Annual Activity Report of the authorising officer 2011


ENISA_AAR_2011_final Page 2 of 52

Table of Contents

PART 1. POLICY ACHIEVEMENTS ... 4
1.1.1 WS1 - ENISA as a facilitator for improving cooperation ... 5
1.1.2 WS2 - ENISA as a competence centre for securing future technology ... 9
1.1.3 WS3 - ENISA as a promoter of privacy, trust and awareness ... 14
1.1.4 Horizontal activities ... 19
PART 2. MANAGEMENT AND INTERNAL CONTROL SYSTEMS ... 20
2.1 INTRODUCTION TO EUROPEAN NETWORK AND INFORMATION SECURITY AGENCY ... 20
2.2 THE FUNCTIONING OF THE ENTIRE INTERNAL CONTROL SYSTEM ... 24
2.2.1 Compliance with the requirements of the control standards ... 24
2.2.2 Effectiveness of implementation of the prioritised control standards ... 29
2.2.3 Conclusion ... 30
PART 3. BUILDING BLOCKS TOWARDS THE DECLARATION OF ASSURANCE ... 30
3.1 BUILDING BLOCKS TOWARDS REASONABLE ASSURANCE ... 31
3.1.1 Building block 1: Assessment by management ... 31
3.1.2 Building block 2: Results from audits during the reporting year ... 37
3.1.3 Building block 3: Follow-up of previous years' reservations and action plans for audits from previous years ... 38
3.1.4 Building block 4: Assurance received from other Authorising Officers in cases of crossed sub-delegation ... 39
3.1.5 Completeness and reliability of the information reported in the building blocks ... 39
3.2 RESERVATIONS ... 40
3.3 OVERALL CONCLUSIONS ON THE COMBINED IMPACT OF THE RESERVATIONS ON THE DECLARATION AS A WHOLE ... 40
PART 4. DECLARATION OF ASSURANCE ... 41
ANNEX 1. STATEMENT OF THE RESOURCES DIRECTOR ... 42
ANNEX 2. HUMAN RESOURCES BY ABB ACTIVITY ... 43
ANNEX 3. DRAFT ANNUAL ACCOUNTS AND FINANCIAL REPORTS ... 44


Annual Activity Report 2011

This document is the Annual Activity Report of the Authorising Officer of the European Network and Information Security Agency (ENISA) for the financial year 2011, in line with the requirements set out in the ENISA Financial Regulation [1].

[1] According to Art. 40 of the ENISA Financial Regulation adopted on 8 January 2009.


PART 1. POLICY ACHIEVEMENTS

Policy area

The European Network and Information Security Agency (ENISA) is a centre of expertise for Network and Information Security (NIS). ENISA bridges the gap between citizens, industry and governments by acting as a knowledge broker in NIS matters and as a promoter of good NIS practices within the EU Member States. ENISA's objectives are to:

1. enhance the capability of the European Union (EU), the Member States and, as a consequence, the business community to prevent, address and respond to network and information security problems;
2. provide assistance and deliver advice to the European Commission (Commission) and the Member States on issues related to network and information security;
3. building on national and EU level work, develop a high level of expertise and stimulate broad cooperation between actors from the public and private sectors;
4. assist the Commission, where called upon, in the technical preparatory work for updating and developing EU legislation in the field of network and information security.

The ENISA work programme for 2011 reflected the evolution of information and communications technologies (ICT) and the threat situation in internet/cyber space, taking into account a number of factors including the entry into force of the Treaty of Lisbon [2], the Digital Agenda for Europe [3] and the expectations of the Member States. In 2011 ENISA supported the Commission in the implementation of the Critical Information Infrastructure Protection (CIIP) Action Plan (COM(2011) 163 [4]), notably in the areas of resilience of networks and critical information infrastructure protection.

Operational Activities

During 2011 the policy context kept changing and information security threats continued to evolve rapidly. To reflect strategic discussions at European Union level, the Agency's work programme for 2011 was amended in July 2011. Addressing these changes required some resources (staff and budget) to be reallocated to new activities. The work programme was structured as three separate Work Streams, chosen to ensure continuity between the former Multi-Annual Thematic Programmes (MTPs) and the Work Streams (WS) that form the basis for the future work of the Agency. The Work Streams are:

WS1 ENISA as a facilitator for improving cooperation
WS2 ENISA as a competence centre for securing future technology
WS3 ENISA as a promoter of privacy, trust and awareness

A set of SMART [5] goals has been defined for each Work Stream. These are related to the desired outcomes and impacts and are assessed and monitored throughout the work programme using Key Performance Indicators (KPIs). Each Work Stream consists of several Work Packages that implement the SMART goals. This information is included at the end of the respective subsection. To ensure the Agency's operational transparency, all resulting reports, brochures, guidelines and analyses can be accessed via the ENISA web page (see www.enisa.europa.eu).

[2] Treaty of Lisbon amending the Treaty on European Union and the Treaty establishing the European Community, signed at Lisbon, 13 December 2007, entered into force on 1 December 2009, 2007/C 306/01.
[3] Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, A Digital Agenda for Europe, Brussels, 19.5.2010, COM(2010) 245 final.
[4] Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Critical Information Infrastructure Protection, 'Achievements and next steps: towards global cyber-security', Brussels, 31.3.2011, COM(2011) 163 final.

1.1.1 WS1 - ENISA as a facilitator for improving cooperation

The principal goal of the first Work Stream was to support the Commission and the Member States in building on current cooperation schemes to intensify the exchange of information and cooperation between Member States in a number of key areas. This work was organised taking into account the work of the European Forum for Member States (EFMS) and the European Public Private Partnership for Resilience (EP3R).

In 2011 ENISA supported Member States' efforts to implement articles 13a and 13b of the Framework Directive 2002/21/EC [6], develop the appropriate incident reporting mechanisms, collect and analyse data and report them back to ENISA. ENISA organised discussions with a working group of experts from telecommunications regulatory authorities in the EU, in face-to-face workshops and teleconferences. These meetings led to a consensus on two technical guidelines: the Technical Guideline on Incident Reporting and the Technical Guideline for Minimum Security Measures.

Substantial work was also done to assist the Commission and Member States in further developing EP3R, and to support the Computer Emergency Response Team (CERT) community by developing and hosting a collaboration platform for the exchange of information at an operational level and by facilitating cooperation with law enforcement agencies. During 2011 ENISA supported the EP3R process, facilitating the establishment of three working groups (WGs) to address: identification of key assets for the continuous and secure provisioning of e-communications across Member States; baseline requirements for the security and resilience of e-communications; and coordination and cooperation needs and mechanisms to prepare for and respond to large-scale disruptions (this area initially covers two important topics, namely botnets and cyber exercises). The working groups produced three position papers containing recommendations covering the three areas of EP3R.

Within the EP3R project, in 2011 ENISA conducted a Study on Cooperative Models for Effective Public Private Partnerships (PPPs). The aim of the study was to consolidate and validate a taxonomy of the main components required to create and maintain a PPP. ENISA also published a Good Practice Guide designed to help stakeholders choose options that add value when they set up and run a PPP; a set of good-practice recommendations is included in the guide.

Throughout the year, ENISA experts delivered seminars and shared knowledge on how to plan, design, organise and conduct national cyber exercises. After the success in 2010 of the first pan-European cyber exercise, Cyber Europe 2010, the exercise evaluation report was published in 2011. Following an EU-US commitment to foster greater efforts and cooperation on cyber security, the first joint EU-US cyber security exercise was held in November 2011, with the support of ENISA and the US Department of Homeland Security (DHS). The exercise had a two-fold scenario: the first revolved around a cyber incident affecting the EU, the second involved cyber incidents in the US.

In 2011 ENISA also identified the lifecycle for the development and maintenance of national contingency plans (NCPs). By following the steps of the cycle, a Member State is guided through the process of developing and continuously improving its contingency plan.

As regards ENISA's activity to reinforce CERTs in the Member States, a report was delivered in 2011 identifying ways to improve secure communication with the CERTs and other stakeholders. In addition, ENISA published a report on current CERT operational gaps and overlaps, which analyses the operational gaps and overlaps of national and governmental CERTs and provides recommendations.

ENISA is in a unique position within Europe to break down barriers to cooperation between communities. That is why in 2011 the Agency organised its traditional CERT workshop jointly with EUROPOL, with the support of the national computer emergency response team of the Czech Republic (CSIRT.CZ). The event focused on supporting cooperation between national/governmental CERTs and law enforcement authorities in the fight against cybercrime. A first collection of practices on cooperation between CERTs and Law Enforcement Agencies in the fight against cybercrime was finalised and published in Q1/2012. The essential aim of this report was to improve the capability of CERTs, with a focus on national/governmental CERTs, to address the network and information security (NIS) aspects of cybercrime.

[5] Specific, Measurable, Agreed, Realistic and Time-bound (SMART) goals are a tool for objective-based management, which traces back to Peter Drucker, The Practice of Management (1954).
[6] As amended by the 2009 Telecom Package (Directive 2009/140/EC), http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:2002L0021:20091219:EN:PDF

Analyses of SMART Goals at work package level of WS1

Each work package (WPK) lists its SMART goals with the KPI used to measure the desired impact and the KPI status at the end of 2011.

WPK 1.1: Supporting Member States in implementing article 13a
- SMART goal: By end of Q4 2011, at least 18 Member States take part in ENISA efforts to support harmonised implementation of article 13a. KPI: number of Member States. Status: all Member States.
- SMART goal: By end of Q4 2011, at least 10 providers take part in ENISA efforts to support harmonised implementation of article 13a. KPI: number of providers. Status: 12.
- SMART goal: By end of Q4 2011, at least 15 Member States adopt the proposed annual incident reporting scheme to ENISA. KPI: number of Member States. Status: all Member States adopted ENISA's incident reporting scheme.

WPK 1.2: Preparing the next pan-European exercise
- SMART goal: By end of Q4 2011, at least 12 Member States take part in the development of the roadmap and the future scenarios. KPI: number of Member States. Status: more than 20 Member States.
- SMART goal: By end of Q4 2011, at least 12 Member States take part in ENISA efforts towards the second pan-European exercise. KPI: number of Member States. Status: 225% (all Member States).
- SMART goal: By end of Q4 2011, at least 5 Member States organise seminars and prepare plans for national exercises. KPI: number of Member States. Status: 11 seminars delivered in Member States.

WPK 1.3: Reinforcing CERTs in the Member States
- SMART goal: By Q4 2011, 80% of updates in the CERT inventory are confirmed. KPI: % of confirmed updates. Status: 100%.
- SMART goal: By Q4 2011, at least two TRANSITS trainings have been organised with support from ENISA. KPI: number of trainings supported. Status: 100% (2 trainings).

WPK 1.4: Support CERT (co)operation on European level
- SMART goal: By Q4 2011, at least 10 references to the cross-border information sharing study from external websites, official publications, discussions on mailing lists or other means. KPI: number of references. Status: 100% (more than 10 references). KPI: number of downloads. Status: 100% (300 downloads).
- SMART goal: By Q4 2011, at least 10 references to the operational gaps and overlaps report from external websites, official publications, discussions on mailing lists or other means. KPI: number of references. Status: 100% (more than 10 references). KPI: number of downloads. Status: 100% (more than 100 downloads).

