Dear European Union Agency for Network and Information Security,

Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I am requesting access to the following documents:

(1) Documents and presentation slides that outline/or explain the Blue OLEx 2021 table-top scenario, including: the descriptions of roles, responsibilities, infrastructure, incidents, and timeline.
(2) All the scenario injects, including: intelligence briefs, background information, action parameters, and any other information that was disseminated to individual participants to drive the scenario.
(3) Documents that outline and/or describe the role of the high-level actors within the Standard Operating Procedures (SOP) of EU CyCLONe.

Yours faithfully,
Stefan Soesanto

access-documents, Agencia Europea de Seguridad de las Redes y de la Información

6 Adjuntos

Dear Mr. Soesanto,

 

Thank you for your email message.

 

Concerning your request regarding the CyCLONe group SOPs, please kindly
note that the SOP document is not yet finalised thus we cannot share it.

 

As far as your two other requests are concerned regarding the BlueOLEx
2021 material (scenario, injects, presentations, infra, timelines, etc.)
before sharing it we would need the agreement of the CyCLONe group. In
this light, we have asked the CyCLONe Group Chair for its opinion and we
will get back to you as soon as we will have its response.

 

We hope the above clarifies and we remain at your disposal in case of
clarifications/ questions.

 

Kind regards,

 

 

Public
[1]ENISA Access to
Documents
[2]ENISA
Agamemnonos 14, 15231 Chalandri, Attiki,
Greece | enisa.europa.eu
[3]Twitter [4]Facebook [5]LinkedIn [6]YouTube

 

 

 

mostrar partes citadas

access-documents, Agencia Europea de Seguridad de las Redes y de la Información

7 Adjuntos

Dear Mr. Soesanto,

 

 

In accordance with Regulation 1049/2001, and based on your request, please
find attached our reply.

 

We hope this information satisfies your request.

 

Kind regards,

 

 

Public
[1]ENISA Access to
Documents
[2]ENISA
Agamemnonos 14, 15231 Chalandri, Attiki,
Greece | enisa.europa.eu
[3]Twitter [4]Facebook [5]LinkedIn [6]YouTube

 

 

 

 

mostrar partes citadas

Dear European Union Agency for Network and Information Security,

Please pass this on to the person who reviews confirmatory applications.

I am filing the following confirmatory application with regards to my access to documents request 'Blue OLEx 2021'. The EU CyCLONe group declined access to all document on the Blue OLEx 2021 table-top scenario by citing (a) sensitive information contained in the scenario materials, and (b) Article 4(1)(a) and 4(2) of Regulation (EC) 1049/2001.

Given that Blue OLEx 2021 is a table top exercise based on a fictional scenario that tests CyCLONe's Standard Operating Procedures, I question whether the arguments listed to decline my document access were made in good faith.

On point (a) sensitive information contained in the scenario materials:
As I understand it, sensitive information is not the same as a sensitive document as defined under Article 9(1) of Regulation (EC) 1049/2001. If that is the case, then the CyCLONe group does have the practical option to redact any sensitive information from the documents request. A blanket refusal to any and all documents used to play through a fictional scenario by citing sensitive information seems disproportionate to me.

On point (b) Article 4(1)(a) and 4(2) of Regulation (EC) 1049/2001:
I would need clarification as to whether Article 4(1)(a) - i.e., undermining the protection of the public interest - can apply to documents that describe the roles, responsibilities, infrastructure, incidents, and timeline in a fictional scenario. Similarly, I would like to have clarification as to whether Article 4(1)(a) does apply to access to the injects of a fictional scenario, "including: intelligence briefs, background information, action parameters, and any other information that was disseminated to individual participants to drive the [fictional] scenario." What highly likely is protected by Article 4(1)(b) are the specific decisions of the individual participants made in reaction of the scenario. But I do not requesting any documents relating to those.

It is unclear to me how Article 4(2) applies in this case. If the documents in question include sensitive information then they cannot be covered under commercial interests/intellectual property. It is highly likely also not the case that the materials used in this exercise are part of any court proceeding or legal advice. And it is unclear to me whether the protection of inspections, investigations, and audits, is applicable to a fictional table-top scenario. It might fall under its broader contours if the same fictional scenario would be played through in every Blue OLEx exercise. To my knowledge, that is not the case. Every Blue OLEx exercise scenario is different.

A full history of my request and all correspondence is available on the Internet at this address: https://www.asktheeu.org/en/request/blue...

Yours faithfully,
Stefan Soesanto

access-documents, Agencia Europea de Seguridad de las Redes y de la Información

6 Adjuntos

Dear Mr. Soesanto,

 

 

We hereby acknowledge receipt of your confirmatory application with
regards to your access to documents request on 'Blue OLEx 2021' ,
registered today 23/11/2021.

 

We will revert to you.

Thank you.

 

 

Kind regards,

 

 

Public
[1]ENISA Access to
Documents
[2]ENISA
Agamemnonos 14, 15231 Chalandri, Attiki,
Greece | enisa.europa.eu
[3]Twitter [4]Facebook [5]LinkedIn [6]YouTube

 

 

 

 

mostrar partes citadas

access-documents, Agencia Europea de Seguridad de las Redes y de la Información

7 Adjuntos

Dear Mr.Soesanto,

 

In accordance with Regulation 1049/2001, and based on your confirmatory
application, please find attached our reply.

 

 

We hope this information satisfies your request.

 

 

Kind regards,

 

 

[1]ENISA Public Access to Documents
[2]ENISA
Agamemnonos 14, 15231 Chalandri, Attiki, Greece |
enisa.europa.eu
[3]Twitter [4]Facebook [5]LinkedIn [6]YouTube

 

 

 

 

 

 

mostrar partes citadas