[Global_industry_committee] EC consultation on risk management and breach reporting

Colin Watson colin.watson at owasp.org
Wed Aug 1 17:35:19 UTC 2012


GIC members

The European Commission has published a consultation document called
"Improving Network and Information Security (NIS) in the EU" but
essentially relating to future risk management and breach reporting
requirements. Currently in the EU only telecoms companies and ISPs
are subject to breach reporting.

   Background information
   http://ec.europa.eu/information_society/digital-agenda/actions/infosec-consultation/docs/Background-document.pdf

   Consultation
     As PDF
     http://ec.europa.eu/yourvoice/ipm/forms/formpdf/securitystrategy2en.pdf

     As online form
     http://ec.europa.eu/yourvoice/ipm/forms/dispatch?form=securitystrategy2

Some of the questions appear to be a good fit for OWASP to respond to,
for example:

---------------------------------------------------

   3.9. Information exchange between private companies and between the
public and private sector on incidents, threats and risks is key to
share best practices, build capabilities, develop trend analysis,
manage risks effectively or reduce the impacts of incidents. What are
the most effective ways to facilitate such exchanges at EU level
(please explain)?

   3.16. Everybody (business, consumers and governments) should ensure
a minimum level of protection against cyber threats. Do you agree?

   3.17. Which actions can reasonably be expected to be taken
respectively by business, consumers and governments to better protect
themselves on-line?

   3.18. It is key to empower consumers and help them identify
companies with good levels of cyber security protection. Which is the
best way to achieve this objective?
       - Stimulate the development of industry-led standards at EU level [or]
       - Give guidance at EU level to enable consumers to
differentiate good security products and services [or]
       - Define compulsory security standards for goods and services
at EU level [or]
       - Other

   3.19. If you chose other [in 3.18], please specify

   3.22. People driving a car are required to take security measures
to protect themselves and others. Do you consider that people using the
Internet should also be subject to security obligations? If yes, which
ones?

   3.23. It is important to ensure security throughout the supply
chain. Which is the most effective way to encourage all actors in the
value chain (e.g. product manufacturers, software developers and
Internet companies) to invest in security solutions at an appropriate
level?

   4.1.7. Would you in principle be favourable to the introduction of
a regulatory requirement to manage NIS risks?

---------------------------------------------------

And perhaps some US experience of breach reporting would be useful input.

Do you think OWASP should submit a response? If so I'd like to float
the idea on the Leaders list to see who might run with it. It will
take more than one person. Responses have to be submitted by 15
October 2012.

Colin