WPK 1.5: Good practice for CERTs to address NIS aspects of cybercrime
- SMART goal: By Q4 2011, at least 10 references to each report from external websites, official publications, discussions on mailing lists or other means (cybercrime report). KPI: number of references. Status: 100% (more than ten references).
- SMART goal: At least 50% of the EU population is represented at the workshops (6th ENISA CERT workshop). KPI: % of EU population represented. Status: 100% (89% of EU population).
- SMART goal: Workshop participants score at least 3 on a scale of 1-5 (6th ENISA CERT workshop). KPI: average feedback on a scale of 1-5 per workshop. Status: 100% (average score 4.05).

Published reports, papers and web:
- Technical Guideline on Reporting Incidents: http://www.enisa.europa.eu/act/res/reporting-incidents/incidents-reporting-to-enisa/technical-guideline-on-incident-reporting
- Technical Guideline for Minimum Security Measures: http://www.enisa.europa.eu/act/res/reporting-incidents/minimum-security-requirements
- Exercise Scenario Development Handbook (available upon request, please contact [email protected])
- Status of CYBER EUROPE 2012 - the ExPlan (Exercise Plan): https://resilience.enisa.europa.eu/eu-exercises/
- Cyber Exercise Seminars Report in 2011 (available upon request, please contact [email protected])
- Proactive detection of network security incidents report: http://www.enisa.europa.eu/act/cert/support/proactive-detection
- Updated ENISA inventory of CERTs in Europe: http://www.enisa.europa.eu/act/cert/background/inv
- Secure communication with the CERTs and the other stakeholders: http://www.enisa.europa.eu/act/cert/other-work
- A flair for sharing - encouraging information exchange between CERTs. A study into the legal and regulatory aspects of information sharing and cross-border collaboration of national/governmental CERTs in Europe: http://www.enisa.europa.eu/act/cert/support/legal-information-sharing
- CERT operational gaps and overlaps report: http://www.enisa.europa.eu/act/cert/other-work
- Good practice guide on national contingency plans (published Q1 2012): http://www.enisa.europa.eu/activities/Resilience-and-CIIP/cyber-crisis-cooperation/national-contingency-plans
- Report on Cyber Atlantic 2011 (Q1 2012) (available upon request, please contact [email protected])
- First collection of practices on cooperation between CERTs and law enforcement (published Q1 2012): http://www.enisa.europa.eu/activities/cert/support/supporting-fight-against-cybercrime/cooperation-between-certs-and-law-enforcement-agencies-in-the-fight-against-cybercrime-a-first-collection-of-practices

Workshops, meetings and events:
- The 18th TRANSITS-I Training Workshop, 25-26.01.2011, at the European Central Bank (ECB) in Frankfurt am Main, Germany
- The 19th TRANSITS-I Training Workshop, 8-9.09.2011, at the Irish Reporting and Information Security Service (IRISS) headquarters in Dublin, Ireland
- 6th CERT Workshop on cybercrime, 3-4.10.2011, Prague, Czech Republic: http://www.enisa.europa.eu/act/cert/events/6th-workshop-cybercrime

1.1.2 WS2 - ENISA as a competence centre for securing future technology

The overall objective of the second Work Stream is to assist the Member States and the Commission in identifying and responding to security issues related to current and future technology. This is achieved by promoting methods and tools for recognising and responding to threats at both the infrastructure and application levels.

Smartphones are expected to outnumber PCs by 2013 and to become the most common devices for accessing the Internet. In 2011 the Agency launched the report Smartphone Developer Guidelines, which gives the top ten security controls for smartphone application developers, among them how to protect sensitive data and how to handle password credentials securely. Over the course of 2011 numerous malicious apps were found across a variety of smartphone models. Starting from a threat model for app stores, ENISA produced the paper App-stores: the five lines of defence, which identifies five lines of defence that must be in place to address malware in app stores: app review, reputation, kill-switches, device security and jails.

The web browser is arguably the most security-critical component in our information infrastructure, as it has become the channel through which most of our information passes. In its report Security Analysis of Next Generation Web Standards, issued in mid-2011, ENISA made detailed recommendations for improvements to browser security; in total, 51 security threats and issues were identified and detailed in the report.

In 2011 ENISA published the study Analysis of Cyber Security Aspects in the Maritime Sector, which analyses cyber security in the maritime sector and identifies key insights and considerations. It also touches on the policy context at the European level and situates the topic in the context of the global protection of ICT infrastructure.

ENISA also addressed the needs of network operators to provide their customers with connectivity to the Internet. ENISA prepared the first study on the subject, Inter-X: Resilience of the Internet Interconnection Ecosystem, and published it in April 2011. The study provides a better understanding of what is needed for a more secure and resilient interconnected network environment. It identified a number of concerns and recommended the investigation of incidents by an independent body, in order to understand the nature of successes and failures. As a follow-up, ENISA launched a project on Good Practices for Resilient Internet Interconnections, assessing technical issues (e.g. logical, physical and application layers, replication and diversity of services and data, data centres), peering and transit issues (e.g. service level agreements), and market, policy and regulatory issues.
Smart grids could be described as an upgraded electricity network to which two-way digital communication between supplier and consumer, intelligent metering and monitoring systems have been added. ENISA produced the research study Analysis of the Cyber Security Aspects of Smart Grids, resulting in recommendations for all stakeholders to improve the security, safety and resilience of future smart grid deployments.

During 2011 ENISA launched a series of activities that aim to bring together the relevant stakeholders and engage them in an open discussion on Industrial Control Systems (ICS) protection. As a result ENISA published the report Protecting Industrial Control Systems: Recommendations for Europe and Member States, which contains a set of recommendations for the public and private sectors. The recommendations call for the creation of national and pan-European ICS security strategies, the development of a good practices guide on ICS security, the fostering of awareness and education as well as research activities, the establishment of a common test bed, and the development of ICS computer emergency response capabilities.

ENISA's work programme for 2011 also covered the topic of Mutual Aid Agreements as an advanced means of emergency preparedness. The ENISA report on Mutual Aid for Resilient Infrastructure in Europe (MARIE) was divided into two phases. Phase 1 presents twelve key observations about Mutual Aid Agreements and in so doing lays the foundation for actionable recommendations, which are planned for the MARIE Phase 2 report expected to be finished in 2012.

Under the second Work Stream ENISA developed an ontology of resilience that embeds a taxonomy of resilience. The proposed ontology introduces tools for understanding resilience as a network design target, and the output of those tools when applied to resilience: classification using a taxonomy, and relationship modelling using an ontology with the taxonomy at its core. The ontology presented is an open, interoperable and scalable framework intended to lead to further developments in standardisation. Ontology and taxonomy were addressed as methods that extend the role of standards in complex areas, by allowing more complex scenarios to be addressed than are normally considered by standardisation. Resilience falls into this class of complex scenarios, as it covers many different technologies and strategies compared with many other simpler, though still complex, protocols.

The Internet's architecture can be divided into GAN (Global Area Network), WAN (Wide Area Network), LAN (Local Area Network) and SAN (Storage Area Network) networks. Between 2008 and 2010 ENISA studied the potential of several technologies (mainly used in GANs) to improve the resilience characteristics of the Internet's infrastructure, and how this potential was perceived by network operators based on their deployment status. During 2011 ENISA examined the deployment status of these technologies and identified four others with the most relevant characteristics. The following redundancy technologies employed in these parts of the Internet were selected for the survey: IS-IS (WAN), VRRP (LAN/WAN), RSTP (LAN) and Fibre Channel (SAN). These were described in detail and research was conducted on their deployment status, resulting in the Review of Technologies Enhancing Resilience and their Status of Deployment.

Supply chain integrity in the ICT industry is a topic that receives attention from both the public and private sectors. Currently it is addressed differently in different industries. Important solutions have been developed in various areas of ICT, which have led to considerable progress and highlighted the need for a comprehensive research study dealing with supply chain integrity. In 2011 ENISA launched a study on good practices among various industry segments, investigating the feasibility of bridging the gaps by developing common guidelines.

The increasing use of e-government services has led to significant growth in the amount of citizens' sensitive data being transmitted over public networks (e.g. the Internet) and stored within applications that are accessible from anywhere on the Internet. The study performed by ENISA surveyed cryptographic guidelines and requirements, as well as specifications defined and used by the Member States. It was based on answers received from 13 Member States, covering almost 75% of the European Union's population. ENISA found that many cryptographic specifications or recommendations prepared and used for e-government services recommend good-practice encryption algorithms. However, according to the IT industry, many of the cryptographic solutions that they audit and test are poorly deployed; in many cases the deployment teams for systems or services handling unclassified information lack cryptographic expertise.

As for the European Information Sharing and Alert System (EISAS), in 2011 ENISA produced two documents: the EISAS Roadmap, providing the direction for further development and deployment of the system, and the EISAS Basic Toolset. The EISAS (enhanced) report was published at the end of the year as an implementation plan for further development and deployment of the EISAS concept. It is a 'how-to' method for implementing a fully functional EISAS framework in the European Union Member States by 2013.

Analyses of SMART Goals at work package level of WS2

Each work package (WPK) lists its SMART goals with the KPI used to measure the desired impact and the KPI status at the end of 2011.

WPK 2.1: Security & privacy of Future Internet technologies
- SMART goal: Number of contributions made to the deliverables of the Internet of Things Expert Group (IoT EG). KPI: number of contributions. Status: 2.
- SMART goal: At least 5 citations of the smartphone paper in reputable journals. KPI: number of citations. Status: 5.

WPK 2.2: Interdependencies and interconnection
- SMART goal: By end of Q4 2011, at least 10 financial companies and 10 energy providers take part in the study on inter-dependent networks. KPI: number of financial companies, number of energy providers. Status: 100% for energy providers (20 energy providers); the finance sector was not included due to the reallocation of resources.
- SMART goal: By end of Q4 2011, at least 10 providers and IXPs contribute to the study on interconnected networks. KPI: number of providers and IXPs. Status: 100% (15 ISPs and IXPs took part in the study).
- SMART goal: By end of Q4 2011, at least 10 providers and 5 Member States contribute to the study on mutual aid assistance. KPI: number of providers, number of Member States. Status: due to the reallocation of resources only stock-taking was performed; the rest is planned for 2012.

WPK 2.3: Secure architectures and technologies
- SMART goal: At least 5 sector actors (i.e. representatives of industry, regulators, academia, etc.) validating the report on the use of advanced cryptographic techniques, through contributions in the review process, participation in relevant WGs, quotations and references in publications, etc. KPI: number of sector actors. Status: 100% (based on answers from 13 Member States, covering about 75% of the EU population).
- SMART goal: Coverage of at least 150 M users by operators surveyed in the study on the expectations and deployment status of technologies by network operators. KPI: number of users. Status: 100% (50 interviews).
- SMART goal: At least 5 sector actors (i.e. representatives of industry, regulators, academia, etc.) validating the study on technologies with potential to improve the security of the Internet infrastructure, through contributions in the review process, participation in relevant WGs, quotations and references in publications, etc. KPI: number of sector actors. Status: 100%.

