The European Union Agency for Network and Information Security (ENISA; since 2019 the European Union Agency for Cybersecurity) is headquartered in Heraklion, Crete, Greece. ENISA was established in 2004 as the "European Network and Information Security Agency," with the prime purpose of enhancing the capability of the European Community, the Member States and, as a consequence, the business community to prevent, address and respond to network and information security problems.
In 2008 ENISA's original mandate was extended until March 2012. At the same time, the European Council and the European Parliament called for "further discussion on the future of ENISA and on the general direction of the European efforts towards an increased network and information security."
In November 2009, the agency issued Cloud Computing: Benefits, Risks, and Recommendations for Information Security, which sets out a list of information requirements and includes questions that a customer can ask a cloud computing service provider in order to evaluate the provider's information security practices. The requirements address:
- Personnel security: policies and procedures when hiring IT administrators or others with system access.
- Supply chain assurance: defining and detailing services outsourced or subcontracted, inquiring about the measures taken to ensure third-party service levels are met and maintained, and confirmation that security policy and controls are applied to third-party providers.
- Operational security: ensuring the provider employs appropriate controls, beyond the contractual agreements themselves, to mitigate unauthorized disclosure of information.
- Identity and access management: controls that apply to both the cloud provider and the customer, including access control, authorization frameworks, identity provisioning, management of personal data, key management, encryption, authentication, and handling of credential compromise or theft.
- Asset management: ensuring cloud providers maintain an inventory of the assets under their control.
- Data and services portability: clarifying the risks of becoming dependent on a single vendor (lock-in), and how data and services can be moved elsewhere.
- Business continuity management: maintaining a documented method to determine the impact of a disruption and the relevant response and restoration process.
- Physical security: ensuring the vendor provides adequate physical security for the customers’ data.
- Environmental controls: policies and procedures to ensure environmental issues such as fires, floods, and power failures do not cause an interruption of service.
- Legal requirements: compliance with regulatory frameworks.
In addition, the agency's companion document, the Cloud Computing Information Assurance Framework, states the need for a clear definition and mutual understanding of the security-relevant roles and responsibilities that are divided between the customer and the provider.
- European Network and Information Security Agency, Cloud Computing: Benefits, Risks, and Recommendations for Information Security (Nov. 2009) (full-text).
- European Network and Information Security Agency, Cloud Computing Information Assurance Framework (Nov. 2009) (full-text).
- U.S. Government Accountability Office, Cyberspace: United States Faces Challenges in Addressing Global Cybersecurity and Governance, GAO-10-606 (July 2010), at 10-11.