
ENISA General Report 2007

ENISA – NIS is people

Networks, people and technology

In the 21st century, we take for granted innovations such as mobile phones, computers, the Internet, online banking, e-Health and e-Commerce. The Internet has become indispensable for individuals at work, at home and in doing business. Network and Information Security (NIS) is therefore crucial for businesses and home-users alike.

NIS – for Europe’s economy

Communication networks and information systems are critical for the European digital economy and business – both today and increasingly for tomorrow. There are millions of e-mails and transactions every day. As networks grow more complex, they also become more vulnerable. Security breaches can generate substantial economic damage. The European Network and Information Security Agency (ENISA) is the European Union (EU)’s response to NIS challenges, especially as they affect the EU’s economy.

Expertise and excellence in NIS

ENISA’s role is to be an expert body and a Centre of Excellence in NIS. Its mission is to facilitate and support the Member States in enhancing the level of NIS in Europe.

As such, the Agency’s role includes:
• Giving independent, expert advice to the EU, as the first step towards the drafting of legislation
• Responding to requests from Member States and the EU
• Collecting and analysing data on security incidents and emerging risks
• Promoting best practices in e.g. risk assessment & risk management, awareness raising and computer security incident response


General Report 2007
European Network and Information Security Agency

ISSN: 1830-981X


Editing and design by Kingston Public Relations Ltd., UK (+44 1482 876229) www.kingstonpr.com

Published in July 2008

Luxembourg: Office for Official Publications of the European Communities, 2008

ISBN: 978-92-9204-004-8

ISSN: 1830-981X

Catalogue no.: TP-AB-08-001-EN-C

© European Communities and ENISA, 2008

Reproduction is authorised provided the source is acknowledged.

PRINTED ON WHITE CHLORINE-FREE PAPER

Europe Direct is a service to help you find answers to your questions about the European Union

Freephone number*: 00 800 6 7 8 9 10 11

* Certain mobile telephone operators do not allow access to 00 800 numbers or these calls may be billed.

More information on the European Union is available on the Internet (http://europa.eu).


Table of Contents

3 CHAPTER 1 – INTRODUCTION
  4 Executive Summary
  6 A Message from the Executive Director

9 CHAPTER 2 – THE 2007 WORK PROGRAMME: KEY SECURITY THEMES
  11 Raising awareness and building confidence
    11 Identifying and promoting KPIs
    12 Identifying best practices, current trends and progress in awareness raising
    13 Dissemination
    13 Knowledgebase
    14 Assessment of Information Security Certification
    14 Surveying Electronic Communication Security Measures
  16 Facilitating the working of the Internal Market for e-Communication
    16 Analysing barriers
    16 Assessing and managing current ICT risks
  18 Mastering emerging technology and services
    18 Tackling emerging and future ICT risks
    19 Security trends in emerging technologies and applications
    19 Position Papers on specific emerging security issues
  22 Bridging security gaps in Europe
    22 The NIS Brokerage
    22 Who is Who Directory on NIS
    23 Towards a Common Authentication System Taxonomy
    24 Computer Emergency Response Teams (CERTs)

27 CHAPTER 3 – RELATIONS WITH ENISA STAKEHOLDERS
  28 Communication and outreach
    28 The Communication Action Plan
    30 Conferences and joint events
    30 Thematic workshops
  31 External stakeholders, ENISA bodies and groups
    31 Creating a network of contacts
    31 The Permanent Stakeholders’ Group
    31 Management Board
  32 EU and Member State relations
    32 Relations with EU bodies
    33 Relations with Member States
    33 High Level Dialogue on Information Security
    33 The Network of National Liaison Officers
  33 Other relations with industry and international relations
    33 Industry relations
    34 International relations
    34 Measuring ENISA deliverables

35 CHAPTER 4 – RESPONDING TO REQUESTS
  37 Partnership for ICT Security incident and Consumer confidence information Exchange (PISCE)
  39 EISAS – NIS Information for Home-users and SMEs

41 CHAPTER 5 – CHANGE AND THE PERSPECTIVES FOR 2008
  42 Future perspectives

43 APPENDICES
  44 Acronyms and Abbreviations
  45 Work Programme 2007 Priorities
  47 Members of the Management Board
  51 Members of the Permanent Stakeholders’ Group (PSG)
  51 Members of Ad Hoc Working Groups
  52 National Liaison Officers
  53 Administration
    53 Organisation chart
    54 General administration, legal advice and procurement
    55 Physical infrastructure
    55 Technical infrastructure
    56 Human Resources
    59 Finance and Accounting


CHAPTER 1 Introduction


• Executive Summary
• A Message from the Executive Director


Executive Summary


2007 posed considerable challenges for Europe with regard to network and information security (NIS). In particular, the cyber attack on Estonia in June generated public and media attention, but several other countries, including Sweden, France and Germany, also suffered major NIS incidents which were widely publicised. The attention which these NIS attacks have attracted has pushed NIS up on the political agenda. ENISA’s mission and operations, facilitating co-operation and offering support and advice to the European Union (EU) Member States in their efforts to build protective fences and to implement countermeasures, have become more widely recognised.

In the 21st century, virtually all aspects of everyday life are dominated by information systems, in the form of practical devices and services such as mobile phones, computers, online banking, e-Health and e-Commerce. The Internet has become indispensable for industry and individuals, at work and at home. The European economy, be it corporations or individuals, is highly reliant on NIS for the proper functioning of the Internal Market. Information systems and secure networks in the Information Society have, in that sense, become omnipresent. ENISA’s mission in NIS is therefore one of considerable importance for the economy of Europe.

ENISA is an EU Agency, which assists and facilitates the EU and its Member States in their efforts to make networks and information systems more secure. By acting as a forum for the exchange of information for all stakeholders, and by increasing co-operation in NIS, the Agency supports the functioning of the Internal Market. ENISA acts to bridge NIS gaps, for example between policy-makers and technical communities, both in the public and the private sectors. To this purpose, the Agency supports a public-private dialogue regarding responsibilities, roles, problems and solutions to NIS risks and threats. The major NIS challenges facing Europe are common to NIS policy-makers globally. ENISA therefore aims to support Europe’s policy-makers in giving Europe a leading role internationally in NIS issues. Consequently, European NIS policy-makers are increasingly convinced of the need for enhanced NIS co-operation in Europe.

The ENISA Work Programme for 2007 focused on the following five priorities, to match and optimise the Agency’s available resources:
• Raising awareness and building confidence
• Facilitating the working of the Internal Market for e-Communication
• Mastering emerging technology and services
• Bridging security gaps in Europe in electronic identification (eID), authentication languages, Computer Emergency Response Teams (CERTs)
• Increasing communication and outreach activities.

In 2007 ENISA published a number of important Position Papers on topics that have been identified as significant emerging risks or key security components, notably Social Networking, Botnets and Reputation Based Systems. These reports provide an introduction to security issues in specific areas, highlight the most important threats and make recommendations for action and best practices to reduce the security risks to users. They have received high level, general media attention.


Activities in pursuit of the five goals in the Work Programme were numerous but highlights include a report on the effectiveness of awareness raising campaigns with the aim of identifying best practice, together with a workshop to disseminate the results, a survey of measures taken by Electronic Communication Service Providers to combat spam, the updating of ENISA’s inventory of risk assessment and risk management methods and an analysis of the various types of home-users and their perceptions of the Internet and IT security, in order to better target them with NIS information.

The Agency is committed to being the leading European body for the provision of NIS data, reports, information and knowledge to NIS policy-makers, in short, a Centre of Excellence, and completed all the reports and projects laid down in its Work Programme. ENISA has also been well recognised for its advisory role, demonstrated by the number of requests for assistance or advice that it received from the Commission, Member States and EU bodies. In 2007 examples included major studies into the feasibility of a European Information Sharing and Alert System (EISAS) and the establishment of a Data Collection Framework. These requests are in themselves a recognition of the value which the Agency adds.

Throughout 2007 ENISA’s Experts spread the word about its operations and findings around Europe through seminars, conferences and workshops, and international media have reported the Agency’s activities and achievements. ENISA has also enhanced its outreach and communication, for example by upgrading its website, co-organising and participating in conferences and events all over Europe, and through its ENISA Quarterly magazine which provides a forum for European debate on NIS. By drawing on policy effectiveness studies and best practices across Europe, member countries can more swiftly take advantage of lessons learned in implementing NIS policies. ENISA thus acts as a ‘clearing house’ to disseminate the shared knowledge of Europe.

During 2007, a new process was established for drawing up the Agency’s Work Programme, based on a closer consultation process and involving all stakeholders to jointly identify the priorities for ENISA’s operations. In this way, the Agency is ensuring that its activities directly meet the needs of users.

As ENISA nears the end of its first mandate period in 2009, it will of course undergo changes. A ‘stocktaking’ evaluation of the Agency’s activities featured as an important process in 2007, with strategic discussions regarding future development. In its first three years of operation, ENISA has carved out a crucial position for itself in European NIS and it is now well placed to respond to the challenges to come.


A Message from the Executive Director


Ambition and change

If 2006 was a year of consolidation, 2007 has been dominated by the need to meet a number of ambitious challenges. The Agency has further stepped up its operations and is functioning effectively as a Centre of Excellence in the field of Network and Information Security (NIS).

The main focus of this General Report is to briefly present the operational tasks and activities undertaken by ENISA in 2007. I am delighted to invite you to take a closer look on the following pages at the activities, reports and studies undertaken, all of which were completed within the deadlines set out in the Work Programme for 2007.

José Manuel Barroso

To sum up this year, ENISA is becoming an increasingly recognised European partner and an important player in NIS. As such, we have now established relations with all major European NIS stakeholders, in this way better positioning ENISA at their service, as a ‘think tank’ and ‘broker’ in NIS. ENISA is well established in Heraklion, Crete, which is in line with the EU’s ambition to have Agencies distributed throughout the Member States, in the words of EU President Barroso, “from Stockholm to Crete and from Lisbon to Warsaw”.

The need for NIS is moving more and more into the media limelight, and thus is also becoming better understood by ordinary citizens and businesses in Europe. The interconnected information networks touch upon fundamental areas of the economy and society. As a result, publication of the ENISA Position Papers was noted not only in specialist NIS media, but also in prominent general publications such as Le Monde, the International Herald Tribune, Der Spiegel and Fokus, to mention just a few.

Europe is now confronting a series of NIS issues that require actions across a number of sectors, and co-operation between both private actors and governments. The European capacity in and approach to NIS has traditionally been fragmented, suffering from a diversity of, for example, systems, organisation, system architecture and technical implementations. This annual report shows that the approach of ENISA, Member States and the European Commission which supports closer co-operation, collaboration and co-ordination, while at the same time respecting the fundamental national differences, is vital for more secure information systems and networks across Europe.

New developments

A notable development since the beginning of the year was the welcoming of new members to the European NIS family and to the Management Board, with Romania and Bulgaria smoothly joining the European Union on 1 January 2007.


Looking ahead, ENISA’s Work Programme for 2008 sets the compass direction for the Agency’s continued operations. The Agency will concentrate its operational activities on a few Multi-annual Thematic Programmes (MTPs), which focus on:

1. Improving resilience in public European e-Communication networks
2. Developing and maintaining co-operation models
3. Identifying emerging risks for creating trust

and finally entails a ‘Preparatory Action’ regarding the NIS needs and expectations of micro-enterprises.

By applying these MTPs, our goal is to build on synergies and increase our impact in the Member States.

With these priorities set and NIS increasingly being highlighted on the public agenda, the Agency anticipates that the need for NIS will be a decisive political and economic factor for the EU and its Member States in the foreseeable future.

Our valued supporters

ENISA could not fulfil its role as the leading European body committed to providing NIS information to policy-makers in the public and private sectors without the active support and collaboration of the Member States, the EU institutions, industry, research/academia and consumer/user organisations.

Therefore, as Executive Director, it has been a pleasure to witness the Member States’ endorsement of the Agency by their actions. ENISA is dependent on a close dialogue and partnership with all the key players to function as a Centre of Excellence in NIS. The contributions from within the Member States and close partnership with them are thus crucial for our mission. I would therefore like to express my deep appreciation to all our stakeholders, in particular the European Commission, the European Parliament, ENISA’s Management Board, our Permanent Stakeholders’ Group, members of our Working Groups, the National Liaison Officers, the Greek government and the local authorities in Crete and, last but not least, FORTH, the research centre in Crete that hosts and supports ENISA.

Finally, I would like to thank the ENISA staff for their excellent execution of the Agency’s Work Programme.

Please enjoy this General Report, which provides a concise overview of ENISA’s work in 2007 and our role and responsibility in network and information security for Europe.

Andrea Pirotti
Executive Director


CHAPTER 2 The 2007 Work Programme: Key Security Themes


• Raising awareness and building confidence
• Facilitating the working of the Internal Market for e-Communication
• Mastering emerging technology and services
• Bridging security gaps in Europe


The Agency’s work in 2007 built on results obtained in 2005 and 2006, categorised into four themes derived directly from the seminal joint workshop discussions between ENISA’s Permanent Stakeholders’ Group (PSG) and the Management Board in London in June 2006. These themes represent crucial network and information security (NIS) objectives for the whole of Europe:

• Raising awareness and building confidence – This area of work is mainly user-oriented, with the aim of improving the safety of network and information security by encouraging the use of appropriate tools and behaviour. In this way, the Agency helps to build the trust that is essential for the acceptance of new technology and the growth of the digital economy.

• Facilitating the working of the Internal Market for e-Communication – This objective is oriented mainly towards the needs of business and includes the identification of obstacles to the growth of e-Commerce and assisting the EU to decide on an appropriate mix of regulation and other measures in response to NIS risks. It is in line with the aims of the European Commission’s (EC’s) i2010 initiative. ENISA’s expertise and advice on these matters is considered crucial in achieving the goals laid down in the initiative.

• Mastering emerging technology and services – This technology-oriented task includes not only assessing the impact that emerging technology and services have on security and privacy but also enabling Europe as a competitive supplier of network and information products and services.

• Bridging security gaps in Europe – Bridging the gaps in the design and implementation of security tools and procedures throughout Europe remains a strong policy-oriented challenge. More precise Europe-wide capacity to measure the current NIS status will be needed. ENISA will help to analyse such gaps, propose ways to reduce them and will monitor their evolution.

ENISA’s expertise and knowledge are constantly enhanced and adapted in order to achieve its goals in the most effective way.


Raising Awareness and Building Confidence


Raising awareness and building the confidence of users of electronic communications is widely recognised as a key element for improving the level of information security in Europe. In 2007, ENISA continued its work promoting awareness raising methods and content, disseminating best practices and promoting security certification schemes. There was a particular focus on countermeasures to combat the threat of spam as an important tool in raising users’ confidence.

During 2007 the Awareness Raising section analysed security awareness practices and the metrics that are available to measure awareness, drawing on experiences in the Member States and focusing on case studies of local government and Internet Service Providers (ISPs). In doing this, ENISA is contributing to the development of a culture of network and information security.

Recent work in this area has focussed, among other things, on what governments and private companies are currently doing to assess the impact and success of awareness raising activities, on how these metrics and indicators can benefit organisations, and on how information security awareness programmes have been undertaken by government (national and/or local) in an effort to reach out to ISPs within the Member countries.

Identifying and Promoting Key Performance Indicators (KPIs) for Awareness Raising Campaigns

At the end of 2005, a review of some aspects of the effectiveness of awareness raising initiatives highlighted a need for a more strategic approach to ensure that campaign results are properly measured and evaluated. Until now, this had received only minimal attention in most European countries, which has limited the effectiveness of campaign planning. In 2007 ENISA aimed to improve the effectiveness and efficiency of awareness raising initiatives and, more specifically, to promote the importance of using metrics and indicators.

The challenge for the Member States is to ensure that the effectiveness of any initiative intended to raise information security awareness is assessed. ENISA helps the Member States to understand the importance of using metrics and key performance indicators, illustrating the benefits of such activity.

During 2007, ENISA’s Awareness Raising Section undertook a study to explore the methods used (both qualitative and quantitative) to measure the performance and success of awareness raising campaigns. The work involved an analysis of case studies, particularly of practices adopted in local government and by Internet Service Providers (ISPs).

The results were published in July 2007, as Information Security Awareness Initiatives: Current Practice and the Measurement of Success – the first major report offering a perspective on what governments and private companies are doing currently to assess the impact and success of awareness raising activities. This report is intended for professionals within organisations and public bodies who are responsible for the planning, organisation and delivery of information security awareness initiatives.

The publication focuses on cultural change, the benefits offered by sets of metrics and key performance indicators, and how the assessment of qualitative and quantitative methods can contribute to the development of a wider culture of security. By gathering information on the current practices of a number of European government departments and companies, ENISA has been able to:
• Provide an outline analysis of recommended security awareness practice and metrics to measure awareness
• Provide an outline of key metrics that can be used to effectively assess awareness, as well as some high level metrics
• Provide an overview of current practices with regard to information security awareness
• Provide case studies of good practice for awareness raising and the measurement of its effectiveness, highlighting the benefits thereof, and
• Contribute to the development of an information security culture in Member States by encouraging organisations to act responsibly and thus operate more securely.

The publication is now available in all official languages of the European Union.


Identifying Best Practices, Current Trends and Progress in Awareness Raising – Local Government and Internet Service Providers

Since its inception, ENISA has produced several documents providing details of information security awareness raising initiatives conducted in the Member States. These offer insight into the types of problems being faced by different kinds of users, as well as guidelines and possible solutions. In 2007, the Agency gathered new information on current trends and progress in this area, including a detailed inventory of initiatives focusing on additional target groups: local governments and ISPs.

ENISA examined the information security initiatives undertaken by governments (national and/or local) with an outreach to ISPs. Data were gathered on good practices, techniques, strategies and lessons learned, and the results were published as Information Security Awareness: Local Government and Internet Service Providers.

This report:
• Analyses and helps monitor the progress made in national approaches to awareness raising
• Provides an inventory of good practices from the Member States and other organisations
• Provides good practice guidelines that can be customised and presented to the Member States to help facilitate their work on awareness raising
• Identifies and promotes the exchange of good practices and fosters synergy between public and private sector initiatives
• Contributes to the development of an information security culture in the Member States.

The publication also contains good practice guidelines, comprising recommendations, checklists and a roadmap, that can be customised in the Member States to facilitate their work on awareness raising.

This publication is now available in all official languages of the European Union.

The research was carried out from May to July 2007 using a structured questionnaire. This was made available on a self-select basis to people responsible for information security in European government departments and companies. In total, 67 organisations headquartered in nine different European countries responded. This report, therefore, gives a comprehensive overview of what European organisations are doing currently to measure and improve information security awareness. Case studies based on interviews conducted with 12 organisations are included in the report.

The study found that local government and ISPs regard information security as a high priority, as their level of knowledge of the subject is generally either limited or low. It also highlighted the fact that most of the organisations and public bodies plan, organise and deliver information security awareness initiatives for a period of at least 12 months. In particular, within local government organisations, information security awareness raising activities are often part of a larger Information and Communication Technologies (ICT) campaign. Furthermore, training is considered the most effective technique for awareness raising: setting out comprehensive computer-based training plans and communication tools can help employees to ensure the effectiveness of security programmes. Finally, the analysis of European initiatives found that public-private partnerships can be a highly effective means of delivering campaigns, especially if each organisation involved uses its respective strengths and mobilises appropriate resources.

It was also clear from the findings that ENISA, the Member States and stakeholder organisations must continue their efforts to influence the public’s behaviour towards information security in a positive way, changing the mindset of the human element in order to achieve greater self-awareness.


Dissemination – a Key Factor in Raising Awareness

Disseminating its findings and facilitating discussions and the exchange of knowledge and good practice are crucial aspects of ENISA’s work. A dissemination strategy was developed in 2007. As a result, and in order to allow ENISA to promote its material faster and more effectively, supporting citizens with the skills needed in the Information Society, an important step in 2007 was the release in different languages of ENISA’s widely read publication, A Users’ Guide: How to Raise Information Security Awareness. More than 2000 copies of awareness publications were given out. A survey assessing the quality and impact of reports was also distributed.

The Awareness Raising Section is strengthening its relationship with the Member States through collaborative efforts, regular dialogue and the exchange of good practices. The Section organised monthly conference calls in 2007 to promote regular discussion and knowledge-sharing among experts working on raising information security awareness.

In the course of the year, the Awareness Raising Section released a unique edition containing all of its 2006 publications and incorporating its main findings.

The 3rd Awareness Raising Dissemination Workshop

Finally, ENISA sought to disseminate its findings by organising a workshop. The 3rd Awareness Raising Dissemination Workshop, held in Lisbon in September 2007 under the aegis of the Portuguese Management Board members, brought together professionals responsible for or involved in awareness raising activities in different countries. Through a combination of presentations, case studies and panel debates, participants explored cutting-edge topics, key issues and emerging good practices in awareness raising.

Particular attention was paid to public-private partnerships and to recent successful initiatives by ISPs, mobile operators and banks. Participants also identified key next steps.

The Agency will track progress on these issues in 2008 and beyond.

Knowledgebase

In 2006, ENISA collected, analysed, stored and made available a number of best practices on information security, particularly information security policies, through its ‘Knowledgebase’. This was made available to all kinds of users to disseminate best practices to the widest possible extent, thus strengthening confidence in ICT systems. The database is stored centrally, but can be shared and reused by others. In 2007 ENISA sought to extend this work by customising the database for more specific audiences.

The Agency has tested several commercial policy management tools and assessed their functionality. Policy management tools are a dynamic area, with several new products coming onto the market; they enable organisations to define complex policies and, in certain cases, to deploy or enforce them remotely. However, most of these tools are comparatively expensive and therefore unsuitable for small or medium-sized enterprises.

To enable a broader range of organisations to employ such a tool, ENISA transformed a document management tool into a simple security policy management tool. The tool was tested in 2007 by a medium-sized organisation for its functionality, and improvements were made. ENISA now intends to make this tool available over the Internet to a wider audience. This will enable organisations to insert security policies into the tool, combine existing policies and develop new, complex ones. A simple user manual and a series of examples will help users to deploy the tool quickly.


Assessment of Information Security Certification

The availability of accreditation and certification schemes can contribute to the trustworthiness of electronic products and services by raising the level of security. Certification is an important factor in creating confidence among users of electronic communication tools, and the use of certificates is often a good indicator of the level of security achieved, although a certificate attests that a defined evaluation or management process was followed, not that the certified product or organisation is free of vulnerabilities. In an effort to improve the knowledge, skills and confidence of users, especially non-experts, the Agency has been working to promote certification schemes.

ENISA has made an assessment of the need to facilitate the functioning and accessibility of accreditation and certification schemes, and of how this could be done in co-operation with the relevant standardisation bodies. This work covered management system certification as well as product certification and the certification of an individual's IT security knowledge. The Agency brought together organisations active in the field of information security certification to present and discuss their schemes, and identified the commonalities and differences between them. This was achieved through a mailing list and online collaboration platform, about a dozen position papers, a questionnaire-based survey collecting answers from 30 certification experts and, finally, a workshop held in November 2006 with more than 20 contributions.

The findings were analysed during 2007. The results show that certification schemes can improve the ability of organisations to address the security of IT systems, products, services and networks. Certified companies are not immune to NIS risks and threats. However, they seem to be fully aware of the problems and quite well prepared to address them. Certified organisations have developed a systematic approach to dealing with risks and have established the necessary processes to manage possible NIS breaches. Their personnel are well trained and know what needs to be done during an NIS breach. Another important factor is management's engagement and commitment. Prevention pays, and certification is a way of ensuring that organisations employ appropriate prevention mechanisms.

Other findings of this analysis concentrated on the use of certain NIS-related standards and certification schemes, such as the Common Criteria and ISO/IEC 27001. Both standards are widely accepted and used extensively by the certification industry and other organisations. Despite criticisms that they are rather generic, such schemes have proved suitable for the needs of organisations and professionals. If Common Criteria evaluation became mandatory in different Member States, it would be worth analysing the mutual recognition of Common Criteria certificates across all Member States. A mutually agreed scheme might contribute significantly to widespread adoption by the market and by organisations.

Finally, strengthening accreditation schemes for the IT security certification of individuals, as well as more systematic reference to recognised standards, might significantly improve the ability of professionals to deal with NIS-related issues. Pan-European IT certification schemes (such as the European Computer Driving Licence, ECDL) should pay more attention to NIS issues and develop specialised courses for IT professionals. It was also suggested that European academic institutions and research bodies should co-operate to reinforce the bridges between education (schools and universities) and the certification industry (private training and certificate providers).

Surveying Electronic Communication Security Measures

Security and Anti-Spam Measures of Electronic Communication Service Providers

Providers of electronic communication services are a vital element of the security chain when individual users and enterprises connect to the Internet. In 2007 ENISA conducted a study into the measures service providers take to secure their services and to combat spam. This was the second year that ENISA had conducted such a survey [1]. The study was based on 30 very detailed replies to a questionnaire circulated to providers in 19 different countries, mainly in Europe. The observations, facts, trend analysis and comments produced from these replies have been grouped under two main themes: security measures and anti-spam measures. These themes were then subdivided into organisational and technical aspects.

[1] The previous studies can be downloaded from: www.enisa.europa.eu/pages/spam/index.htm


The findings of this study include an increase in training and awareness campaigns by providers, more effort on Business Continuity (BC) and/or Disaster Recovery (DR) plans, and the wide adoption of ingress filtering. Regarding anti-spam measures, providers deploy, on average, about five different anti-spam best-practice methods.

Based on the findings of the study, ENISA also organised a workshop on anti-spam measures as part of the Inbox-Outbox event held in London in November 2007. The aim of the workshop was to bring together key European stakeholders to debate the effectiveness of current and future anti-spam measures and their compatibility with existing privacy regulations. More specifically, the workshop addressed filtering methods, emerging anti-spam approaches, spamming trends and the privacy of users. Invited speakers represented the European Commission, regulators, ISPs, anti-spam software vendors, research institutes and privacy experts. ENISA's session attracted more than 160 attendees. The contributions during panel debates and the questions following the presentations will provide input for next year's tasks.

Findings of the study

Security

Organisational aspects: Nowadays almost every provider publishes contact details for reporting security violations and e-mail abuse. Nearly half of the providers who responded run training or awareness campaigns. Two-thirds of the providers have either a BC or a DR plan. Implementation of these measures has increased since 2006. There are two interesting changes from last year's results as to how Internet Service Providers (ISPs) ensure an appropriate level of security. Firstly, there has been a large increase (from 38% to 65%) in the proportion of providers that follow the guidance contained in national legislation. This has been paralleled by a notable reduction in the percentage that follow the guidance laid down in international standards, which has dropped from 46% to 35%. ENISA encourages providers to take part in information-sharing by joining providers' associations or working groups and by attending and presenting at security conferences, so that they become better informed about new trends and best practices.

Technical aspects: Basic ingress filtering is applied by every provider. Basic egress filtering is now widely deployed, with nearly 90% of providers saying they deploy it; this has nearly doubled since 2006, when only 46% of providers used it. ENISA welcomes this development, which shows that providers are investing resources in the interest of the whole community. Last year, providers relied mainly on complaints from customers or other providers to detect anomalies, a reactive process. This year, the decrease in reliance on complaints and the increase in monitoring of traffic peaks can be seen as a move from purely reactive behaviour towards more proactive measures.

Anti-spam

Organisational aspects: About 73% of all providers process abuse reports manually. Almost half of the providers contact an ISP directly when receiving spam from that network. Different laws, time zones and languages make communication complex for providers seeking to combat spam. ENISA supports the SpotSpam project, which aims to collect and share information about spam and helps to mitigate the problem by acting as an intermediary.

Technical aspects: On average, providers combine five different anti-spam methods. Although the best practice recommended by all providers' associations is to manage port 25 (that is, to stop subscriber hosts sending SMTP directly to arbitrary mail servers on TCP port 25, routing outbound mail through the provider's own relays or the authenticated submission port instead), only 50% of the providers do so. ENISA is convinced that applying best practices will significantly reduce the amount of spam both sent and received, and therefore encourages providers to implement e-mail management best practices.
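The three technical measures the survey tracks (ingress and egress filtering of source addresses in the sense of BCP 38, and port 25 management) can be expressed as one edge policy. The Python below is an added example written for this page, not code or data from the ENISA study. It assumes a hypothetical provider whose subscriber pool is 203.0.113.0/24 and whose infrastructure, including the outbound mail relay 198.51.100.25, lives in 198.51.100.0/24 (RFC 5737 documentation ranges). "Ingress" is taken to mean traffic arriving from the Internet and "egress" traffic leaving towards it; that convention is an assumption. The sample flows are constructed, not captured.

```python
"""Provider edge-filter policy: BCP 38 anti-spoofing in both directions plus
TCP/25 management for the subscriber pool, evaluated over constructed flows.
Added example for this page; addressing is hypothetical (RFC 5737 ranges)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Hypothetical provider addressing (assumed for the example).
SUBSCRIBER_POOL = [ipaddress.ip_network("203.0.113.0/24")]                       # dynamic customer addresses
PROVIDER_PREFIXES = SUBSCRIBER_POOL + [ipaddress.ip_network("198.51.100.0/24")]  # plus infrastructure
MAIL_RELAYS = {ipaddress.ip_address("198.51.100.25")}                            # provider's own outbound MTAs
SMTP_PORT = 25
# Sources that must never arrive from the Internet (RFC 1918, loopback, link-local, "this" network).
BOGONS = [ipaddress.ip_network(p) for p in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    direction: str = "out"   # "out": subscriber -> Internet, "in": Internet -> subscriber


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def egress_filter(src, dst, dport, proto):
    """Traffic leaving the provider towards the Internet."""
    # BCP 38: a packet handed to us by a customer must carry one of our own source addresses.
    if not _in_any(src, PROVIDER_PREFIXES):
        return "drop", "egress-spoofed-source"
    # Port 25 management: subscriber hosts may only speak SMTP to the provider's relays
    # (mail clients use submission on 587 instead); the relays themselves are exempt.
    if proto == "tcp" and dport == SMTP_PORT and _in_any(src, SUBSCRIBER_POOL) and dst not in MAIL_RELAYS:
        return "drop", "port25-managed"
    return "accept", "ok"


def ingress_filter(src, dst, dport, proto):
    """Traffic arriving from the Internet."""
    if _in_any(src, BOGONS):
        return "drop", "ingress-bogon-source"
    # A packet from outside that claims one of our own addresses is forged.
    if _in_any(src, PROVIDER_PREFIXES):
        return "drop", "ingress-internal-source"
    return "accept", "ok"


def decide(flow):
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    check = egress_filter if flow.direction == "out" else ingress_filter
    return check(src, dst, flow.dport, flow.proto)


def run(flows):
    return [(flow, *decide(flow)) for flow in flows]


def summarize(flows):
    """Flows per verdict reason: the kind of figure a provider would track over time."""
    return Counter(reason for _, _, reason in run(flows))


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "192.0.2.80", 443),                   # ordinary web traffic
    Flow("10.0.0.5", "192.0.2.80", 80),                        # spoofed source arriving on a subscriber port
    Flow("203.0.113.10", "192.0.2.25", 25),                    # direct-to-MX SMTP, typical of a spam bot
    Flow("203.0.113.10", "198.51.100.25", 25),                 # SMTP to the provider's relay
    Flow("203.0.113.10", "192.0.2.25", 587),                   # submission to a remote server
    Flow("198.51.100.25", "192.0.2.25", 25),                   # the relay delivering mail
    Flow("192.0.2.5", "203.0.113.10", 443, direction="in"),    # legitimate inbound
    Flow("203.0.113.99", "203.0.113.10", 80, direction="in"),  # outside packet claiming our address
    Flow("192.168.1.1", "203.0.113.10", 22, direction="in"),   # RFC 1918 source from the Internet
]

if __name__ == "__main__":
    for flow, verdict, reason in run(SAMPLE_FLOWS):
        print(f"{flow.direction:>3} {flow.src:>15} -> {flow.dst:>15}:{flow.dport:<4} {verdict:6} {reason}")
    print(dict(summarize(SAMPLE_FLOWS)))
```

Running the block prints one verdict per flow and a count per reason; of the nine constructed flows, five are accepted and four are dropped, one for each of the policy's four reasons. The bogon list is spelled out rather than taken from `ipaddress`'s `is_private`, because that property also flags the RFC 5737 documentation ranges used here as sample addresses.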

Recommendations

Based on its analysis of facts and trends from the study, ENISA has made a series of recommendations to providers, the EC, Member States and standardisation bodies. In addition, for its own part, ENISA will examine specifically the status of DNSSEC (Domain Name System Security Extensions), which is designed to protect the Internet from attacks such as DNS cache poisoning by letting resolvers verify signatures on DNS data. It will also follow developments in the SpotSpam project and in Signal Spam (which provides best practices for users, bulk e-mail senders and service providers in order to reduce spam).


Facilitating the Working of the Internal Market for e-Communication


Secure electronic communication systems are a major factor governing the development of the Internal Market, and ENISA has a key role to play in improving the general level of e-Communication security. The Agency's tasks include identifying obstacles (technical, organisational and cultural) to secure e-Communication and ways to overcome them.

Analysing barriers – a price tag on NIS?

On 10 December 2007, the Agency organised a workshop in Brussels on "Barriers and Incentives for Network and Information Security (NIS) in the Internal Market for e-Communication". About 100 stakeholders from industry, consumer organisations, EU institutions and Member States attended the workshop and discussed the obstacles that hinder the drive for NIS in the Internal Market for e-Communication and the incentives that encourage good practice.

The workshop sought to launch a discussion among relevant stakeholders to collect their input for a report commissioned by ENISA, which aims to make the economics of security and NIS more visible on the political agenda by putting a ‘price tag’ on the value of ensuring NIS. One of the leading scholars on security economics, Professor Ross Anderson (University of Cambridge, UK), outlined the main objectives of the report he is preparing and gave some thought-provoking examples. The OECD's work on NIS economics added an international perspective.

The workshop achieved the following results:

• Identification of existing economic barriers to addressing NIS issues in a single, open and competitive Internal Market for e-Communication

• Assessment of the potential impact of these barriers on the smooth functioning of the Internal Market for e-Communication

• Identification and analysis of incentives (regulatory, non-regulatory, technical, educational etc.) for lifting these barriers

• Recommended policy options, possible follow-up actions and initiatives.

Assessing and Managing Current ICT Risks

ENISA's work on Network and Information Security (NIS) addresses both current and emerging risks. Current risks are contemporary risks that have to be managed using existing Risk Management/Risk Assessment (RM/RA) methods and tools. In this domain ENISA continued the work initiated in 2006 by updating its inventory of RM/RA methods, by looking at additional kinds of current risks in the area of business continuity and by examining the possible integration of RM/RA with other relevant disciplines in the area of technology and governance processes.

Update of the RM/RA methods inventory and demonstrators: ENISA implemented a process for updating the existing inventory of RM/RA methods and tools, based on a submission process that uses sets of templates for organisations to submit new methods and tools. During 2007, the availability of this material led to the submission of three new methods and three new tools. As further submissions are added, the inventory will become increasingly complete and accurate, and ever more helpful to external users.

As part of this task, ENISA addressed possible approaches to the integration of RM/RA with overall business processes by generating demonstrators for the deployment of RM/RA in real-life situations. This work has shown how de facto standard processes (e.g. project management, application development, configuration management, incident management etc.) are connected to Risk Management. It has also led to the establishment of good practices which will help users to integrate their Risk Management strategies with the existing operational processes related to their IT systems. ENISA focused on the completeness of the interface definitions (e.g. the input part, the output part and the conditions or events that would lead to an activation of the interface, as well as the parts played by different members of the organisation and the exchange of data). This material will serve as a solid basis for professional users in configuring their Risk Management processes.


Inventory of business continuity risk analysis methods: From the security point of view, Business Continuity involves the availability and integrity requirements for assets connected to the major operations of an organisation. Based on such requirements, continuity risks are identified by means of Risk Assessments that cover the most critical operations. The most critical operations, in turn, are usually identified by means of a Business Impact Analysis (BIA). Risk Management/Risk Assessment thus performs a crucial role in the establishment and the management of a Business Continuity Plan (BCP). While important for many organisations, business continuity is vital for the resilience of IT systems and their components. ENISA has initiated a series of activities in the area of Business Continuity for the years to come which will contribute to the generation of a publicly available information base in this area, with inventories, good practices and applicability guides. The work is aimed at providing solutions to the following general problems encountered in the area of Continuity Management in Europe:

• No overview of the contents and structure of methods, tools and good practices

• The absence of a ‘common language’ for IT Continuity Management to facilitate communication between stakeholders

• A lack of surveys on existing methods, tools and good practices.

In addition, ENISA will help establish a dialogue among the relevant stakeholders to exchange experiences in Business Continuity and generate momentum for synergies.

Integration of RM/RA with business governance: ENISA is also looking at possibilities for integration between Operational Risks and IT Risks. The management of Operational Risks includes information, system and computer risks. Integrating Operational Risks with IT Risks thus also involves security (both IT and physical) as well as the development and maintenance of information systems. However, the integration of Operational Risks and IT Risks in organisations still causes problems for Chief Information Security Officers (CISOs). The contributions from different sectors of the organisation and the nature of their involvement with Operational Risks must be clarified.

ENISA's work will generate material suggesting various possible dimensions for integrating IT Risk Management/Risk Assessment with Operational Risks. This will be demonstrated by means of process interfaces, an analysis of the parts played by different members of the organisation, input/output information and, if relevant, various conditions related to the particular context under which the interfaces will be used. If the timeframe allows, statements concerning the possible integration of the underlying IT services will also be delivered.

Besides serving as a good practice guide for integration, the results produced should assist organisations participating in supply chains, where suppliers may be required to comply with risk management requirements imposed by their customers. The material delivered will serve as the basis for measuring compliance with existing Operational Risk and Corporate Governance frameworks (e.g. to fulfil SAS 70 requirements).

RM/RA methods for SMEs: In addition to the tasks laid out in the Work Programme 2007, ENISA supported the adoption of its 2006 results in the area of Risk Management for SMEs by the UK-based International Association of Accountants Innovation and Technology Consultants (IAAITC). IAAITC has used ENISA's results to produce a comprehensive guide for training and use by its members (accountants and small businesses). The work has been supported by the Micro Enterprise Acceleration Institute (MAE-I) and has led to the deployment of ENISA's findings to a wide community of users. Building on this work, in 2008 ENISA will run a number of pilot projects to further validate the results in small businesses.


Mastering Emerging Technologies and Services


The challenge for Europe is not only to reduce current weaknesses in NIS but also to anticipate future difficulties, both in evolving technology and in new applications. Throughout 2007, ENISA continued to identify emerging risks, to analyse the R&D capabilities in Europe and to map them against new technology and service trends. A number of Position Papers on current security issues were produced, making recommendations to reduce the security risks to users.

Tackling Emerging and Future ICT Risks

In the years to come, new application scenarios and technologies are expected to emerge within the European Union. These are likely to generate new risk factors for IT assets and dependent processes, systems, products and services. Early and accurate identification of such risk factors will increase our capability to reduce and control their impact. However, the majority of Risk Management/Risk Assessment (RM/RA) methods and tools are designed to tackle risks within the timeframe of contemporary risks. RM/RA experts have to use variations of existing methods as well as mixed or new approaches to identify and calculate impacts and to mitigate emerging and future risks (EFR).

Methods for Emerging and Future Risks: To deal with this development, ENISA has initiated a project to develop an appropriate understanding of the requirements for tackling emerging and future risks and to evaluate current risk assessment and management methods for their suitability. A comprehensive set of evaluation criteria has been developed using Soft Systems Methodology. The criteria were used to assess 18 existing methods for risk assessment and management. Based on the results of this assessment, a detailed requirements definition document has been produced that establishes the foundation for the extension of current methods, or the development of new ones, to deal with emerging and future risks.

In a further step, a possible scenario-based extension of existing methods for emerging and future risks has been formulated. To provide maximum flexibility and to facilitate its integration into existing methods, a modular approach was taken which outlines clearly defined stages and interfaces. The approach has been tested with a specimen future risk scenario to demonstrate its validity and its suitability for extending existing risk assessment and management methods.

Workflow/Process model for assessing emerging and future risks: Expanding on this work and based on the findings of its earlier study, ENISA is developing a workflow/process model for the assessment and management of emerging and future risks. In this way, the Agency will support the proactive and prospective information security activities of its stakeholders. The results will also be used to identify further action required to assess and manage emerging and future risks.

Dissemination of information on emerging risks: In co-operation with the Spanish institute INTECO, ENISA organised a major event on Risk Management in Barcelona in November 2007. Entitled "Risk Management: Why Business Needs It?", the event included presentations on the different approaches to Risk Management/Risk Assessment adopted by various business sectors from five European countries. The event provided ENISA with valuable input for future developments in the area of Risk Management, especially concerning the deployment of methods and tools for SMEs.


Security Trends in Emerging Technologies and Applications

Analysing trends and developments in NIS

Observing and analysing trends and developments in NIS continued throughout 2007. Important developments in standardisation and research were followed, particularly in the area of NIS technologies, security tools and strategies, as well as emerging information and communication technologies and applications, with a view to identifying the security challenges they present and the solutions they require. The resulting report, which updated an earlier one issued by ENISA in 2006, is now available in web format. The ENISA website offers easy access to the Agency's activities in Security Technologies and also provides a window on external information and events.

Technology Cabinet

The Technology Cabinet was established to serve as a platform for gaining hands-on experience with systems relevant to security (such as software, hardware, devices, services etc.). Administered by the Risk Management section, it also provides a means of demonstrating existing technologies, methods and good practices to interested stakeholders. In particular, the demonstration capacity built into the Technology Cabinet is expected to have a significant impact.

In the second half of 2007, the Technology Cabinet was boosted by the appointment of a new staff member, and it was agreed that its design and implementation should be based on virtualisation technology. After the design phase, several procurements (hardware and software) were completed to enable it to serve the operational departments of ENISA with a hands-on IT infrastructure: security policy, tools, methodology, vendor and visitor demonstrations…

A functional platform was deployed with all the necessary primary functions: virtualisation facility, Internet access, firewall, WLAN, security policies and administration/maintenance tools. By the end of the year, the implementation of the Technology Cabinet had reached a beta version.

Many requests have already been made to the service; for example, testing environments have been set up, vendor demonstrations have been performed for the Security Policy Section, and technical support has been provided for the Knowledgebase.

ICT Security Standards Roadmap

The monitoring of NIS standardisation also continued, building on previous work. ENISA has combined forces with the ITU Telecommunication Standardization Sector (ITU-T) and the Network and Information Security Steering Group (NISSG) to produce an ICT Security Standards Roadmap, a new portal giving Europe a single access point for IT security standards. The site offers a repository of recent activities in NIS standardisation and contains an extensive list of key standardisation organisations with their descriptions and the standards they have published (also available by topical categorisation). One of the objectives of this security standards portal is to provide a central tracking facility for NIS standards. It facilitates the identification of standards and standardisation activities, as well as co-ordination among standardisation bodies, the reduction of duplicate work and easier identification of gaps.

Position Papers on Specific Emerging Security Issues

Virtual Groups of Experts

ENISA has engaged its stakeholders in ‘Virtual Groups of Experts’, working through a wiki, mailing lists and telephone conferences to collect expert opinion on topics it considers important emerging risks or key security components.

The topics covered in 2007 were Social Networking, Botnets and Reputation Systems, and three Position Papers have been published. The virtual groups have achieved considerable impact for ENISA, since they lend weight and independence to the opinions expressed and the conclusions reached.

These papers (www.enisa.europa.eu/pages/position_papers.htm) provide an in-depth analysis of technology-related risks and threats to emerging applications, and each has generated considerable interest in the media. The Position Paper on Botnets led to direct questions in Parliament being put to the Swedish Prime Minister [2]. Further to the two Papers on Online Reputation and Social Networking, ENISA has been invited to present at the European Parliament and to chair a session at Infosec 2008 alongside Facebook and LinkedIn.

Open consultations have also been initiated to collect the views of ENISA's stakeholders in response to these papers.

[2] See: www.riksdagen.se/webbnav/index.aspx?nid=101&bet=2007/08:38


Security Issues and Recommendations for Online Social Networks

Social Networking Sites (SNSs) are expanding at a dramatic rate. This position paper starts from the premise that Social Networking is a positive social phenomenon, provides an introduction to security issues in the area of Social Networking, highlights the most important threats and makes recommendations for action and best practices to reduce the security risks to users. In the light of recent security alerts on the privacy issues related to Social Networks, this paper has attracted considerable press interest.

Threats: The commercial success of the multi-billion euro SNS industry depends heavily on the number of users it attracts. Combined with the strong human desire to connect, this encourages design and online behaviour where security and privacy are not always the first priority. Users are often not aware of the size of the audience accessing their content. The sense of intimacy created by being among digital ‘friends’ often leads to inappropriate or damaging disclosures. Social Networking may be seen as a ‘digital cocktail party’. However, compared with a real-world cocktail party, SNS members broadcast information much more widely and sometimes unadvisedly, either by choice or unwittingly.

Some of the main threats identified are digital dossiers, face recognition and social engineering attacks on enterprises using SNSs. Other SNS threats include spear phishing using SNSs, reputation damage through ID theft, stalking and cyber-bullying.

Recommendations: This paper makes 19 recommendations; some of the most important include:

• Review and reinterpret the regulatory framework
• Increase transparency of data handling practices
• Awareness raising and education
• Discourage the banning of SNSs in schools
• Promote portable networks

The paper also recognises that important emerging trends, such as convergence with virtual worlds and 3D representation, misuse by criminal groups and the development of online presence, deserve further research.

Reputation-based Systems

Reputation-based systems are used by an increasing number of applications as risk management mechanisms to facilitate trust. Electronic reputation is becoming as valuable an asset as traditional offline reputation. As new applications embrace reputation-based systems, the value of online reputation is increasing, and it is becoming the target of attacks. Reputation allows users to form an expectation of behaviour based on the judgements of others, bringing the significant economic and social benefits of being able to trust people (or systems) not directly known to the user.

This paper provides an introduction to the concept of reputation-based systems, cites cases where they are used successfully, identifies a number of possible threats and attacks against them and the security requirements they should fulfil, and provides recommendations for action and best practices to reduce the security risks to users.

Extract from a letter of appreciation from a non-governmental organisation (NGO) in the US:

"On 12 November 2007, my group and another US NGO wrote to the chair of the US Federal Trade Commission asking for an investigation into the recently announced expanded data collection and targeting systems of both Facebook and MySpace.

I just read with great interest – and appreciation – your thoughtful analysis from October (as well as the June conference proceedings). It did a very excellent job raising the range of concerns, placing these networks in the proper intellectual context (as identity systems). Yesterday, I sent off your report to the FTC (Federal Trade Commission) and a number of news outlets."


The 2007 Work Programme: Key Security Themes


Four use-cases for reputation are described in this paper: online markets (such as eBay), peer-to-peer networks (for example for bandwidth management), anti-spam techniques and public key authentication (web-of-trust). From these, the main threats and attacks against reputation systems have been derived. The most important threats described are:
• Whitewash attack
• Sybil attack (i.e. pseudospoofing)
• Impersonation and reputation theft
• Denial-of-reputation
• Privacy threats for voters and for reputation owners
• Threats to ratings

The analysis of threats has led to a set of core recommendations for best practice to counter them, including:
• Develop reputation systems which respect privacy requirements
• Provide open descriptions of metrics
• Differentiate by attribute and individualisation as to how the reputation is presented
• Encourage research into:
  a. Common solutions to threats against reputation-based systems
  b. The management of global reputation
  c. Use of weightings in reputation metrics
• Research into and standardisation of portable reputation systems
• The importance of automated reputation systems for e-Government
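The whitewash and Sybil threats listed above, and the recommendation on weightings in reputation metrics, can be made concrete with a small model. The Python below is an added example written for this page; it is not ENISA's code nor a reference implementation from the position paper. The identities, the ratings, the 30-day ageing window and the 0.3 newcomer prior are all constructed assumptions. It compares a naive unweighted mean with a weighted score in which each vote is scaled by the rater's own reputation and account age and shrunk toward a low newcomer prior.

```python
"""Weighted reputation aggregation that limits Sybil and whitewash attacks.

Added example for this page, not ENISA's code. The identities, ratings,
ageing window and newcomer prior below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed policy parameters (not from the paper): a newcomer starts below the
# midpoint, so discarding a history ("whitewashing") is never a gain, and a
# rater's vote only reaches full weight once its account has aged.
NEWCOMER_PRIOR = 0.3
MIN_RATER_AGE_DAYS = 30


@dataclass
class Identity:
    name: str
    age_days: int                        # how long the account has existed
    reputation: float = NEWCOMER_PRIOR   # current score in [0, 1]


@dataclass
class Rating:
    rater: str
    target: str
    score: float                         # feedback in [0, 1]


def rater_weight(rater: Identity) -> float:
    """Weight of one vote: the rater's own reputation, scaled down while the
    account is younger than MIN_RATER_AGE_DAYS. Mass-created Sybil identities
    are both young and unproven, so each of their votes counts for little."""
    age_factor = min(1.0, rater.age_days / MIN_RATER_AGE_DAYS)
    return age_factor * rater.reputation


def naive_reputation(target: str, ratings: List[Rating]) -> float:
    """Unweighted mean of all scores: every identity counts once."""
    scores = [r.score for r in ratings if r.target == target]
    return sum(scores) / len(scores) if scores else NEWCOMER_PRIOR


def weighted_reputation(target: str, ratings: List[Rating],
                        identities: Dict[str, Identity],
                        prior_weight: float = 1.0) -> float:
    """Weighted mean of scores, shrunk toward NEWCOMER_PRIOR by prior_weight
    (a fixed number of 'virtual' prior votes). A target with no ratings
    scores exactly NEWCOMER_PRIOR."""
    num = prior_weight * NEWCOMER_PRIOR
    den = prior_weight
    for r in ratings:
        if r.target != target:
            continue
        w = rater_weight(identities[r.rater])
        num += w * r.score
        den += w
    return num / den


def build_scenario():
    """Constructed marketplace: two established raters review seller 'bob';
    an attacker then adds ten one-day-old Sybil accounts that all rate 1.0."""
    identities = {
        "alice": Identity("alice", age_days=400, reputation=0.9),
        "carol": Identity("carol", age_days=200, reputation=0.8),
        "bob": Identity("bob", age_days=300, reputation=0.5),
    }
    ratings = [Rating("carol", "bob", 0.9),   # earlier good transaction
               Rating("alice", "bob", 0.1)]   # recent bad transaction
    for i in range(10):
        name = f"sybil{i}"
        identities[name] = Identity(name, age_days=1)   # fresh, unproven
        ratings.append(Rating(name, "bob", 1.0))
    return identities, ratings


def demo() -> Dict[str, float]:
    identities, ratings = build_scenario()
    honest_only = [r for r in ratings if not r.rater.startswith("sybil")]
    return {
        "naive": naive_reputation("bob", ratings),
        "weighted": weighted_reputation("bob", ratings, identities),
        "weighted_no_sybils": weighted_reputation("bob", honest_only, identities),
        # Whitewash: bob re-registers as a fresh identity with no history.
        "whitewashed": weighted_reputation("bob_new", ratings, identities),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>20}: {v:.3f}")
```

In this constructed scenario the naive mean lets ten throwaway accounts lift bob to about 0.92, whereas the weighted score moves from about 0.41 to 0.43, because each one-day-old Sybil vote carries a weight of 0.01 against 0.8 and 0.9 for the established raters. Re-registering yields exactly the 0.3 prior, below what bob's real history earns him, so whitewashing does not pay. The two parameters are the policy levers the paper's recommendation on weightings points at: a newcomer prior below the score an honest history produces, and an ageing window long enough that creating identities costs more than the influence they buy.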

Botnets – the Silent Threat

With the support of a consultant, a third position paper was written, on botnets. The paper describes the roles and structures of criminal organisations in creating and controlling botnets, and identifies trends in this type of cyber crime. The paper also identifies online tools to identify and counter malicious code.

Typically botnets are used for identity theft, unsolicited commercial e-mail, scams, Distributed Denial of Service (DDoS) attacks and other frauds. It is estimated that more than six million infected computers worldwide are connected to a botnet. Most owners of infected computers do not even know that their machines have been compromised.

The criminal organisations behind the implementation of this new online threat are well organised. They employ software developers, they buy and sell infrastructure for their criminal activities and they recruit people (mules) for money laundering to hide their identities. They have the technical resources to continually improve their attacks – conditions that make online frauds more successful than offline ones. Lack of user security awareness combined with the common habit of using old (sometimes pirated) and unpatched operating systems increase the success of criminal exploitation.

Botnets represent a steadily growing problem threatening governments, industries, companies and individual users with devastating consequences that must be avoided. Urgent preventive measures must be given the highest priority if this criminal activity is to be defeated. Otherwise the effect on the basic worldwide network infrastructures could be disastrous.

This paper makes a number of recommendations to deal with the non-technical problems:
• Government involvement
• Better co-operation between law enforcement agencies and private companies
• User awareness

Technical solutions to the problem of botnets have been identified, including:
• Secure operating systems and software applications
• ISP co-operation
• Give law enforcement agencies the capability to clean botnets


Bridging Security Gaps in Europe


Throughout 2007, ENISA was engaged in activities to bridge the security gaps in Europe, making network and information security policies more efficient and effective at the national as well as European level. The Agency’s work involved facilitating the exchange of knowledge about incidents and consumer confidence, the exchange of best practices between Member States, the interoperability of electronic authentication systems and gaps in the provision of Computer Emergency Response Teams (CERTs) and similar facilities.

The NIS Brokerage

Exchanging experiences with others helps extend the overall capability of Europe to address security issues.

ENISA’s network of National Liaison Officers (NLOs) and other national experts in NIS from Member States met on 22 February 2007 in Brussels, where ENISA, in co-operation with the German EU Presidency, organised a Kick-off Workshop on a “European Network and Information Security (NIS) Good Practice Brokerage”.

This NIS Brokerage provides a structured approach, bringing supply and demand together. In this way, in accordance with the requirements of its Work Programme 2007, ENISA facilitates a European NIS ‘market place’ by acting as a ‘broker’ between those Member States that have developed good practices and are willing to share them and those which can learn from the experience of others.

For example, in 2007 ENISA supported the establishment of a co-operation initiative between Hungary and Bulgaria whereby, following a request from Bulgaria, ENISA is facilitating the transfer of Hungarian hands-on experience to Bulgaria in establishing a governmental CERT.

With the support of the NLOs, ENISA is well placed to identify and facilitate different types of co-operation (exchange of views, meetings, topical exchange groups, traineeships, site visits, dispatch of experts…). The work of the Brokerage involves:
• Developing models to spread newly gained knowledge
• Providing a central repository for good practices (including links to useful documents and outlines on how particular problems were tackled)
• Compiling a list of projects and funding (e.g. information about COM-initiatives etc.)
• Promoting existing EU initiatives as well as non-EU ideas within the EU
• Making a sustainable long-term commitment
• Helping bridge the language gap

There already exists a certain degree of co-operation, primarily in the fields of:
• CERTs (information exchange, quarterly meetings, annual fora)
• Awareness Raising (information exchange, formal and informal meetings, preparation of national campaigns)
• Spam (contact network of spam authorities, sharing of information and best practices)
• Electronic Signatures (fora, exchange of experience, expert groups).

Despite all this, there is still considerable scope to increase cross-border co-operation, as what currently exists is limited to a few countries. Significant improvements in efficiency and synergy, together with reduced costs, are therefore likely to be found by extending co-operation beyond national boundaries.

During 2007, a platform was developed to support the Good Practice Brokerage by making available online general information about the various co-operation models and the activities that have been carried out, together with other useful related information. The Brokerage will go online, as a pilot project initially, in 2008.

Who is Who Directory on NIS

A major tool for the interested NIS community is the annually produced Who is Who Directory on NIS – now in its third edition³. This was updated in 2007 with assistance from the National Liaison Officers (NLOs) and extended this year with the addition of contacts in the European Institutions, industry and international organisations. The directory serves as the ‘Yellow Pages’ of Network and Information Security in Europe.

³ www.enisa.europa.eu/doc/pdf/deliverables/who_is_who_dr_20080121.pdf


Towards a Common Authentication System

Taxonomy

To ensure a common understanding of what is offered by various authentication systems and to provide a basis for EU-wide harmonisation and alignment of authentication system requirements, a taxonomy for authentication systems is needed to classify methods on the basis of their characteristics. In 2007 ENISA continued to promote the establishment of compatible and interoperable authentication methods through presentations, the publication of papers, a workshop and the creation of an eID directory.

eIDs

ENISA chaired a panel at the pan-European eID conference in Leuven, Belgium, and collaborated with the ITU Focus Group on Identity Management to produce a directory of identity management standards, legislation and projects which will be made public, hosted on ENISA servers from 2008. ENISA will continue its work in this area in 2008.

As part of its contribution to the review of IDABC's eID Interoperability specifications, ENISA has written a proposal for work on extensions/updates to SAML⁴ Authentication Context, based on a set of use-cases gathered from an Interest Group run by ENISA. This is being reviewed within the SAML SSTC⁵.

Workshop on Authentication Interoperability

In June 2007 ENISA organised a workshop on Authentication Interoperability as part of the ENISA/EEMA European eIdentity conference, which was held in Paris, France, and attended by over 100 delegates. During the workshop, a number of conclusions were reached which are now guiding ENISA’s work in this area.

The workshop concluded that, although many models exist for interoperability, within national and commercial infrastructures, these can be divided into three main areas:
• Government issued credentials (e.g. national ID cards, passports)
• Commercial and banking systems’ credentials (e.g. Identrust, SEPA – the Single European Payment Area)
• Tokens conforming to international standards (e.g. European Citizen Card).

The most successful interoperability models in all areas have the following features:
• A central authority collecting specifications and mandating certain features (i.e. essentially a standardisation body)
• A body which is willing to accept liability for acts of certification and testing interoperability.

The workshop concluded that interoperability at the legal, policy and technical levels should be jointly analysed and considered. On the legal level, mutual recognition, transparency of issuance processes and privacy were recognised as significant factors. It is also important to take into account the influence of competition on interoperability (it often works against it). Solutions should be found which retain brand differentiation.

⁴ Security Assertion Markup Language
⁵ Security Services Technical Committee of the standards organisation OASIS (the Organization for the Advancement of Structured Information Standards)

All critical components of an authentication system (including middleware) should be included in certification processes. Banking (in particular SEPA) and the 2006 e-Services directive are major drivers which require international interoperability. Standards issued for authentication interoperability should be free of charge at least to not-for-profit developers.


Computer Emergency Response Teams (CERTs)

Know Your User – A Study

As everyday life is increasingly conducted online, information and the security of information systems are increasingly becoming a focus of concern for the public at large. Information system security has always been an important issue in military and corporate settings. Now home-users are becoming concerned too. Networked computer systems have become critical not only for conventional commercial and financial transactions, but also for ad hoc informal, social interactions.

There is a pressing need to address the question of how best to approach home-users with NIS information and other means of IT security, both to reach out to this target group with (CERT) security services and to achieve real impact by changing their behaviour. ENISA has begun to address this problem by initiating a study into the various types of home-users and their perception of the Internet in general and IT security in particular.

The issue can be simplified into questions about how people experience security as part of their daily lives, how they routinely decide “is this system secure enough for what I want to do?”, and about how to make the relevant features of security situations visible to users so that they can make informed decisions about potential security problems and the potential implications of their actions.

Facilitating the setting up of CERTs

To reduce areas of weakness in incident response in Europe, ENISA encourages the setting up of CERTs. In 2007, the Agency extended the impact of last year’s “CERT setting-up guide” by preparing a set of presentation slides. In a lecture of two to three hours, this presentation provides an introduction to the whole process of establishing a national response team in the Member States.

The CERT setting-up guide was used in a number of CERT projects in the EU Member States and was instrumental, for example, in the establishment of the Spanish governmental CERT (CCN-CERT).

CERT certification – a way for enhanced trust building?

Quality assurance is an important issue for CERTs, and one which ENISA supports in helping to enhance the general level of CERT performance in Europe.

During 2007, the Agency conducted a preparatory study on how certification of CERTs could act as a mechanism for building trust among the teams. A more enhanced level of trust among CERTs would stimulate communication between them – in particular the exchange of information about incidents.


But what is trust? What makes a CERT trustworthy? Where does trust come from?

For the establishment of trust, the following requirements – listed here in no particular order – play an important role:
• Availability of a CERT – to know that a CERT is still operating
• Sound business practices – in particular Incident Management processes
• Security of the CERT’s operational systems – especially protection against unauthorised access, system and information integrity and secure communications
• The CERT’s Information Security Management Systems – including risk management and contingency planning
• Expert knowledge and experience of the CERT’s staff

A mechanism for trust building will include a definition of trust building criteria, the kind of assessment to be undertaken (self-assessment or external assessment) and the anticipated assessment result (self-attestation, certification, accreditation or trust seal). Some mechanisms for trust building among CERTs already exist, and an enhanced trust mechanism should build upon these; existing trust building mechanisms are analysed in ENISA’s pre-study.

The pre-study defines trust as a set of trust building criteria which must be fulfilled in order to promote trust in communication and co-operation with a CERT.

A catalogue is therefore needed which contains the major security controls: the management, operational and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity and availability of the system and its information. The pre-study identifies existing applicable standards containing security controls which may be (re)used as trust building criteria for a CERT. All security controls of the existing applicable standards are extracted and mapped as far as possible to one single set of security controls.

Promoting best practices for CERTs

• Be prepared – CERT exercises

The concept of CERTs and their services has been evolving for more than twelve years. However, each team seems to have its own distinct set of services and its own levels at which it provides them to its constituency. As a consequence, co-operation between CERTs relies mostly on informal relations acquired through various forums and meetings. The level of help that can be obtained from a team with which there has been no previous contact is therefore often unpredictable.

By establishing a more or less standard set of exercises, it is hoped that staff in different CERTs can be trained in similar ways so that they begin to implement the same mechanisms in their everyday work. This would pave the way for close co-operation in an emergency situation, which requires established and tested communication channels and procedures to enable the mitigation of incidents.


In 2007 ENISA conducted a preparatory study for the compilation of CERT exercises that will be drawn up in 2008.

• Good practices for running a CERT

As a follow-up to the ENISA CERT setting-up guide produced in 2006, in 2007 ENISA prepared a good practice collection on how to run a CERT successfully. This collection provides guidance on what a CERT needs in order to enhance its functions and to deliver the services that progressively meet its constituency’s expectations.

The primary target groups for this collection are governmental and other institutions that have already established a CERT and are ready to take its initial capabilities to the next level, as well as established teams. The collection focuses especially on the various kinds of connections and communication channels a CERT has externally, with its management and its constituency, and internally among its team members, and demonstrates methods of coping with various difficult situations.

• Mitigation of massive cyber attacks – CERTs to the rescue!

ENISA organised its 3rd Workshop for CERTs in Europe. This time ENISA’s CERT experts teamed up with the most experienced people from the CERT Coordination Centre (CERT/CC) from Carnegie Mellon University in Pittsburgh/Pennsylvania (USA) to discuss the cyber attacks on Estonia earlier in 2007.

Estonia, with its population of 1.3 million, is one of the smallest, yet one of the most knowledgeable EU Member States with regard to IT, but it was hit by massive, politically motivated Distributed Denial of Service attacks early in 2007. Estonia relies heavily on its Internet infrastructure. Most Estonians use online banking; 85% of all the tax declarations in Estonia in 2006 were submitted online and 94% of declarers received their returns in their bank accounts five working days later. In addition, Estonia runs a number of other eGovernment services that were heavily affected by these attacks. Estonia was fortunate to have established a national-level CERT team a year previously to co-ordinate the mitigation of these attacks. Hillar Aarelaid from CERT Estonia summed up the events at the ENISA workshop.

The workshop gathered together representatives of 25 European countries, including 22 EU Member States, with a wide mix of established and new CERTs and CERTs yet to be set up. The day was divided into four sessions: “Overview of the threat environment”; “Key players in building a framework for managing cyber activities before, during and after the event”; “Legal issues that prevent or facilitate co-operation”; “Short scenario in responding”.

The very positive reaction to this event in 2007 encourages ENISA to continue with its (now almost traditional) workshops in 2008!

ENISA meets the international CERT community

ENISA supported the 19th Annual Forum of Incident Response and Security Teams (FIRST) conference, which took place from 17-22 June in Seville, Spain, as a gold sponsor. At the event, the Executive Director of ENISA, Andrea Pirotti, gave a keynote speech.

FIRST is the premier organisation and recognised global leader in incident response. The Forum brings together a variety of computer security incident response teams from government, commercial and educational organisations, and aims to foster co-operation and co-ordination in incident prevention, to stimulate rapid reaction to incidents and to promote information sharing among members and the community at large.


CHAPTER 3

Relations with ENISA Stakeholders


• Communication and outreach
• External stakeholders, ENISA bodies and groups
• EU and Member State relations
• Other relations with industry and international relations
• Measuring ENISA deliverables


Relations with ENISA Stakeholders

Communication and Outreach


Just as communications has become a policy of its own for the EU, ENISA recognises the strategic value of communications as critical for the achievement of its key operational objectives. Communication and visibility contribute in very real terms to the fulfilment of the Agency’s objective to foster a ‘culture of network and information security’. Communication and outreach to stakeholders are essential to increase the impact of the Agency’s work and meet the goals laid down in its Regulations.

The Press and Communication Section is responsible for the corporate communications of ENISA. At a horizontal level, the Section enhances, advises, guides and supports other sections of the Agency in their outreach and communication activities, be it in stakeholder relations, public conferences or communication planning for projects. The Section’s endeavours include the drive for consistency and coherence in all its communication channels (web, press releases, the ENISA Quarterly, other publications etc.) to promote the Agency’s knowledge and expertise and to strengthen the impact of its reports, studies and operations.

A reorganisation in 2007, bringing the day-to-day operations of corporate communication under the Head of the Co-operation Department, has aligned corporate communications more closely with the operational activities and departments of the Agency. This has enabled the available resources to be optimised and has improved the effectiveness of communications planning.

The Communication Action Plan 2007

In 2007, ENISA adopted a strategic approach to increase communication planning across all the Agency’s operations and a Communication Action Plan was drawn up. This document has clarified roles, responsibilities and tasks, and steered communication activities throughout the year. As a result, communication is considered a vital part of all operational activities – from their inception. This step is proving decisive in achieving results, maintaining the high quality of ENISA’s relations with other stakeholders and enhancing both the visibility and impact of the Agency. Advance planning also enables the Agency to integrate better with its stakeholders’ information and communication channels, thus increasing general outreach still further.

Implementing the Communication Action Plan – the three pillars

Internal communication is the founding pillar for securing good external communication. In 2007, ENISA’s internal communications were strengthened by the development of the Agency’s Intranet, alongside staff meetings, departmental meetings and ENISA Inside, the Agency’s internal newsletter.

The ENISA website, the central pillar for outreach, which remains a top priority and the main external communication channel, was boosted with the recruitment of a Web Developer and a Web Master during the year. Publications and media relations are also being given more emphasis in parallel with other priorities. With additional funding, brand marketing material and (repetitive) brand recognition advertising have also been commissioned, and pilot event marketing through advertisements was allocated budget to obtain wider visibility for the Agency and its activities, as recommended in the European Commission’s mid-term review.

[Figure: External Relations and Communication – Internal Communications as the base, External Communications above it, with Media Relations, Website and Publications as the three pillars]

The ENISA website: The website is being developed through restructuring and improving the information available, making it simpler and more efficient. At the same time, it is being expanded and made more accessible with new, thematic portals in order to make it a European ‘hub’ for NIS information. To increase traffic to the website, the new structure will reflect a more rational division between the areas serving the broad target audience of the website, where non-technical visitors can find information about ENISA’s goals and activities easily, and areas where experts can obtain more detailed information quickly. A new element will be a ‘Content Management System’ (CMS), which will allow authorised staff to publish articles and contribute input easily. In this way, the CMS will make the site easier to maintain and keep published information up to date. In addition, interaction between ENISA and its target audiences should gradually be improved by further developing interactive tools, such as public forums, surveys and polls, and by making online, visual material available.

Publications: The ENISA General Report and four issues per year of the ENISA Quarterly are key publications produced during the year. Moreover, corporate materials including Fact Sheets, leaflets, an ENISA brochure, ENISA material folders etc. were produced in order to widen the range of publicly available material and increase the transparency of the Agency’s operations. In this way ENISA is using communication not only as a tool for spreading information, but also to influence policy change.

A general overview of how to improve corporate and sectional publications (the ENISA Quarterly, printed reports, the General Report, Fact Sheets, Folders etc.) is being undertaken, aimed at producing guidelines to ensure consistency of style and corporate image and to facilitate production and co-ordination with the European Community’s Official Publications Office, OPOCE.

Procurements for other support services were also commissioned, including brand guidelines and brand-building materials, in accordance with ENISA’s Communication Plan.

The Media: 18 press releases were issued in 2007 to publicise the Agency’s deliverables, in conjunction with web publication of several other Agency news items, feature articles and FAQs presenting its operations. Media is, of course, well recognised as a key component and supreme multiplier to spread knowledge about the Agency’s accomplishments and to set NIS on the political agenda. Existing relationships with media contacts were strengthened in 2007, and new steps were taken to increase such contacts, in line with the high priority attached to the media in the Communication Action Plan. ENISA was featured in Le Monde, Der Spiegel, Fokus, the International Herald Tribune and other major general media in various countries, as well as in NIS media.

The first modules in a media training programme, introducing the media landscape and media relations, were held with most of the operational staff members. This programme is intended to enhance the staff’s knowledge of how to increase the visibility and impact of the Agency through consistency and coherency in all communication channels. At the same time, as an EU Agency, it also underpins the EU’s policy of increasing and enhancing communication, to raise visibility and explain its operations to the citizens of Europe in a clear language.


Conferences and (Joint) Events

Building on previous experience, the Agency continued to organise a selection of independent, not-for-profit, high-level European conferences, often in partnership with a third party such as a conference organiser or the EU Presidency. These events allow the Agency to network and promote its work in a cost-effective way, while at the same time keeping track of developments in the field.

Thematic Workshops

In addition, the Agency organised a number of thematic workshops to discuss Position Papers, the outcome of specific projects or studies etc., or to present opportunities for a first exchange of ideas to raise stakeholder interest before the launch of new Working Groups (see chapter 2).


During 2007, ENISA participated in or co-ordinated almost 40 events and conferences throughout Europe and further afield. In addition, staff attended conferences and other events to fulfil ENISA’s role in gathering and disseminating information about Network and Information Security.

[Figure: Events supported or co-organised by ENISA 2005-2007 – bar chart, y-axis “Events” (0-20), x-axis 2005, 2006, 2007; bar values as extracted: 7, then 19 and 17 fused]

[Figure: Requests for ENISA speakers at external events – bar chart, y-axis “Events” (0-50), x-axis 2005, 2006, 2007; bar values as extracted: 1, 28, 45]

[Figure: Geographical Distribution of ENISA Events and Speaking Engagements in 2007 – map with legend “ENISA events” and “Speaking engagements”]

In addition, a presentation was made at the World Information Technology Forum (WITFOR) Conference in Addis Ababa, Ethiopia.


External Stakeholders, ENISA Bodies and Groups


Creating a Network of Contacts

ENISA is a centre of Network and Information Security (NIS) expertise. This is required in its mandate, and is essential if the Agency is to effectively fulfil its advisory role.

The communities and activities involved in NIS in Europe are many. ENISA has created a good network of contacts, primarily by participating in key NIS and information society events in Europe and world-wide, liaising with experts in different fields, introducing them to ENISA and its activities, and promoting future collaboration.

Strengthening this network of contacts has two main advantages: firstly, it can help ENISA maintain close contact with NIS stakeholders and is a valuable source of information to keep its knowledge of relevant technologies updated; secondly, it facilitates outreach to the communities with technical expertise and promotes the take-up of products and services.

ENISA’s network of contacts includes key people in standardisation bodies, national industry associations and EU-level interest organisations, as well as security experts within the private and public sectors and academia. This network will be further developed during 2008 and groups of experts will be established to write position papers on selected security topics.

The Permanent Stakeholders’ Group (PSG)

In 2007, after an open call, the Executive Director appointed the members of the second ENISA Permanent Stakeholders’ Group (PSG), for the years 2007-2009. The PSG facilitates the Agency’s regular dialogue with the private sector, academia, consumer organisations and other relevant stakeholders. The Group comprises 30 independent experts who are appointed ad personam (i.e. representing neither a country nor a company, but selected for their personal skills), each with proven abilities and expertise in fields relevant to the PSG mandate and with the capacity to contribute to ENISA’s activities and to advise the Executive Director.

PSG Members represent a broad range of stakeholders including the Information and Communication Technology industry and research and academia in the field of Network and Information Security, as well as representatives from different user and consumer communities.

In 2007, PSG Members formally met four times, in February, April, September and December. Main items on the agenda of these meetings included advising on drafting the ENISA Work Programme 2008 and providing insights into future and emerging issues in NIS, the selection of topics for ENISA Position Papers and defining the terms of reference for working groups. In addition, the PSG discussed the mid-term review of ENISA commissioned by the European Commission, and provided feedback on the evaluation of the impact of ENISA deliverables. As individuals, PSG Members have contributed to ENISA’s operations by writing for the ENISA Quarterly and undertaking speaking engagements at different ENISA events.

The PSG, Management Board and the ENISA Strategy 2008-2011

To elaborate the strategic orientation of future ENISA activities, PSG Members and Members of the Management Board, together with ENISA staff, met for an informal workshop in Berlin, Germany, in June 2007. This was a follow-up meeting to last year’s successful bringing together of two ENISA bodies that have clearly defined, distinct roles within the overall ENISA structure: the Permanent Stakeholders’ Group is the source of input and advice to ENISA’s Executive Director, while the Members of the Management Board are the decision-making body of ENISA. The event proved extremely useful both in achieving a common understanding and in providing strategic orientation for ENISA. Both groups agreed to continue these informal workshops in the future.

For a list of the members of the PSG, see Appendix 4.

Management Board

In brief, the Management Board’s task is to define the general strategic orientation for the operation of ENISA, to ensure consistency between the Agency's work and activities conducted by Member States as well as at Community level, as laid down in the ENISA founding regulation. The Management Board also approves ENISA’s Work Programme, ensuring it is in line with the Agency’s scope, objectives and tasks, as well as with the Community’s legislative and policy priorities for network and information security. It also establishes and oversees the budget.

A key pillar of ENISA, along with the Executive Director and the Permanent Stakeholders’ Group (PSG), the Management Board includes one representative of each EU Member State and three representatives appointed by the European Commission. There are also three members, proposed by the Commission and appointed by the Council, without the right to vote, who represent respectively:
• The information and communication technologies industry
• Consumer groups
• Academic experts in network and information security.


Finally, there are also three observers from the European Economic Area (EEA) Member States, Liechtenstein, Norway and Iceland.

In 2007 the Management Board elected Prof. Dr. Reinhard Posch (Austria) as its new Chair. Prof. Posch succeeds Kristiina Pietikäinen (Finland), who served two and a half years as Chair of the Board.

The full Management Board met three times in 2007: in Brussels, Belgium, in Heraklion, Greece, and in Porto, Portugal.

The preparation and subsequent adoption of the Work Programme for 2008 and of the (amended) 2007 and 2008 budgets were important activities.

Also in 2007, the Management Board received the mid-term evaluation of ENISA and defined the general orientation for the operation of the Agency in the short and long term.

On the initiative of the Management Board, changes were also made to the way in which the Work Programme is drawn up. The work programmes are now being set up to accommodate multi-annual programmes, which represent mid- and long-term targets. At the informal joint meeting between the Management Board and the PSG in June 2007 in Berlin, Germany, four main topics were defined and implemented in the Work Programme 2008.

In addition, some key Management Board decisions were taken in 2007, for example on the setting of minimum standards for the Agency. These standards are based largely on those laid down by the Commission and are required under the ENISA Financial Regulation. These baseline standards reflect the organisational structure and the internal management and control systems and procedures suited for carrying out the duties of the Authorising Officer including, where appropriate, ex post verifications.

All minutes and decisions of the Management Board are available on the ENISA website.

For a list of members of the Management Board, see Appendix 3.

EU and Member State Relations

Relations with EU Bodies

Relations with the relevant committees in the European Parliament and in the Council of the EU, as well as with the European Commission, were further strengthened in 2007. The Agency organised various meetings with different representatives of EU Institutions, and meetings were held between ENISA’s Executive Director and Information Society and Media Commissioner Viviane Reding.

As NIS is dealt with not only in the Directorate-General for Information Society and Media (DG INFSO), but also in other DGs which have an interest in various NIS-related issues, ENISA arranged meetings and exchanges with representatives of DG Internal Market and Services, DG Enterprise and DG Justice, Freedom and Security. By strengthening its relationships with these major DGs, ENISA has opened up promising opportunities for co-operation.

On 27 March 2007, the Executive Director delivered a presentation to the Committee for Industry, Research and Energy (ITRE) at the European Parliament, where he presented ENISA’s role in NIS and introduced specific activities.

Members of ENISA also attended various meetings of the Working Group on Telecommunications at the European Council and are establishing potentially beneficial relationships with the members of this Group.


Relations with Member States

Various meetings were organised in the EU Member States, focussing at the beginning of 2007 on visits to Bulgaria and Romania, the new Member States. These visits provided an opportunity for an exchange of information on NIS with high level representatives, and for discussions as to how the new Member States might benefit from ENISA’s knowledge and expertise. The new Member States now participate actively in the Management Board as well as in the National Liaison Officers’ network.

High Level Dialogue on Information Security

The Portuguese Presidency and ENISA co-organised a high-level dialogue on Information Security (11 October 2007 in Porto) to enable an informal exchange of views on the future activities of the Agency. Topics discussed included ways in which National Competent Bodies, EU institutions and industry could better benefit from ENISA, and how ENISA might work with these different stakeholders to enhance the impact of its activities.

The Network of National Liaison Officers

Although not formally based on any ENISA Regulation, the network of National Liaison Officers (NLOs) set up by the Agency is of great value and importance: on the one hand, the NLOs serve as ENISA’s primary contact point within the Member States; on the other, they are well placed to reinforce the work of the Agency in the Member States, and to exchange information amongst themselves.

In addition, with input from the Member States through the NLOs’ network, ENISA was able to update the ‘Country Pages’ on its website in 2007, to provide stakeholders with the latest information about contacts and activities in the Member States.

For a list of the NLOs, see Appendix 6.

Other Relations with Industry and International Relations

Industry Relations

In addition to the regular dialogue held with the Members of its Permanent Stakeholders’ Group, ENISA has established relationships with relevant national industry associations in EU Member States as well as with a number of pan-European industry representative organisations. These organisations are important partners for ENISA in its drive to foster a culture of NIS in Europe.

Liaison has been maintained with organisations such as the Business Software Alliance (BSA), the European Information & Communications Technology Industry Association (EICTA), the European Telecommunications Network Operators Association (ETNO), the European Internet Service Providers Association (EuroISPA), the Association of European Chambers of Commerce and Industry (EUROCHAMBRES) and CENTR, the Association of Internet Country Code Top-Level Domain Registries.

In addition, ENISA has an ‘open door’ policy to all relevant stakeholder groups and in 2007 held a number of bilateral discussions with stakeholders at its headquarters in Heraklion, Greece.

During 2007, ENISA extended its relationship-building activity to the national industry multiplier organisations through personal visits and discussions with the vast majority of the EU’s 27 Member States as well as EEA countries. Through its ‘Road Show’ project the Agency presented its role and activities to national organisations, but the campaign also enabled ENISA to learn more about the work carried out at the national level in Member States and to investigate models and platforms for possible co-operation on NIS-related issues. The Road Show will continue in 2008, until all the Member States have been visited. This activity is one way in which the Agency facilitates closer co-operation with its stakeholders, finding opportunities to engage them in partnership in the planning and implementation of future Work Programmes.


International Relations

NIS is a global challenge and does not recognise borders. In its task to foster best European practice, ENISA has regularly participated as a technical expert in different working bodies of international organisations such as the Organisation for Economic Co-operation and Development’s (OECD’s) Working Party on Information Security and Privacy (WPISP). ENISA experts have also participated in the meetings and work of the European Council and of ITU-T and ITU-D groups by presenting ENISA deliverables, for example in the field of awareness raising and CERT co-operation. In addition, in close co-operation under the ITU framework, ENISA experts have engaged in a collaborative effort between the ITU-T and the Network and Information Security Steering Group (NISSG). This resulted in a portal hosting a roadmap and an inventory of vital information security standards.

ENISA experts have continued to meet and discuss global challenges in NIS with representatives from third countries, such as China, Japan and South Africa. In 2008, the Agency will continue building contacts with third countries by co-operating with IDC [6] on joint road show activities targeted at the countries bordering the EU.

EU institutional support

Drawing on its knowledge of appropriate and available expertise, ENISA was able to assist the European Data Protection Supervisor (EDPS) by suggesting a couple of national organisations which might help with a security audit of its EURODAC system (its central system consisting of a central unit, a business continuity system and terminal units at four different locations). The audit team was composed of members of the EDPS, together with representatives from the BSI (the Federal Office for Information Security in Germany) and the DCSSI (Direction centrale de la sécurité des systèmes d'information) in France. ENISA reviewed the quality standards of the report and its advice was taken into account [7].

Speaking engagements of the Executive Director

Speeches were prepared for the Executive Director for a number of high level speaking engagements in various Member States. Among the most prominent of these events were the IT Security Conference Innovation and Responsibility (4–5 June 2007, Berlin, Germany), the 19th Annual FIRST conference (17–22 June 2007, Seville, Spain), the High Level Dialogue on Information Security (11 October 2007, Porto, Portugal), the ISSE conference (25–27 September 2007, Warsaw, Poland) and the Third European Network and Information Security Conference (20–22 November 2007, Vilnius, Lithuania).

Measuring ENISA Deliverables

In fulfilling its main objectives, ENISA has produced multiple deliverables. In 2007, the Agency conducted a “Survey to assess the practical usability of ENISA’s deliverables” in the Member States. For this deliverable – as laid down in ENISA’s Work Programme 2007 – various ENISA stakeholders were questioned. Invitations were sent out to about 1000 stakeholders; respondents were mainly from governments and industry. The focus of the survey was to establish awareness, attitudes, acceptance and action related to the 22 deliverables that ENISA has produced since its inception until September 2007.

Stakeholders assigned ENISA’s deliverables high marks in terms of content and approach, and the survey suggests that the outreach has not yet reached its full potential. These first findings of the survey were presented at a meeting in January 2008 in Athens, to which ENISA’s stakeholders were invited. The findings of this survey will enable ENISA to maximise the impact of its contribution to creating a more secure e-environment for Europe.

[6] International Data Consultants: www.idc.com/about/about.jsp
[7] www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/Eurodac/07-11-09_Eurodac_audit_summary_EN.pdf

The Executive Director speaking in December 2007 at the workshop on ‘Barriers and Incentives for NIS in the Internal Market for e-Communication’ in Brussels


CHAPTER 4
Responding to Requests

• Partnership for ICT Security Incident and Consumer Confidence Information Exchange (PISCE)

• EISAS – NIS Information for Home-users and SMEs


In 2007, ENISA received five new calls for advice and assistance from:
• The Greek Ministry of Justice concerning the use of voice telephony encryption
• The Austrian Federal Chancellery
  • in the field of risk management
  • in the field of research, development and dissemination with regard to security and risk management in NIS
• The Bulgarian State Agency for Information Technology and Communications for assistance in the establishment of their Gov-CERT
• The Greek Ministry of Development concerning CERTs.

ENISA finalised responses to most of these requests in 2007.

The information requested by the Greek Ministry of Justice was sent in May 2007.

ENISA replied to numerous questions posed by the Austrian Federal Chancellery covering the whole range of IT Risk Management, and a report was delivered in July. Following this, an expert acting as project manager of the Austrian project visited ENISA for a few days in September to discuss additional and more detailed aspects of Risk Management and, as a result, ENISA prepared and delivered supplementary information on existing methods to the Austrian project team.

ENISA was unable to respond positively to the other request from Austria (the work requested was outside the Agency’s remit).

In response to the Bulgarian request, the Agency held meetings with representatives from the Bulgarian Gov-CERT and CERT-Hungary and initiated a training programme in which ENISA will offer its expertise to the Bulgarians, and CERT-Hungary will contribute its hands-on experience in the establishment of a governmental CERT.

In addition to these new requests for advice and assistance, throughout 2007 ENISA worked on its response to a two-part request received in 2006 from the European Commission. This involved preparation of a report on “Developing a trusted partnership for a data collection framework”, and a feasibility study into an EU-wide information sharing and alert system.

Partnership for ICT Security Incident and Consumer Confidence Information Exchange (PISCE)

ENISA was asked by the European Commission to examine whether it would be feasible to create a data collection framework for security incidents and consumer confidence. The objective would be to create a partnership of public and private entities which would benefit from or contribute to a data-sharing initiative. This partnership would establish a concrete framework for data-sharing activities. Data shared within this framework would relate to security incidents and consumer confidence. Such data would allow public and private, European and national organisations to base their decisions with respect to information security and consumer confidence on detailed knowledge of the risk situation, to combine various aspects to obtain a ‘big picture’, to harmonise different data collection approaches and finally to measure the success of previously implemented legal, regulatory, organisational and technical measures.

In 2007 ENISA presented this idea in various forums and publications and gathered feedback over several months. The concept of a data collection partnership and framework is complex, because it touches on four related dimensions, namely the partners, the data owners, the data users and the data collection mechanisms. All four aspects depend on each other, so ENISA decided to address them together in several consecutive iterations.

First, ENISA conducted a comprehensive survey, followed by a number of presentations and discussions. It complemented the results of this survey with extensive web research. Finally the work was completed with a workshop, where ENISA invited potential partners, presented the results of the feasibility study and initiated a partnership for data-sharing.

ENISA solicited information from all European parties who potentially have something to contribute, most notably Managed Security Service Providers, Computer Emergency Response Teams, national security organisations, statistics offices (e.g. Eurostat), IT security vendors, communication service providers and universities and other researchers.

The Agency also identified several indicators used in these data collections, surveys and reports, the conditions for sharing – or not sharing – sensitive data, the motivations for doing so (for example when reporting of incidents is required by law) and the contributions that partners might be willing to offer.

[Figure: the four dimensions of a data collection partnership – Which data? Who needs the data? Who collects the data? Where does the data come from?]


With these results, and given the scope of the problem, it is clear that one partnership for data collection (a ‘one-size-fits-all’ approach) is not feasible. It will be necessary to create new (or promote existing) partnerships of different kinds and on different levels. An additional co-ordinating partnership could tie together specific existing or new partnerships by supporting information and data exchange, harmonising collection methodologies or mediating trust.

ENISA organised a workshop in November 2007, bringing together many potential partners to kick off a general partnership which could then evaluate and decide subsequent activities. Participants in this workshop had the opportunity to decide in which way they would like to support data collection activities in the future: by pursuing a high-level, non-operational data-sharing partnership; by supporting existing and encouraging new operational data collection initiatives; or by initiating a co-ordinating partnership. Workshop participants finally opted for a phased approach, where a high-level partnership between those present along with some additional participants would start immediately. This would then evolve over time to support existing data collection initiatives. Since trust is an important element of such a partnership and can best be established and maintained face-to-face (which is more difficult for overseas partners), the workshop agreed that the partnership should be restricted mostly to European participants.

This initiative is now called ‘Partnership for ICT Security Incident and Consumer Confidence Information Exchange (PISCE)’. Its purpose is to create an information exchange on IT security and consumer confidence trend data. A primary goal of this partnership is to encourage the involvement of policy- and decision-makers. This assumes their current need is to deal with emerging threats to the resilience of and confidence in ICT in Europe.

The partnership will evolve in several steps:
• Increase visibility of existing data collections and mediate supply and demand (implemented with a wiki at http://wiki.enisa.europa.eu)
• Categorise reports, e.g. by developing a useful template, including sample size, source, time of collection (presented at a later stage in the wiki)
• Facilitate an understanding of reports, without revealing details unless in a separate trusted partnership (with a closed list and ideally with a conference)
• Develop summary reports for decision-makers (if/when/where resources allow)
• Enlarge and deepen this partnership.

The partnership was supported initially by ENISA in a minimal way until the end of 2007, with the provision of a public wiki and the hosting of a closed mailing list.

EISAS – NIS Information for Home-users and SMEs

Several publications point out that, for various reasons, the computers of home-users and SMEs are the most popular victims of targeted attacks. It is comparatively easy to incorporate these users’ computers into botnets, use them as obfuscated paths for launching attacks by hackers, as proxies to send spam, or to enrol them as repositories for spreading viruses and worms. At the same time SMEs are important to Europe’s economic growth. However, due to their size, SMEs rarely employ dedicated security personnel, so the protection of their information assets is often left to non-security experts.

In its Communication to the Council, Parliament, the Economic and Social Committee and the Committee of the Regions (COM(2006) 251) [8], the European Commission emphasised that public authorities in Member States and at EU-level have a key role to play in keeping home-users properly informed so that they can contribute to their own safety and security.

NIS information for citizens and SMEs is important

There is already a lot going on in the Member States, but ...

Systems and initiatives already exist in Europe and in the EU Member States which target home-users and SMEs with NIS-related, appropriate and timely information on vulnerabilities, threats, risks and alerts, as well as good practices. However it is clear that not all Member States take advantage of such mechanisms, and that gaps exist in the overall coverage. So the European Commission asked ENISA to “examine the feasibility of a European information sharing and alert system (EISAS)”, highlighting the Agency’s role in fostering a culture of network and information security in Europe. ENISA thus embarked on a study into the feasibility of an EISAS.

• Setting the scene

In order to provide thorough and responsible advice to the European Commission, ENISA first conducted an analysis of the current state of play in both public and private sectors in all EU Member States, and identified possible sources of security information which could potentially contribute to an EISAS. The findings of this analysis led to the development of a scenario to address both the lack of available NIS information in some Member States and to provide a (yet-to-be-determined) added value to existing information sharing systems in other Member States. Ideally such an EISAS would also build on these existing systems, firstly to avoid the duplication of effort and competition and secondly to benefit from the lessons learned and the good practices that these (national) systems can provide.

[8] COM(2006) 251 – http://ec.europa.eu/information_society/doc/com2006251.pdf

[Figure: pie chart of EU Member States (MS) with dedicated ISAS, MS with non-dedicated ISAS and MS without ISAS; segments of 48%, 19% and 33%]

48% of the EU Member States do not have any information sharing activity for home-users and SMEs.


• Feasible or not?

The study focused on the technical feasibility of an EISAS and also adopted a broader approach to ensure acceptance of such a system by EU Member States. Last but not least, the target audiences were considered. Thus, the study examined the question of feasibility from three angles:
• Technical/organisational aspect: the technical/organisational feasibility of an EISAS, including components and workflows etc.
• Political aspect: the political feasibility of an EISAS, i.e. will Member States accept and support the proposed solution?
• Social/cultural aspect: the feasibility of achieving real impact by successfully, effectively and sustainably raising NIS awareness among home-users and SMEs. This is the most crucial consideration, as the intended target groups have special perceptions and needs (e.g. language), most importantly the fact that in most cases they are not security experts.

• Results

A centralised Europe-wide Information Sharing System is not encouraged by the findings of the study as the most feasible scenario. Instead the European Union should use its position and build on existing resources to foster the establishment of information sharing systems at the national level in Member States. The study concludes with four recommendations for a potential role for the European Union:
• Act as a clearing house for good practice for national Information Sharing and Alert Systems (ISASs)
• Support new national ISASs
• Foster dialogue among existing national ISASs
• Analyse and review practice, components and processes to optimise information sharing for existing ISASs.

• But what about the user?

The feasibility study provided some interesting insight into the problems of how to adequately address home-users in order to achieve real impact. These problems have not yet been solved completely.

Some of the findings of the study are listed below:
• End-users and SMEs should be addressed in their native language.
• Messages (warnings, good practice documents etc.) should be phrased semantically in an understandable way (addressing the non-expert).
• The method of information dissemination should be thoroughly planned (i.e. other ways besides web pages and mailing lists should be examined, such as podcasts, RSS feeds, traditional media etc.) to make it as convenient as possible for the end-user/SME to obtain information.
• Information overflow should be avoided; what and when to publish should be thoroughly planned.
• Information disseminated to end-users/SMEs must be trusted by the recipients if it is to be accepted (on average, end-users and SMEs already trust national governments).
• To be accepted, information should be disseminated as close as possible to end-users/SMEs.

ENISA followed up these results with a study into User Needs for CERT Services (see page 24).

Act as a clearing house for good practice and support information sharing in the Member States

CHAPTER 5
Change and the Perspectives for 2008

• Future Perspectives

Future Perspectives

Looking at 2008, ENISA’s work programme is full of continued activities in NIS. The Agency also anticipates that 2008 will shed more light on ENISA’s future role, mandate and potential changes. We look forward to these developments as a means of equipping the Agency for new NIS challenges, and we will follow any process in the European Parliament and Council closely throughout 2008.

Our main focus, however, will be on the Work Programme 2008, where the Agency is driving for greater impact through our new Multi-Annual Thematic Programmes (MTPs). These MTPs will run for the next three years (2008-2010).

• MTP 1 ‘Improving resilience in European e-Communication networks’ focuses on the identification of current best practices, gap analysis, analysing Internet integrity technologies, and the stability of networks. This MTP will support the review of the EU Electronic Communication Directives.
• MTP 2 will develop and maintain co-operation models, in order to use and enhance the existing networks of actors in NIS. In 2008 this MTP will be devoted to:
  a) the identification of Europe-wide security competence circles in Awareness Raising & Incident Response
  b) co-operation on the interoperability of pan-European eID and
  c) the European NIS good practice Brokerage.
• MTP 3 will identify emerging risks for creating trust and confidence. The Agency will develop a ‘proof of concept’ of a European capacity for the evaluation of emerging risks, linked to a Multi-Stakeholder Dialogue Forum for public and private sector decision-makers.

Finally, the Agency will undertake a ‘Preparatory Action’, which includes a feasibility study into the needs of and expectations for NIS in micro-enterprises.

The Agency is confident that the importance of NIS for the economy and for the citizens of Europe will become increasingly apparent in the coming years. Therefore, it is with considerable optimism that we anticipate the development of ENISA and the approach to NIS in the European context.

APPENDICES

• Acronyms and Abbreviations
• Work Programme 2007 Priorities
• Members of the Management Board
• Members of the Permanent Stakeholders’ Group
• Members of the Ad Hoc Working Groups
• National Liaison Officers
• Administration

Appendix 1
Acronyms and Abbreviations

Acronym | Meaning
BC | Business Contingency
BSA | Business Software Alliance
CERT | Computer Emergency Response Team. A ’CERT’ is an organisation that studies computer and network security in order to provide incident response services to victims of attacks, publish alerts concerning vulnerabilities and threats, and to offer other information to help improve computer and network security. (see also: CSIRT)
CERT/CC | Computer Emergency Response Team Coordination Center (USA)
CSIRT | Computer Security and Incident Response Team. Over time, the CERTs (see above) extended their services from being a reaction force to a more complete security service provider, including preventative services such as alerting, advisory and security management. Therefore, the term ’CERT’ was not considered to be sufficient. As a result, the new term ’CSIRT’ was established at the end of the ‘90s. Currently, both terms (CERT and CSIRT) are used in a synonymous manner, with CSIRT being the more precise term.
Contract Agent | Staff assigned to a post which is not included in the list of posts appended to the section of the budget relating to each EU institution (as opposed to a Temporary Agent, which is included in the list)
DCSSI | Direction centrale de la sécurité des systèmes d'information
DR | Disaster Recovery
EDPS | European Data Protection Supervisor
EEMA | European Association for e-Identity and Security
EFTA | European Free Trade Association
eID | Electronic Identification
EISAS | European Information Sharing and Alert System
FIRST | Forum of Incident Response and Security Teams – a global CERT organisation
FORTH | Foundation for Research and Technology – Hellas
ICT | Information and Communication Technology
IDABC | Interoperable Delivery of European eGovernment Services to Public Administrations, Businesses and Citizens (http://europa.eu.int/idabc/)
ISAS | Information Sharing and Alert System
ISP | Internet Service Provider
ISSE | Information Security Solutions Europe – Europe's only independent, interdisciplinary security conference and exhibition
ITU | International Telecommunication Union
ITU-D | ITU Telecommunication Development Sector
ITU-T | ITU Telecommunication Standardization Sector
KPI | Key Performance Indicator
MTP | Multi-Annual Thematic Programme
NIS | Network and Information Security
NLO | National Liaison Officer
OECD | Organisation for Economic Co-operation and Development
PSG | Permanent Stakeholders’ Group
RM/RA | Risk Management/Risk Assessment
RSS | Really Simple Syndication – a family of web feed formats used to publish frequently updated content such as blog entries, news headlines or podcasts.
SEPA | Single European Payment Area
SME | Small and Medium Enterprise
SNS | Social Networking Site
WG | Working Group – ENISA Ad Hoc Working Group on a specific technical issue.

Appendix 2: Work Programme 2007 Priorities

The following tasks were stipulated in the Work Programme for 2007 – all the deliverables were completed.

Ref. | Deliverable | New activity for ENISA | Output achieved
2.1.1 | Awareness Raising Information package 2007 | No | Inventory of good practice for local government and ISP awareness initiatives published. Recommendations made.
2.1.2 | Written report on KPIs for awareness raising | Yes | Survey and case studies undertaken, report published with inventory of current practice and measurement of success. Metrics of KPIs produced.
2.1.3 | Dissemination workshop on awareness raising | No | One-day thematic workshop for 80 delegates.
2.1.4 | Operational Knowledgebase accessible to the public | No | Knowledgebase made available to the public.
2.1.5 | Presentations, papers and other contributions to promote security certificates | No | Presentations at conferences and workshops, papers published, and publication via online and print media.
2.1.6 | Yearly report on electronic communication security measures | No | Publication of yearly report, detailing measures implemented.
2.2.1 | Report on barriers and incentives for NIS in the internal market for e-Communication | Yes | Report produced.
2.2.2 | Workshop on barriers and incentives for NIS in the internal market for e-Communication | Yes | Workshop held – ‘Analysing barriers: a price Tag on NIS?’
2.2.3 | Report on demonstrations of RM/RA methods and feasibility of integration in overall business process | Yes | Report produced.
2.2.4 | Report on business continuity risk analysis methods for SMEs | No | Report produced.
2.2.5 | Report on how to integrate risk assessment and risk management into business governance | Yes | Report produced.
2.3.1 | List of information material, methods and tools needed to perform analysis of emerging risks | Yes | List produced.
2.3.2 | Report on mechanisms to process and disseminate information on emerging risks | Yes | Report produced, including identification of relevant stakeholders and their roles.
2.3.3 | Report on technological developments and trends | No | Report produced.
2.3.4 | Workshop on technological developments and trends | No | Workshop held.
2.3.5 | Position papers on specific emerging applications and recent technologies | Yes | Publication of 3 Position Papers: on Social Networking, Reputation-based Systems and Botnets.

Appendix 2: Work Programme 2007 Priorities (continued)

Ref. | Deliverable | New activity for ENISA | Output achieved
2.4.1 | Establishment of a European NIS good practice Brokerage | Yes | NIS good practice Brokerage established.
2.4.2 | Online platform for knowledge exchange on European NIS good practice Brokerage | Yes | Online platform established.
2.4.3 | New printed version of the Who is Who Directory | No | New printed version published.
2.4.4 | Presentations, papers and other contributions to promote a common authentication system taxonomy | No | Workshop on authentication interoperability held; presentations at conferences; papers to be published; contributions to online and print media.
2.4.5 | eID Directory | Yes | Report ‘Towards a Common Authentication System Taxonomy’ published. eID Directory produced with overview of relevant players in Europe.
2.4.6 | Workshop on eID | Yes | Workshop held.
2.4.7 | Report on user needs for security services (“CERT services”) | Yes | Report produced.
2.4.8 | Reviewed and updated report and checklist for setting up of CERTs and similar facilities | No | Report reviewed and updated, with checklist for setting up a CERT and similar facilities.
2.4.9 | Collection of best practices for quality assurance for CERTs and similar facilities | Yes | Collection completed; report produced.
2.4.10 | Workshop on CERTs | No | Third workshop on CERTs in Europe held; ‘Be prepared’ CERT exercises prepared; good practices for running a CERT compiled.
3.1.1 | Communication Action Plan 2007 | No | Plan produced.
3.1.2 | Up-to-date ENISA website | No | Website updated.
3.1.3 | Four issues of the ENISA Quarterly | No | 4 issues produced.
3.1.4 | Annual report on ENISA activities 2007 | No | Annual Report published.
3.1.5 | Other deliverables to implement the Communication Action Plan 2007 | No | Procurements of brand guidelines, updated Communication Strategy, brand material etc.
3.1.6 | Increased outreach through Member States’ information channels | No | Continuous
3.2.1 | Conferences and (joint) events | No | ENISA supported or co-organised 17 events
 | Thematic workshops | No | Half a dozen workshops organised.
3.3.1 | Feasibility study on a data collection framework | n.a. | Feasibility study produced.
 | Feasibility study on an EU-wide information sharing and alert system | n.a. | Feasibility study produced.

Appendix 3: Members of the Management Board

At 10 January 2008

European Commission representatives

Representative | Alternate
Fabio COLASANTI, Director General, Information Society and Media DG | Michael NIEBEL, Head of Unit, Information Society and Media DG – “Internet; Network and Information Security”
Gregory PAULGER, Director, Information Society and Media DG – “Audiovisual, Media, Internet” | Lotte KNUDSEN, Head of Unit “Fight against Economic, Financial and Cyber Crime”, Acting Director, Internal Security and Criminal Justice, DG Justice, Freedom and Security
Francisco GARCIA MORÁN, Director General, Informatics DG | Marcel JORTAY, Head of Unit, Informatics DG – “Telecommunications and Networks”

Member States’ representatives

Member State | Representative | Alternate
Austria | Prof. Dr. Reinhard POSCH, Chair of ENISA Management Board, Chief Information Officer | Herbert LEITOLD, Institute for Applied Information Processing and Communication
Belgium | Georges DENEF, Member of the Council of the IBPT | Rudi SMET, Engineer-Adviser, IBPT
Bulgaria | Stoicho STOIKOV, Deputy Chairman of the State Agency for Information Technologies and Communications (SAITC) | Slavcho MANOLOV, Advisor to the Chairman of the State Agency for Information Technologies and Communications (SAITC)
Cyprus | Antonis ANTONIADES, Senior Officer of Electronic Communications and Postal Regulation | Markellos POTAMITIS, Officer of Electronic Communications and Postal Regulation
Czech Republic | David KOTRIS, Acting Deputy Minister of the eGovernment Section, Ministry of Informatics of the Czech Republic | Marie SVOBODOVÁ, Senior Counsellor, Communication Infrastructure Department, Ministry of Interior of the Czech Republic
Denmark | Flemming FABER, Head of the IT-Security Division, National IT and Telecom Agency | –
Estonia | Mait HEIDELBERG, IT-Counsellor of the Ministry of Economic Affairs and Communications of Estonia | Jaak TEPANDI, Head of the Chair of Knowledge-Based Systems, Department of Informatics, Tallinn University of Technology

Finland | Mari HERRANEN, Ministerial Adviser, Ministry of Transport and Communications | Mikael KIVINIEMI, Ministry of Finance
France | Patrick PAILLOUX, Central Director of Information Systems’ Security, Prime Minister/General Secretariat of National Defence/DCSSI | Isabelle VALENTINI, Central Directorate of Information Systems’ Security, Prime Minister/General Secretariat of National Defence/DCSSI
Germany | Michael HANGE, Vice President of the Federal Office for Information Security (BSI) | Jörn-Uwe HEYDER, Federal Office for Information Security (BSI), International Relations
Greece | Nikolaos VLASSOPOULOS, Hellenic Telecommunications and Post Commission | Prof. Constantine STEPHANIDIS, Director, Institute of Computer Science, Foundation for Research and Technology (FORTH)
Hungary | Dr. Ferenc SUBA, Vice-Chair of ENISA Management Board, General Manager of CERT-Hungary | András GERENCSÉR, Deputy Head of Department, Ministry of Informatics and Communications of the Republic of Hungary
Ireland | Aidan RYAN, Telecommunications Adviser, Department of Communications | –
Italy | Prof. Giandonato CAGGIANO, Legal Adviser of the Ministry of Communications | Ciro ESPOSITO, Head of Department for Innovation and Technology of the Italian Presidency of the Council
Latvia | Raimonds BERGMANIS, Director, Department of Communications | Ingrida GAILUME, Head of General and International Issues Division, Department of Communications, Ministry of Transport
Lithuania | Valdemaras SALAUSKAS, Secretary of Ministry of Transport and Communications | Tomas BARAKAUSKAS, Director of Communication Regulation Authority
Luxembourg | François THILL, Accreditation, notification and supervision of PSC | Pascal STEICHEN, Ministère de l'Economie et du Commerce extérieur, Direction des Communications CASES
Malta | Joseph N. TABONE, Chairman, Malta Communications Authority | Colin CAMILLERI, Chief Technical Officer, Malta Communications Authority

The Netherlands | Edgar R. DE LANGE, Ministry of Economic Affairs, Director-General for Energy and Telecommunications | Ronald M. VAN DER LUIT, Senior Policy Adviser, Ministry of Economic Affairs
Poland | Krzysztof SILICKI, Technical Director, Research and Academic Computer Network (NASK) | Edward SELIGA, Ministry of Interior and Administration, Information Department, Information Society Division
Portugal | Pedro Manuel BARBOSA VEIGA, President of the Fundação para a Computação Científica Nacional (FCCN) | Manuel Filipe PEDROSA DE BARROS, Director of Technologies and Equipment, Autoridade Nacional das Comunicações (ANACOM)
Romania | Liviu NICOLESCU, Director General for Information Technology within the Ministry of Communications and Information Technology | Cristina STAN, Chief of Department, Ministry of Communications and Information Technology
Slovakia | Peter BIRO, Information Society Division, Ministry of Finance of the Slovak Republic | Ján HOCHMANN, Information Society Division, Ministry of Finance of the Slovak Republic
Slovenia | Gorazd BOZIC, Head, ARNES SI-CERT | Marko BONAC, Director, ARNES SI-CERT
Spain | Salvador SORIANO MALDONADO, Deputy Director – Information Society Services, Secretariat of State for Telecommunications and Information Society | Antonio ALCOLEA MUÑOZ, Senior Officer – Information Society Services, Secretariat of State for Telecommunications and Information Society
Sweden | Pernilla SKANTZE, Head of Section, Ministry of Enterprise, Energy and Communications | Anders JOHANSON, National Post and Telecom Agency, Director of the Network Security Department
United Kingdom | Geoff SMITH, Head of Information Security Policy, Information Security Policy Team | Peter BURNETT, Corporate Strategy and Policy, Centre for the Protection of National Infrastructure (CPNI)

Stakeholders’ representatives

Group | Representative | Alternate
Information and Communication Technologies industry | Mark MACGANN, Director General, European ICT & Consumer Electronics Industry (EICTA) | Berit SVENDSEN, Executive Vice President Technology/CTO of Telenor ASA and Chairman of Telenor R&D
Consumer groups | Markus BAUTSCH, Stiftung Warentest, Deputy Head of Department | Jim MURRAY, BEUC, Director
Academic experts in network and information security | Kai RANNENBERG, T-Mobile Chair of Mobile Commerce & Multilateral Security, Department of Information and Communication Systems, Goethe University Frankfurt (CEPIS) | Niko SCHLAMBERGER, Statistical Office of the Republic of Slovenia, Secretary

EEA-country representatives (observers)

Country | Representative | Alternate
Iceland | Björn GEIRSSON, Legal Counsel, Post and Telecom Administration in Iceland | –
Liechtenstein | Kurt BÜHLER, Director, Office for Communications | –
Norway | Jörn RINGLUND, Deputy Director General, Ministry of Transport and Communications, Department of Civil Aviation, Postal Services and Telecommunications | Eivind JAHREN, Deputy Director General, Department of IT Policy, Ministry of Modernisation

Appendix 4: Members of the Permanent Stakeholders’ Group

Name | Nationality | Organisation
Charles BROOKSON | British | DTI
Ilias CHANTZOS | Greek | Symantec/Business Software Alliance (BSA)
James CLARKE | Irish | WIT
Nick COLEMAN | British | IBM Europe
Andrew CORMACK | British | JANET/UKERNA/Terena
Roger DEAN | British | EEMA
Paul DOREY | British | BP
Philippe DULUC | French | France Telecom
Andreas EBERT | Austrian | Microsoft
Kurt EINZINGER | Austrian | ISPA Austria
Alfred EISNER | Dutch | ABM Consultancy
Giusella FINOCCHIARO | Italian | University of Bologna
Wim HAFKAMP | Dutch | Rabobank
Jaap-Henk HOEPMAN | Dutch | Radboud University Nijmegen/TNO
Urho ILMONEN | Finnish | Nokia
Gajewski JACEK | Polish | Consultant for NATO Public Diplomacy Division
Paul KING | British | Cisco
Cornelia KUTTERER | German | BEUC
Antonio LIOY | Italian | Politecnico di Torino
Evangelos MARKATOS | Greek | FORTH Institute
Vilma MISIUKONIENE | Lithuanian | Infobald Association
Magnus NYSTROM | Swedish | RSA Security
Jan ORUAAS | Estonian | Estonian Information Technology Society
Olivier PARIDEANS | Belgian | Alcatel
Sachar PAULUS | German | University of Brandenburg/SAP
Norbert POHLMANN | German | University of Applied Sciences, Gelsenkirchen
Yves LE ROUX | French | Computer Associates
Howard SCHMIDT | US | RH Consultancy
Jacques STERN | French | ENS
Claire VISHIK | US | Intel

Appendix 5: Members of the Ad Hoc Working Groups

Ad Hoc Working Group on Risk Assessment and Risk Management

Name | Country | Organisation
Luigi CARROZZI | Italy | DG Public Contracts Observatory
Alain DE GREVE | Belgium | Fortis
Serge LEBEL | France | Premier Ministre, Direction Centrale de la Sécurité des Systèmes d'information
Aljosa PASIC | Spain | Atos Origin
Reijo SAVOLA | Finland | VTT Technical Research Centre of Finland
Dr. Ingrid SCHAUMULLER-BICHL | Austria | Univ.-Doz., University of Applied Sciences, Hagenberg
Marcel SPRUIT | The Netherlands | Haagse Hogeschool
Dr. Lydia TSINTSIFA | Germany | Federal Office for Information Security (BSI)
Dr. Jeremy WARD (Chair) | UK | Symantec
Andrew WILSON (Observer) | UK | Information Security Forum (ISF)

Ad Hoc Working Group on Privacy and Technology

Name | Country | Organisation
Mema ROUSSOPOULOS (Chair) | Greece | FORTH
Laurent BESLAY | – | European Data Protection Supervisor (EDPS)
Caspar BOWDEN | UK | Microsoft
Giusella FINOCCHIARO | Italy | University of Bologna
Marit HANSEN | Germany | ULD Kiel
Marc LANGHEINRICH | Switzerland | ETH Zurich
Gwendal LE GRAND | France | CNIL
Katerina TSAKONA | Greece | FORTH

Appendix 6: National Liaison Officers

At 5 December 2007

Austria: Gerald TROST, Bundeskanzleramt, Büro der Informationssicherheitskommission
Belgium: Rudi SMET, Belgian Institute for Postal Services and Telecommunications
Bulgaria: Vasil GRANCHAROV, Director of Crisis Management and Defence and Mobilisation Preparation Directorate, SAITC
Cyprus: Neophytos PAPADOPOULOS, Director of the Commissioner’s Office for the Control of the Telecommunications and Postal Services
Cyprus: Antonis ANTONIADES, Senior Officer of the Commissioner’s Office for the Control of the Telecommunications and Postal Services
Czech Republic: Marie SVOBODOVÁ, Communication Infrastructure Department, Ministry of the Interior of the Czech Republic
Denmark: Charlotte JACOBY, IT-og Telestyrelsen (National IT and Telecom Agency)
Estonia: Toomas VIIRA, Estonian Informatics Centre
Finland: Mari HERRANEN, Ministry of Transport and Communications
France: Benedicte SUZAN, Central Directorate for Information Systems’ Security, General Secretariat of National Defence
Germany: Jörn-Uwe HEYDER, Bundesamt für Sicherheit in der Informationstechnik
Greece: Georgios DROSSOS, Hellenic Ministry of Transport and Communications, General Directorate of Communications, Directorate of Radio Frequency Management
Hungary: Ferenc SUBA, Head of Department, Ministry of Informatics and Communications
Ireland: Aiden RYAN, Telecommunications Adviser, Department of Communications
Iceland: Björn GEIRSSON, Legal Counsel
Italy: Giandonato CAGGIANO, Legal Adviser of the Ministry of Communications
Latvia: Ingrida GAILUME, Head of General and International Issues Division, Department of Communications, Ministry of Transport
Liechtenstein: Kurt BUEHLER, Director, Office for Communications
Lithuania: Rytis RAINYS, Head of Network and Information Security Division, Communications Regulatory Authority
Luxembourg: Pascal STEICHEN, Ministère de l'Economie et du Commerce extérieur, Direction des Communications, Commerce électronique
Malta: Joanna BORG, Senior Technical Specialist, Malta Communications Authority
The Netherlands: Edgar DE LANGE, Ministry of Economic Affairs, Director-General for Energy and Telecommunications
Norway: Heidi KARLSEN, Adviser, Ministry of Transport and Communications
Poland: Miroslaw MAJ, NASK/CERT Team Manager, Research and Academic Computer Network, CERT Polska
Portugal: Paulo FERREIRA, Fundação para a Computação Científica Nacional
Romania: Liviu NICOLESCU, Director General for Information Technology, Ministry of Communications and IT
Slovakia: Rastislav MACHEL, CISSP
Slovenia: Radovan PAJNTAR, Ministry of Higher Education, Science and Technology, Directorate Information Society, Directorate Trg
Spain: Salvador SORIANO MALDONADO, Deputy Director General for Information Society Services
Sweden: Björn SCHARIN, Adviser, National Post and Telecom Agency, Network Security Department
United Kingdom: Alice REEVES, Assistant Director, Communications Security and Resilience, Department for Business, Enterprise and Regulatory Reform

Appendix 7: Administration

Organisation chart for 2007

Administration Department
• Head of Department
• Finance: Budget Officer; Financial Assistant; Financial Assistant; Mission Co-ordinator
• Human Resources: HR Officer; HR Assistant - Recruitment; HR Assistant - Individual Rights; HR Junior Assistant
• Legal Services: Legal Adviser; Procurement Officer
• IT Infrastructure: IT Officer; Senior IT Assistant; IT Assistant
• Secretary to the Head of Department; Administrative Secretary; Office Clerk

Technical Department
• Head of Department
• Risk Analysis and Management: Senior Expert; Junior Expert
• Security Tools and Architecture: Senior Expert; Junior Expert; Expert
• Network and Information Security Policies: Senior Expert; Junior Expert; Junior Expert
• Secretary to the Head of Department; Administrative Secretary
• Technology Cabinet: Assistant to the Technology Cabinet; Web Developer

Co-operation & Support Department
• Head of Department
• Awareness Raising: Senior Expert; Junior Expert; Junior Expert
• Co-ordination of Activities with Member States and EU Bodies: Senior Expert; Junior Expert; Junior Expert
• Computer Incident and Response Handling Policy: Senior Expert; Junior Expert
• Relations with Industry and International Institutions: Senior Expert; Junior Expert; Junior Expert
• Secretary to the Head of Department; Administrative Secretary

Directorate
• Executive Director
• Policy Adviser
• Assistant to the Executive Director
• Secretary to the Executive Director; Administrative Secretary
• Press and Communications Officer; Press and Communications Assistant; Web Master
• Security Officer
• Accounting Officer; Financial Assistant; Financial Assistant

General Administration, Legal Advice and Procurement

In 2007 the goal of the Administration Department was twofold: complying with the requirements for European Agencies and simplifying administrative procedures where necessary.

In the first of these tasks, ENISA built on the excellent groundwork carried out during the initial set-up phase of the Agency over the previous two years. In 2007 ENISA focused on the feedback that had been received through statutory audits. To date, all the requirements of the Internal Audit Service of the Commission have been met in full, and the Agency has maintained a clean record with the Court of Auditors and in reporting to the European Data Protection Supervisor (EDPS).

In terms of simplifying administrative procedures, the Administration Department focused on reducing unnecessary red tape where appropriate, by reviewing transaction work flows. As a result, although the annual budget of the Agency increased by about 21%, the total number of transactions completed remained almost unchanged.

In terms of budget execution, the overall target for 2007 was to exceed 95% of the significantly higher budget available (the actual figure achieved was 97,76%). Budget execution was channelled through 47 procurement projects. Additionally the Agency signed 63 agreements for services, supplies and co-operation with third parties.

In 2007, the Department carried out its tasks in full, keeping its original headcount unchanged. In other words, the same administrative resources now service an Agency that has increased its overall staff from 47 in 2006 to 59 occupied posts in 2007.

Highlights of the year include the 100% execution of the establishment plan in early 2007, continuous vigilance to respond to staff turnover and the temporary needs of the operational departments, and providing an average of about 10 hours of training for each staff member during the year.

The priorities of 2007 – striving for a lean administration, optimising the work flow and adopting electronic working tools and working methods – will be carried forward into 2008.

Internal Control Co-ordination

As a small Agency, ENISA only operates with an Internal Control Co-ordination function that ensures the needs of the service are met in terms of compliance with internal control standards and through the outsourcing of tasks. In 2007 ENISA joined the Framework Agreement on Internal Control, which will allow it to enhance its level of compliance in years to come.

In 2007 the Report of the European Commission’s Internal Audit Service assessed the adequacy, effectiveness and efficiency of ENISA’s internal control system. Of the 14 comments received in 2006, 11 were closed in 2007; the remaining 3 are planned to close by Q3 in 2008, when the risk assessment of the Agency by an external firm will have been concluded.

Audits

In 2007 the Agency underwent a scheduled internal audit. Carried out by the European Commission’s Internal Audit Service, the audit focused on the organisational and compliance background against which the Agency operates. A scheduled external audit was carried out by the Court of Auditors to obtain reasonable assurance that the Agency’s accounts are reliable and that the underlying transactions are legal and regular. The recommendations of both audits also addressed aspects of compliance raised in 2006. The audits mark a positive trend in improving the organisational basis of the Agency, as well as its commitment to compliance with applicable rules. Activities for 2008 include establishing a panel to handle reported irregularities and moving towards an integrated accounting system (ABAC).

Physical Infrastructure

Many things that we take for granted are absolutely vital to keeping an Agency running. To mention but a few examples: procuring security services, general maintenance and office fixtures and fittings, moving walls to accommodate new staff, purchasing fuel and new equipment, tools, furniture, office supplies, plants, procuring travel agency services for all the staff’s missions, providing electricity and installing sound/smoke isolation systems, installing fire safety systems, and meeting working conditions and safety standards for the staff.

One significant achievement this year was preparing the new wing of the building for the Agency, which was taken into use to accommodate new staff, requiring several new fittings and practical arrangements.

These general services are indispensable to optimise the operations of the Agency, to allow it to function and at the same time to ensure the best possible working environment for its staff. It also requires a substantial amount of administrative work, practical effort and cross-departmental meetings to make the building, the Agency and its staff ‘run’.

Technical Infrastructure

In the first half of 2007 a Listserv service was installed. To date, several many-to-many distribution lists have been set up for user communities. In addition, a one-to-many distribution list was set up for the automated distribution of the ENISA Quarterly. This also allows users to subscribe and unsubscribe themselves.

To increase the efficiency and quality of meetings involving external parties, the services of Genesys Meeting Centre were selected. This service gives users an online tool which is integrated into their e-mail client for setting up and conducting meetings; it has proved very efficient.

The second half of the year saw the arrival of the third member of the IT Section. This allowed for the implementation of ‘Intra-ENISA’, the Intranet of ENISA. In the first phase of development, general documents have been made available, as well as an events calendar, announcements list, news pages and a site for recreational activities for staff. A site for the IT Section was also launched, offering users a user-friendly interface to obtain IT help and support. Another new system, Centurio, was put into pilot phase. This system will allow the Human Resources Section to manage staff leave and allow staff to view their leave-related data online.

Apart from the usual ongoing maintenance and support services, the IT Section implemented a centralised network monitoring tool which gives a ‘global’ view of the various services offered and early warning of any potential problems. In addition, the installation of an Uninterruptible Power Supply (UPS) dedicated to the server room, as well as a fire extinguishing system, were completed.

Page 60: ENISA – NIS is people · ENISA – NIS is people Networks, people and technology In the 21st century, we take for granted innovations such as mobile phones, computers, the Internet,

ENISA General Report 2007

56

Appendix 7Administration

Human ResourcesIn 2007 ENISA faced a number of challenges in termsof Human Resources (HR) management. Substantialresources were allocated to the recruitment andinduction of new staff due to personnel turnover aswell as to training activities that grew considerably incomparison with 2006 (mainly for management andorganisational training). Particular emphasis was alsoplaced on staff performance appraisal, payroll andstaffing costs. As a consequence of the integration ofthe HR and budget liaison office into the HR Section,the monthly management of salaries and allowancesbecame an integral part of the management tasks ofHuman Resources.

Recruitment

In 2007 several recruitment procedures were carriedout both for statutory staff (temporary agents andcontract agents) and non-statutory staff (secondednational experts and trainees) in order to ensure thefull functioning of all departments. Out of 18recruitment procedures launched in Quarters one andthree of 2007, 80% were successfully completed andsuitable candidates were consequently appointed. Alimited number of procedures will be completed at thebeginning of 2008.

Statutory staff: A total of 441 applications werereceived for all advertised statutory positions.Candidates from all over Europe showed their interestin working for ENISA. The highest number ofapplications arrived from the old EU countries such asGreece, Italy, Germany and France. An increasinginterest for assistant positions was shown bycandidates from the new Member States such asRomania, Bulgaria and Poland. The gender balancewas almost equal with a consistent majority of maleapplicants for technical posts and female applicantsfor secretarial and assistant jobs. The age indicatorpresented in the graphs below shows that the Agencycontinues to attract relatively young professionalsaged between 31 and 40 years, which reflects thedynamic environment of NIS.

Non-statutory staff: In 2007 two procedures werecarried out for the selection of five National Experts tobe seconded to the Agency’s operational departments.The national administrations continued todemonstrate an encouraging degree of co-operationwith ENISA and facilitated the secondment of highlyqualified professional experts.

Two additional selection procedures were concluded in order to offer 5-month traineeship grants to young university graduates in the field of network and information security. Thanks to the implementation of its second and third traineeship programme, ENISA welcomed four young trainees from Austria, Greece, Lithuania and Italy, and benefited from their up-to-date academic knowledge and professional enthusiasm.

The HR team also completed the selection of a local employment agency to enable ENISA to hire appropriate support staff to meet short-term needs.

With regard to the recruitment procedures completed in 2007, the following graphs show statistics about the applicants, based on the following indicators:

1) Gender: In comparison with 2006, the number of female applicants has slightly diminished; the fact that the majority of advertised vacancies in 2007 was for technical posts may have been a factor in this.

2) Nationality: ENISA has continued to attract female and male applicants from the older and more southern Member States, in particular from Greece, Italy, Belgium, Spain and France. The number of applicants from the countries which have joined the EU recently has increased considerably (particularly from Romania and Bulgaria).

[Figure: Applicants by Gender: Females 217 (49%), Males 224 (51%)]

[Figure: Applicants by Nationality: bar chart of applicants per country (BE, DE, DK, ES, FI, FR, GB, GR, HU, IT, LU, SK, EE, IE, AT, CZ, LT, LV, PL, PT, SI, SE, MT, NL, RO, BG, CY, dual nationality, non-EU); the individual bar values are not recoverable from the extracted text]


Appendix 7 Administration

3) Age: The Agency continues to attract young professionals aged between 30 and 40 years.

4) Function group: The percentage of applicants for the assistants’ function group has increased by 10% compared with 2006. This shows a new tendency, indicating the difficulties which the Agency is experiencing in attracting highly experienced staff for administrators’ posts.

Staff Members at 31 December 2007

In 2007, 73% of the posts foreseen in the establishment plan were filled. The number of new staff appointed remained quite high. However, in comparison with 2006, the high rate was not due to an increase in the number of posts but to the re-publication of vacancies and staff departures. The HR team welcomed 15 new staff members and ensured their smooth relocation into their new working and living environment.

By the end of 2007 the Agency’s staff comprised 53 statutory staff members (made up of 42 temporary agents and 11 contract agents), compared with the target anticipated in the Agency’s budget of 56 statutory positions.

An analysis of the ENISA staff, looking at four main indicators (gender, nationality, age and function group), produces the following conclusions:

1) Gender: The separation between males and females remains balanced, as in 2006. There is a slight increase in female staff; however, male staff continue to make up the majority, with a high percentage of males in the administrators’ function group.

2) Nationality: 16 out of the 27 nationalities of the European Union are represented, with a high percentage from the ‘old’ Member States (Greece, Italy, Belgium, France and Germany).

[Figure: Applicants by Age, by year of birth (age in 2007): 1940-1949 (57-66): 4; 1950-1959 (47-56): 30; 1960-1969 (37-46): 114; 1970-1979 (27-36): 234; 1980-1989 (17-26): 59]

[Figure: Applicants by Function Group: Assistant 294 (67%), Administration 147 (33%)]

[Figure: Staff Members by Gender: Females 43%, Males 57%]

[Figure: Staff Members by Nationality: bar chart of staff members per country (BE, DE, ES, FI, FR, GB, GR, IT, SK, EE, IE, AT, PT, SE, NL, CY, dual nationality); the individual bar values are not recoverable from the extracted text]

[Figure: Administration Staff Members by Gender: Females 25%, Males 75%]

[Figure: Assistant Staff Members by Gender: Females 64%, Males 36%]


3) Age: The majority of staff continues to be aged between 31 and 40 years. Since its establishment, the Agency has attracted mainly young professionals oriented to achieving objectives and increasing their performance.

The Agency’s location and the grading of the advertised posts have a direct impact on the age of the applicants and the composition of the Agency’s staff.

4) Function group: The majority of staff members occupy posts at administrator level, with a high percentage of male staff. The majority of female staff occupy assistants’ positions.

Recruitment policy: All calls for expression of interest in ENISA posts were published on the Agency’s website as well as on the website of the European Personnel Selection Office. Technical posts were also advertised in the specialised press.

ENISA takes great care in its recruitment procedures to avoid any form of discrimination based on age, race, political, philosophical or religious conviction, gender or sexual orientation, disabilities, marital status or family situation. The Agency strictly applies the rules of the Staff Regulations of the European Communities in respect of the principles of equal treatment, transparency and objectivity.

Training

In 2007 enhanced emphasis was put on the training activities, which have increased considerably since the Agency was set up. ENISA considers training an integral part of its human resources policy. Training expands and improves individuals’ competencies so that each staff member can contribute optimally towards achieving the Agency’s goals and can reflect its core values of excellence, professionalism and service.

Language courses in Greek, English, French and German continued to be delivered throughout the year. This training is aimed at facilitating the integration of the staff into the local environment and improving communication skills. Additional training in organisational and personal development, as well as management training, was successfully delivered on the Agency’s premises by highly experienced trainers.

In 2007 ENISA reached the overall objective of providing an average of 10 days of training per person per year, in accordance with the guidelines set by the Commission’s Learning and Development Framework.

Additionally, HR supported the staff in their participation in individual training courses at specialised training centres outside Heraklion. These training courses, organised through individual initiative, enable the staff to enhance their professional knowledge.

Other HR Developments

A number of HR policies were also introduced to improve the working conditions of ENISA’s staff, such as the code of conduct and the appraisal system. With specific attention to the latter, the first yearly career development report (CDR) exercise was launched in 2007 and contributed to the performance assessment of the entire staff. Career objectives and training paths were also set for the professional development of each staff member. The overall appraisal evaluation confirmed the high level of ability, efficiency and integrity of the Agency’s staff.

HR worked in close co-operation with ENISA’s Staff Committee in order to establish and maintain an open and constructive bilateral dialogue between staff and management. Among its activities, the Staff Committee was involved in recruitment procedures and nominated a full member of the selection panel for all interviews organised for temporary and contract agents. The Staff Committee was also consulted on the finalisation of the implementing rules of the Staff Regulations and on any relevant matter related to staff welfare.

The HR team also dealt with general HR activities that entail recurrent daily tasks, such as leave and absence management, financial operations, and the follow-up of specific budget lines linked to training, medical visits, expenses for interviewing candidates and the hiring of interim staff.

[Figure: Staff Members by Age, by year of birth (age in 2007): 1940-1949 (57-66): 2; 1950-1959 (47-56): 4; 1960-1969 (37-46): 16; 1970-1979 (27-36): 28; 1980-1989 (17-26): 3]

[Figure: Staff Members by Function Group: Assistant 47%, Administration 53%]


Finance and Accounting

The Finance and Accounting Sections carry out functions associated with the management of the Agency’s Budget, the preparation of the Financial Statements in line with its Financial Regulation and the Audits conducted by the Court of Auditors.

Specific activities of the two sections include:
• Implementation of the approved budget
• Establishment of Internal Controls, as appropriate, in order to address possible financial risks
• Reporting on the Annual Budget, including budget status reports and providing an analysis of key aspects
• Budget revision and execution of budgetary transfers
• Planning of the Budget and presentation to the Management Board and the Budgetary Authority for adoption, as appropriate
• Ensuring adherence to the accounting rules
• Validation of the new systems put in place and continuous checking of existing ones
• Keeping the Accounts
• Preparation of the Annual Financial Statements
• Preparation of the Reporting Package for consolidation purposes with the European Commission’s Accounts
• Regular financial reporting to the European Commission and the Court of Auditors

Budget Execution

The Budget 2007, as amended on 25 September 2007, reached €8.416.928, which represents an increase of 21% compared with 2006 (€6.940.080). Appropriations were committed at a rate of 97,76% (compared with 90% committed in 2006) to honour obligations related to the operational costs of the Agency and the activities required under the Work Programme 2007. Payments reached the level of 73,51% of the total appropriations managed. This is an indication of very positive performance, showing an upward trend in the capacity of the Agency to use the budget with which it is entrusted. This was achieved in conditions of increased efficiency, as the total number of transactions required has remained relatively unchanged since 2006 and, at the same time, 17,5% of the budget was only made available in the fourth quarter of the year. This explains the high rate of appropriations carried over and the relatively low rate of appropriations paid in 2007.

The Agency’s budget is divided into three parts or ‘titles’:

• Title 1 – Staff expenditure: Staff expenditure was as foreseen, with 97,41% of appropriations committed at the end of the year. The respective rate of payments was 94,34%. The management of Title 1 funds improved when compared with 2006, where the respective rates demonstrated commitments of 92,54% and payments of 87,75% on appropriations.

• Title 2 – Administrative expenditure (Functioning of the Agency): The funds allocated to administrative expenditure were used as planned, with 97,22% of appropriations being committed by the end of the year, and 77,82% paid. The respective figures for 2006 were 92% and 77,11%.

• Title 3 – Operating Expenditure: 98,42% of the funds allocated to the operating expenditure of the Agency, i.e. the funds directed to the core business of the Agency according to the 2007 Work Programme, were committed, with the total rate of paid appropriations reaching 43,71%. The respective figures for 2006 were 82,80% and 53,63%.

Financial Reporting

According to Article 82 of the Financial Regulation, the Agency’s Accounting Officer sent to the Commission’s Accounting Officer the Provisional Accounts, together with the Report on Budgetary and Financial Management. Subsequently the Commission sent the Provisional Accounts to the Court of Auditors.

Based on the observations of the Court of Auditors, the Executive Director sent the Final Accounts to the Management Board, which gave its opinion on them. Finally the Executive Director submitted the Final Accounts, along with the opinion of the Management Board, to the Commission, the Budgetary Authority and the Court of Auditors.

The Final Annual Accounts will be published in the Official Journal of the European Communities together with the statement of assurance which will be given by the Court of Auditors.

The Financial Statements included in the Annual Accounts are the following:


Balance Sheet (amounts in €)

                                                31.12.2006    31.12.2007
I. Non Current Assets                              344.932       373.352
   Intangible fixed assets                          32.564        36.176
   Tangible fixed assets                           312.368       337.176
II. Current Assets                               2.575.036     2.480.483
   Short-term receivables                           55.843       101.357
   Cash and cash equivalents                     2.519.193     2.379.126
Total Assets                                     2.919.968     2.853.835

III. Non Current Liabilities
IV. Current Liabilities                          2.289.543     1.410.260
   EC pre-financing received                     1.124.138       328.971
   EC interest payable                              88.829       125.560
   Accounts payable                                432.531       113.977
   Accrued liabilities                             578.173       686.535
   Provisions                                       65.872       155.216
Total Liabilities                                2.289.543     1.410.260

V. Net Assets                                      630.425     1.443.575
   Accumulated result                              630.425     1.443.575
Total Net Assets                                   630.425     1.443.575

Economic Out-turn Account (amounts in €)

                                                      2006          2007
Revenue from the Community Subsidy               5.475.862     7.987.957
Other revenue                                       12.309       202.642
Total Operating Revenue                          5.488.171     8.190.599

Administrative expenses                         -4.717.893    -5.176.051
   Staff expenses                               -3.100.024    -3.572.833
   Fixed asset related expenses                   -103.279      -125.837
   Other administrative expenses                -1.514.590    -1.477.381
Operational expenses                            -1.236.173    -2.198.765
Total Operating Expenses                        -5.954.066    -7.374.816

Surplus/(deficit) from operating activities       -465.895       815.783
Financial expenses                                  -1.932        -2.633
Surplus/(deficit) from ordinary activities        -467.827       813.151
Economic Result for the Year                      -467.827       813.151

Cash Flow Statement (amounts in €)

                                                      2006          2007
Surplus/(deficit) from ordinary activities        -467.827       813.151

Operating activities
   Amortisation (intangible fixed assets)            9.392        12.516
   Depreciation (tangible fixed assets)             93.887       113.322
   Increase in provisions for liabilities                0        89.344
   Increase in short term receivables              -42.566       -27.361
   Decrease in accounts payable                   -606.436      -121.991
   Increase in liabilities to consolidated
   entities                                      1.126.736      -864.790
Net cash flow from operating activities            113.186        14.190

Cash flows from investing activities
   Purchase of tangible and intangible
   fixed assets                                   -104.043      -154.257
Net cash flow from investing activities           -104.043      -154.257

Net increase in cash and cash equivalents            9.143      -140.067
Cash at the beginning of the period              2.510.050     2.519.193
Cash at the end of the period                    2.519.193     2.379.126

Statement of Changes in Capital (amounts in €)

                                    Reserves   Accumulated   Economic result     Capital
                                               Surplus/Deficit   of the year
Balance as of 1 January 2007               0     1.098.252        -467.827     630.425
Allocation of the Economic Result
  of Previous Year                                -467.827         467.827           0
Economic result of the year                                        813.151     813.151
Balance as of 31 December 2007             0       630.425         813.151   1.443.575


European Commission

General Report 2007
European Network and Information Security Agency

Luxembourg: Office for Official Publications of the European Communities

2008 – 64 pp. – 21cm x 29.7cm

ISBN: 978-92-9204-004-8
ISSN: 1830-981X

Catalogue no.: TP-AB-08-001-EN-C

The report is also available on mini disk:

ISBN: 978-92-9204-005-5
ISSN: 1830-9828

Catalogue no.: TP-AB-08-001-EN-Z


How to obtain EU publications

Priced publications are available from the EU Bookshop (http://bookshop.europa.eu/), where you can place an order with the sales agent of your choice.

The Publications Office has a worldwide network of sales agents. You can obtain their contact details by sending a fax to (352) 29 29-42758.


ENISA – European Network and Information Security Agency
PO Box 1309, 710 01, Heraklion, Greece
Tel: +30 2810 39 12 80, Fax: +30 2801 39 14 10
www.enisa.europa.eu
