1. Background and objectives
ENISA has been established to develop a culture of security by ensuring a high and effective level of network and information security. In order to achieve this goal the Agency shall enhance the capability of the Community, the Member States and the business community to prevent, address and respond to network and information security issues. Of major importance among the tasks of ENISA are Risk Management and Risk Assessment. They are both vital parts of Information Security Management and as such are essential for the establishment of security in organizations.
During its initialization period in 2005-2006 ENISA established the "ad hoc Working Group on technical and policy aspects of Risk Management and Risk Assessment". The appointment of this working group terminated as of 8th March 2006. One of the deliverables of the previous Working Group (WG) was the generation of a road map for future activities within ENISA in the area of Risk Management, Risk Assessment and Emerging Risks.
Based on the road map of the 2005 ad hoc Working Group, these terms of reference identify numerous future tasks towards the enhancement of interoperability, comparability, and applicability of existing Risk Management and Risk Assessment methods for different types of organizations, with an emphasis on Small and Medium Enterprises (SMEs). The latter are explicitly emphasized since in most cases they lack the appropriate resources and expertise to properly perform the Risk Assessment and Risk Management tasks, as opposed to large companies and enterprises.
By taking into account the contents of:
- ENISA's Work Programme 2006
- the emerging issues in the area of Risk Management and Risk Assessment from previous studies (e.g., the European Commission – DG Information Society and Media, "Risk preparedness in Business in the field of Network and Information Security")
- the work conducted by ENISA’s 2005 ad hoc Working Group in the same area
the importance of comparability and interoperability of Risk Management and Risk Assessment methods is becoming clear. The basic work that has to be done is to identify the equivalences, as well as the differences, between existing methods.
One of the first steps towards this objective is to make sure that Risk Assessments performed with different methods are based upon a common understanding of the threats and vulnerabilities applicable to the assets in question. Subsequently, additional inputs and outputs of existing methods that are subject to unification (i.e., through their correspondence relationships) have to be identified.
Another important issue for the quality, usefulness and validity of the established inventories is to guarantee the accuracy of the listed Risk Management and Risk Assessment methods and tools. For this purpose, this WG will generate a process for the submission of new methods and tools, together with the necessary review processes. Furthermore, Risk Management and Risk Assessment best practices will be included in the generated inventory. Similarly, a process for the submission of best practices has to be introduced.
Tasks to be carried out through the WG are:
- Provide the processes for submission, review and publication of existing Risk Management and Risk Assessment methods, tools and best practices. For the latter, a logical connection to the existing templates of the generated inventory of methods and tools has to be established, e.g., a referencing schema and a template for the description of best practices.
- Identify existing sources of threats and vulnerabilities; define a classification scheme for threats and vulnerabilities according to their nature and the type of assets they might affect. For each category the WG will identify corresponding threat agents, i.e., actors threatening an asset. The end result is expected to be a database with categories of threat and vulnerabilities, the relevant assets these apply to, the corresponding threat agents and references to existing sources (e.g., documents, URLs etc.). This will improve the comparability properties of the assessments performed with different methods and tools.
- Identify Input/Output types of Risk Management / Risk Assessment methods that can be unified towards improved interoperability and comparability of methods and tools (in addition to the information mentioned in task 2 above).
An additional effort that will be performed in parallel to the above tasks is to gather sources of security information used by the involved experts. This information will be consolidated with similar material gathered by the other ENISA ad hoc Working Groups.
The deliverables of this WG are the direct outcome of the tasks mentioned above:
D.1: Three procedures for the submission or removal of a) methods, b) tools and c) best practices on Risk Management/Risk Assessment. The procedures describe the method for adoption of new products in the ENISA open inventory list. Besides the description of the procedures, input and output information for each activity will be defined.
D.2: Identification and categorization of input to and output from Risk Management/Risk Assessment methods that can be subject to comparison (e.g., scales for qualitative and quantitative methods, scales for asset classifications, etc.). Comment: For this purpose, we need to know the HOW of a method.
D.3: The knowledge base, built on the categorization of input/output types, that includes threat agents for each category, the relevant security needs of assets for each threat category, and references to other existing approaches, e.g., existing threat and vulnerability catalogues.
D.4: As a “side product” of the Working Group, a list of known sources for security information used by the involved experts will be generated.
- Dr. Lydia TSINTSIFA, Germany, (Chairperson)
- Mr. Serge LEBEL, France, (Vice Chairperson)
- Mr. Alain DE GREVE, Belgium
- Mr. Aljosa PASIC, Spain
- Mr. Giuseppe CARDUCCI ARTENISIO, Italy
- Dr. Ingrid SCHAUMUELLER-BICHL, Austria
- Mr. Jeremy WARD, UK
- Mr. Juhani SILLANPAA, Finland
- Mr. Marcel SPRUIT, The Netherlands