Brussels, 06 Dec 2002
– Proposal for a European network and information security unit
The Council heard a report from the Commission on a proposal for a Regulation that it intends to present in the near future, in the context of the eEurope 2005 action plan, aimed at establishing a European network and information security unit.
– European approach towards a culture of security
The Council approved the following Resolution aimed at a European approach towards a culture of network and information security.
"the Council of the European Union,
1. the Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee, and the Committee of the Regions – Network and Information Security: Proposal for a European Policy Approach
2. the Council Resolution of 30 May 2001 on the "e-Europe Action Plan: Information and Network Security"
3. the Council Resolution of 28 January 2002 on a common approach and specific actions in the area of network and information security
4. the e-Europe 2005 action plan endorsed by the Sevilla European Council in June 2002
5. the Opinion of the European Parliament on the European Commission Communication on Network and Information Security: Proposal for a European Policy Approach
Accordingly stresses that
1. with the development of information society services, network and information security is an increasingly vital issue for the daily life of citizens, businesses and public administrations contributing to the proper functioning of the Internal Market;
2. Member States and the European institutions must further develop a comprehensive European strategy for network and information security and strive towards "a culture of security" taking into account the importance of international co-operation;
3. the OECD Guidelines for the security of Information Systems and Networks are considered a valuable model for developing policies which achieve a culture of security while respecting democratic values and the importance of personal data protection;
4. care must be taken to respect privacy rights. Citizens and enterprises must have confidence that information is handled accurately, confidentially and reliably;
5. in developing a culture of security a significant task will be to clarify the responsibility for the security of networks and information systems for all stakeholders;
6. Europe needs to ensure the development and deployment of an appropriate skillbase in the field of network and information security;
7. there is a need for increased transparency, information exchange and co-operation between Member States, European institutions and the private sector;
8. a coherent security policy development at European level requires cross-pillar transparency and co-operation;
9. the ongoing work to fulfil the commitments made in the Council Resolution of 28 January 2002 on a common approach and specific actions in the area of network and information society has to be continued.
Therefore invites Member States to
1. promote security as an essential component in public and private governance, in particular by encouraging assignment of responsibilities;
2. provide for appropriate education and vocational training, as well as awareness-raising, particularly among young people, to security issues;
3. take adequate measures to prevent and respond to security incidents, in particular through:
a) the continuous improvement of the identification and assessment of security problems and the application of appropriate controls;
b) the establishment of effective ways of communicating the need for action to all stakeholders by reinforcing the dialogue at European and national levels and, where appropriate, international levels in particular with those supplying information society technology and services;
c) addressing appropriate information exchange corresponding to the needs of society to remain informed on good practices related to security;
4. encourage co-operation and partnerships between academia and enterprises to provide secure technologies and services and to encourage development of recognised standards.
Welcomes the intention of the Commission to
1. apply the open method of co-ordination in relation to Member States' ongoing actions and to assess their impact on security;
2. set up a temporary interdisciplinary working group in close co-operation with and composed of Member States representatives to conduct preparatory actions with a view to the establishment of a Cyber-Security Task Force as referred to in the Council Resolution of 28 January 2002;
3. further develop, in co-operation with Member States, a dialogue with industry to improve security in the development of hardware and software products and ensure the availability of services and data;
4. establish contacts with relevant international partners and international organisations with a view to co-operation and exchange of information in this area and to report to the Council on a regular basis;
5. establish the Cyber-Security Task Force referred to above.
1. industry to integrate the management of security risks into the mainstream of management thinking and business engineering;
2. all users to take a holistic view of the risks associated with information systems and look at the threats arising from physical events, human failings as well as technological vulnerabilities and deliberate attacks;
3. industry and all users to enter into dialogue with governments in developing a culture of security."