WPK 2.4: Early warning for NIS
- SMART goal: By Q4 2011, at least 10 references to each report or toolset from external websites, official publications, discussions on mailing lists or other means (Proactive detection of security incidents report). KPI: number of references. Status: 100% (more than 10 references).
- SMART goal: By Q4 2011, at least 10 references to each report or toolset from external websites, official publications, discussions on mailing lists or other means (EISAS basic toolset, EISAS report on implementation (enhanced)). KPI: number of references. Status: 50% (5 references).

Published reports, papers and web:

Survey and analysis of security parameters in cloud SLAs across the European public sector: http://www.enisa.europa.eu/act/application-security/test/survey-and-analysis-of-security-parameters-in-cloud-slas-across-the-european-public-sector

Top Ten Smartphone Controls for Developers: http://www.enisa.europa.eu/media/news-items/top-ten-smartphone-security-controls-for-developers

Interdependencies of ICT on Maritime Sector: www.enisa.europa.eu/act/res/other-areas/cyber-security-aspects-in-the-maritime-sector

Protecting Industrial Control Systems. Recommendations for Europe and Member States: https://www.enisa.europa.eu/act/Resilience%20and%20CIIP/critical-infrastructure-and-interdependencies/scada-industrial-control-systems

Good practices on mutual aid assistance and co-ordinated response and recovery measures: www.enisa.europa.eu/act/res/other-areas/mutual-aid-agreements

Review of technologies enhancing resilience and their status of deployment: http://www.enisa.europa.eu/act/it/technology-for-resilience/tech

Ontology and taxonomies for resilience: http://www.enisa.europa.eu/activities/identity-and-trust/technology-for-resilience/ontology

Use of advanced cryptographic techniques in Europe: http://www.enisa.europa.eu/act/it/library/the-use-of-cryptographic-techniques-in-europe

EISAS roadmap: http://www.enisa.europa.eu/act/cert/other-work/eisas_folder/eisas

EISAS basic toolset report: http://www.enisa.europa.eu/act/cert/other-work/eisas_folder/eisas

EISAS ‘enhanced’ report: http://www.enisa.europa.eu/act/cert/other-work/eisas_folder/eisas

Workshops, meetings and events: High-Level Internet of Things expert group meetings, 08.02.2011., 30.06.2011., 30.09.2011., 15.-16.11.2011., Brussels, Belgium.

1.1.3 WS3 - ENISA as a promoter of privacy, trust and awareness

The third element of the ENISA activities during 2011 was to promote trust in future information systems by all sections of the population. There are four main activities in this area:

Understanding and analysing economic incentives and barriers to information security.

Ensuring that privacy, identity and trust are correctly integrated into new services.

Supporting the implementation of Article 4 of the ePrivacy Directive (2002/58/EC).

Promoting the establishment of a European month of network and information security for all.

As for the Economics of Security, ENISA’s work encompassed a number of activities, ranging from information on risk management and risk assessment to the economic implications of managerial decisions on the implementation of security measures and tools. In order to accomplish this activity, ENISA organised a working group with a view to identifying, analysing and presenting the most prominent topics on Economics of Security. The main output of this work is the report "Economics of Security: Facing the Challenges", launched in 2011. The work conducted also elaborates on economic issues (e.g. behavioural economics, return on investment, risk management, the economics of resilience, etc.) arising from the fulfilment of such requirements. In this way, this work package contributes to the points announced in the Digital Agenda for Europe, such as boosting Europe’s economic performance and the introduction of measures to reinforce the benefits of the Single Market. In addition to this, ENISA has produced the report "Economic Efficiency of Security Breach Notification Schemes".

Reputation systems are a key success factor for many websites, enabling users and customers to have a better understanding of the information, products and services being provided. However, by using reputation systems, citizens of the European Union place themselves at additional risk. A study “Trust and reputation models” carried out by ENISA in 2011 revealed that there is a significant difference between the real-life implementation of reputation systems and the academic research that is currently being conducted. The reputation systems currently being deployed primarily facilitate and promote business transactions. They appear not to take into account or further develop academic research into privacy and trust solutions; they do not embed the research in operational systems. ENISA also identified conclusions in five core areas that covered the following points:

Risks to users of reputation systems and the trustworthiness of risk assessment scores

Customer communications regarding reputation systems

Lack of clarity regarding governing legislation

While the importance of the privacy by design principle is widely accepted, lax data protection practices are a reality among many online service providers. In view of this state of affairs, the study on data collection and storage in the EU was launched to present an analysis of the legal framework applied by Member States. The framework is based on the principles of minimal disclosure and the storage of personal data for the shortest possible duration. The study does not delve deeply into the legal complexities of data protection legislation. Instead it focuses on a limited number of actual cases. It then documents how the aforementioned principles were applied in concrete legal or regulatory provisions, and how they were observed in practice.

In a 2011 Eurobarometer Survey, 74% of Europeans stated that they see disclosing personal data as part of modern life and 43% said that they have been asked for more information than necessary when using a service or trying to access it. Understanding the economic issues concerning online privacy is a step toward defending the individual’s rights. ENISA’s analysis of the monetization of privacy examined the consumer’s decision about disclosure or non-disclosure of personal data within a transaction to obtain a good. The results were based upon theoretical and experimental insights. The findings rely on research results that use a new economic model. ENISA gave advice for the general public and for experts, and provided research background and the theoretical modelling.

ENISA took an active role in supporting the implementation of the ePrivacy Directive (2002/58/EC); a workshop was held and technical recommendations were issued. A data breach notifications workshop organised by ENISA had two goals – to disseminate a study on data breach notifications performed under the umbrella of the Agency Work Programme, and to gather opinions on ENISA’s future work in this field. The workshop was very successful and attracted over 80 participants from all over Europe. In addition to this, during 2011 the Agency developed specific technical recommendations for the implementation of Article 4 of the e-Privacy Directive, including a practical and usable definition of a “data breach”, and in particular its relationship to the definition of an “information security incident”. ENISA also developed criteria for:

Determining when a data breach has occurred

Identifying and assessing security controls that help determine when a breach has occurred

Identifying and assessing the risks regarding data breaches

Developing procedures for notification when data breaches occur, in either the private or public sectors.

The work also addressed the online processing of data breaches, the definition of “undue delay”, and other issues. The expert group that helped ENISA in this task was composed of representatives from the EU institutions, the Art. 29 Working Party, national Data Protection Authorities and industry. The work constituted ENISA’s input to the consultations on new European data protection rules.

As part of its ongoing awareness raising mission, ENISA assessed the establishment and organisation of a European Month of Network and Information Security for All. To this end, ENISA established a virtual working group to gather information on Member States’ experiences in organising security events, and to assess the feasibility of organising a European security month. Furthermore, ENISA supported public and private organisations in their efforts to raise the information security awareness of employees and/or customers, by providing attractive material through a ready-to-use set that is easy to use, such as posters, illustrations, screensavers and video clips. This material is available for download for use in any information security training programme, awareness activity or company website. ENISA also supported organisations by providing designed and customised material and by identifying key awareness messages and areas for which information security awareness should be raised.

The report Information Security in Education comes at a time when education and ICT are more interrelated and interconnected than ever. The challenge for the digitally active citizen is to remain informed about the news coming from the dynamic field of ICT, and of Information Security in particular. Lifelong learning and formal, non-formal and informal education are all on the agenda of policymakers. Children, youth and their peers, parents and educators are all part of the discussion, and ENISA recommends that they cooperate and get involved as much as possible. The material available facilitates the easy transfer of knowledge between stakeholders. This material is a contribution towards the objective of the Digital Agenda for Europe, which states: “Youth engagement will make the Digital Agenda a reality.” ENISA’s intention is to start the knowledge transfer process between all involved actors in order to achieve sustainable results that have a real impact on the European digital citizen. One way to achieve this is by disseminating the work done in the last few years by ENISA in a language that can be understood by the target group. The Agency has therefore summarised the findings of ENISA reports in the form of fiches. Interested parties can read and use this material and, if necessary, look for further details in the full documents. The reports were selected in order to deliver content that can be directly used for educational purposes.


In addition to the easy-to-use materials, the Risk Management issues addressed in 2011 include results achieved in the area of emerging risks, delivered in the reporting period. In particular:

“To log or not to log?”: The Agency uses a fictional family’s day-to-day lives to examine the impact on their privacy, the “family wallet”, psychology and other issues as they put ever more personal information online. The report includes recommendations for addressing security and privacy risks. To enjoy the benefits of life-logging technologies, people need to upload personal information – be it personal thoughts, videos or financial data – to Internet locations over which they have little control. For individuals, that implies threats to privacy, loss of personal data control, harm to one’s reputation and the possibility of psychological damage from exclusion or the feeling of constant surveillance. For commercial organisations, there is the risk of breaching data protection laws, resulting in legal sanctions and irreversible damage to the organisation’s reputation. Governments may suffer the loss of public confidence if they are perceived not to be properly protecting their citizens’ personal information.

Cyber bullying & online grooming: the report identifies the top emerging risks and makes 18 non-technical recommendations for their mitigation. Digital devices and the Internet now play a significant role in children’s lives. Today’s young people live their online lives in both private and educational settings. This is an environment radically different from that of their parents during their childhood years. Risks in a child’s online environment can be detrimental to their physical development and social skills, argues the ENISA Expert Group on Internet risks. The report details a scenario of 13-year-old Kristie’s changed behaviour, poor grades and negative attitudes due to abuse in her online life. Many parents lose control, as they lack the knowledge and tools to support their children, the report argues. The Agency thus issues 18 recommendations to mitigate the identified risks.

Analyses of SMART Goals at work package level of WS3

WPK / SMART goal | KPI | KPI status

WPK 3.1: Identifying and promoting economically efficient approaches to information security. DESIRED IMPACT (KPIs linked to S.M.A.R.T. goals):

SMART goal: By end of Q4 2011, at least 50 downloads of each report | KPI: Number of downloads | Status: 1490% (downloads of report: 745; downloads of Working Group contributions: 124)

WPK 3.2: Deploying privacy & trust in operational environments. DESIRED IMPACT (KPIs linked to S.M.A.R.T. goals):

SMART goal: At least 5 sector actors (i.e. representatives of industry, regulators, academia, etc.) validating the report on minimal disclosure, through contributions in the review process, participation in relevant WGs, quotations and references in publications, etc. | KPI: Number of Sector Actors | Status: 100% (3 types of service providers in all 27 MS covered)

SMART goal: At least 5 sector actors (i.e. representatives of industry, regulators, academia, etc.) validating the report on trust and reputation models, through contributions in the review process, participation in relevant WGs, quotations and references in publications, etc. | KPI: Number of Sector Actors | Status: 100% (more than 5 sectors covered)

SMART goal: At least 5 sector actors (i.e. representatives of industry, regulators, academia, etc.) validating the report on monetizing privacy, through contributions in the review process, participation in relevant WGs, quotations and references in publications, etc. | KPI: Number of Sector Actors | Status: 100% (numerous references in media about the study)

WPK 3.3: Supporting the implementation of the ePrivacy Directive (2002/58/EC). DESIRED IMPACT (KPIs linked to S.M.A.R.T. goals):

SMART goal: At least 5 sector actors (i.e. representatives of industry, regulators, academia, etc.) validating the study on extending the obligation of notifications about data breaches, through contributions in the review process, participation in relevant WGs, quotations and references in publications, etc.[21] | KPI: Number of Sector Actors | Status: 100%

