The various committees of the European Parliament have now published their response to the Commission’s draft Network and Information Security Directive. Their proposal is much more narrowly focussed than the Commission’s: public administrations are excluded (though individual Member States are allowed to opt theirs in), as they already “have to exert due diligence in the […]
Tag: Breach Notification
Posts relating to requirements to notify security breaches
The Department for Business, Innovation and Skills has published a summary of the responses to its consultation on the proposed EU Directive on Network and Information Security (NIS) (JANET’s response). Summarising that summary (!): There seems to be agreement that there is a role for the EU in Network and Information Security, in particular in […]
Two talks on the first day of the FIRST conference highlighted the increasing range of equipment and data that can be found on the Internet, and the challenges that this presents both for risk assessment and, if incidents do happen, assessing the severity of the possible breach and what measures need to be taken. Eireann […]
Critical Cloud Computing
ENISA’s Critical Cloud Computing report examines cloud from a Critical Information Infrastructure Protection (CIIP) perspective: what is the impact on society of outages or attacks? The increasing adoption of the cloud model has both benefits and risks. A previous ENISA report noted that the massive scale of cloud providers makes state of the art security […]
EU Cyber Security Strategy
The European Commission’s Cyber Security Strategy aims to ensure that Europe benefits from a “robust and innovative Internet”. The Strategy has five priorities: Achieving cyber resilience; Drastically reducing cybercrime; Developing cyberdefence policy and capabilities related to the Common Security and Defence Policy (CSDP); Develop the industrial and technological resources for cybersecurity; Establish a coherent international […]
Reporting Information Security Breaches
An interesting, though depressing, figure from Verizon’s 2012 Data Breach Investigations Report is that 92% of information security breaches were discovered and reported by a third party. Not by the organisation that suffered the breach, nor by its customers who are likely to be the victims of any loss of personal data, but by someone […]
I’ve submitted a Janet response to a European consultation on a future EU Network and Information Security legislative initiative. The consultation itself seems to suffer from “if you only have a hammer” syndrome: if you’re a legislator then it must be tempting to think that all problems (lack of reporting of “cybercrimes”, insecure end-user computers, […]
ENISA on cyber incident reporting
ENISA have published an interesting report on cyber incident reporting. Their scope is wide – incidents range from the failure of a certificate agency to storms creating widespread power (and therefore connectivity) outages. In each of these areas they find a common pattern, where governments are trying to encourage (or mandate) notification of incidents in […]
MoJ Summary of Data Protection Responses
The Ministry of Justice have published a summary of the responses to their consultation on European Data Protection proposals. On the issues we raised around Internet Identifiers, Breach Notification and Cloud Computing there seems to be general agreement with our concerns. No one else seems to have mentioned Incident Response specifically, but there was a […]
Draft EU Regulation on eIdentities
The European Commission have proposed a draft eIdentity Regulation, to replace the current eSignatures Directive (99/93/EC). While the proposal is mostly concerned with inter-operability of national electronic IDs and improving the legal significance of digital signatures, timestamps, documents, etc. there are also some new requirements on “trust service providers”. According to Article 3(12), Trust Services […]