1. Background and objectives
ENISA has been established to develop a culture of security by ensuring a high and effective level of network and information security. In order to achieve this goal the Agency shall enhance the capability of Community and Member States and the business community to prevent, address and respond to such network and information security issues.
The Agency shall be able to provide assistance and deliver advice to the Commission (e.g. in technical preparatory work for updating and developing Community legislation in the field of network and information security) and Member States. It shall further develop a high level of expertise, building on national and Community efforts and use this expertise to stimulate a broad cooperation between actors from public and private sectors.
Risk assessment and risk management are key tasks in the management of network and information security in general. The OECD Guidelines for the Security of Information Systems and Networks state that all organisations who develop, own, provide, manage service and use information systems and networks should conduct risk assessments in order to allow the determination of the acceptable level of risk and assist the selection of appropriate controls to manage the risk of potential harm to information systems and networks, considering also the potential harm that may originate from others or be caused to others.
ENISA’s tasks, as described in the 2005 Work Programme, include the collection of best practices, the sharing of information and the facilitation of co-operation of various European initiatives that contribute to reach a common superior level of security. Clearly, risk assessment and risk management form an essential part of this. To support ENISA in this task a special ad hoc Working Group will be set up.
Today, a number of different approaches to risk assessment and risk management exist, and in various countries (e.g. with BS7799 in the UK, EBIOS in France and the IT Baseline Protection handbook in Germany), there are methods for the management of information security that also include specific recommendations for the assessment of risks. While the various approaches have many things in common, there are also a number of important differences and it seems obvious that there is no general "one-size-fits-all" approach to risk assessment and risk management for organisations of different sizes and with different backgrounds.
Large organisations with dedicated security management teams usually also have the resources and the knowledge needed for selecting a suitable approach for risk assessment and risk management and for establishing the corresponding processes. On the other hand, smaller organisations and particularly SMEs often have neither the staff nor the resources to conduct a risk assessment on their own. Even selecting a suitable consulting company to assist in setting up a risk management can be a very challenging task for small organisations.
The working group shall help ENISA by providing expertise in different existing risk assessment and risk management methods.
The first task of the working group will be the compilation of an overview of existing risk assessment and risk management methods. These methods should then be compared and their similarities and differences should be described. Additionally, important organisations active in the field of risk assessment and risk management methodologies should be identified and their relationship should be described.
The Working Group shall choose 2-3 different types of organisations (notably SMEs) and suggest a suitable approach to risk assessment and risk management for these types. The goal shall be to allow the organisations to perform a risk assessment with reasonable effort and to establish an efficient system for managing risk related to information security.
Finally, the Working Group should develop a proposal for a roadmap on what steps need to be taken and by whom, in order to achieve the goal of enhancing the compatibility and interoperability of different methods of risk assessment and risk management. The objective shall be to improve the comparability of risk assessments between different organisations.
- Overview of existing risk assessment and risk management methodologies and the relevant players in this field, and comparison of the different methodologies.
Inventory of risk assessment and risk management methods
- Information packages for 2-3 types of organisations to help them in selecting and applying a suitable method for performing and managing information security related risks.
Information Packages for Small and Medium Sized Enterprises (SMEs)
- Roadmap document.
- Prepare report as input to the Management Board (11 November) on status of the work of the group and deliverables.