SMART goal: Representatives of 10 DPAs from EU MS attend the workshop | KPI: Number of DPAs | Status: 100% (more than 90 persons attending the workshop)

WPK 3.4: European month of network and information security for all. DESIRED IMPACT (KPIs linked to S.M.A.R.T. goals):

SMART goal: By end of Q4 2011, at least 50 downloads of each report | KPI: Number of downloads | Status: 100% (380 downloads)

SMART goal: At least 50% of the EU population is represented at the workshops | KPI: % of EU population represented | Status: No workshop organised due to the reallocation of the resources

SMART goal: Event participants score the event at least as 3 on a scale of 1-5 | KPI: Average feedback on scale of 1-5 | Status: No workshop organised due to the reallocation of the resources

Published reports, papers and web:

Economics of Security: Facing the Challenges - A multidisciplinary assessment: http://www.enisa.europa.eu/act/rm/Economics-of-Security

Trust and reputation models: http://www.enisa.europa.eu/act/it/library/trust-and-reputation-models

Technical recommendations for the implementation of the Art.4 of ePrivacy Directive: http://www.enisa.europa.eu/act/it/risks-and-data-breaches/dbn

Technical implementation guidelines on Article 4 implementation: http://www.enisa.europa.eu/activities/identity-and-trust/risks-and-data-breaches/dbn/art4_tech

Study on monetizing privacy (published in Q1 2012): http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/monetising-privacy

Study on data collection and storage in the EU (published in Q1 2012): http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/data-collection

(extra mile) Economic efficiency of security breach notification (published in Q1 2012)

Workshops, meetings and events: Workshop on data breach notification, 24.01.2012., Brussels, Belgium: http://www.enisa.europa.eu/act/it/risks-and-data-breaches/data-breach-notification/data-breach-notifications-in-europe-2013-the-way-forward

1.1.4 Horizontal activities

ENISA was involved in numerous high-level European conferences in 2011. These included ENISA’s own events, as well as joint conferences and speaking events. During 2011, ENISA participated in or co-ordinated 52 events and conferences throughout Europe and further afield.

One of the key events during the year was ENISA’s High-Level Panel Discussion, which took place in October in Brussels. The panel discussion dealt with future challenges in network and information security. It brought together experts from the European Commission, Parliament, Council, Member States and industry. An audience made up of people from the worlds of network and information security, government and politics had the opportunity to watch the debate and put questions to the panel. Another key event was the NIS Summer School, organised jointly with Greece’s Foundation for Research and Technology (FORTH) on Crete. The event attracted a large number of participants.

In 2011, ENISA received eight requests for assistance from Member States, a marked increase from the two received in 2010. These requests, made under Article 10 of the ENISA Regulation, required the provision of highly technical support at short notice to the Member State concerned. In response to this need, ENISA established a Mobile Assistance Team (MAT) in 2011. The MAT works from the Agency’s branch office in Athens.


PART 2. MANAGEMENT AND INTERNAL CONTROL SYSTEMS

2.1 Introduction to European Network and Information Security Agency

ENISA was established in 2004 by Regulation (EC) No 460/2004 of the European Parliament and the Council. This regulation was subsequently amended by Regulation (EC) No 1007/2008 of the European Parliament and the Council and Regulation (EC) No 580/2011 of the European Parliament and the Council, extending ENISA’s mandate until 13 September 2013. Any statements made by the Agency for the period past the current extension date assume that the mandate of the Agency will be further extended within the limits set by the Commission proposal (COM(2010) 521)[7].

The Agency is governed by a Management Board (MB), composed of one representative of each Member State (the EU Member States and the EEA countries Iceland, Liechtenstein and Norway), three representatives of the Commission and three representatives of designated stakeholders (information and communication technologies industry, consumer groups, academic experts in network and information security). ENISA is managed by its Executive Director, appointed by the Management Board from a list of candidates proposed by the European Commission and following a hearing in the European Parliament. The Agency is based in Heraklion, Greece, with a branch office in Athens, Greece.

The ENISA Management Board and the Permanent Stakeholders Group (PSG) of 30 leading experts in network and information security helped to extend ENISA’s networking and information gathering capabilities. In line with established practice, two Management Board meetings and one Permanent Stakeholders’ Group meeting were held as planned during 2011. In addition to several regular and particular administrative, management and budgetary items, the preparation and subsequent adoption of the Budget and the Work Programme for 2012 were important activities during the year. Minutes and decisions of the Management Board are available on the ENISA website (http://www.enisa.europa.eu/about-enisa/structure-organization/management-board/minutes-decisions-1). Furthermore, an informal joint meeting between the Management Board and the Permanent Stakeholders Group took place in July 2011 in Greece. The meeting focused on setting the priorities and themes of the Work Programme 2012. In addition, an informal Management Board meeting on strategic guidance for Work Programme 2013 was held in Athens in November 2011.

There is a network of National Liaison Officers (NLO) created as a partnership network of ENISA and its member countries. Although not formally based on the ENISA Regulation, this network is of great value to ENISA, as the NLOs serve as ENISA’s important point of reference into the Member States on specific issues. It consists of experts in national entities involved in network and information security at national level. Being our formal contact points, also in 2011 the NLOs have been continuously asked for their feedback and assistance in disseminating information, as well as informed of ongoing issues at ENISA. The Agency greatly appreciates the work its NLOs perform, and the 2011 joint meeting between the NLOs and ENISA’s Permanent Stakeholder Group (PSG) provided an opportunity to find synergies between these two important groups of ENISA “ambassadors”.

The organisational structure (see Pict. 1) of ENISA follows the operational and horizontal objectives of the Agency, resulting in the reorganisation adopted by the Executive Director on 16 November 2011. It shows three horizontal Departments/Units and one operational Department, divided into three Units and managing the Work Programme. The Agency is still in an evolutionary phase, dictated by the rapidly changing operating environment, the new challenges identified by the stakeholders and the consequent shift in focus of the Agency’s operations.

[7] Proposal for a Regulation of the European Parliament and of the Council Concerning the European Network and Information Security Agency (ENISA), Brussels, 30.09.2010., COM(2010) 521 final. According to this proposal the mandate of the Agency should be of limited duration; the starting point of the 5-year extension will be 14/09/2013 or the day when the Regulation enters into force, whichever comes later.

Pict. 1 ENISA organisational chart (as on 16.11.2011.):

Executive Director (with Quality Control Advisor)

IT & Facilities Management Unit

Public Affairs Unit

Administration Department: Finance, Accounting and Procurement section; Legal & Human Resources section

Technical Competence Department: Secure Services & Project Support Activities unit; Operational Security unit; Resilience & CIIP unit

As a knowledge-based organisation, ENISA relies on its personnel to deliver its services to its stakeholders and ensure compliance in line with the regulatory framework. As an EU Agency, ENISA benefits from having a diverse multi-national workforce.

In 2011 the Agency committed its appropriations at a rate of 100% (99,95% in 2010) in order to carry out its operational activities specified in the Work Programme 2011, as well as the administrative tasks that are necessary to ensure compliance and the services made available by the Agency. Payments reached the level of 85,82% of the total appropriations managed (75,46% in 2010, a jump of 10% compared to last year). Both commitment and payment rates are historical highs for the Agency, and demonstrate an increased capacity of utilisation of the Budget. An overview of the year’s performance follows hereunder:

Budget Title | Description | Budget | Committed | % | Paid | %

Title 1 | Staff expenditure | 5.020.944,06 | 5.020.876,35 | 100,00% | 4.886.640,10 | 97,33%

Title 2 | Administrative expenditure | 676.902,17 | 676.888,49 | 100,00% | 446.059,77 | 65,90%

Title 3 | Operating expenditure | 2.405.074,27 | 2.405.034,94 | 100,00% | 1.621.161,45 | 67,41%

Total | | 8.102.920,50 | 8.102.799,78 | 100,00% | 6.953.861,32 | 85,82%

The outturn of contracts awarded as a result of procurement procedures contracted in 2011 is as follows:

Contracts: 32, including 24 service contracts, 2 framework service contracts and 1 framework supply contract.

Purchase orders: 218, 111 of which were issued under an existing framework service contract.

Procurement procedures launched: 31, including 10 open procedures.

Institutional relations

In 2011 the proposal for a new ENISA regulation was thoroughly discussed within the European Parliament and the Council. A Mini-Hearing took place in the European Parliament’s Industry, Research and Energy (ITRE) Committee in May 2011, where ENISA’s Executive Director and relevant ENISA stakeholders gave a presentation. This resulted in a mandate by the ITRE Committee for the development of a study, the results of which were presented to the ITRE Committee in July 2011. Throughout 2011, many discussions on ENISA’s new mandate took place in the European Parliament, and strong liaisons between ENISA and the European Parliament were created and strengthened, with the ITRE Committee, the Rapporteur and Shadow Rapporteurs in particular. In the light of these discussions a visit of two Members of the European Parliament to ENISA’s premises (Professor Ioannis A. Tsoukalas, MEP, and Mr. Spyros Danellis, MEP) took place in October 2011. The Agency also actively contributed to a range of events during both the Hungarian and Polish Presidencies of the EU. This resulted in strong contacts with both Presidencies, and personal meetings between ministers Mr. Nyitrai (HU) and Mr. Kolodziejczyk (PL) and ENISA’s Executive Director. The Council Telecommunication and Information Society Working Party discussed the new legislative proposal thoroughly in 2011. In this context, a presentation by the Executive Director regarding ENISA’s activities took place in September 2011 in the respective Council Working Party under the Polish Presidency. In 2011, there was an increased focus on communicating ENISA’s work and concepts to the Commission and other EU agencies and regional and international organisations. Regular meetings with various Commission services, DG Information Society and Media (as of 1st July 2012 known as DG Communications Networks, Content and Technology (DG CONNECT)) in particular, took place during the year.

External Communication

Throughout 2011, ENISA continued to place a strong emphasis on communication focusing on web, media and public participation. The Agency’s Public Affairs Unit (PAU) kept ENISA in the spotlight by managing and updating the ENISA website, and by creating wider public awareness of ENISA’s reports and other work via the media and special events. In addition, PAU achieved synergies with other EU bodies at shared events, such as an Agencies Day in Brussels and a Digital Agenda ‘Going Local’ event on Crete. The latter event highlighted the benefits of information communication technology for all of Europe’s citizens. Major Public Affairs achievements in 2011 included gaining Europe-wide coverage for Cyber Atlantic 2011 – the first ever joint EU-US cyber security exercise – and a high level event in Brussels. This brought together representatives of industry, the European Parliament, the European Commission and Europol.
At the start of the year, the structure of the Public Affairs Unit was changed, under the direction of a new Head of Unit, to strengthen in particular the team’s planning, delivery and evaluation capabilities. To ensure continued consistency in Agency communications, in 2011 a contract was awarded for the creation of a new ENISA brand identity that will be unveiled in 2012. In addition, contracts were signed to provide the Agency with comprehensive editorial, graphic design and printing services, to enhance quality and consistency in ENISA’s communications. In 2011, the Agency issued 24 media releases and ran 60 individual news items on its website. As part of ENISA’s work to make its messages accessible to stakeholders across Europe, the Agency routinely issues media releases in five EU languages to press, radio, television and web-based news organisations. These include the mainstream media, as well as specialist NIS publications and websites. Evaluation of the Agency’s media output shows that in 2011 this work generated several stories in European news media. News stories on the ENISA website received more than 90,000 direct hits in 2011.

