GUIDE TO DEVELOPING A NATIONAL CYBERSECURITY STRATEGY CYBERSECURITY S¢  Cybersecurity Strategy Guide,

  • View
    0

  • Download
    0

Embed Size (px)

Text of GUIDE TO DEVELOPING A NATIONAL CYBERSECURITY STRATEGY CYBERSECURITY S¢  Cybersecurity...

  • STRATEGIC ENGAGEMENT IN CYBERSECURITY

    GUIDE TO DEVELOPING A NATIONAL

    CYBERSECURITY STRATEGY

    PO TO

    MAC INSTITUTE

    F O

    R

    POLICY ST UD

    IE S

    B

    G

  • IIGuide to Developing a National Cybersecurity Strategy

  • IIIGuide to Developing a National Cybersecurity Strategy

    This work is a co-publication of the International Telecommunication Union (ITU), the World Bank, Commonwealth Secretariat (ComSec), the Commonwealth Telecommunications Organisation (CTO), and NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE), thereafter (IGOs). The findings, interpretations and conclusions expressed in this work do not necessarily reflect the views of the IGOs, or their governing bodies. The IGOs do not guarantee the accuracy of the data included in this work. The boundaries, colours, denominations and other information shown on any map in this work do not imply any judgment on the part of the IGOs concerning the legal status of any territory or the endorsement or acceptance of such boundaries.

    Nothing herein shall constitute or be considered to be a limitation upon or waiver of the privileges and immunities of the IGOs, all of which are specifically reserved.

    © 2018 International Telecommunication Union (ITU) Place des Nations 1211, Geneva 20 Switzerland Internet: www.itu.int

    This work is available under the Creative Commons Attribution 3.0 IGO license (CC BY 3.0 IGO) http://creativecommons.org/licenses/by/3.0/igo. Under the Creative Commons Attribution license, you are free to copy, distribute, transmit and adapt this work, including for commercial purposes, under the following conditions:

    Attribution — Please cite the work as follows: the International Telecommunication Union (ITU), The World Bank, Commonwealth Secretariat (ComSec), the Commonwealth Telecommunications Organisation (CTO), NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE). 2018. Guide to Developing a National Cybersecurity Strategy – Strategic engagement in cybersecurity. Creative Commons Attribution 3.0 IGO (CC BY 3.0 IGO).

    Translations — If you create a translation of this work, please add the following disclaimer along with the attribution: This translation was not created by the International Telecommunication Union (ITU), The World Bank, Commonwealth Secretariat (ComSec), the Commonwealth Telecommunications Organisation (CTO), and NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE), and should not be considered an official translation. The above-mentioned entities shall not be liable for any content or error in this translation.

    Some Rights Reserved

    Rights & Permission

  • IVGuide to Developing a National Cybersecurity Strategy

    Adaptations — If you create an adaptation of this work, please add the following disclaimer along with the attribution: This is an adaptation of an original work by the International Telecommunication Union (ITU), The World Bank, Commonwealth Secretariat (ComSec) the Commonwealth Telecommunications Organisation (CTO) and NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE). Views and opinions expressed in the adaptation are the sole responsibility of the author or authors of the adaptation and are not endorsed by above mentioned organisations.

    Third Party Content — The International Telecommunication Union (ITU), the World Bank, Commonwealth Secretariat (ComSec), the Commonwealth Telecommunications Organisation (CTO) and NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE) do not necessarily own each component of the content contained within the work. They therefore do not warrant that the use of any third-party-owned individual component or part contained in the work will not infringe on the rights of those third parties. The risk of claims resulting from such infringement rests solely with you. If you wish to re-use a component of the work, it is your responsibility to determine whether permission is needed for that re-use and to obtain permission from the copyright owner. Examples of components can include but are not limited to, tables, figures, or images.

    Any requests for use exceeding the scope of the aforementioned license (CC BY 3.0 IGO) should be addressed to the International Telecommunication Union (ITU), Place des Nations, 1211 Geneva 20, Switzerland; email: itumail@itu.int

  • VGuide to Developing a National Cybersecurity Strategy

    Acknowledgments This Guide was developed by twelve partners from Intergovernmental and International Organisations, private sector, as well as academia and civil society and included the following organisations: Commonwealth Secretariat (ComSec), the Commonwealth Telecommunications Organisation (CTO), Deloitte, the Geneva Centre for Security Policy (GCSP), the Global Cyber Security Capacity Centre (GCSCC) at the University of Oxford, the International Telecommunication Union (ITU), Microsoft, the NATO Cooperative Cyber Defence Centre Of Excellence (NATO CCD COE), the Potomac Institute for Policy Studies, RAND Europe, The World Bank and the United Nations Conference on Trade and Development (UNCTAD).

