ENISA report on the state of the art of Network and Information Security in Europe

Date : March 04, 2009

Objectives

From June to December 2008, ENISA (European Network and Information Security Agency) conducted research to produce a series of country-by-country state-of-the-art reports on Network and Information Security (NIS). The countries concerned are the 27 member countries of the European Union and 3 non-EU countries (Iceland, Liechtenstein and Norway), which nevertheless are members of the European Economic Community.

 
Organization of the report

For each country, the report presents the collected information divided into several sections: general information about the country, the country's key factors, an overview of the actors, a review of the actors, activities, events and current trends. Categorizing the various actors and the relationships between them was one of the main objectives of the project. The per-country diagrams represent the most important areas in which government agencies have an impact on NIS: development and implementation of security policy, privacy and data, electronic communications, critical infrastructure protection (CIP/CIIP) and "Computer Emergency Response Team" (CERT).


General trends

The results show that institutions and responsibilities vary significantly from one country to another. However, the following trends can be identified:

Government agencies:
The agencies most involved in defining NIS policies and strategies are: the Ministry of Communication, the National Regulatory Agency for Electronic Communications, the National Office for Data Protection, the Ministry of the Interior, the Ministry of Defense, and the Ministry (or Department) for public administrations.

NIS Public Entities:
Their main objective is to promote information security at the national level, to provide advice and recommendations, to analyze the national security situation and to define plans and initiatives. These entities generally have very broad responsibilities. Their main tasks involve the collection of information on major security problems, the development of technical and scientific expertise and the provision of data for major government policies. In particular, these entities must ensure, approve and certify the security of national information systems. They also participate in the development of security products and software for the public sector. They are present in about one third of the countries covered by the study.

CERT:
There are approximately 100 active CERTs in the European Union, but their geographical distribution is very uneven. Almost all countries have one or two CERTs in the public sector, responsible for government or academic/research networks. In most countries, one CERT is the main contact for NIS security at the national level, working with its counterparts in other countries and managing crises and other activities with the other CERTs of the country. This role is usually held by the governmental CERT.

The case of France

An overview of the adoption of information technologies in France is essential to fully understand this NIS study. Indeed, the more a country relies on this type of technology for its business, government and private activities, the higher the security risks.
On the chosen indicators (percentage of the population with Internet knowledge, percentage of online buyers and Internet penetration rate), France is above the European average. France is also a leading country in terms of e-government initiatives.

NIS actors in France mentioned in the report:
DCSSI (Direction Centrale de la Sécurité des Systèmes d'Information) is recognized as the national security agency for the development and implementation of the national information security policy.

CNIL (Commission Nationale de l'Informatique et des Libertés) is responsible for compliance with data protection laws.

The three CERTs mentioned in the report are CERTA, CERT-RENATER and Cert-IST.

Security incidents:
The report points out, for most of the countries studied, the lack of statistics and of a common approach, which prevents the study of recent security incidents. The incident frequency is still rising steadily in Europe (sensitive data theft/loss, human error, equipment failure, loss, piracy and problems related to access control).

Within the previous 12 months, no security incident has been reported in France.

Conclusion

This report provides a better understanding of both the state of information and network security in Europe and the strengths and weaknesses of each country covered by the study.

For more information:


The ENISA report: http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_country_reports_2009.pdf
