ENISA's Good Practice Guide on Exercises


Share your experiences to assist EU member states in developing effective national exercises

Introduction

The European Network and Information Security Agency (ENISA) recently conducted stock-taking research on the policies of EU member states with regard to the resilience of public e-communications networks. This research identified resilience exercises as an important aspect of EU Member States' national resilience policies. Many countries are interested in designing, piloting and implementing exercises on a regular basis. The importance of national and cross-country exercises is also underlined in the latest European Commission Communication on CIIP. ENISA, upon request of its stakeholders, has been asked to develop a good practice guide on national exercises. The aim of the guide is to assist EU Member States in designing, developing and running good national exercises.

Benefits of the Project

Your participation in this stock-taking is of great importance to ENISA, but hopefully also to your organisation! You will have the chance to contribute to the Good Practice Guide, helping EU member states to improve the resilience of this crucial infrastructure. Hopefully the guide will also enable you to identify common approaches, confirm the appropriateness of your measures and activities, and be inspired by the initiatives of others.

First Step: Taking Stock of Expert Views and Experiences

As a first step, ENISA will take stock of private and public stakeholders' experiences and recommendations on national exercises. The stock-taking will be performed electronically through targeted interviews based on a questionnaire (see below). The interviews will be conducted from July to September. Participating stakeholders may also decide to optionally reply in writing. The questionnaire addresses your experiences and suggestions on the identification, planning, execution and evaluation of the exercises.

Additional Opportunities for Your Participation

The results of the stock-taking will be validated by interview participants and other relevant experts in several ways:
- in a workshop that ENISA will organise in November;
- in presentations that will be delivered at various workshops and conferences related to exercises and resilience;
- and during a one-month open electronic consultation procedure which will follow the release of the final version of the good practice guide.

Getting Started

Would you be so kind as to describe your experiences and views in the short questionnaire below? Should you require more information, please do not hesitate to contact ENISA (goodpractices@enisa.europa.eu).

ENISA has selected IDC, a global telecoms and IT market research and consulting firm, to coordinate the stock-taking and analysis. Following completion of the questionnaire, IDC will contact you to arrange a convenient time to discuss your views further.

Organization Details

Your name:
Organization or Company:
Country:
Contact details (job position, phone number, ):

IDENTIFICATION OF THE EXERCISE(S)

Which type of exercise(s) are you (or have you been) involved in (e.g. discussion-based: seminar, workshop, game; operations-based: drill, functional, full-scale, etc.)?
What stakeholders are involved (e.g. vendors, owners/operators, public and private customers, emergency management community, etc.)?
What is the scope of the exercise, including:
- geographic scope (regional, country-wide, cross-country);
- sectors (e.g. network operators, service providers, power providers, etc.);
- and timing (frequency and duration)?
What measures are tested (preparedness measures, policies, procedures, agreements, etc.)? Please explain.

ORGANIZATION OF THE EXERCISE(S)

Please describe the planning process, such as:
- Who leads the planning process, and who participates?
- What is the planning process and its duration?
- How is the concept of the exercise developed?

Please describe the selection of the participants. For example:
- How are stakeholders identified and recruited?
- How is trust built between them?
- Are there any incentives or assistance in any form (financial, technical)?
- What is the involvement of the private sector?
What background information is communicated to the participants (network resilience and other information) before the exercise, how is it prepared, and in what format (training seminar, study material, etc.)?
How are media relations handled, and what is their role in the exercise?

EVALUATION OF THE EXERCISE(S)

What is the monitoring process that is used for the exercise?
How is the exercise evaluated, what performance indicators are used, and how are gaps identified and solutions recommended?
How does the outcome of the exercise improve the contingency plans and the overall resilience measures of the participating organizations? How do you assess this?
How are the results of the exercise communicated to the stakeholders and the media?

CONCLUSIONS AND SUGGESTIONS

What were the major challenges faced in preparing and conducting the exercises?
What recommendations do you have for others who want to prepare similar exercises?
Please tell us if you feel we have missed any important questions or subject areas which should be addressed when producing the good practice guide.

Glossary

Overview

In the context of this study, an exercise is a procedure that authorities can use to test hypothetical events that could harm or threaten critical communications network infrastructure and services, and to test the responses of those infrastructures, services, and other stakeholders affected by such an event.

Benefits

By conducting exercises that test different scenarios, authorities, network operators, and other stakeholders can examine and reveal gaps in planning procedures, unforeseen linkages and interdependencies, and problems in communication and responses to the scenario. By exposing these gaps, challenges, and interdependencies, the respective stakeholders can begin to take them into account more fully in their own planning. Exercises also help to break down barriers between the interdependent stakeholders, building trust among them and helping to enable longer-term cooperation between them in their resilience planning.

Such exercises are particularly useful for testing scenarios that are uncommon, and that stakeholders may therefore never have experienced, but that pose significant threats, such as natural disasters, cyber attacks, terrorist attacks, public health crises, etc. They are also particularly useful for testing cross-sectoral scenarios, such as a natural disaster that damages communications infrastructure, transport infrastructure, and power transmission while the emergency services organizations and health workers that depend on that infrastructure struggle to cope with human and other effects. These kinds of exercises can be very helpful in revealing interdependencies between critical infrastructures and organizations that may not be taken into account in the business continuity plans of individual organizations.

Types of Exercise

There are many different types of exercise, and several different taxonomies for describing them. ENISA does not endorse any particular taxonomy, but one useful example is the US standard (HSEEP), which lists seven types:

Discussion-based exercises:
- Seminars (group instruction)
- Workshops (collaborative discussion)
- Tabletops (examine a scenario in a discussion format)
- Games (simulation of a scenario, possibly with two or more teams)

Operations-based exercises:
- Drills (testing an operation, process or piece of equipment)
- Functional exercises
- Full-scale exercises (full scenarios with large numbers of participating organizations and personnel simulating their actual duties and procedures)

Electronic Communications (e-communication) Network

Transmission systems and, where applicable, switching or routing equipment and other resources which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including Internet) and mobile terrestrial networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed [2002/21] (see the definition of public communications network below).

Public communications network

An electronic communications network used wholly or mainly for the provision of publicly available electronic communications services. [2002/21]

Resilience

The ability of a system to provide and maintain an acceptable level of service in the face of faults (unintentional, intentional, or naturally caused) affecting normal operation.

References

[2002/21] Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive).