National Cybersecurity Management System: Framework, Maturity Model, RACI Chart, Implementation Guide
Taieb DEBBAGH
Geneva, 6-7 December 2010
Addressing security challenges on a global scale
Agenda
1 - Introduction
2 - National Cybersecurity Management System
3 - NCSec Framework: 5 Domains
4 - NCSec Framework: 34 Processes
5 - Maturity Model
6 - NCSec Assessment
7 - Roles & Responsibilities (RACI Chart)
8 - Implementation Guide
1 - Introduction (1/2)
- Computer security challenges are increasing worldwide;
- There are no appropriate organizational and institutional structures to deal with these issues;
- Which entity (or entities) should be given responsibility for computer security?
- Although there are best practices that organizations can refer to in order to evaluate their security status,
- there is a lack of international standards (clear guidance) with which a State or region can measure its current security status.
1 - Introduction (2/2)
The main objective of this presentation is to propose a model of a National Cybersecurity Management System (NCSecMS), a global framework that best responds to the needs expressed by the ITU Global Cybersecurity Agenda (GCA).
This global framework consists of 4 main components:
- NCSec Framework;
- Maturity Model;
- Roles and Responsibilities chart;
- Implementation Guide.
2 - NCSec Management System
4 - NCSec Framework (5 Domains and 34 Processes)

1 - SP: Strategy and Policies
- SP1 NCSec Strategy: Promulgate & endorse a National Cybersecurity Strategy
- SP2 Lead Institutions: Identify a lead institution for developing a national strategy, and 1 lead institution per stakeholder category
- SP3 NCSec Policies: Identify or define policies of the NCSec strategy
- SP4 Critical Information Infrastructure Protection: Establish & integrate risk management for identifying & prioritizing protective efforts regarding CII
- SP5 Stakeholders: Identify the degree of readiness of each stakeholder regarding the implementation of the NCSec strategy & how stakeholders pursue the NCSec strategy & policies

2 - IO: Implementation and Organisation
- IO1 NCSec Council: Define a National Cybersecurity Council for coordination between all stakeholders, to approve the NCSec strategy
- IO2 NCSec Authority: Define a specific high-level Authority for coordination among cybersecurity stakeholders
- IO3 National CERT: Identify or establish a national CERT to prepare for, detect, respond to, and recover from national cyber incidents
- IO4 Privacy and Personal Data Protection: Review the existing privacy regime and update it for the on-line environment
- IO5 Laws: Ensure that a legal framework is in place and regularly updated
- IO6 Institutions: Identify institutions with cybersecurity responsibilities, and procure resources that enable NCSec implementation
- IO7 National Experts and Policymakers: Identify the appropriate experts and policymakers within government, the private sector and universities
- IO8 Training: Identify training requirements and how to achieve them
- IO9 Government: Implement a cybersecurity plan for government-operated systems that takes change management into account
- IO10 International Expertise: Identify international expert counterparts and foster international efforts to address cybersecurity issues, including information sharing and assistance efforts

3 - AC: Awareness and Communication
- AC1 Leaders in the Government: Persuade national leaders in the government of the need for national action to address threats to and vulnerabilities of the NCSec through policy-level discussions
- AC2 National Cybersecurity and Capacity: Manage national cybersecurity and capacity at the national level
- AC3 Continuous Service: Ensure continuous service within each stakeholder and among stakeholders
- AC4 National Awareness: Promote a comprehensive national awareness program so that all participants (businesses, the general workforce, and the general population) secure their own parts of cyberspace
- AC5 Awareness Programs: Implement security awareness programs and initiatives for users of systems and networks
- AC6 Citizens and Child Protection: Support outreach to civil society with special attention to the needs of children and individual users
- AC7 Research and Development: Enhance Research and Development (R&D) activities (through the identification of opportunities and allocation of funds)
- AC8 CSec Culture for Business: Encourage the development of a culture of security in business enterprises
- AC9 Available Solutions: Develop awareness of cyber risks and available solutions
- AC10 NCSec Communication: Ensure national cybersecurity communication

4 - CC: Compliance and Communication
- CC1 International Compliance & Cooperation: Ensure regulatory compliance with regional and international recommendations, standards …
- CC2 National Cooperation: Identify and establish mechanisms and arrangements for cooperation among government, private sector entities, universities and NGOs at the national level
- CC3 Private Sector Cooperation: Encourage cooperation among groups from interdependent industries (through the identification of common threats)
- CC4 Incident Handling: Manage incidents through the national CERT to detect, respond to, and recover from national cyber incidents, through cooperative arrangements (especially between government and the private sector)
- CC5 Points of Contact: Establish points of contact (or CSIRTs) within government, industry and universities to facilitate consultation, cooperation and information exchange with the national CERT, in order to monitor and evaluate NCSec performance in each sector

