Standards & Legislation

Making standards in support of cybersecurity legislation

Monday 12 June 2017 - Amphi Athena (240 pax)

Scope

The NIS Directive, General Data Protection Regulation, and the proposals for a Regulation on Privacy and Electronic Communications and the Directive establishing the European Electronic Communications Code are just a few examples of regulations designed to support a strong digital economy. Policy makers are taking up ambitious legislative initiatives for a secure digital economy for Europe and beyond. While there is broad understanding concerning the goals of these initiatives, what they actually mean for business has yet to come to the fore. The industry is challenged to provide products and services which comply with such legislation. As standards are expected to play an increasingly important role, adopting an integrated security approach from an early stage in the specification of any product or service, i.e. "security-by-design", as well as appropriate certification of products and services become of paramount importance while the cost and benefits need to be carefully balanced. Diverse global aspects also need to be taken into account to match the ambition of the Digital Single Market.

This workshop will gather policy makers and industrial players to discuss how and when standards can best support the above legislative initiatives, what type of standards, and how to ensure an effective collaboration between diverse interested parties.

The workshop will include four separate sessions covering the following topics

  1. Information security risk management across sectors in the context of the NIS Directive as well as data confidentiality in the context of the GDPR.
    In light of the implementation of the NIS Directive across the EU and the GDPR becoming applicable in May 2018, information security risk management is receiving a lot of attention from regulators and in boardrooms across a wide variety of sectors (financial services, health, transport, energy, digital service providers, government and more), both in the EU and globally. Both pieces of legislation require "appropriate technical and organisational measures" commensurate with the risks encountered.
    What role can the standardization community play in ensuring a coherent and continuously effective approach to information security risk management across these very diverse sectors and in the evolving threats landscape? Are existing standards and risk management approaches still fit for purpose or does the pace of digitization and interconnectivity require a different approach?

  2. Ensuring secure and private electronic communications: the proposals for an e-Privacy Regulation and an Electronic Communications Code.
    The recent proposals on the Electronic Communications Code and the e-Privacy Regulation reinforce the need for secure and private electronic communication services while extending the regulatory scope to interpersonal communication service providers, the so-called OTTs (Over-The-Top). The e-Privacy Regulation also reinforces the privacy-by-design concept in electronic communication and introduces new rules on the protection of information stored in, and related to, end-users' terminal equipment.
    How can standards assist service providers in demonstrating compliance with these regulations? How does the global, digital nature of many OTTs influence security standards and the standardization process?
    How can standardisation support the requirements set out in the proposed e-Privacy regulation as regards "Information and options for privacy settings"?

  3. Measuring and assessing ICT security - The role of security labels and certification of products, processes and services.
    Recent well publicized cyber-attacks and significant data breaches may significantly undermine European citizens' trust in the Digital Single Market. Lack of confidence in the security of ICT solutions may also impede business owners or their regulators from fully benefitting from the potential productivity gains and increased competitiveness that ICT may offer.
    How can standards best support the need to measure and assess ICT security properties? What roles can security labels and certification schemes play in increasing trust in ICT and how can standards shape the way to measure and assess what the appropriate level of security is in different operating environments and for different products and services? How best can security risk be addressed in product specific market regulation in healthcare, transport and other sectors? Which categories of products could benefit from a "lightweight" certification scheme?

  4. Cybersecurity world tour: what about legislation and relevant initiatives beyond Europe and supporting standards? Possible cooperation with EU initiatives.
    Cybersecurity is a global concern. As such, the issue is being addressed by legislators and regulators from across the world. A good understanding of developments outside of the EU is an important prerequisite in avoiding unnecessarily divergent approaches to cybersecurity risk management that may then lead, amongst others, to market inefficiencies, increased regulatory burdens and compliance costs in a global market.
    Our international partners are invited to inform participants and share their views on important emerging legislative, regulatory and standardisation initiatives on cybersecurity. Opportunities to collaborate across standardisation activities and re-use existing standards can also be discussed.
    Organisations active in the European market are also invited to discuss how regional or global developments in cybersecurity standardisation impact their activities, positively or perhaps even negatively.

Agenda

The Programme Committee is pleased to present the following programme.

