EU calls for greater data-breach transparency
29 Aug 2012
Wider, mandated incident reporting essential to “obtain a true cyber security picture”, say ENISA researchers.
The reluctance of organisations to come clean about cyber attacks on their systems keeps customers in the dark and hampers regulatory authorities, according to ENISA, the EU’s information security agency. In response, it has called on businesses and governments to be more transparent about the nature and extent of data breaches.
“Large outages and large data breaches receive extensive media coverage, showing the importance of cyber security in society,” it says in a new report. “Many breaches, however, remain undetected and, if detected, are not reported to the authorities and not known to the public.” The result is that there is “no overall view across the digital society of the incidents, their root causes or their impact for users.”
Key to improved European cyber security, suggests ENISA, is more effective implementation, expansion and enforcement of Article 13a of the Telecommunications Regulatory Directive. This specifies that not only must providers take appropriate measures to manage the risks posed to the security of their networks and services, Member States must also ensure that those providers notify the national regulatory authorities of any significant breach of security or loss of integrity.
ENISA executive director, Professor Udo Helmbrecht, explains, “Incident reporting is essential to obtain a true cyber security picture. The EU’s cyber security strategy is an important step and one of its goals is to extend the scope of reporting provisions like Article 13a beyond the telecommunications sector.”
However, ENISA adds that services provided by business networking site LinkedIn, which had approximately 6.5 million user passwords stolen by hackers earlier this year, and RIM, which reported a “core switch failure” within its Blackberry network infrastructure last year, had not clearly fallen within the scope of the current EU rules. In the report, it urges the European Commission and national authorities to rethink how they interpret the meaning of ‘electronic communication services’ under the laws in order to ensure that gaps are plugged.
"This can be done without necessarily changing the text of existing legislation, such as the telecom regulatory framework, but rather the interpretation of what the services are, because the landscape of electronic communications is continuously changing (from landline telephones and Minitel in the past, to mobile phones, internet and VoIP)," say the report’s authors.
They also touch on issues around security breach reporting, with particular reference to whether there should be standard ways for setting out incident reports and assessing the impact of breaches, as well as whether a new classification system for rating the severity of breaches should be introduced.
As reported previously by IP EXPO Online, new data breach notifications have already been proposed under planned reforms to EU data protection laws. Under the European Commission’s draft General Data Protection Regulation, companies would have to ensure that any personal data processing is done securely and that they notify regulators and any individuals concerned with certain information about any data breach "without delay and, where feasible, not later than 24 hours after having become aware of it". The information should include recommendations over what people can do to "mitigate the possible adverse effects of the personal data breach".