ENISA: Interview with Dr Louis Marinos, Senior Expert on Risk Management
Posted by Redazione on Fri, 2006-10-20 13:11
English | ENISA | IT Colloquia | October 2006 | Risks
Louis Marinos is coordinator of the ENISA Ad-hoc Working Group on Risk Assessment and Risk Management.
IsacaRoma (IR): Thanks for your collaboration, Dr Marinos. Recently ENISA announced its first deliverable in the area of Risk Management: the Inventory of Risk Management/Risk Assessment Methods and Tools. Can you present it?
Louis Marinos (LM): Right after the establishment of ENISA back in 2004, Risk Management was identified as one of the most important issues when coping with Information Security. At that time the need to generate a knowledge base on methods, tools and best practices on Risk Management was identified. Thus, after starting operations in Heraklion, we concentrated on the establishment of an inventory of methods and tools. The purpose of this was to inform interested stakeholders about existing methods and tools, so as to help them in the selection process. In cooperation with the ENISA Ad-hoc Working Group on Risk Assessment and Risk Management, we have assessed the most important methods and tools used in Europe. We know that our inventories are not exhaustive. This is mainly due to restricted personnel capacities. Nevertheless, interested stakeholders will be in a position to submit their methods, tools and best practices. We hope that our knowledge base will emerge over time and will become a valuable instrument in the area of Risk Management. The URL for this resource is http://www.enisa.europa.eu/rmra/rm_home.html
IR: What about RA/RM methods for Small and Medium Sized Enterprises (SMEs)?
LM: As with most things in life, there is no "one size fits all" answer to this question. This is due to the wide variety of SMEs (from 500 to 2 employees) and the diversity of the processed information (from public to very confidential). Accordingly, the appropriate methods might range from complex ones to simplified best practices just covering the risks of common assets (e.g. PCs, offices and information objects of medium confidentiality). In order to facilitate the use of the information in the inventories, we decided to use templates for the description of each method and tool. The templates consist of many attributes, some of them being relevant for SMEs (for example the spread of the method, the sector supported by the method, the customizability of the method, etc.). In order to decide on one method, interested stakeholders have to weigh these attributes and then find the most suitable method. In the future, ENISA will further elaborate on the expression of criteria for the selection of methods and will release explicit aids (examples, best practices) for SMEs to support them in selecting an appropriate Risk Management approach.
IR: ENISA Ad-hoc Working Group on RA/RM identified several areas of investigation; what about the road map?
LM: The Risk Management road map, as it can be found on the Risk Management web site, is the accurate version of the road map. This road map has been developed jointly with the Working Group and has already been anticipated in the ENISA Work Programme 2007 (the document has been submitted to the ENISA Management Board for final acceptance). Some items from the road map that lead into the Work Programme are, for example, the coverage of emerging risks and business continuity risks for next year. However, the road map is a living document. New emerging issues in Risk Management will be integrated into the road map. User requirements raised, for example, within the ENISA Workshop in Rome will be included in future versions of the road map.
IR: One of the most important issues of RA/RM is about emerging risks. What is your vision?
LM: Emerging risks are one of the aspects we currently work on. For this year (2006) there is no deliverable planned in this area. This does not mean that we are not active: some initial work has been performed or is under development. Some examples: an initial study on the current state of the art in emerging risks, a road map for emerging risks, and initial considerations on methods to gather and disseminate information on emerging risks. As foreseen in the ENISA regulation, emerging risks comprise a main field of activities. At that level, ENISA should play a central role in the collection, processing and distribution of information on emerging risks.
IR: RA/RM and Business Continuity Plan: what about their relationships?
LM: From the Risk Management point of view, business continuity is a matter of coping with continuity risks. Thus, we include business continuity fully in our portfolio. For next year (2007), we plan to initiate inventories for Business Continuity. As always, we are going to mainly consider IT-related continuity, as the role of ENISA is to concentrate on Information Technology.
IR: Last but not least: the ENISA Workshop on Risk Management in Rome in October; could you present it?
LM: ENISA organized a workshop on Risk Management on 13 October 2006. The purpose of the workshop was to present ENISA's results of 2006 in the area of Risk Management, and also to gather user requirements and user feedback in that area. The interest of the related community was manifested by more than 40 European experts who attended the workshop. They represented different areas and aspects of Risk Management, ranging from education and training to the Risk Management needs of small and large companies. The interest of the participants is reflected in the issues discussed and the feedback we gathered.
A report on the workshop, the issues discussed and the presentations held can be obtained at the URL http://www.enisa.europa.eu/rmra/events.html
IR: Thanks, Dr Marinos.
LM: I would like to thank you, on behalf of ENISA, for the opportunity to give this interview.
(Italian version here - by Agatino Grillo)