5 - EM: Evaluation and Monitoring
- EM1 NCSec Observatory: Set up the NCSec observatory
- EM2 Mechanisms for Evaluation: Define mechanisms that can be used to coordinate the activities of the lead institution, the government, the private sector and civil society, in order to monitor and evaluate the global NCSec performance
- EM3 NCSec Assessment: Assess and periodically reassess the current state of cybersecurity efforts and develop program priorities
- EM4 NCSec Governance: Provide national cybersecurity governance
5 - NCSec Maturity Model (excerpt: processes SP1 to SP4, levels 1 to 5)

SP1 - Promulgate & endorse a National Cybersecurity Strategy
- Level 1: Recognition of the need for a National strategy
- Level 2: NCSec is announced & planned
- Level 3: Operational for all key activities
- Level 4: NCSec is under regular review
- Level 5: Continuous improvement

SP2 - Identify a lead institution for developing a national strategy, and 1 lead institution per stakeholder category
- Level 1: Some institutions have an individual cyber-security strategy
- Level 2: Lead institutions are announced for all key activities
- Level 3: Are operational for all key activities
- Level 4: Are under regular review
- Level 5: Are under (cell truncated on the slide)

SP3 - Identify or define policies of the NCSec strategy
- Level 1: Ad-hoc & isolated approaches to policies & practices
- Level 2: Similar & common processes planned
- Level 3: Policies and procedures are defined, documented, operational
- Level 4: National best practices are applied & repeatable
- Level 5: Integrated policies & procedures; transnational best practice

SP4 - Establish & integrate a risk management process for identifying & prioritizing protective efforts regarding NCSec (CIIP)
- Level 1: Need for a risk management process in CIIP
- Level 2: CIIP are identified & planned; risk process is announced
- Level 3: Approved & CIIP (cell truncated on the slide)
- Level 4: CIIP risk complete, repeatable, and lead to CI best practices
- Level 5: Process evolves to automated workflow & integrated to enable (cell truncated on the slide)
Example: SP1 Maturity Model
The first process, SP1, consists in "Promulgating and endorsing a National Cybersecurity Strategy".
Process SP1 is in conformance with level 5 if the following conditions are respected:
- Recognition of the need for a National Cybersecurity Strategy;
- the NCSec strategy is "announced and planned";
- the NCSec strategy is "operational";
- the NCSec strategy is under "regular review";
- the NCSec strategy is under "continuous improvement".
6 - NCSec Assessment
(Assessment chart; only the legend is recoverable from the slide.)
Legend:
- SP1: National Cybersecurity Strategy
- SP4: CIIP
- IO2: National Cybersecurity Authority
- IO3: National CERT
- IO5: Cyber Law
- AC5: Awareness Programme
- CC1: International Cooperation
- CC2: National Coordination
- EM4: Cybersecurity Governance
7 - RACI Chart / Stakeholders
Stakeholder columns: Head of Gov, Nat Cyb Coun, Legisl Auth, ICT Authority, Min of Int, Min of Def, Min of Fin, Min of Edu, Nat Cyb Auth, Civil Soc, Trade Union, Private Sect, Academia, Critical Infras, Nat CERT, CSIRTs, Government
Process rows:
- SP1 NCSec Strategy: Promulgate & endorse a National Cybersecurity Strategy (row entries I, A, C, R; the column each entry belongs to is not recoverable from the slide)
- SP2 Lead Institutions: Identify a lead institution for developing a national strategy, and 1 lead institution per stakeholder category
- SP3 NCSec Policies: Identify or define policies of the NCSec strategy
- SP4 Critical Infrastructures: Establish & integrate risk management for identifying & prioritizing protective efforts regarding NCSec (CIIP)
R = Responsible, A = Accountable, C = Consulted, I = Informed
8 - Implementation Guide
ITU-D / SG1 / Question 22-1/1: Securing information and communication networks, best practices for developing a culture of cybersecurity
Report of the meeting of the Rapporteur Group on Question 22-1/1 (Geneva, Wednesday, 22 September 2010):
Document 1/23 was presented by Morocco. It provides a model for administrations to use in managing their cybersecurity programme based on the ISO family and COBIT. It was suggested that it could be a framework to be used by developing countries in assessing their cybersecurity strategy. The Rapporteur asked the BDT to put the entire document on the web site of Study Group 1 and invited comments for the next meeting.
Thank you for your attention
Email: t.debbagh@technologies.gov