METRICA SEC
Reference number: 40966
Coordination Action proposal Theme 4: ICT and Theme 10: Security Joint Call FP7-ICT-SEC-2007-1
Recommendations to measure and improve the level of protection
of critical infrastructures.
Proposal acronym: METRICASEC07
Type of funding scheme: Coordination action (CA)
Work programme topics addressed:
(if more than one, indicate their order of importance to the project)
ICT-SEC-200 -1.0-02 Modelling and simulation for training
Consortium details
Name of the coordinating person:
Manel Medina
List of participants:
| Participant no. | Participant organisation name | Participant short name | Country |
| 1 (Coordinator) | | UPC or | ESP |
| 2 | | TELEFONICA | ESP |
| 3 | | ISDEFE | ESP |
| 4 | | SYSGENIC | ROM |
| 5 | | EFPC | GBR |
| 6 | | MUFICATA | ESP |
| 7 | | UPM | ESP |
| 8 | | | |
| 9 | | VESZPROG | HUN |
| 10 | IGD Security | IGD | BGR |
| 11 | | ACROS | SLV |
| 12 | | ITRUST | LUX |
| 13 | | ? | FRA |
| 14 | | ? | GER |
| 15 | | ? | GRC |
| 16 | | ? | POL |
| 17 | | ? | FIN/SWE/NOR |
| 18 | | ? | LIT/EST/LAV |
| 19 | | ? | ISR |
| 20 | | ? | PRT |
Partner contacts:
- 1 UPC: medina@ac.upc.edu, consen@consen.org
- 2 Telefónica: benjamin.martingarcia@telefonica.es, noelia.pedreiragarcia@telefonica.es, juancarlos.gomezcastillo@telefonica.es
- 3 Isdefe: dfvazquez@isdefe.es
- 4 Sysgenic: dumitru.radoiu@sysgenic.com
- 5 EFPC: michael@efpconsulting.com
- 6 MUFICATA: consen@consen.org
- 7 UPM: jmanas@dit.upm.es
- 8
- 9 VESZPROG: fleitold@veszprog.hu
- 10 IGD Security: drago@unidentity.com
- 11 ACROS: segurity
ICT Theme: ICT-SEC-200 .1.: Technology building blocks for creating, monitoring and managing secure, resilient and always available information infrastructures that link critical infrastructures.
See also the option of applying as a Collaborative Project under the Security Theme topic ICT-SEC-200 -1.0-02: Modelling and simulation for training.
Abstract
Creation of a working group (WG) to reach an agreement on the metrics to be used to evaluate the IT security achieved by industry, enterprises and public administrations.
Definition of a model to evaluate the security of critical infrastructures, according to each infrastructure's security policy and the metrics indicators selected for each selected sector. The project will focus in particular on telecommunications critical infrastructures, with in-depth case studies.
The project will also propose training material to teach the relevant actors involved in the definition, adoption and implementation of security policies for critical infrastructures, with a special focus on the impact of the security policy items on the metrics indicators, and on simulating the results of changes according to the adopted metrics.
Objectives
Organisation of a collaborative environment to collect contributions and initiatives raised in Europe to promote the application of IT security measures. Identification of suitable indicators of the success of these initiatives, through commonly agreed metrics.
Production of recommendations to EU Member States to launch the most suitable successful initiatives in their countries, according to metrics collected from previous successful experiences in other countries.
The proposal will be launched as a Collaborative and Supportive action, with a budget of 500K€ to share amongst all the partners.
Leadership
So far, leadership is held by tb-security, but since it is an SME, maybe we should encourage a larger organisation to act as such. Manel Medina could also participate as esCERT-UPC, and use this "independent" head, representing an organisation with 12 years of disseminating security and evaluating security advice, to lead the proposal.
Telefonica and Isdefe have already declined the leadership. Nevertheless, Telefonica will check if one of its daughter companies could take this role.
Rationale
EU vision on security
“Security is one particular global challenge that has recently come to the fore due to world events and societal changes. Europe needs to invest in a security culture that harnesses the combined and relatively untapped strengths of the security industry and the research community in order to effectively and innovatively address existing and future security challenges.”
