Ad hoc ENISA Working Group on National Risk Management Preparedness

The present page is the central location of information about the Terms of Reference for the ENISA Working Group on National Risk Management Preparedness (WG NRMP) and the generated deliverable.

Published under Risk Management

1. Background and objectives

ENISA has been established to develop a culture of security by ensuring a high and effective level of network and information security. In order to achieve this goal the Agency shall enhance the capability of Community and Member States and the business community to prevent, address and respond to such network and information security issues.

Within the ENISA Work Program 2010, it is foreseen to investigate the issue of National Risk Management Preparedness. This task is described within Multiannual Program 3 (MTP3) and in particular within Work Package (WPK) 3.3. The main objectives of this task are:

  • to identify the national risk management elements and good practices throughout EU member states,
  • to analyze the level of maturity and preparedness in different Member States,
  • to identify the relevant Stakeholders (both from Public and Private sector) and
  • to support other ENISA activities in the area of Critical Information Infrastructure Protection (CIIP) and in particular ENISA work in the definition of pan European resilience exercises (WPK1.4).

Proactive management of information risks is a key issue in building up and maintaining resilient information infrastructures. When looking at the elements of risk pertaining to the assets of information infrastructure (both technical and organizational), different aspects have to be taken into account, depending on their nature, importance and impact. Furthermore, when considered at the level of a Member State, the establishment/enhancement of National Risk Management Preparedness (NRMP) has to involve multiple stakeholders from both private and public sectors. Such stakeholders are owners or participants in the protection of information infrastructure assets.

Given the strong focus of ENISA in the context of CIIP, issues like incident handling, emergency teams and procedures, cross-sector communication plans, escalation schemes, etc. are to be primarily considered. Other, directly related areas will be considered as well (e.g. interfaces to other critical infrastructures and response teams). Important dependencies among all these areas, existing processes and components will be in focus. The final result will be a first picture of areas and components, involved stakeholders and their roles within National Risk Management Preparedness activities.

An ad hoc Working Group has been envisaged as the main instrument for the collection of information to fulfill this task. The Working Group will consist of national experts in the area of Risk Management, covering public and private organizations. The task of this Working Group will be the identification and description of all relevant elements of National Risk Preparedness for public eCommunication network resilience. This will include various relevant elements, for example:

  • related components (e.g. types of infrastructures under protection),
  • related stakeholders (e.g. owners/operators of infrastructure, regulators, public/private emergency groups etc.),
  • users of the infrastructure,
  • related critical areas this infrastructure is used for (e.g. energy, health, etc.),
  • risk management responsibilities of each involved stakeholder,
  • necessary coordination activities,
  • necessary national escalation schemes, etc.

2. Tasks

Tasks to be carried out through the WG are:

  • Identification of the state of play with regard to NRMP in Member States. This will be performed by means of an inventory of existing approaches. For this task, a set of criteria for the inventory to be created has to be developed. These criteria will concern areas of NRMP that will be considered in the stock taking activity. The list of criteria to be developed will be used as a raster/template for the stock taking. The proposal for this task would be to consider the ENISA Study “STOCK TAKING OF POLICIES AND REGULATIONS, Resilience of communication networks” as initial input and find ways to collect additional information in order to achieve a better penetration of the Risk Management Preparedness topic.
  • Generation of a list of areas for NRMP. Based on the results of the previous task, the WG will generate a list of areas that are considered to be part of NRMP. This can be achieved by analyzing the identified national approaches. As a result of this task, the WG will develop a collection of areas/issues that are considered to be part of NRMP (i.e. cartography of NRMP issues).
  • Identification of the most critical areas in the interdependent infrastructures. Based on the previous tasks, the WG will identify the most critical areas in the interdependent infrastructures. The focus will be on information infrastructure (i.e. eCommunication networks). For these areas, types of assets/components will be identified and will be prioritized according to their criticality. Beyond types of technical components, non technical ones will also be part of this prioritization, such as relevant operational processes (e.g. continuity plans, incident management and response plans), human infrastructure/roles (e.g. emergency teams, supervision roles), communication structures (e.g. inter-sector committees, response coordination) and supporting functions from other sectors (e.g. notification structures, common continuity efforts, redundancy schemes).

3. Deliverables

The deliverables of this WG are the direct outcome of the tasks mentioned above. The list of the deliverables is as follows:

| Deliverable | Description |
|---|---|
| D1 | Content of NRMP activities, input/output, players/organisations etc |
| D2 | Development of a questionnaire based on the content of D1 |
| D3 | Answer collection from the Member States using the questionnaire defined in D2 |
| D4 | Data consolidation (painting big picture/the framework, paying attention to SMART Goals as formulated in ENISA Work Program 2010) |
| D5 | Guidelines development (common framework) for the assessment of the NRMP (the method developed) |
| D6 | Issue recommendations for future exercises (chain of command of involved bodies/organisations/players, etc.) |
| D7 | Report formulation with the content described in the above deliverables |

All the above deliverables have been incorporated into a final report (D7) that can be found here.

In addition to the foreseen deliverable, we have developed a questionnaire in the form of an Excel sheet that is based on the identified NRM processes and contains all maturity levels per process. This additional deliverable goes the extra mile and can be found here.

4. Composition

The Working Group consisted of the following members:

  • Manuel de Barros: ANACOM, Portugal
  • Dr. Uwe Jendricke: BSI, Germany
  • Charalampos Koutsouris and Dr. Zoe Nivolianitou: NCSR, IIT, Greece
  • Drs. J.C. Oude Alink: Ministry of Economic Affairs, The Netherlands
  • Rytis Rainys: RRT, Lithuania
  • Prof. Ingrid Schaumueller-Bichl and Alexander Leitner: University of Applied Sciences, Hagenberg, Austria
  • Bjorn Scharin: pts, Sweden
  • Pascal Steichen: CIRCL, Luxembourg
  • Paul Theron: Thales Group, France
  • Marco Fernandez-Gonzalez, Observer INFSO, European Commission

 

ENISA staff involved in the Working Group:

  • Dr. Louis Marinos
