ENISA publishes two reports today. The “Secure ICT Procurement in Electronic Communications” report which highlights the growing dependency of providers on ICT products and outsourced services, and analyses the associated security risks involved in the process. The “Security Guide for ICT Procurement” aims to be a practical tool for providers to better manage security risks when dealing with vendors and suppliers of ICT products and outsourced services.
Secure ICT Procurement in Electronic Communications
The study follows the latest edition of the Annual Incidents report, which gives an aggregated analysis of the security incidents resulting in severe outages; a primary cause of these is third-party ICT products and outsourced services, especially in the area of hardware failures and software bugs. This year’s report is the result of ENISA’s collaboration with providers and vendors in an effort to address these issues.
The key issues raised by electronic communication providers include:
- Lack of security controls on the vendor’s side
- Software vulnerabilities in ICT products or services
- Non-compliance with security requirements in contracts
- Lack of support from vendors in case of incidents
- Weak negotiation power for providers
- Lack of a framework or guidance for providers during procurement and outsourcing
In this context, ENISA provides general recommendations and includes the results of a survey it conducted across electronic communication providers and ICT vendors. Recommendations to Member States involve raising awareness of the security risks related to the procurement of ICT products and outsourced services. In addition, vendors and providers are encouraged to develop a collaborative approach to setting security requirements, sharing information on security vulnerabilities and threats, and mitigating incidents.
Security Guide for ICT Procurement
The Guide maps security risks to a full framework of security requirements, which can be used as a tool during procurement by vendors, and addresses security risks for core services in communication networks and services.
The Executive Director of ENISA, Professor Udo Helmbrecht commented: “Every year we see from the annual incident reporting that third-party ICT products and managed services are a major cause of outages. A simple software bug can have a severe impact on the availability of the internet and telephony services, and providers are not always able to fix such issues quickly on their own. The Security Guide for ICT Procurement we publish today is a practical tool to help providers buy ICT products and services from vendors and suppliers, with the necessary security requirements.”
Background: ENISA Annual Incident Reports
For interviews: Christoffer Karsberg, Expert, resilience[at]enisa.europa.eu