Ο ENISA, the European Network and Information Security Agency based in Crete publishes its recommendations on secure procurement to secure electronic communication as well as electronic communications services. It thus seeks to reduce the risks posed by 2013 to European fixed and mobile telephony networks, since it also finds that providers are increasingly reliant on third-party services.
The European Network and Information Security Agency (ENISA) today publishes two reports:
(a) the report "Safe signing of secure electronic communications contracts", highlighting the increasing reliance of providers on outsourced ICT products and services, and it also analyzes the associated security risks involved in this process.
b) the "Guide to safe procurement of ICT for providers of electronic communications services", which aims to be a practical tool for providers to better address security risks when dealing with vendors and suppliers of ICT products and outsourcing services.
The report, entitled Secure ICT Contracting for Secure Electronic Communications, follows the latest edition of the Annual Incident Report, which provides aggregated analysis of security incidents leading to serious business disruptions, with products and outsourced services as the primary cause Third party IT, especially in the area of hardware failures and code errors software.
This year's exhibition is the result of the cowork of ENISA with providers and vendors in an effort to address these issues.
The main issues posed by electronic communications providers are, among other things:
- The lack of security controls on the part of the seller
- Software vulnerabilities in ICT products or services
- Non-compliance with contract security requirements
- The lack supports from the sellers in case of incidents
- The small bargaining power of the providers
- The lack of framework or guidance for providers in contracting and outsourcing
In this context, ENISA provides general recommendations and includes the results researchs carried out to electronic communications providers and ICT vendors. Recommendations to Member States include raising awareness of the security risks associated with contracting for ICT products and outsourcing services. In addition, vendors and providers are encouraged to develop a collaborative approach with respect to defining security requirements, sharing information about vulnerabilities and security threats, and mitigating incidents.
Guide to safe procurement of ICT for providers of electronic communications services
The Guide assigns security risks to the full framework of security requirements that vendors can use as a procurement tool while examining security risks for core services in communications networks and services.
Professor Udo Helmbrecht, Executive Director of ENISA, commented: "Every year we see from the annual incident report that third-party ICT products and services are a major cause of downtime. A simple software code error can have a serious impact on the availability of internet and telephony services, and providers are not always able to solve such issues quickly. The ICT Security Guide we publish today is a practical tool that will help providers to buy ICT products and services from vendors and suppliers with the necessary security requirements. "
- Full reports are available at https://www.enisa.europa.eu/activities/Resilience-and-CIIP/Incidents-reporting/requirements-ecomms-vendors