1. Background and objectives
ENISA has been established to develop a culture of security by ensuring a high and effective level of network and information security. In order to achieve this goal the Agency shall enhance the capability of Community and Member States and the business community to prevent, address and respond to such network and information security issues. Of major importance in the tasks of ENISA are Risk Management (RM) and Risk Assessment (RA). They are both vital parts of Information Security Management and as such are essential for the establishment of security in organizations.
Since its establishment in Heraklion in September 2005, ENISA has appointed two Working Groups (WG) in that area. The first WG started in 2005 and ended in March 2006. The second WG started in June 2006 and terminated in March 2007. The second WG's appointment led to the generation of a benchmarking framework for measuring the contents of RA and RM methods and assessments.
Based on the results of the previous WG, these terms of reference identify numerous future tasks towards the usage of the benchmarking framework to express the requirements of users. It is expected that these results will be of particular value for non-experts, as they will facilitate the identification of user needs. Subsequently, this will allow expert users to find the solutions best suited to the needs of customers.
By taking into account the contents of:
- The results of the previous WG (2006-2007),
- ENISA’s Work Programme 2007,
- the emerging issues in the area of Risk Management and Risk Assessment from previous studies (e.g., the European Commission – DG Information Society and Media, "Risk preparedness in Business in the field of Network and Information Security").
the importance of comparability and interoperability of RM and RA methods becomes clear. Equal importance must be assigned to the use of RM and RA methods by all kinds of enterprises. To achieve this, the available material has to be communicated in a way that non-expert decision makers can understand and use in their businesses.
The first step towards this objective is to identify the security context of an organization according to the kind of business it operates. Next, the security context of the organization has to be translated into a set of requirements that express its real requirement for RM/RA. The next step is to translate these user requirements into the elements of the benchmarking framework developed by the previous WG.
Once the user requirements have been defined in terms of the benchmarking framework, they can be matched against the individual benchmarks of existing methods, tools and good practices. Such a match will allow selection of the most appropriate methods, tools and good practices.
Tasks to be carried out through the WG are:
- Generate a set of qualification questions for non-experts to understand the security context of their organization. The questions will identify the organization's area of business, its dependency on IT, its risk tolerance, compliance needs and the market conditions in which it operates.
- Identify the relationship between the answers to the qualification questions and the level of maturity required by the organization in relation to its information security. If necessary, the qualification questions will be augmented with other questions to determine the organization's current maturity level.
- Identify the profile of the organization in relation to the benchmarking framework established by the previous WG and
- Generate a mapping of RA/RM requirements for the organization in relation to the benchmarking framework.
An additional effort that will be performed in parallel to the above tasks is to maintain a specific example that will be used throughout the tasks mentioned above.
The deliverables of this WG are the direct outcome of the tasks mentioned above:
D.1: A set of qualification questions structured around issues of relevance to understanding the RA/RM requirements of the organization (e.g. business sector, dependency on IT, risk tolerance, compliance needs, and the type of market and market conditions in which it operates). This deliverable includes a graphical representation of the answers in relation to a risk exposure and impact profile.
D.2: A matrix enabling answers to the qualification questions to be related to the RA/RM benchmarking framework established by the previous ENISA WG. This will be expressed in terms of requirements for RA/RM phases, activities and outputs as given in the benchmarking framework. The output will be presented in terms of the benchmarking elements by means of scoring and graphical representation.
- Determining Your Organization’s Information Risk Assessment and Management Requirements and Selecting Appropriate Methodologies
- Dr. Jeremy WARD, UK (Chairperson)
- Serge LEBEL, France (Vice Chairperson)
- Prof. Dr. Ingrid SCHAUMULLER-BICHL, Austria
- Dr. Lydia TSINTSIFA, Germany
- Luigi CARROZZI, Italy
- Alain DE GREVE, Belgium
- Aljosa PASIC, Spain
- Reijo SAVOLA, Finland
- Prof. Marcel SPRUIT, The Netherlands
- Andrew WILSON, ISF, UK (observer)
ENISA staff involved in the Working Group:
- Dr. Louis Marinos