[cabfpub] RV: NIS-Platform: WG2 further work on Chapter 3

i-barreira at izenpe.net
Thu Oct 30 08:38:19 UTC 2014

For the information-sharing WG's info: I'm in these ENISA WGs.



Iñigo Barreira
Head of the Technical Area
i-barreira at izenpe.net




WARNING! Part or all of this message may be legally protected. The message has its intended recipient. If it has reached the wrong address (address mistyped, transmission failed), notify the sender by replying to this e-mail. CAUTION!
ATTENTION! This message contains privileged or confidential information to which only the recipient has the right of access. If you have received it in error, we would be grateful if you did not make use of the information and contacted the sender.


From: Waldemar.Grudzien at bdb.de [mailto:Waldemar.Grudzien at bdb.de]
Sent: Monday, 27 October 2014 18:26
To: bmhaemmerli at acris.ch; Maciej.Choczaj at asseco.pl; ogonda at checkpoint.com; alena.havlova at cer.be; Ulrich.Meuser at deutschebahn.com; pbrownel at redhat.com; ebltrustwin at gmail.com; gilbers at vnoncw-mkb.nl; johan.rambi at alliander.com; idontas at aratos.gr; Anne.Spoelstra at eneco.com; markatos at ics.forth.gr; ignacio.paredes at cci-es.org; pekka.jappinen at lut.fi; Joachim.Brandt at teliasonera.com; rob.kloots at trustingthecloud.eu; fenz at xylem-technologies.com; ulrich at lsec.be; ulrich at leadersinsecurity.org; dan.tofan at cert-ro.eu; cesma.vanwijnen at planet.nl; Donald_Edwards at Dell.com; Rainer.Koch02 at telekom.de; mikko.karikyto at ericsson.com; adam.palmer at FireEye.com; iluengo at hi-iberia.es; martins at itrust.lu; Barreira Iglesias, Iñigo; hasse.degraaff at ncsc.nl; jramon.martinez at orange.com; rachael.bishop at bis.gsi.gov.uk; manel.medina at gmail.com; pascal.steichen at smile.public.lu; David.Francis at huawei.com; Csaba.Marosfai at humansoft.hu; christophe.gransart at ifsttar.fr; rafael.ortega at i4s.com; nikolaos.tsouroulas at telefonica.com; bouras at ubitech.eu; john.harris at vodafone.com; andy.de.petter at belgacom.be; ritab at bsa.org; jsalomon at fsisac.eu; merike.kaeo at mail.internetidentity.com; p at multiven.com; christoph.zurheide at deutschepost.de; RTD at rfsat.com; villagra at dit.upm.es; Margaret.ford at chyp.com; ashley.jelleyman at bt.com; leonardo.fiocchetti at selex-es.com; paolo.venturoni at Finmeccanica.com; fetler at itrust.lu; stefan at lew.ro; michael.montag at nsn.com; martin.peylo at nsn.com; mhargis at strategyanalytics.com; Inah.Omoronyia at glasgow.ac.uk
CC: Aristotelis.TZAFALIAS at ec.europa.eu; Ann-Sofie.RONNLUND at ec.europa.eu
Subject: NIS-Platform: WG2 further work on Chapter 3


Dear WG2 Colleagues,
Below you receive questions on which we want to know your opinion, so that the final chapter 3 of WG2 can be drafted. Please answer the points A to E by stating what should be added or suppressed. Please also propose additional points or suggest eliminating points.
Furthermore, please also answer the questions in capitals (WHY, WHAT, WHO, HOW, HOW TO JOIN) for Blue Chips and SMEs. Without your active participation our chapter will not represent European experts' opinion.
Please answer soon, but no later than Friday Oct 31, 2014 24:00h. Your answer might be just a few well-selected words and does not need to be long!
We are very grateful for your active contribution so that we can close down the activity in time by the end of the year, with a good and representative chapter.
Kind regards and until soon via e-mail or in person in Brussels at our meeting Nov 24/25, 2014.
Waldemar Grudzien
- Please put your answer in line when short, or as a text file (WRD) when longer. Send these files to our rapporteur Prof. Dr. Bernhard M. Hämmerli (drafting the report) and to me.
The two e-mails are: bmhaemmerli at acris.ch; Waldemar.Grudzien at bdb.de

Chapter 3 Voluntary information sharing 

Setup: Voluntary information sharing can be seen as a part of good risk management. Being informed about the evolution of threats and vulnerabilities enables organisations to take appropriate preventive measures. The voluntary information sharing is particularly developed in the financial and banking sector. The recommendation could therefore build upon good practices identified within NISP, with the financial sectors serving as a pilot (FS-ISAC/FI-ISAC and other relevant initiatives). This would be beneficial in extending those practices across the value chain within the financial sector, from mainly big organisations today to involving also smaller organisations, but also in looking at how good practices could be spread to other sectors that are currently looking at how to better share information and to engage in real-time sharing of information. 
The Chapter will have at least these five parts: 
Please comment with your expert opinion! 
A. Management Summary for Politicians and CISOs
- Introduction to information sharing
B. General
- Introduction to information sharing
- Classification and forms of information sharing
- Prerequisites and rules of information sharing
- Borders of information sharing
- Background on benefits of information sharing
- Motivation for joining a scheme
- Voluntary vs. mandatory information sharing: in which case is which one preferred?
- … (The points which you as expert bring in)
C. Blue Chip information sharing
- WHY: Highlight good practices that have emerged and proven to work in the financial and banking sector over the past years with regard to voluntary information sharing; give examples of cases; quantify the benefit, or the losses that could have been avoided with good information sharing mechanisms.
- WHAT: Are there particular kinds of information that are more useful than others to focus information sharing on: threat actors or patterns, or vulnerabilities, or 0-days, or all?
- WHO: Who are the necessary actors for information sharing mechanisms: operators, vendors, researchers, CSIRTs; role of regulators/authorities?
- HOW: How could financial and banking sector good practices be extended to other sectors; how to overcome barriers to information sharing (trust, reputation, resource constraints, governance, non-standardised formats etc.); what about the tools used to engage in information sharing and their configuration?
- Use case (pilot financial sector)
- … (The points which you as expert bring in)
D. SME-specific information sharing
- WHY: What is the benefit for SMEs of participating in information sharing mechanisms; what is the benefit for bigger companies of SME participation?
- WHAT: Do SMEs need all the information that is circulating; how to channel it?
- HOW: What particular arrangements need to be made to accommodate SME participation; free membership; irregular participation; clustering; directly or via their downstream clients/system integrators etc.
- HOW TO JOIN: Whom should SMEs turn to in order to join a scheme?
- Benefits of information sharing; motivation for joining a scheme
- … (The points which you as expert bring in)
E. Findings / Recommendation
- …

Kind regards

Dr. Waldemar Grudzien
Bundesverband deutscher Banken e.V. (Association of German Banks)
Retail Banking and Banking Technology Division
Burgstraße 28
10178 Berlin

Tel: 030-1663-2314
Fax: 030-1663-2399
E-mail: Waldemar.Grudzien at bdb.de
Internet: http://www.bankenverband.de (www.germanbanks.org)