ENISA’s website continues to be the Agency’s principal communications channel, and in 2011 development work was carried out to enhance its structure, appearance and ease of use. The focus was on user accessibility, but ‘behind-the-scenes’ developments included a greater ability for the Agency to gather and analyse statistics on which web pages and reports are most popular, and search engine optimisation to help users find ENISA information more easily. The tagging of ENISA’s reports was also revised to improve search results. Technical improvements in 2011 included the migration of ENISA’s website and all portals to Version 4 of the Plone content management system, and the application of all security patches to the Zope application and PHP scripting used by the ENISA site. A dedicated web portal for ENISA’s Management Board (MB) was further developed and enhanced. It now incorporates a “collaboration area” where the MB members can have online discussions and exchange ideas. A video-wiki was also added to enhance the user experience. With regard to its IT environment, in early 2011 a new, centralised system for managing software on computers was rolled out in preparation for the replacement of all user computers, screens and keyboards. The new computers run Windows 7 and have Office 2010.

In preparation for a planned outsourcing of email to the Cloud, the email system was migrated to the latest version of Exchange and extensive testing commenced of Office 365 Cloud services. These services not only cover email, but also include Lync, a communication tool offering instant messaging, online meetings, desktop and application sharing, and presence. A tool like Lync has become a requirement given the high degree of workforce mobility. The technical evaluation of Office 365 was concluded at the end of the year with the plan to roll it out to users in phases in early 2012, following further analysis of such aspects as privacy and data protection.

Following a request from other EU agencies, ENISA IT Services successfully hosted the bi-annual two-day meeting of the heads of IT of the various EU agencies. Given the high degree of interest in cloud computing as well as CERT activities, and more generally IT Security, various ENISA experts gave presentations and were available to offer advice and information to the more than forty delegates who attended.

A new project management system, Matrix, was tested and put into operation in December 2011. This system, which has proven to be an efficient solution for other EU Agencies, contains several different modules and will allow ENISA to better manage its Annual Work Programmes, projects, resources, and procurement procedures. It has been operational since 1st January 2012.

2.2. The functioning of the entire Internal Control system

2.2.1. Compliance with the requirements of the control standards

In 2010, the Management Board of the Agency adopted [8] a set of 16 Internal Control Standards laying down the minimum requirements with which its internal control systems need to comply. Internal procedures that were previously developed were grouped together, prioritised and implemented in the daily workflows of the Agency, as appropriate. The Agency has at its disposal a library of procedures that were drafted in 2008. The background reference document remains the ENISA Internal Control Manual, which supports the internal control documentation process and combines in a single document all information regarding the Agency’s Internal Control. [9]

Mission (ICS 1)

The Agency’s mission and scope are described in the ENISA Regulation. The organisational Departments and Units have mission statements established following the evolution of the organisation in November 2011, and the roles and tasks of each Department and Unit are clearly defined.

Ethical and organisational values (ICS 2)

The Agency has procedures in place - including updates and yearly reminders - to ensure that all staff are aware of relevant ethical and organisational values (e.g. ethical conduct, avoidance of conflicts of interest, fraud prevention, reporting of irregularities). Specific training is organised by the Agency for its staff every year in order to reinforce professional behaviour, compliance with the expected behaviour, ethics and integrity, and avoidance of harassment at work.

Staff Allocation and Mobility (ICS 3)

Whenever necessary - at least once a year - the management aligns the organisational structures and staff allocations with priorities and workload. In order to realign the Agency’s resources with its operational goals, a structural reorganisation took place on 16 November 2011, as a result of the need for an increased level of flexibility in reacting to changes in the NIS environment, for clear identification of roles and responsibilities, and for providing a firm basis for possible future growth. The new structure is based on reasonable assumptions about the profiles of staff that can be recruited and retained by the Agency. Finally, the new structure was dictated by the need to establish a flexible business model which will facilitate the increase of the impact of ENISA’s work in the Member States, which genuinely requires increased mobility of staff in order to respond efficiently to issues as they arise.

Staff evaluation and development (ICS 4)

In the context of the Career Development Report (CDR) process, discussions are held individually with all staff to establish their annual objectives. Staff performance is evaluated according to standards set by the Agency.

An annual training plan is developed at Agency level based on needs deriving from the policy of the Agency. An individual training plan is completed annually by each staff member, in the Career Development Plan (CDP) process.

Management ensures that every staff member attends as a minimum the compulsory training courses defined in the annual training plan.

[8] MB Decision of 14 October 2010 On Internal Control Standards, published on the ENISA website: http://www.enisa.europa.eu/about-enisa/structure-organization/management-board/minutes-decisions-1/DecisionICS/view?searchterm=internal+control.

[9] In 2012, the Agency will update this reference document for financial and accounting procedures as a result of a project concerning the simplification of financial and accounting procedures, which was completed in the fourth quarter of 2011.

Objectives and Performance Indicators (ICS 5)

Work Programme and budget preparation procedures were developed in 2009 and will be revised in 2012. The Annual Work Programme (WP) of the Agency is developed by the Agency services, with the continuous input and guidance of its two governing bodies, the Management Board and the Permanent Stakeholders Group. The WP clearly sets out how the planned activities at each management level contribute to the achievement of the objectives set, taking into account the allocated resources and the risks identified. The WP objectives are established on SMART criteria and updated or changed during the year in order to address significant changes in priorities and activities.

The Agency has based the measurement of its performance on Key Performance Indicators (KPIs) that are applied to all areas of activity. KPIs are more qualitatively oriented for the Agency's operational goals, whereas they are more quantitative for the Agency's administrative goals. The assessment of the continuous effectiveness of key controls is measured on relevant KPIs, including self-assessment carried out by means of progress reports and follow-up actions that seek to straighten out potential divergences from the Work Programme.

The Agency’s Work Programmes are annual. The MB and the PSG give input on a regular basis during the WP development process as well as during the year of implementation.

A reporting tool exists in order to monitor operational progress and alert management to deviations from the WP objectives. On top of that, ENISA installed the project management tool MATRIX, which will streamline and consolidate the planning, monitoring and reporting functions in a uniform and comprehensive way. The tool became operational on 01/01/2012.

Finally, the Agency managed to rectify the budget under-spending highlighted by the IAS in 2009 by optimising budget execution in two consecutive years. The commitment rates of the budget appropriations available for the years 2010 and 2011 were 99,95% and 100% respectively.

Risk management process (ICS 6)

A risk management exercise was performed in 2010. The risk management plan is in the implementation phase.

The IAS performed a risk assessment of the Agency in 2009. Risks considered as very important have been addressed by the Agency, and actions were planned and communicated to the IAS accordingly. Effort and resources were devoted in 2011 to addressing and mitigating the risks identified, in order to satisfy the recommendations of both the European Court of Auditors and the IAS, published in their annual reports.

A Business Continuity Plan (BCP) was developed with the assistance of a professional service provider and has been in place since 2010.

Operational structure (ICS 7)

Delegation of authority is clearly defined, assigned and communicated by the means of Executive Director’s Decisions (EDD), conforms to regulatory requirements and is appropriate to the importance of decisions to be taken and risks involved. All delegated authorising officers have received and acknowledged the Charter of the role and responsibility of the Authorising Officer (by Delegation) as well as individual delegation EDD.


The Agency’s sensitive functions are clearly defined, recorded and kept up to date.

The Agency records derogations granted to allow staff to remain in sensitive functions beyond five years along with documentation of the risk analysis and the mitigating controls.

The IT governance policy has been developed. ENISA has IT policies for all main systems and sub-systems, defining the system owner and the roles and responsibilities of users with different access rights. These policies are duly published internally in order to ensure availability to all users.

As regards sensitive functions, due care has been taken in order to avoid potential conflict of interest situations. However, due to the small size of the Agency, mobility of staff in sensitive functions is very limited and takes into account service needs and available resources. Proper back-ups are designated in order to ensure business continuity.

Processes and procedures (ICS 8)

The Agency’s main operational and financial processes and procedures and IT systems are adequately documented in the Internal Control Manual, which comprises 201 procedures and templates organised in 9 groups that cover the following areas: Internal Control, Accounting, Budgeting, Operations, Communication, Procurement, Human Resources, Logistics, and Common Templates. As mentioned above, all IT policies are published internally.

All of the Agency’s processes and procedures comply with the applicable regulatory framework and ensure appropriate segregation of duties.

A registry of exceptions is in place to ensure that all instances of overriding of controls or deviations from established financial processes and procedures are documented, justified, duly approved before action is taken and logged centrally.

Management supervision (ICS 9)

Management at all levels supervises the activities it is responsible for and keeps track of the main issues identified. In this regard, the Management Team, which comprises the ED, the Heads of Departments/Units/Sections and the Quality Control Advisor, meets weekly and prioritises the actions to be taken in order to achieve the short and medium term objectives of the Agency. An action items list is compiled and contains all agreed actions allocated to specific organisational Departments/Units/Sections. The list is published on the dedicated Intranet page and reviewed by the Management Team regularly. Management supervision covers both legality and regularity aspects (i.e. setting up and compliance with applicable rules) and operational performance (i.e. achievement of Annual WP objectives).

The management establishes action plans in order to address accepted ECA and IAS audit recommendations and monitors the implementation of these action plans throughout the year.

The installation of the project management tool MATRIX, which started in 2011 and was finalised at the end of the year, is expected to enhance the planning, implementation, monitoring and reporting of operational projects, and establish a common project management framework across different organisational units of the Agency.

Existing electronic workflows for the management and authorisation of leaves and missions of staff were further enhanced in 2011, reducing the resources (time, human, paper) needed to manage and authorise leaves and missions, as well as reducing the human error risks.


Business continuity (ICS 10)

Adequate measures - including handover files and deputising arrangements for relevant operational activities and financial transactions - are in place to ensure the continuity of all services during “business-as-usual” interruptions (such as sick leave, staff mobility, migration to new IT systems, incidents, etc.).

An IT Business Continuity Plan (BCP) has been developed and implemented. An Agency-wide BCP, designed to cover the crisis response and recovery arrangements with respect to major disruptions, has been developed and is implemented. The latter BCP identifies the functions, services and infrastructure which need to be restored within certain time-limits and the resources necessary for this purpose.

Electronic and hardcopy versions of both BCPs are stored in secure and easily accessible locations, which are known to relevant staff.

Document management (ICS 11)

Document management systems and related procedures comply with relevant compulsory security measures, provisions on document management and rules on protection of personal data. Specific information security policy on data categorisation and labelling is in place. As regards the exchange of information classified at the level RESTREINT UE/EU RESTRICTED, an administrative arrangement between Security Directorate of the Commission and the Agency was signed on 27 May 2011.

A document management internal guide sets out the conditions according to which documents need to be registered, filed and preserved by appropriate use of the Agency’s registration and filing systems. A special, intranet-based tool has been developed to capture the relevant information needed for the registration and retrieval of documents.

Information and communication (ICS 12)

Internal communication measures and practices are in place for information sharing and activity monitoring purposes, such as regular Management Team meetings, where issues relevant to performance, audit results and financial information are discussed and actions are decided upon and assigned. Regular financial reporting is available to all staff on the intranet. All engagements in new projects are discussed during the implementation of the Annual Work Programme, and decisions are appropriately documented and communicated. An External Communication Strategy is in place. ICT security policies are in place for the main systems and sub-systems, and are described in procedures and policies.

Internal communication is also supported by weekly Staff Meetings, meetings at the level of the organisational units of the Agency and the use of the Intranet.

External communication and dissemination procedures have to be further developed and communicated to staff accordingly.

Accounting and Financial Reporting (ICS 13)

All finance and accounting procedures are documented in the Internal Control Manual of the Agency. The preparation, implementation, monitoring and reporting of budget implementation is centralised in the Finance, Accounting and Procurement Section, within the Administration Department.

The Commission’s budget and accounting management system, ABAC, is the main tool used for financial management, and is compliant with the applicable financial regulatory framework. The ABAC Assets module has been used since 2011 for the management of the ENISA inventory.


Financial management information produced by the Agency, including financial information provided in the Annual Activity Report, is in conformity with applicable financial and accounting rules.

Evaluation of activities (ICS 14)

Key performance indicators are used in order to measure the performance and assess the impact of the Agency’s projects provided for in its Annual Work Programmes. The General Report and the Annual Activity Report are the tools used by the Agency to report on performance and impact, and the feedback of relevant stakeholders is accounted for.

Assessment of internal control systems (ICS 15)

The Management of ENISA annually assesses the compliance of annual activities and performance with internal control systems in place, as part of the Annual Activity Report preparation.

In 2011 the Agency started implementing ex post controls with the support of a professional service provider.

Internal Audit Capability (ICS 16)

The Head of Administration assumes the Internal Control Coordination (ICC) function, being responsible for the implementation of internal control systems in the Agency and liaising with the IAS of the Commission. Since 2005, the Agency has relied on the IAS to carry out internal audits, due to its key role in auditing bodies of the European Union.

Internal Control tasks performed in ENISA include ex ante verifications, hierarchical controls and outsourced engagements, coordinated by the ICC.

In line with the Strategic Audit Plan 2010-2012, the Internal Audit Service (IAS) carried out an audit on the planning, reporting and monitoring of operations in ENISA. More details are provided under section 3.1.2. of this document.

2.2.2. Effectiveness of implementation of the prioritised control standards

In 2011 the Agency focused on compliance with the standards relevant to the areas of concern identified during the risk assessment exercise, together with the recommendations raised by the auditing bodies (ECA and IAS). During 2011 the Agency prioritised its activities to achieve compliance with the following internal control standards.

Objectives and Performance indicators (ICS 5)

Following an IAS recommendation on the lack of guidelines for the establishment of operational plans, in 2012 the Agency will develop a method for carrying out operational planning, with a specific focus on plan implementation; guidelines and procedures will be added.

The implementation of a project management and monitoring tool (Matrix) will be leveraged in this regard. The scope and documentation of Matrix will be associated with the method for operational planning at ENISA. The training for Matrix was completed by the end of 2011. The relevant documentation will be regularly reviewed in 2012.

The 2010 IAS audit on Planning, Stakeholders and Operations Objectives revealed the lack of a map of stakeholders and their relevant expectations, and recommended obtaining feedback from stakeholders in the preparation of the annual WP, as well as the use of an IT tool to improve the management of stakeholders. All three actions were kicked off in 2011. The feedback of the PSG and MB was actively sought and accounted for in the preparation of the annual work programme 2012.

As mentioned in Section 2.2.1 above, the budget execution rate reached 100% in 2011, addressing a risk identified in 2009 by the IAS during the risk assessment exercise performed which resulted in the IAS Strategic Audit Plan 2010-2012.

Business continuity (ICS 10)

A fully fledged Business Continuity Plan was developed in 2010 and put in place in 2011.

The IAS performed an IT risk assessment in 2011, and the recommendation regarding business continuity is reported under section 3.1.3. below.

Information and communication (ICS 12)

A new communication strategy is under development, in line with the revised operational strategy. Internal policies and procedures on dissemination and external communication should be further developed. A new, experienced Head of the Public Affairs Unit, with competence over communication, was recruited in March 2011.

2.2.3. Conclusion

In general, ENISA carried out its yearly operations in due consideration of its objectives, its tasks and the expectations and requirements of its stakeholders. In the Agency’s view its objectives have been attained as expected, within the limits set by its mandate, general orientations and resources.

The recommendations emanating from the audits carried out by the Court of Auditors and the Internal Audit Service have been duly taken into account, and the Agency has implemented all agreed comments as expected. With regard to risks, the Agency believes that the most important risks have been mitigated by taking appropriate measures. Vigilance ensures that any additional mitigation measures are taken as soon as a concern arises and is validated. Based on the available information and the above analysis, the Agency considers that an effective and reliable internal control system is established.

PART 3. BUILDING BLOCKS TOWARDS THE DECLARATION OF ASSURANCE

The risk framework is used as a common means of classifying and communicating risk across the agency. It provides a common understanding and language around “risk”, and provides a structure for the assessment, reporting and monitoring of risk. The risk framework defines the categories, sub-categories and business risks applicable at the organisational level, for ENISA as a whole. It includes:

- Risk categories and sub-categories
- Risks specific to each category (business risks)
- Risk definitions


3.1. Building blocks towards reasonable assurance

3.1.1. Building block 1: Assessment by management

The Agency’s operations are channelled through the following activity areas that belong to the competence of the administrative functions of the Agency:

- Own resources (staff) that carry out tasks in line with the annual work programme in terms of operational and administrative activities
- Outsourced agents that support operational activities and other support activities that cannot be insourced by the Agency. External agents are appointed pursuant to either a procurement procedure, a call for expressions of interest for funding related to the co-organisation of events, or a selection procedure for the appointment of working group members.

To mitigate compliance risks with regard to its administrative activities the Agency has carried out the activities presented in the table below:

No. | Systemic process | Activity | Performance indicator
--- | --- | --- | ---
1 | Follow up on auditors’ comments and recommendations regarding ADM practices and procedures as they are implemented in line with FR, IR and SR | Update of documents and activities reporting | Feedback by auditors in the next application period and overall improvement of performance
2 | Opening and Closing of the Annual Budget and preparation of Budgetary Statements | Approved Budget tree opened, appropriations posted properly | Annual budget lines open and running by the end of the third week of 2009, economic outturn account and supporting operations done in time
3 | Implementation and Consolidation of Internal Controls, as appropriate | Annual review of internal controls | Guidelines and check-lists reviewed, annual risk assessment done. Controls updated accordingly. Staff participation and information.
4 | Performance Evaluation | Organise annual performance evaluation. Administer appeals | Number of evaluations carried out
5 | Annual Training Program | Draft the generic Training Plan of the Agency | Document presentation and implementation of program
6 | Recruitment plan | Execute the Agency recruitment plan in line with the Establishment Plan | Number of Staff hired to cover new posts or make up for resignations
7 | Internal ICT Networks and Systems | Secure ICT Networks and Systems in place | Results of external security assessment / audit
8 | Public Procurement | Regular, consistent observation of public procurement practices and appropriate assistance provided to all Departments | Clear mandate of the Procurement function established, staff informed, forms available, number and type of procurement processes handled, files of procurement processes organised, auditable files available. Number of Purchase Orders keeping a suppliers inventory, number of complaints processed.
9 | Contract Management | General support on contract management | Number of contracts prepared and signed by the Agency, number of requests for support received from Departments, number of claims processed
10 | Ex ante controls | Well developed at procedural, operational and financial level | Number of transactions as compared to number of erroneous transactions
11 | Ex post controls | Developed with the assistance of the professional service provider | Number of transactions as compared to number of erroneous transactions

Exceptions

In 2011, the Agency faced two main categories of deviations that led to exceptions reported in the Registry:

- A posteriori commitments
- Minor procedural errors

The main reasons associated with the a posteriori commitments are limitations in planning, the absence of a planning tool that presents the activities of the Agency in a centralised resource, and activity-based budgeting that currently remains at the planning level and has not been fully implemented at the day-to-day level in ABAC.

In addition to the above, late payments were made in a specific period of the year due to limitations in the cash flow of the Agency that depleted reserves; in this period the Agency prioritised the payments made in order to reduce the financial impact as much as possible; however, it was inevitable to pay some interest.

In 2011, out of all exceptions recorded, the ones exceeding the materiality threshold of 1000 EUR, as defined in ED Decision 19/2007, were as follows:


Ref. | Subject | Legal basis | Risk category | Budget line / reference | Amount | Description | Materiality band
--- | --- | --- | --- | --- | --- | --- | ---
1/11/MM | MISSION 14752 | Article 9 of ENISA Mission Rules | Financial Risk, Procedures | BL:3013, Payment Order NIS.4758 | 1.131,20 € | All airline tickets were purchased before the mission's approval | >1000 >5000
2/11/MM | MISSION 14820 | Article 9 of ENISA Mission Rules | Financial Risk, Procedures | BL:3013, Payment Order NIS.4784 | 1.575,74 € | All airline tickets were purchased before the mission's approval | >1000 >5000
3/11/MM | MISSION 14814 | Article 9 of ENISA Mission Rules | Financial Risk, Procedures | BL:3013, Payment Order NIS.4786 | 4.358,84 € | All airline tickets were purchased before the mission's approval | >1000 >5000
6/11/SP | TECHNICAL SUPPORT AGREEMENT CCTV/ACCESS/ALARM | ENISA Financial Regulation Art.60-63, EU General Financial Regulation Article 76 | Financial Risk, Procedures | BL:2006, Level 2 Commitment NIS.1923 | 4.800,00 € | A posteriori commitment. The service was provided as of 15/06/11; the commitment was signed on 16/06. | >1000 >5000
7/11/KW | VCENTER SERVER & MID ACC KIT MAINTENANCE | ENISA Financial Regulation Art.60-63, EU General Financial Regulation Article 76 | Financial Risk, Procedures | BL:2301, Level 2 Commitment NIS.1943 | 7.119,96 € | A posteriori commitment. The service was provided as of 26/06/11; the commitment was signed on 29/06. | >5000 <50000
8/11/GC | WEB DEVELOPMENT & HELPDESK SERVICES FOR ENISA WEB SITE | ENISA Financial Regulation Art.60-63, EU General Financial Regulation Article 76 | Financial Risk, Procedures | BL:3220, Level 2 Commitment NIS.1946 | 7.733,00 € | A posteriori commitment. The services had been provided before the commitment was signed. | >5000 <50000
9/11/GC | WEB DEVELOPMENT & HELPDESK SERVICES FOR ENISA WEB SITE | ENISA Financial Regulation Art.60-63, EU General Financial Regulation Article 76 | Financial Risk, Procedures | BL:3220, Level 2 Commitment NIS.1945 | 5.920,00 € | A posteriori commitment. The services had been provided before the commitment was signed. | >5000 <50000
10/11/AM | Services of Medical Adviser | ENISA Financial Regulation Art.60-63, EU General Financial Regulation Article 76 | Financial Risk, Procedures | BL:1310, Level 2 Commitment NIS.1796 | 5.311,32 € | A posteriori increase of commitment. The services had been provided before the commitment was signed. | >5000 <50000
11/11/UH | EC Management Costs 2011 | ENISA Financial Regulation Art.60-63, EU General Financial Regulation Article 76 | Financial Risk, Procedures | BL:1400, Level 2 Commitment NIS.1962 | 2.609,38 € | A posteriori increase of commitment. The services had been provided before the commitment was signed. | >1000 >5000
12/11/EM | INSTALLATION AND CONFIGURATION OF AN INTEGRATED PROJECT AND RESOURCES MANAGEMENT TOOL - MATRIX | | Procurement Procedure | PROCUREMENT PROCEDURE P/20/11/ADM | | Authorisation of the procurement procedure was signed by the Deputy Head of Administration on behalf of the Head of Administration, while the Deputy HoA did not have the authority to sign on behalf of the HoA. | 
13/11/GC | WEB HOSTING - WEB DEVELOPMENT SERVICES LOT 1 | ENISA Financial Regulation Art.60-63, EU General Financial Regulation Article 76 | Financial Risk, Procedures | BL:3220, Level 2 Commitment NIS.2002 | 20.040,00 € | A posteriori commitment. The services had been provided before the commitment was signed. | >5000 <50000
14/11/KW | EXTENSION OF DELL 1950 SERVERS MAINTENANCE | ENISA Financial Regulation Art.60-63, EU General Financial Regulation Article 76 | Financial Risk, Procedures | BL:2302, Level 2 Commitment NIS.2026 | 1.180,00 € | A posteriori commitment. The services had been provided, based on the offer, before the commitment was signed. | >1000 <5000
17/11/GC | REIMB (NLOS) FOR PSG&NLO MEETING ON 14-15 NOV. 2011 IN ATHENS | ENISA Financial Regulation Art.60-63, EU General Financial Regulation Article 76 | Financial Risk, Procedures | BL:3320, Level 2 Commitment NIS.2038 | 24.960,00 € | A posteriori commitment. The services had been provided, based on the offer, before the commitment was signed. | >5000 <50000

Appropriate actions have been taken by the Agency to rectify the situation emanating from the exceptions reported herein. These actions include recurrent training, informing the actors involved, and reporting exceptions in a constructive manner.

3.1.2. Building block 2: Results from audits during the reporting year

In line with the Strategic Audit Plan 2010-2012, the Internal Audit Service (IAS) carried out an Information Technology (IT) risk assessment exercise to identify and evaluate key IT risks in ENISA. The monitoring system of supplier performance was considered as a best practice. The main risks identified during the IT risk assessment concerned the disaster recovery plan (DRP) and the Business Impact Analysis for the Agency’s email service. These are reduced as ENISA will outsource this service: the risks will be transferred to the service provider and are controlled by Service Level Agreements (SLA).

In addition, during 2011 the Agency was audited by the IAS on planning, reporting and monitoring of operations in ENISA, to assess the adequacy and effective application of the internal control system related to the planning, reporting and monitoring of the Agency's operational activities. Based on this audit, ENISA provides reasonable assurance regarding the achievement of the objectives set up for planning, reporting and monitoring of operations in general. As regards recommendations, the audit resulted in:

- no “critical”,
- 1 “very important”,
- 6 “important”, and
- 1 “desirable” recommendation.

The Agency implemented all the actions as per the action plan agreed with the IAS, and the Agency is undertaking all relevant actions to close the recommendation concerning operational planning, in particular via the implementation of the project management and monitoring tool Matrix.

European Court of Auditors (ECA) audits for 2011

The audit mission of the European Court of Auditors for the Agency’s 2011 accounts took place in March 2012. The final report is expected in the third quarter of 2012. The Agency expects that the Court’s opinion on the true and fair presentation of the accounts as well as on the legality and regularity of the transactions underlying the accounts will be unqualified as it has been for the last six years.

3.1.3. Building block 3: Follow-up of previous years' reservations and action plans for audits from previous years

Follow up of previous years’ Internal Audit Service (IAS) reports

During the 2010 audit “Planning: stakeholders and operations objectives”, the Internal Audit Service issued three recommendations marked as very important.

The first and third recommendations concerned the necessity for the Agency to develop a map of stakeholders, identify stakeholders' expectations and improve the management of stakeholder relations. In this regard the Agency is committed to submitting an action plan within 2012. In addition, ENISA is installing a Stakeholder Relationship Management (SRM) platform that will facilitate communication between ENISA and specific groups of interest, making it easier to segment stakeholders according to their areas of knowledge and interest and to exchange information with them.

The second recommendation with the same level of importance invited ENISA to obtain input from key stakeholders for the provisional work programme. In reply to this recommendation, ENISA held several meetings in 2010 and 2011 with PSG, Management Board and National Liaison Officers (NLOs) in order to improve the communication channel. As a follow-up of this second recommendation, ENISA has provided the IAS with supporting documents which still have to be validated.

Follow up of previous years’ European Court of Auditors (ECA) reports

With regard to the previous year, the European Court of Auditors' report on the Annual Accounts 2010 contained two comments. The first comment related to the level of carry-over of Title III appropriations, which the Court considered excessive (52%). In response to this comment, in Q4/2011 the Agency managed to move the planning, preparation and launch of procurement procedures for projects of the next year's Work Programme into Q4 of the previous year. The shift in procurement planning led to an increased share of the Technical Competence Department budget contracted by 1st March of the relevant year (from 22% in 2010 to 38% in 2011), an improvement in the overall payment rate at the end of that year (all Titles, from 75% to 86%, a historical high) and a decrease in the level of carry-over of Title III appropriations at the end of 2011 (from 52% in 2010 to 32,5% in 2011). The Agency has also launched the use of a Project and Budget Management tool, MATRIX, which is used by other EU Agencies and is expected to improve the planning and follow-up of project implementation and budget execution.

The second comment of the Court related to staff selection procedures. The Court commented that neither the thresholds that candidates had to meet in order to be invited to interview nor those necessary for them to be put on the reserve list were fixed in advance. In response to this comment, the Agency adopted relevant recruitment guidelines on 2 March 2012, which regulate the recruitment procedures and provide clear guidance to the members of the Selection Boards.

3.1.4. Building block 4: Assurance received from other Authorising Officers in cases of crossed sub-delegation

As no cross sub-delegation is done at ENISA, this reporting requirement is not applicable.

3.1.5. Completeness and reliability of the information reported in the building blocks

It is hereby confirmed that the information made available in the preceding sections is an accurate account of the situation known to the Authorising Officer at the end of 2011.


3.2. Reservations

The Authorising Officer concludes that there is no justification for any reservation in the Annual Activity Report 2011.

3.3. Overall conclusions on the combined impact of the reservations on the declaration as a whole

As the Authorising Officer concludes that there is no justification for any reservation in the Annual Activity Report 2011, there are no conclusions or impact assessments to be drawn.


PART 4. DECLARATION OF ASSURANCE

I, the undersigned, Udo Helmbrecht, Executive Director of the European Network and Information Security Agency, in my capacity as authorising officer:

Declare that the information contained in this report gives a true and fair view.

State that I have reasonable assurance that the resources assigned to the activities described in this report have been used for their intended purpose and in accordance with the principles of sound financial management, and that the control procedures put in place give the necessary guarantees concerning the legality and regularity of the underlying transactions. This reasonable assurance is based on my own judgement and on the information at my disposal, such as the results of the self-assessment, ex post controls, the work of the internal audit capability, the observations of the Internal Audit Service and the lessons learnt from the reports of the Court of Auditors for years prior to the year of this declaration.

Confirm that I am not aware of anything not reported here which could harm the interests of the institution.

Heraklion, 7 May 2012
Udo Helmbrecht
Executive Director


ANNEX 1. STATEMENT OF THE RESOURCES DIRECTOR

“I confirm the overall state of internal control in the Agency. I hereby certify that the information provided in Part 2 of the present Annual Activity Report and in its annexes 2 to 3 is, to the best of my knowledge, accurate and exhaustive.”

Heraklion, 7 May 2012
Head of Administration


ANNEX 2. HUMAN RESOURCES BY ABB ACTIVITY

| Code | ABB Activity | Full time equivalent (FTE) |
|---|---|---|
| Work Stream 1 | ENISA as a facilitator for improving cooperation | 9 |
| Work Stream 2 | ENISA as a competence centre for securing current & future technology | 8,5 |
| Work Stream 3 | ENISA as a promoter of privacy & trust | 6 |
| SR | Stakeholder Relations | 3 |
| PA | Public Affairs | 4,5 |
| | Project Support Activities | 3 |
| | Management & Support activities | 9 |
| Total | | 43 |

Remark: The above mentioned figures refer to the operational human resources allocated to each of the operational activities of the Agency in 2011.


ANNEX 3. DRAFT ANNUAL ACCOUNTS AND FINANCIAL REPORTS

Table 1: Outturn on C1 commitment appropriations in 2011 (in Mio €)

| Chapter | Commitment appropriations authorised * (1) | Commitments made (2) | % (3=2/1) |
|---|---|---|---|
| Title A-1 STAFF | | | |
| A-11 STAFF IN ACTIVE EMPLOYMENT | 4,38 | 4,38 | 100,00 % |
| A-12 RECRUITMENT EXPENDITURE | 0,17 | 0,17 | 100,00 % |
| A-13 SOCIO-MEDICAL SERVICES AND TRAINING | 0,11 | 0,11 | 99,97 % |
| A-14 TEMPORARY ASSISTANCE | 0,36 | 0,36 | 99,99 % |
| Total Title A-1 | 5,02 | 5,02 | 100,00 % |
| Title A-2 FUNCTIONING OF THE AGENCY | | | |
| A-20 BUILDINGS AND ASSOCIATED COSTS | 0,17 | 0,17 | 100,00 % |
| A-21 MOVABLE PROPERTY AND ASSOCIATED COSTS | 0,09 | 0,09 | 100,00 % |
| A-22 CURRENT ADMINISTRATIVE EXPENDITURE | 0,11 | 0,11 | 100,00 % |
| A-23 INFORMATION AND COMMUNICATION TECHNOLOGIES | 0,30 | 0,30 | 100,00 % |
| Total Title A-2 | 0,68 | 0,68 | 100,00 % |
| Title B0-3 OPERATING EXPENDITURE | | | |
| B3-0 GROUP ACTIVITIES | 0,71 | 0,71 | 100,00 % |
| B3-2 HORIZONTAL OPERATIONAL ACTIVITIES | 0,28 | 0,28 | 99,99 % |
| B3-3 OPERATIONS OF THE COOP. SUPPORT DEPARTMENT | 0,51 | 0,51 | 100,00 % |
| B3-5 OPERATIONS OF THE TECHNICAL DEPARTMENT | 0,90 | 0,90 | 100,00 % |
| Total Title B0-3 | 2,41 | 2,41 | 100,00 % |
| TOTAL | 8,10 | 8,10 | 100,00 % |

* Commitment appropriations authorised include, in addition to the budget voted by the legislative authority, appropriations carried over from the previous exercise, budget amendments as well as miscellaneous commitment appropriations for the period (e.g. internal and external assigned revenue).


