New Report on National Risk Management Preparedness: a Guideline for Critical Information Infrastructure Governance

BRUSSELS and HERAKLION, Greece, May 19, 2011 /PRNewswire/ -- ENISA (the European Network and Information Security Agency ENISA) has launched a new publication on National Risk Management (NRM) preparedness. The report sets out the essential elements as a guideline for the governance of NRM in relation to a country's Critical Information Infrastructure (CII). In particular, the report presents a workflow to develop and implement an NRM processes.

The relationship between NRM and the management of information security risk in individual CII stakeholder organisations is identified in this new Agency report. It determines three essential NRM processes that need to be implemented by national governments, as follows:

- Process 1: Define NRM Policy.

- Process 2: Coordinate and Support Implementation [of risk management in CII stakeholder organisations].

- Process 3: Review, Reassess and Report [on NRM].

Each of these three processes is supported by a number of activities. The report identifies a total of twelve detailed activities. These activities include among others; to set the vision, establish the NRM organisation, promote standards, create awareness, as well as to analyse errors and incidents. The framework for the governance of NRM enables governments and other national CII stakeholders to gain an overview of the elements that are required to build such a programme; and to understand the relationships between these elements.

The guidelines feature a questionnaire that allows governments to assess their strengths and weaknesses in relation to NRM preparedness by using a use a five-level capability maturity measurement.

The report can be used in practice by national governments to:

- Identify strengths and weaknesses in the implementation of NRM in their country;

- Assist in the development of a framework for the governance of NRM;

- Help the government to assist CII stakeholder organisations in developing their own risk management processes; and

- Assess the country's NRM preparedness through the use of a defined testing process.

Background: CIIP Communication by the European Commission ( http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/index_en.htm).

For full paper ( http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/index_en.htm)

(Due to the length of these URLs, it may be necessary to copy and paste these hyperlinks into your Internet browser's URL address field. Remove the space if one exists.)

SOURCE ENISA - European Network and Information Security Agency