09:00 - 09:05 Welcome
Simon Hicks, ETSI General Assembly Chairman
09:05 - 11:00 Session 1: Setting the Scene
Session Chair: Claire Vishik, Intel
 
  • 09:05 NIS Directive, Critical sectors, Best Practices and Certification
    Florent Frederix, European Commission, DG CONNECT
  • 09:25 ENISA Activities in Standardization
    Andreas Mitrakas, ENISA
  • 09:45 TILT - Modalities of Technical Standardization Supporting EU Data Protection Legislation
    Irene Kamara, Tilburg Institute for Law, Technology and Society
  • 10:05 TC CYBER: Activity in Developing the Technical Framework for Securing DSM, GDPR, NIS
    Scott Cadzow, C3L & Tony Rutkowski, Yaana Ltd
  • 10:25 ISO/IEC JTC 1/SC27 Work in Support of Legislation
    Laura Lindsay, ISO/IEC JTC 1/SC27
  • 10:45 Q&A
11:00 - 11:30 Coffee Break
11:30 - 13:15 Session 2: Cybersecurity World Tour: From Regional to International Perspectives
Session Chair: Dominique Lazanski, GSMA
  Discover what countries are doing for the security of network and information systems and for data protection and privacy, with emphasis on the related standardization initiatives they pursue nationally.
 
  • 11:30 How to Reconcile the Protection of Privacy with the Efficient Use of Information Systems: a French Approach
    Sophie Coutor, French Ministry of Interior
  • 11:50 CISPA - From a National Competence Center to a World-Renowned Research Center
    Sebastian Gerling, CISPA, Saarland University
  • 12:10 Enabling the Elements of a Security Strategy
    Ed Griffor, NIST
  • 12:30 IT Security Requirements for Estonian Public Sector
    Mark Erlich, Information System Authority
  • 12:50 Q&A
13:15 - 14:30 Lunch and Networking
14:30 - 15:30 Session 3: Measuring and Assessing ICT Security - The Role of Security Labels and Certification of Products, Processes and Services
Session Chair: Charles Brookson, Zeata
  How can standards best support the need to measure and assess ICT security properties? What roles can security labels and certification schemes play in increasing trust in ICT and how can standards shape the way to measure and assess what the appropriate level of security is in different operating environments and for different products and services?
 
  • 14:30 Supporting the Development of a Global TEE Certification Program
    Gil Bernabeu, GlobalPlatform
  • 14:50 Trusted Computing Group
    Claire Vishik, Intel
  • 15:10 IoT Security Self-Assessment Framework
    Dominique Lazanski, GSMA
15:30 - 16:00 Coffee Break
16:00 - 17:00 Session 3: Panel Discussion
  How can standards best support the need to measure and assess ICT security properties? What roles can security labels and certification schemes play in increasing trust in ICT and how can standards shape the way to measure and assess what the appropriate level of security is in different operating environments and for different products and services?

  • Gil Bernabeu, GlobalPlatform
  • Florent Frederix, European Commission, DG CONNECT
  • Ed Griffor, NIST
  • Andreas Mitrakas, ENISA
  • Claire Vishik, Intel
17:00 - 18:15 Session 4: Feedback from Implementations
Session chair: Colin Whorlow, NCSC
  How industry is implementing products that comply with European cybersecurity legislation (e.g. GDPR, NIS Directive): what they do in practice, which standards they are using, and what they think is missing in terms of standards, best practices, certification and labels.
 
  • 17:00 Security Standards and Legislation from a Secure Product Manufacturer's Perspective
    Dirk Stegemann, Robert Bosch GmbH
  • 17:20 GDPR - More than 125 years in the making
    Mark Chaplin, Information Security Forum
  • 17:40 Incident Notification Obligations and Risk Management Frameworks
    Mark Smitham, Microsoft
  • 18:00 Q&A
18:15 - 18:30 Concluding Remarks
By Simon Hicks, ETSI General Assembly Chairman
18:30 - 20:00 Cocktail

Programme Committee

The Programme Committee is composed of the following members:

  • Sonia Compans, ETSI
  • Marijke De Soete, Security4Biz
  • Alan Hayward, NCSC
  • Andreas Mitrakas, ENISA
  • Aristotelis Tzafalias, European Commission
  • Svetlana Schuster, European Commission
  • Florent Frederix, European Commission
  • Claire Vishik, Intel
  • Dirk Weiler, Nokia

The Programme Committee is in charge of selecting the presentations that fit the event objectives and of building the programme on Standards and Legislation.