Friday, March 16, 2012

The European Network and Information Security Agency (ENISA) has launched a stock-taking exercise, using a questionnaire, to establish an inventory of publicly available sources on information security. Using already existing information in an aggregated format will lead to faster assessments with less effort.

Therefore, collection and aggregation of existing data and sources is an effective tool to raise information security.

A main objective of this work is to include publicly available data on information security risks and opportunities, to be used in all upcoming assessments. The result of the stock-taking exercise/questionnaire is an online inventory. 

In the framework of the Agency’s work on “Identifying and Responding to the Evolving Threat Environment” in 2012, ENISA assesses emerging risks and opportunities. This forward-looking activity is an essential step to address future information security challenges. Collection and aggregation of existing quantitative data is a long-term objective that will be refined in future versions of the Agency Work Programme.

Among other things, the questionnaire looks at organisational issues, security risks, opportunities, and security trends.

How to contribute? Fill in the stock-taking questionnaire.

This template should be filled in by operators of publicly available information sources on information security. The source provides data on information security risks and opportunities, including relevant detailed information.

Moreover, the template assesses additional data on the information source regarding general issues and scope, as well as organisational issues, target groups, communication channels, publication policies, copyright and any other points.

According to the widely accepted ISO 27005 definition, risks emerge when: “Threats abuse vulnerabilities of assets to generate harm for the organization”. In more detailed terms, we consider risk as taking into account the following elements:

Asset (Vulnerabilities, Controls), Threat (Threat Agent Profile, Likelihood) and Impact

As regards opportunities, due to missing standardised definitions we are considering the following definition: “An opportunity is an uncertainty that will enhance ability to achieve objectives”. An opportunity can include savings from increased organisational efficiency. In addition, a (business) opportunity is a gain for the organization as the result of a better exploitation of market/business conditions.

In order to achieve opportunity management, the elements that have to be considered are: driving improvements in an operational environment, balancing return and investment, obtaining change buy-in and managing reward.

In addition, some resources argue that opportunity management might be the result of risk management focussing on the positive consequences of a risk. Due to our focus on Information Security issues, the elements of opportunities should have an ICT context and be directly or indirectly related to Information Security.

Based on the material of this template, ENISA will perform a stock-taking of existing publicly available sources on information risks and opportunities, as well as detailed information hereof.

Source: http://www.enisa.europa.eu/media/news-items/stock-taking-questionnaire-for-an-inventory-of-information-security-sources