[Chart: % Outturn on commitment appropriations, by chapter (A-11, A-12, A-13, A-14, A-20, A-21, A-22, A-23, B3-0, B3-2, B3-3, B3-5); figure not reproduced]

Table 2: Outturn on payment appropriations in 2011 (in Mio €)

| Chapter | Payment appropriations authorised * (1) | Payments made (2) | % (3=2/1) |
|---|---|---|---|
| TITLE A-1 STAFF | | | |
| A-11 STAFF IN ACTIVE EMPLOYMENT | 4,38 | 4,38 | 100,00 % |
| A-12 RECRUITMENT EXPENDITURE | 0,20 | 0,18 | 91,82 % |
| A-13 SOCIO-MEDICAL SERVICES AND TRAINING | 0,18 | 0,14 | 79,00 % |
| A-14 TEMPORARY ASSISTANCE | 0,80 | 0,68 | 84,46 % |
| TOTAL A-1 | 5,56 | 5,38 | 96,79 % |
| TITLE A-2 FUNCTIONING OF THE AGENCY | | | |
| A-20 BUILDINGS AND ASSOCIATED COSTS | 0,20 | 0,17 | 87,26 % |
| A-21 MOVABLE PROPERTY AND ASSOCIATED COSTS | 0,12 | 0,04 | 31,65 % |
| A-22 CURRENT ADMINISTRATIVE EXPENDITURE | 0,14 | 0,12 | 83,41 % |
| A-23 INFORMATION AND COMMUNICATION TECHNOLOGIES | 0,45 | 0,34 | 74,55 % |
| TOTAL A-2 | 0,90 | 0,66 | 73,20 % |
| TITLE B0-3 OPERATING EXPENDITURE | | | |
| B3-0 GROUP ACTIVITIES | 0,81 | 0,71 | 87,51 % |
| B3-2 HORIZONTAL OPERATIONAL ACTIVITIES | 0,47 | 0,31 | 65,90 % |
| B3-3 OPERATIONS OF THE COOP. SUPPORT DEPARTMENT | 0,63 | 0,51 | 80,46 % |
| B3-5 OPERATIONS OF THE TECHNICAL DEPARTMENT | 1,72 | 1,24 | 72,39 % |
| TOTAL B0-3 | 3,63 | 2,77 | 76,33 % |
| TOTAL | 10,09 | 8,81 | 87,32 % |

* Payment appropriations authorised include, in addition to the budget voted by the legislative authority, appropriations carried over from the previous exercise, budget amendments as well as miscellaneous payment appropriations for the period (e.g. internal and external assigned revenue).

[Chart: % Outturn on payment appropriations, by chapter (A-11, A-12, A-13, A-14, A-20, A-21, A-22, A-23, B3-0, B3-2, B3-3, B3-5); figure not reproduced]


Table 3: Breakdown of commitments to be settled at 31/12/2011

| Chapter | Commitments 2011 (1) | Payments 2011 (2) | RAL 2011 (3=1-2) | % to be settled (4=(1-2)/1) |
|---|---|---|---|---|
| Title A-1 STAFF | | | | |
| A-11 STAFF IN ACTIVE EMPLOYMENT | 4,38 | -4,38 | 0,00 | 0,00 % |
| A-12 RECRUITMENT EXPENDITURE | 0,17 | -0,17 | 0,01 | 5,32 % |
| A-13 SOCIO-MEDICAL SERVICES AND TRAINING | 0,11 | -0,08 | 0,03 | 25,04 % |
| A-14 TEMPORARY ASSISTANCE | 0,36 | -0,26 | 0,10 | 27,19 % |
| Total Title A-1 | 5,02 | -4,89 | 0,13 | 2,67 % |
| Title A-2 FUNCTIONING OF THE AGENCY | | | | |
| A-20 BUILDINGS AND ASSOCIATED COSTS | 0,17 | -0,15 | 0,02 | 14,54 % |
| A-21 MOVABLE PROPERTY AND ASSOCIATED COSTS | 0,09 | -0,02 | 0,08 | 83,50 % |
| A-22 CURRENT ADMINISTRATIVE EXPENDITURE | 0,11 | -0,09 | 0,02 | 16,13 % |
| A-23 INFORMATION AND COMMUNICATION TECHNOLOGIES | 0,30 | -0,19 | 0,11 | 36,64 % |
| Total Title A-2 | 0,68 | -0,45 | 0,23 | 34,10 % |
| Title B0-3 OPERATING EXPENDITURE | | | | |
| B3-0 GROUP ACTIVITIES | 0,71 | -0,64 | 0,07 | 9,45 % |
| B3-2 HORIZONTAL OPERATIONAL ACTIVITIES | 0,28 | -0,13 | 0,15 | 53,61 % |
| B3-3 OPERATIONS OF THE COOP. SUPPORT DEPARTMENT | 0,51 | -0,39 | 0,12 | 23,58 % |
| B3-5 OPERATIONS OF THE TECHNICAL DEPARTMENT | 0,90 | -0,46 | 0,44 | 49,33 % |
| Total Title B0-3 | 2,41 | -1,62 | 0,78 | 32,59 % |
| TOTAL | 8,10 | -6,95 | 1,15 | 14,18 % |


Table 4: Balance sheet

| BALANCE SHEET | 2011 | 2010 |
|---|---|---|
| A.I. NON CURRENT ASSETS | 252.222 | 300.781 |
| A.I.1. Intangible Assets | 14.658 | 19.232 |
| A.I.2. Property, plant and equipment | 237.564 | 281.550 |
| A.II. CURRENT ASSETS | 1.565.971 | 3.184.067 |
| A.II.3. Short-term Receivables | 81.347 | 66.686 |
| A.II.5. Cash and Cash Equivalents | 1.484.624 | 3.117.381 |
| ASSETS | 1.818.193 | 3.484.849 |
| P.I.2. Provisions (long term) | - | - |
| P.III. CURRENT LIABILITIES | -1.105.268 | -2.076.973 |
| P.III.2. Short-term provisions | -149.904 | -50.000 |
| P.III.4. Accounts Payable | -955.364 | -2.026.973 |
| LIABILITIES | -1.105.268 | -2.076.973 |
| NET ASSETS (ASSETS less LIABILITIES) | 712.925 | 1.407.876 |

[Chart: Breakdown of Commitments remaining to be settled (in Mio EUR), by chapter (A-11, A-12, A-13, A-14, A-20, A-21, A-22, A-23, B3-0, B3-2, B3-3, B3-5); figure not reproduced]


Table 5: Economic Outturn Account

| ECONOMIC OUTTURN ACCOUNT | 2011 | 2010 |
|---|---|---|
| II.1.1. OPERATING REVENUES | -7.974.050 | -8.021.504 |
| II.1.1.1. Other operating revenue | -7.974.050 | -8.021.504 |
| II.1.2. OPERATING EXPENSES | 8.666.320 | 7.811.050 |
| II.1.2.1. Administrative Expenses | 6.186.440 | 5.553.227 |
| II.1.2.2. Operating Expenses | 2.479.880 | 2.257.823 |
| ECONOMIC OUTTURN FOR THE YEAR (SURPLUS)/DEFICIT | 694.950 | -207.643 |

Remark:

The figures included in tables 4 & 5 are provisional since they are, on the date of the preparation of the Annual Activity Report, still subject to audit by the European Court of Auditors. It is thus possible that amounts included in these tables may have to be adjusted following this audit.

Table 6: Average payment times for 2011

| Legal Times: Maximum Payment Time (Days) | Total Number of Payments | Nbr of Payments within Time Limit | Percentage | Average Payment Times (Days) | Nbr of Late Payments | Percentage | Average Payment Times (Days) |
|---|---|---|---|---|---|---|---|
| 30 | 852 | 787 | 92,37 % | 12,05 | 65 | 7,63 % | 42,18 |
| 45 | 719 | 526 | 73,16 % | 18,68 | 193 | 26,84 % | 67,68 |
| Total Number of Payments | 1571 | 1313 | 83,58 % | | 258 | 16,42 % | |
| Average Payment Time | 22,35 | | | 14,71 | | | 61,26 |

Suspensions

| Average Report Approval Suspension Days | Average Payment Suspension Days | Number of Suspended Payments | % of Total Number | Total Number of Payments | Amount of Suspended Payments | % of Total Amount | Total Paid Amount |
|---|---|---|---|---|---|---|---|
| 0 | 22 | 44 | 2,80 % | 1.571 | 450.301,71 | 7,20 % | 6.255.760,38 |

Late Interest paid in 2011

| DG | GL Account | Description | Amount (Eur) |
|---|---|---|---|
| | | | 0,00 |


Table 7: Situation on revenue and income in 2011

| Title | Description | Year of Origin | Revenue and Income recognized | Revenue and Income cashed | Outstanding Balance |
|---|---|---|---|---|---|
| 90-0 | SUBSIDY FROM THE EU GENERAL BUDGET | 2010 | 8.113.187,93 | 0,00 | 8.113.187,93 |
| 90-0 | SUBSIDY FROM THE EU GENERAL BUDGET | 2011 | 8.102.920,50 | 0,00 | 8.102.920,50 |
| 93-0 | REVENUE FROM ADMINISTRATIVE OPERATIONS | | -17.956,50 | -17.956,50 | |
| TOTAL | | | 16.198.151,93 | -17.956,50 | 16.216.108,43 |

Table 8: Recovery of undue payments

RECOVERY ORDERS ISSUED IN 2011 – TOTALS

| Year of Origin (commitment) | Nbr RO | Amount |
|---|---|---|
| Sum: | 0 | 0.00 |

| EXPENSES | Nbr | Amount |
|---|---|---|
| INCOME LINES IN INVOICES | 0 | 0.00 |
| NON ELIGIBLE AMOUNT IN COST CLAIMS | 0 | 0.00 |

| No error / irregularity | Nbr | Amount |
|---|---|---|
| CREDIT NOTES | 0 | 0.00 |

Table 9: Ageing balance of recovery orders at 31/12/2011

| Year of Origin | Number at 01/01/2011 | Number at 31/12/2011 | Evolution | Open Amount (Eur) at 01/01/2011 | Open Amount (Eur) at 31/12/2011 | Evolution |
|---|---|---|---|---|---|---|
| Totals | 0 | 0 | 0 | 0 | 0 | 0 |


Table 10: Recovery order waivers in 2011 > 100,000 EUR

| Waiver Central Key | Linked RO Central Key | RO Accepted amount (Eur) | LE Account Group | Commission Decision | Comments |
|---|---|---|---|---|---|
| Total | | 0 | | | |

Number of RO waivers: 0

Justifications: N/A

Table 11: Census of negotiated procedures

NEGOTIATED PROCEDURES – CONTRACTS > € 60.000

Count: 0

Total amount: 0

| Contractor(s) Number | Name | Address | Type of contract | Description | Amount (€) | Legal base |
|---|---|---|---|---|---|---|
| None | | | | | | |

Table 12: Building contracts

BUILDING CONTRACTS

Count: 0

Total amount: 0

| Contractor(s) Number | Name | Address | Type of contract | Description | Amount (€) | Legal base |
|---|---|---|---|---|---|---|
| N/A | | | | | | |


Table 13: Contracts declared secret

SECRET CONTRACTS

Count: 0

Total amount: 0

| Contractor(s) Number | Name | Address | Type of contract | Description | Amount (€) | Legal base |
|---|---|---|---|---|---|---|
| N/A | | | | | | |