ENISA: Secure ICT Procurement for Secure Electronic Communications
December 2014 by ENISA
ENISA publishes two reports today. The “Secure Procurement for Secure Electronic Communications” report highlights the growing dependency of providers on ICT products and outsourced services, and analyses the security risks this dependency introduces into the procurement process. The “Secure ICT Procurement Guide for Electronic Communications Service Providers” aims to be a practical tool for providers to better manage security risks when dealing with vendors and suppliers of ICT products and outsourced services.
Secure Procurement for Secure Electronic Communications
The study follows the latest edition of the Annual Incidents report, which gives an aggregated analysis of the security incidents resulting in severe outages; a primary cause of those outages is third-party ICT products and outsourced services, especially hardware failures and software bugs. This year’s report is the result of ENISA’s collaboration with providers and vendors in an effort to address these issues.
The key issues raised by electronic communication providers include:
Lack of security controls on the vendor’s side
Software vulnerabilities in ICT products or services
Non-compliance with security requirements in contracts
Lack of support from vendors in case of incidents
Weak negotiation power for providers
Lack of a framework or guidance for providers during procurement and outsourcing
In this context ENISA provides general recommendations and includes the results of a survey it conducted across electronic communication providers and ICT vendors. Recommendations to Member States involve raising awareness of the security risks related to the procurement of ICT products and outsourced services. In addition, vendors and providers are encouraged to develop a collaborative approach to setting security requirements, sharing information on security vulnerabilities and threats, and mitigating incidents.
Secure ICT Procurement Guide for Electronic Communications Service Providers
The Guide maps security risks to a full framework of security requirements, which providers can use as a tool when procuring from vendors, and addresses security risks for the core services in communication networks and services.
The Executive Director of ENISA, Professor Udo Helmbrecht commented: “Every year we see from the annual incident reporting that third-party ICT products and managed services are a major cause of outages. A simple software bug can have a severe impact on the availability of the internet and telephony services, and providers are not always able to fix such issues quickly on their own. The Security Guide for ICT Procurement we publish today is a practical tool to help providers buy ICT products and services from vendors and suppliers, with the necessary security requirements.”
For full reports: https://www.enisa.europa.eu/activit...