ENISA launched a new publication on National Risk Management (NRM) preparedness. The report sets out the essential elements as a guideline for the governance of NRM in relation to a country’s Critical Information Infrastructure (CII). In particular, the report presents a workflow to develop and implement an NRM process.
The relationship between NRM and the management of information security risk in individual CII stakeholder organisations is identified in this new Agency report. It determines three essential NRM processes that need to be implemented by national governments, as follows:
Process 1: Define NRM Policy.
Process 2: Coordinate and Support Implementation [of risk management in CII stakeholder organisations].
Process 3: Review, Reassess and Report [on NRM].
Each of these three processes is supported by a number of activities. The report identifies a total of twelve detailed activities. These activities include, among others, setting the vision, establishing the NRM organisation, promoting standards, creating awareness, and analysing errors and incidents.
The framework for the governance of NRM enables governments and other national CII stakeholders to gain an overview of the elements that are required to build such a programme; and to understand the relationships between these elements.
The guidelines feature a questionnaire that allows governments to assess their strengths and weaknesses in relation to NRM preparedness by using a five-level capability maturity measurement.
The report can be used in practice by national governments to:
- Identify strengths and weaknesses in the implementation of NRM in their Member State
- Assist in the development of a framework for the governance of NRM
- Help the government to assist CII stakeholder organisations in developing their own risk management processes
- Assess the Member State’s NRM preparedness through the use of a defined testing process.
The complete report is available here.