Friday, 11 May 2012

To read: ENISA on 'National Cyber Security Strategies'

On May 08, 2012 ENISA published a National Cyber Security Strategies paper which analyses the current status of cyber security strategies.
Here is their description:
"...The paper includes a short analysis of the current status of cyber security strategies within the European Union and elsewhere. It also identifies common themes and differences, and concludes with a series of observations and recommendations. The paper is based on the preliminary findings and analysis from an ENISA project that is working to develop a Good Practice Guide on how to develop, implement and maintain a national cyber security strategy. The Good Practice Guide is intended to be a useful tool and practical advice for those responsible and involved in cyber security strategies..."

Here is the PDF. Any comments?

Btw, I had a quick look and found no reference to OWASP. Shouldn't we be involved here? Or does Cyber-Security have nothing to do with Application Security?


Ludovic said...

So, "shouldn't we be involved here?": Yes, I think so.

"Or does Cyber-Security have nothing to do with Application Security?"
An Application, being part of a digital context, whatever it may be, is, as such and in my view, linked to what we consider as "Cyber". So Cyber Security means, somehow, Application Security as well.

Please find below, just for information, a reference document from the European Commission about a Proposal of Decree (last updated 27 January 2012):

"Proposal for a regulation of the European Parliament and of the Council on the
protection of individuals with regard to the processing of personal data and on
the free movement of such data (General Data Protection Regulation)"

Among others, I would suggest focusing on the two following parts of this important document, with a focus on Article 79; you'll quickly understand why this is linked to Cyber Security:

- § 3.4. Detailed explanation of the proposal, for a brief description of each Article
- Article 79, Page 94, Administrative sanctions

Although this is a Proposal for a Regulation, you'll understand that Article 79 is important, in the possible perspective of cases of jurisprudence. Here we have the framework anyway.

We have to bear in mind that most European Regulatory bodies tend to reinforce the Legal frameworks, and as such, each member state has 18 months to transpose the European decisions into local law.

But, in the case of a European Decree, once it is official, it will be immediately applicable to all member states of the European Union.

That being said, bear in mind that most Regulatory bodies around the world tend to reinforce their local Legal frameworks. That's why I would suggest keeping a sharp eye on the Legal Framework when talking about (Web) Application Security, and so Cyber Security, because nowadays, more and more, the Law determines the technical means to implement in order to be compliant.

Well, to answer the question clearly: in my view, and although this is not stricto sensu in the scope of OWASP, a touch of Cyber Security AND Legal, occasionally during OWASP Conferences or Meetings, would be welcome, for overall consistency, and because more and more Execs attend OWASP meetings as well. So, to be clear, it is our role at OWASP to take this (Cyber Security) into account as well.

Ludovic said...

It is said in the ENISA document: "...The availability of cyberspace and the integrity, authenticity and confidentiality of data in cyberspace have become vital questions of the 21st century..."

So, Cyber Security is linked to Application Security.