The EU Council of 12-13/12/2003 approved the «EU Security Strategy» proposed by the Secretary General/High Representative (Mr. J. Solana), which focuses on the following strategic objectives:
- Addressing threats (terrorism, regional conflicts, organised crime)
- Building security in our neighbourhood (a consistent high level of security established across its enlarged and more diverse territory)
- An international order based on effective multilateralism (no single European country will be able to tackle present or future security problems on its own)
Towards a culture of security
- Effective security policies should be based on well-developed risk assessment methods in both public and private sectors, but presently there is no common practice for their efficient application;
- If requirements for the security guarantee to be built into goods and services were to differ substantially from one Member State to another, they could ultimately lead to obstacles to free trade across the EU.
Key Principles:
Social
Individual users need to understand that their home systems are critical for the overall security chain
Legal
Privacy and security are a prerequisite for guaranteeing fundamental rights on-line
Public administrations: to address the security of their own networks and serve as an example of best practice for other players
Private sector enterprises: to address NIS as an asset and an element of competitive advantage, and not as a "negative" cost
Individual users: to understand that their home systems are critical for the overall "security chain"
Security Governance
Adopt best practices in terms of security management systems (ISO 27001, NIST 800 series) to develop, sustain and improve security processes
Risk analysis and management using a home-made methodology built from best-of-breed methods (EBIOS, ISO 13335, BS 7799-3, CRAMM, MEHARI)?
Security controls from the best standards (ISO 17799:2000, NIST 800-53, IT BPM (German BSI), COBIT, ISF, …)
Alignment of business risks (identified through BIA) and controls by developing security baselines based on information systems classification (C, I, A)
Work Packages
| WP | Title | Leader | Period |
| WP1 | Study Awareness of current situation in EU | UPM | m1-m3 |
| WP2 | Sectorial Metrics Goals and Approaches | | m2-m12 |
| WP3 | Dissemination: Best Practices repository and forum | | |
| WP5 | Recommendations of training strategies | | |
| WP4 | Conclusions and closing event | MUFICATA | m1-m18 |
| WP5 | Project Management and Coordination | UPC | m1-m18 |
Awareness of current situation in EU
Approach
Research of on-going work in this field in EU.
Identification of relevant standards and good practices recommendations:
- ISO 2 004: Telefonica has already contributed to this standard with some indicators, but they have been kept just as examples
- NIST has recommended some benchmarking indicators, but they may change depending on the goals of the benchmark; maybe we should concentrate on some of them
Tasks:
T1.1: liaise with current standardisation bodies and critical infrastructures security teams: CSIRT, (CERT), abuse forum, ISMS forum, etc. working on these issues.
T1.2: Identify national government initiatives to promote IS security, as well as multi-national companies programmes.
T1.3: Organisation of a Workshop
Deliverable
Organization of a workshop to set up a common understanding of the current situation
Sectorial Metric goals and approaches
Approach
Production of a set of security indicators, rating them according to the security parameter they are intended to measure and the population to which they are addressed.
This work will be done through ad-hoc working groups, each of them focused on a particular application scenario. They will identify the needs of each scenario and indicate the level of suitability of the general indicators for each of them. The project will address the identification of indicators to measure the following topics:
- User awareness level
- Risk analysis results and depth
- Anti-malware update policy: frequency and coverage
- Network protection tools: use, update policy, etc.
- Legislation and regulation compliance strategy
- Business resilience and continuity protection plans
Tasks
There will be one task per sector:
- Telecommunications
- Aerospace
- Healthcare
- Government
- …
Deliverable
Production of a good practices guidelines report. The report will provide tools to identify the largest number of security breaches, and it will also propose countermeasures to fix them.
The good practices will be classified according to the application scenario to which they are addressed.
Dissemination: Best practices dissemination and Forum
Liaison with standardisation bodies:
- CEN
- ISO
- National bodies
Creation and maintenance of a web portal and forums
Production of communications to events and magazines
Recommendations of training strategies
Tasks:
Organisation of training events addressed to the relevant actors involved in the definition, adoption and implementation of security policies for critical infrastructures, with a special focus on the impact of the security policy items on the metrics indicators.
Specification of tools to measure the relevant security metrics indicators in the selected sectors.
Simulation of the impact of the changes to security policies made after the training events in the infrastructures managed by the course attendees.
Conclusions and closing event
Tasks:
Organisation of a closing event to present the project results: sectorial best-practice recommendations to measure and improve the level of protection of critical infrastructures.
Compilation of the conclusions of the event and incorporation of the relevant contributions into the report (disposition of comments).
Publish the project report.