NISF Objectives Conceptual structure for guiding IS activities

2 NISF Objectives: Conceptual structure for guiding IS activities
- Common approach for addressing IS issues
- Secure GoU information and other assets
- Improve understanding of IS risk, roles and responsibilities
- Guarantee IS compliance by CNII operators
- Improve IS governance and environment

3 Responsibility Assignment Matrix
- Different infosec/cybersecurity roles
- Government: Accountable
- CII Sectors: Responsible under the law

4 Government Information Security Accountability

5 Government Accountability
- The President is the owner/sponsor of the NISF
- The President delegates responsibility for the NISF to Ministers, Accounting Officers (Heads of Departments) & Boards within MDAs/CIIs
- CIOs are responsible for the overall IT function
- The NISF is to create a cadre to manage day-to-day information security arrangements
- Roles would include a Senior Information Risk Owner (SIRO) who reports to the Board
- Ultimately, the NISF is everyone's responsibility

6 National Information Security Framework – Applicability

7 Applicability
- All information systems used or operated by a Ministry, Department or Agency (MDA), by a contractor of an MDA, or by another organisation on behalf of an MDA
- All operators/owners of critical information infrastructure (CII), i.e. systems and services in the (1) government, (2) banking, (3) energy, (4) water, (5) communications, (6) transport, (7) health, (8) emergency services and (9) food sectors

8 Public & Private Sector

9 Structure of the NISF: Advise, coordinate, supervise and monitor IT

10 Presidential Security Directive 1

11 Presidential Security Directive 1
“All sector-specific regulators, in particular those supervised by the ministries of security; defence; foreign affairs; finance, planning and economic development; information and communications technology; internal affairs; justice and constitutional affairs; health; energy and minerals; water and environment; and local government, shall work with NITA-U.”

12 Structure – Executive Handbook

13 Executive Handbook
- For Accounting Officers (Heads of Departments) and their Boards
- Explains threat sources & environment
- Outlines guiding principles
- Roles of Accounting Officers within the NISF
- Summarises mandatory requirements

14 National Information Security Policy
- Outlines minimum mandatory security requirements for all MDAs/CII in four security domains: Governance, Information, Personnel & Physical
- Defines security outcomes, i.e. what "best practice" means from the GoU perspective
- Defines roles & responsibilities, i.e. RACI
- A minimum standard; hence MDAs/CII must have their own risk assessment/policy
- Assurance & compliance arrangements

15 Structure – National Information Security Policy

16 NISP Part 1 – Security Governance

17 Security Governance
Security Organisation
- Suitably staffed MDA/CII security organisation
- Clear lines of responsibility and accountability for information security up to the Board
- Board-level ownership of security risks
- Training for all officials performing security roles
Risk management approaches
- Formal
- Holistic
- Consistent
- Policy guided

18 Security Governance (continued)
Education, Awareness & Training
- Mandatory security induction training
- Formal and validated risk awareness training
- Ensure that all staff and contractors accept personal responsibility for information security
Incident management
- Formal, tested policies and procedures
Assurance & Compliance
- Give the President & other stakeholders confidence that security controls address risks adequately

19 NISP Part 2 – Information Security

20 Information Security
Information Security Policy
- Sets out how an MDA/CII operator and their supply chain protect the information assets they hold, store or process from C-I-A threats
Information security classification
- How MDAs/CII value, handle, share/use and protect sensitive assets, e.g. information
Certification & Accreditation
- IT system and service lifecycle security
Cyber Supply Chain security
- Confidence that a supplier would handle assets securely

21 Security classification levels
Applicable Legislation
- Official Secrets Act, 1964(!)
- Access to Information Act, 2005
Considerations
- Business Impacts: Trivial to Catastrophic
- Mandatory Security Outcomes: Who to deter
- Marking: Explicit marking; or not

22 Supply chain security

23 NISP Part 3 – Personnel Security

24 Personnel Security
Manage the risk of staff and contractors exploiting legitimate access to premises, information and staff for unauthorised use:
- HR Recruitment
- National Security Vetting
- Ongoing personnel security
- Security appraisal procedures
- Formal leavers' process
- Formal career paths for IT staff
- Give IT staff a stake in information security
- Value and promote IT staff; incentive schemes etc.

25 Personnel security - highlights
"Vetting": the process of getting Security Cleared
Baseline Security Clearance (applies to all)
- Identity verification
- Employment history
- Nationality and immigration status
- Criminal record
National Security Vetting
- SECRET Clearance: uncontrolled access to GoU information up to, and including, SECRET
- TOP SECRET Clearance: up to TOP SECRET

26 NISP Part 4 - Physical Security

27 Physical Security
Security measures, layout and design of sites/facilities to prevent unauthorised access to sensitive GoU/CII assets:
- Physical Perimeter Security
- Physical Entry Controls
- Internal Data Centre Physical Access
- Equipment Security
- Media Security, Distribution & Backup
- Secure Disposal & Re-Use of Equipment: reasonable confidence that unauthorised parties could not retrieve or reconstruct erased data

28 Physical security - highlights
New Governance Structure
- Board-level Information Risk Owner
- Security Controller: physical security & vetting
- Facilities Manager: routine site management
Data centre Classifications
- Class A: hosting TOP SECRET information
- Class B: hosting information up to SECRET
- Class C: up to OFFICIAL-RESTRICTED
Secure Decommissioning, Disposal & Use
- Stop unauthorised retrieval & reconstruction

29 Current documents
- [PSD]
- Executive Handbook
- Implementation Guide
- National Information Security Policy
- NISP Target Operating Model
- SS1: Technical Risk Assessment
- SS2: Risk Management and Accreditation
- SS3: Security Classification
- SS4: Personnel Security
- SS5: Physical Security
- SS6: Incident Management

30 Thank You
Mangeni R. Arnold, CISSP®
Manager - Information Security Operations, National Information Technology Authority
