustrate the different ways of describing the same context available in the current landscape.

In particular, for each use case a requirement that a taxonomy should fulfil was identified. These use cases include: i) recording events from different sources, ii) automatic de-duplication, iii) ability to export to other taxonomies, iv) ability to aggregate and search events in the data, v) ability to exchange data with other CSIRTs, vi) feeding threat intelligence and vii) incident report management.

Good practices and recommendations

A set of good practices which take into account the shortcomings of taxonomies, as identified by CSIRTs during the study, highlight that:

  • the top level categorisation of a taxonomy should be simple
  • the categories within a taxonomy should be mutually exclusive
  • taxonomies should support performance measurement
  • taxonomies should have an appropriate level of ease of use

Key recommendations include:

  • A centralised repository for hosting all relevant taxonomies along with their versions should be set up by ENISA. This would be of great benefit to the CSIRT community, as it would not only allow the selection of appropriate taxonomies for specific use cases but may also provide a general overview of which taxonomies, or variations thereof, are used by CSIRTs, which may be particularly useful for keeping statistics.

  • A small set of common taxonomies should be agreed upon by CSIRTs at the EU level for specific use cases. This would provide examples of taxonomies based on the requirements of the CSIRTs Network, which can either be implemented as they are or used as the basis for a modified version, saving the time and effort that would otherwise be spent researching taxonomies.

  • Growth in the “Other” or “Unknown” categories, or repeated use of the same free-text “Tag” value, should be treated by taxonomy owners as an indicator that the taxonomy needs revision. For example, a ransomware incident should be categorised as ransomware, but the type of ransomware (such as CryptoLocker) is also relevant; if the same tag is used repeatedly for it, that may indicate the need for a new field.

  • A roadmap towards standardised exchange formats in the CSIRT community should be established at the EU level by the CSIRTs Network. Such a roadmap should at least consider: having CSIRTs agree on use cases, definitions and concepts from an operational point of view for each use case; performing a quantitative assessment (in addition to the qualitative assessment in this study) of the taxonomies used; a centralised repository for taxonomies; and a list of tags/values that can apply across taxonomies.

Key conclusions of the study, highly relevant for CSIRTs, indicate that:

  • Taxonomies currently lack terms to properly handle the following: the impact of an incident, incidents with no malicious intent, explicit fields for ransomware, whether the incident is confirmed, and the differentiation between intrusion attempts and intrusions.
  • The identified areas for potential improvement of existing taxonomies concern the complexity, contextual information, mutual exclusivity or ambiguity, performance measurement, impact, sensitivity, confidentiality and purpose of taxonomies.
  • There is currently no consensus on concepts and definitions related to taxonomies. Clear definitions reflecting the operational interpretation of the CSIRTs should be considered a key success factor in increasing cooperation between EU Member States.
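To make the taxonomy requirements listed above concrete (events recorded from different sources, automatic de-duplication, export to another taxonomy, aggregation, mutually exclusive categories, and treating growth of the “Other”/“Unknown” bucket or a repeated free-text tag as a signal to revise), the following Python module is an added illustration and is not code from ENISA, the study, or any CSIRT taxonomy project. The two taxonomies, their mapping table, the de-duplication key (asset, minute, category) and the sample event feed are all constructed for this example; they are not real taxonomies or real incident data.

```python
"""Toy incident-taxonomy tooling: mutual-exclusivity check, de-duplication across
sources, export to a second taxonomy, aggregation, and an Other/Unknown revision
signal. Constructed example; the taxonomies and events below are not real."""
from collections import Counter
from dataclasses import dataclass
import hashlib

# Hypothetical taxonomy A: top-level category -> set of subcategories.
TAXONOMY_A = {
    "malicious-code": {"ransomware", "trojan", "worm"},
    "intrusion": {"privilege-escalation", "compromised-account"},
    "intrusion-attempt": {"exploit-attempt", "brute-force"},
    "other": {"other", "unknown"},
}

# Hypothetical export mapping from A's subcategories to a coarser taxonomy B.
A_TO_B = {
    "ransomware": "malware", "trojan": "malware", "worm": "malware",
    "privilege-escalation": "intrusion", "compromised-account": "intrusion",
    "exploit-attempt": "attempted-intrusion", "brute-force": "attempted-intrusion",
}


def check_mutually_exclusive(taxonomy):
    """Return subcategories listed under more than one top-level category."""
    seen = Counter(sub for subs in taxonomy.values() for sub in subs)
    return sorted(sub for sub, n in seen.items() if n > 1)


@dataclass(frozen=True)
class Event:
    source: str          # feed or CSIRT that reported the event
    asset: str           # affected host
    observed: str        # ISO-8601 timestamp
    category: str        # subcategory from taxonomy A
    tag: str = ""        # optional free-text tag


def dedup_key(ev):
    """Same asset, same minute, same category -> same incident, whichever feed reported it."""
    raw = f"{ev.asset}|{ev.observed[:16]}|{ev.category}".encode()
    return hashlib.sha256(raw).hexdigest()


def deduplicate(events):
    seen, unique = set(), []
    for ev in events:
        key = dedup_key(ev)
        if key not in seen:
            seen.add(key)
            unique.append(ev)
    return unique


def export_to_b(ev):
    """Map an A-classified event to taxonomy B; unmapped categories fall into B's 'other'."""
    return A_TO_B.get(ev.category, "other")


def revision_signals(events, other_ratio=0.2, tag_repeat=3):
    """Flag when the Other/Unknown share or a repeated tag suggests the taxonomy needs work."""
    total = len(events)
    others = sum(1 for e in events if e.category in TAXONOMY_A["other"])
    signals = []
    if total and others / total >= other_ratio:
        signals.append(f"other/unknown is {others}/{total} of events; revise taxonomy")
    for tag, n in Counter(e.tag for e in events if e.tag).items():
        if n >= tag_repeat:
            signals.append(f"tag '{tag}' used {n} times; consider a dedicated field")
    return signals


# Constructed sample feed: two feeds report the same srv01 incident within one minute.
SAMPLE_EVENTS = [
    Event("feed-1", "srv01.example", "2017-01-30T10:05:00", "ransomware", "cryptolocker"),
    Event("feed-2", "srv01.example", "2017-01-30T10:05:30", "ransomware", "cryptolocker"),
    Event("feed-1", "srv02.example", "2017-01-30T11:00:00", "ransomware", "cryptolocker"),
    Event("feed-1", "srv03.example", "2017-01-30T12:00:00", "ransomware", "cryptolocker"),
    Event("feed-3", "ws07.example", "2017-01-30T11:20:00", "brute-force"),
    Event("feed-3", "ws08.example", "2017-01-30T11:25:00", "unknown"),
]


def run(events=SAMPLE_EVENTS):
    unique = deduplicate(events)
    return {
        "exclusive": check_mutually_exclusive(TAXONOMY_A) == [],
        "unique": len(unique),
        "exported": Counter(export_to_b(e) for e in unique),  # aggregation in taxonomy B
        "signals": revision_signals(unique),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

On the constructed feed the two srv01 reports collapse into one incident, the three ransomware events aggregate to "malware" in taxonomy B, and both revision signals fire: the "unknown" event is one fifth of the de-duplicated set and the "cryptolocker" tag recurs three times, which is the kind of evidence the study suggests should prompt an explicit ransomware field rather than a free-text tag.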

 

Full report available online

For interviews and press enquiries please contact press@enisa.europa.eu Tel. +302814409576


Security for Privacy on Data Protection Day

Fri, 01/27/2017 - 14:12

The date marks the anniversary of the Council of Europe's Convention 108 on the protection of personal information, the first legally binding international law in the field of data protection.


Guidelines for SMEs on the security of personal data processing

ENISA shares some of its work in the field of data protection and privacy, with a focus on the security of personal data processing. The latest report, 'Guidelines for SMEs on the security of personal data processing', aims to assist in the implementation of the personal data protection regulatory framework by promoting the adoption of security measures to protect privacy.

According to the General Data Protection Regulation, security equally covers confidentiality, integrity and availability, and should be considered following a risk-based approach: the higher the risk, the more rigorous the measures that the controller or the processor needs to take in order to manage the risk. On this basis, and as part of its continuous support for EU policy implementation, the report focuses on SMEs acting either as data controllers or as data processors, and facilitates their understanding of personal data processing operations and, subsequently, of the assessment of the associated security risks.

The objectives of the study are to help SMEs understand the context of a personal data processing operation and subsequently assess the associated security risks. Based on that assessment, the study also proposes possible organisational and technical security measures for the protection of personal data that are appropriate to the risk presented. These measures can be adopted by SMEs in order to achieve compliance with the General Data Protection Regulation (GDPR).

Full report available online

Further work on privacy and data protection by ENISA includes:

PETs controls matrix

The PETs controls matrix is a systematic approach and tool for assessing online and mobile privacy tools for end users. The ‘PETs control matrix’ can facilitate a standardised and clear presentation of different privacy tools, thereby supporting comparative assessments. More in the following link.

Annual Privacy Forum

ENISA’s Annual Privacy Forum (APF) is to be held on the 7th and 8th June 2017 in Vienna, at the University of Vienna, Faculty of Law. The event provides a forum for academia, industry and policy makers to discuss privacy and data protection topics. The call for papers for the 2017 APF is now open; submissions are accepted until 31 March 2017.

Stay connected through the RSS feeds, #PrivacyForum_EU on twitter, and the dedicated site http://privacyforum.eu/


Being smart about cybersecurity: ENISA at Omnisecure conference

Wed, 01/18/2017 - 15:15

Image source courtesy Omnisecure

ENISA participated this year in a number of sessions throughout the conference in the areas of National Cyber Security Strategies (NCSS), the NIS Directive and the Payment Services Directive (PSD2). The Agency also related these areas to other policy areas through its approach to cybersecurity stakeholders and EU cooperation, taking into account the financial impact on the various actors.

ENISA’s key roles in NCSS include leveraging existing knowledge and expertise in the area, and assisting the Member States (MS) in evaluating current strategies and developing new ones. Furthermore, the Agency promotes EU cooperation through the CSIRTs network and the EU Cooperation Group on NIS. The Agency also assists operators of essential services (OES) and digital service providers (DSPs) with the smooth implementation of the NIS Directive.

Smart areas studied by ENISA this past year include automotive cyber security, with specific recommendations put forward for the cyber security and resilience of smart cars, and the launch of the CaRSEC (Cars and Roads SECurity) expert group. The Agency has also produced a study on securing smart airports as a guide for airport decision makers and airport information security professionals. The study aims to provide airport operators with a start-up kit to enhance cybersecurity in smart airports, identifies gaps in different areas, and proposes future steps to enhance cybersecurity in the field.

In the finance sector, ENISA has looked into the most widely used payment applications to identify good practices and help the industry secure mobile payment applications. A report on blockchain looks into the cyber security benefits and challenges of the technology, taking into account the most promising implementations and use cases.

In the area of privacy, ENISA has developed the ‘PETs control matrix’ which works as an assessment framework and tool for the systematic presentation and evaluation of online and mobile privacy tools for end users.

Other relevant studies and recommendations by ENISA on the themes of the conference include securing smart homes, secure adoption of cloud for governments, smart transport and smart cities.
For interviews and media enquiries please contact press@enisa.europa.eu, Tel. +30 2814 409576

More about Omnisecure and event images


PETs control matrix: A systematic approach for assessing online privacy tools

Tue, 12/20/2016 - 13:26

The defined framework relies on a set of assessment criteria, which can be broken down into specific parameters and assessment points, acting as indicators of certain properties and features of the tools. A distinction is made between generic criteria (applicable to all tools) and specific criteria (addressing technical characteristics of different categories of tools). For the purpose of this work, the following categories of PETs have been considered: secure messaging, virtual private networks (VPNs), anonymizing networks, and anti-tracking tools (for online browsing).

The ‘PETs control matrix’ is the implementation of the proposed methodology into a practical tool that can be used for performing the assessment of a PET and presenting the relevant results. As such, it comprises different sets of detailed assessment questions (and relevant closed sets of answers) corresponding to the predefined assessment criteria. In this way, the ‘PETs control matrix’ can facilitate a standardized and clear presentation of different privacy tools, supporting in this way the possibility of comparative assessments.


For the full report

For Annex 1 (assessment questions)

For Annex 2 (Excel tool - WIN version)

For press enquiries please contact press@enisa.europa.eu Tel. 2814 409 576


Annual Privacy Forum 2017: Call for papers

Tue, 12/20/2016 - 13:04

ENISA’s Annual Privacy Forum (APF) is to be held on the 7th and 8th June 2017 in Vienna, at the University of Vienna, Faculty of Law.

The call for papers for APF 2017 is now open. Submissions are accepted until 31 March 2017.

Papers presenting original work on the themes of data protection and privacy, and their repercussions on technology, business, government, law, society, policy and law enforcement, are invited. An interdisciplinary approach is in high demand for APF 2017, to contribute to bridging the gap between research, business models and policy, as well as to proposing new models and interpretations. APF 2017 seeks contributions from policy makers and implementers, Data Protection Authorities, industry, consultants, NGOs and civil society, as well as law enforcement representatives.

Detailed information, including the aspects with which research and opinion papers should deal, is available at:

Student Papers. In order to promote the participation of young researchers, the submission of papers by students is encouraged. These papers will be treated as thoroughly as full papers, but can be shorter (up to 4000 words) and may reflect novel thinking that has not yet been fully elaborated.

Short Papers. In addition to student papers, short papers are invited, as this call is open to anyone who has a sketch of an idea, an opinion or a call for collaboration. Short papers should be up to 4000 words and should not overlap with work published elsewhere.

For more information please visit: Annual Privacy Forum 2017 - Call for papers

Previous APF editions:

Privacy tools, security measures and evaluation of current technologies under the spotlight at this year’s Annual Privacy Forum

2015 Annual Privacy Forum focusing on Privacy Enhancing Technologies

Annual Privacy Forum 2nd edition starts today in Athens

Successful conclusion for the First Annual Privacy Forum

Stay connected through the RSS feeds, #PrivacyForum_EU on twitter, and the dedicated site http://privacyforum.eu/

For press enquiries please contact press@enisa.europa.eu


Cyber security key for the successful adoption of mobile payments

Mon, 12/19/2016 - 09:33

ENISA assessed the most widely used payment applications and their security models to identify good practices. The results, validated in a workshop in November 2016, provide the key recommendations included in this report. These include:

 • Customers should adopt minimum security measures when using mobile payment applications
 • Vendors should provide more visibility of the security measures in applications
 • The mobile payment chain must maintain its security posture irrespective of the players involved

Mobile payments offer convenience, as they allow customers the freedom to make payments at any time without using cards. Mobile payments are expected to grow by 80%[1] per year over the next five years, but the security of mobile payment applications still remains a key concern.

A key challenge identified is maintaining the security of mobile operating systems at a sufficient level. Mobile operating systems provide good security when their protections are applied, but many customers are not aware of them and therefore do not use them. Another challenge is the security of the mobile payment chain, the assurance of which is paramount for the successful adoption of mobile payments.

In the context of the NIS Directive[2], ENISA assists Member States and the European Commission by providing expertise and advice, as well as by developing and facilitating the exchange of good practices, with the ultimate goal of enabling a higher level of security for Europe’s critical infrastructure, including finance.

ENISA continues its work with the European Central Bank and the European Banking Authority, providing its assistance and expertise on information security issues in the finance sector. The Agency also engages with industry through various working groups in the area of finance to exchange information and good practices in information security.

Full report available online

For interviews and press enquiries please contact press@enisa.europa.eu Tel. 2814 409576

[1] http://www.businessinsider.com/the-mobile-payments-report-market-forecasts-consumer-trends-and-the-barriers-and-benefits-that-will-influence-adoption-2016-5

[2] https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive
