Having regard to the rapid evolution of the prevailing risk environment and the lack of an overall knowledge base for the mitigation of the respective risks in the area of COIT, ENISA conducted this assessment in order to provide guidance to the competent actors in developing effective strategies and policies for mitigating the underlying risks (identified in the previous ENISA report).
The analysis took account of three aspects of mitigation that should be considered in concert: technical considerations, governance aspects and the prevailing regulatory environment. Together, these areas have led us to establish the basis on which - depending on its requirements - each organisation should create an effective blend of mitigation strategies for COIT risks.
Through this work ENISA contributes towards securing the elements that are part of the current Consumerization trend in IT. Particular focus was on the device part, while aspects of security of the services have been addressed as well. Relevant security controls have been identified that could facilitate the efforts of stakeholders to develop and implement effective risk mitigation plans suitable to their operational setting. The proposed controls and the presented good practices mitigate the assessed risks.
It is evident that there is no “one size fits all” solution. Nevertheless, the findings provide a solid basis for appropriate actors to analyse their working environment and apply a combination of controls that is the most suitable in terms of strategy and policy requirements.
Six key messages for decision makers (e.g. Chief Information Officers, Chief Executives) that have been derived from this report are:
1. Ensure that governance aspects are derived from business processes and protection requirements and are defined before dealing with technology.
2. End-user involvement can effectively mitigate risks. Awareness raising on COIT programmes is highly effective for the enforcement of security policies.
3. Periodic risk assessment on COIT programmes should be undertaken to ensure that security policies remain compatible with evolving technologies.
4. Keep in mind that encryption complements but does not replace strategic risk management within a COIT programme.
5. Perform small steps initially and proceed with more complex policies when sufficient experience has been gained.
6. It is important to identify which COIT risks need to be mitigated within your organisation while the window of opportunity still remains open.
This report has been produced by ENISA using input and comments from a group of experts from industry, academia and public organisations.
The contributors are listed below in alphabetical order:
• Jim Clarke, Waterford Institute of Technology, IR
• Marcos Gomez Hidalgo, INTECO, ES
• Antonio Lioy, Politecnico di Torino, IT
• Milan Petkovic, Eindhoven University of Technology, Philips Research, NL
• Claire Vishik, Intel Corporation, UK, US
• Jeremy Ward, HP Enterprise Services, UK
The Risk and Opportunity assessment in the area of COIT can be found HERE.
The proposed Risk Mitigation Strategies and Good Practices for COIT can be found HERE.