    The team included Katalaina Sapolu (ComSec), Shadrach Haruna (ComSec), Martin Koyabe (CTO), Fargani Tambeayuk (CTO), Andrea Rigoni (Deloitte), Carolin Weisser (GCSCC), Marco Obiso (ITU), Kaja Ciglic (Microsoft), Kadri Kaska (NATO CCD COE), Francesca Spidalieri and Melissa Hathaway (the Potomac Institute for Policy Studies), Erik Silfversten (RAND Europe), David Satola and Sandra Sergeant (The World Bank), and Cecile Barayre (UNCTAD).

    The European Union Agency for Network and Information Security (ENISA) provided a significant contribution to the Guide.

    The contributions of the following people are also recognised: Grace Acayo, Rosheen Awotar-Mauree, Ben Baseley-Walker, Paul Cornish, Luc Dandurand, Michael Goldsmith, Kemal Huseinovic, Andraz Andy Kastelic, Maxim Kushtuev, Lena Lattion, Gustav Lindstrom, Damien Maddalena, Emily Munro, Lara Pace, Sarah Puello Alfonso, Valeria Risuglia, Taylor Roberts, Monica M. Ruiz, Irene Rubio, Ann Valjataga, Julienne Wright.

  • VIGuide to Developing a National Cybersecurity Strategy

    It is a pleasure to present – on behalf of the partners involved – the National Cybersecurity Strategy Guide, aimed at providing an aggregated and harmonised set of principles and good practices on the development, establishment and implementation of national cybersecurity strategies.

    Facilitated by ITU, twelve partners from the public and private sectors, academia and civil society agreed to share their experience, knowledge and expertise, producing a Guide that gathers existing know-how from the participating organisations as well as providing references to complementary publications, in order to ease access to available resources.

    Over the last two decades, billions of people around the world have benefited from the exponential growth and rapid adoption of information and communications technologies, and the associated economic and social opportunities. We are witnessing a digital revolution that is profoundly transforming our societies.

    Cybersecurity is a fundamental factor in achieving socio-economic development. Yet, only seventy-six1 countries around the world have, publicly available, national cybersecurity strategies. It is therefore imperative to boost efforts to produce them. As the title suggests, the objective of the Guide is to instigate strategic thinking and help national leaders and policy-makers to develop, establish and implement national cybersecurity strategies.

    I am confident that the National Cybersecurity Strategy Guide will serve as a useful tool for all stakeholders with cybersecurity responsibilities. I would personally like to express my gratitude to the partners, for their continuous, invaluable support and commitment in making this project a great success as a concrete example of a successful multistakeholder collaboration.

    Brahima Sanou Director, ITU Telecommunication Development Bureau

    Foreword

    1 From the ITU Global Cybersecurity Index (GCI) 2017

  • 1Guide to Developing a National Cybersecurity Strategy

    Preface 5

    1 Document Overview 7

    1.1 Purpose 8

    1.2 Scope 8

    1.3 Overall structure and usage of the Guide 9

    1.4 Target audience 10

    2 Introduction 11

    2.1 What is cybersecurity 13

    2.2 Benefits of a National Cybersecurity Strategy and Strategy development process 13

    3 Lifecycle of a National Cybersecurity Strategy 15

    3.1 Phase I: Initiation 18

    3.1.1. Identifying the lead project authority 18

    3.1.2. Establishing a steering committee 18

    3.1.3. Identifying stakeholders to be involved in the development of the Strategy 19

    3.1.4. Planning the development of the Strategy 19

    3.2 Phase II: Stocktaking and analysis 21

    3.2.1 Assessing the national cybersecurity landscape 21

    3.2.2 Assessing the cyber-risk landscape 22

    3.3 Phase III: Production of the National Cybersecurity Strategy 22

    3.3.1 Draft the National Cybersecurity Strategy 23

    3.3.2 Consulting with a broad range of stakeholders 23

    3.3.3 Seeking formal approval 23

    3.3.4 Publishing the Strategy 24

    Table of contents

    Table of Contents

  • 2Guide to Developing a National Cybersecurity Strategy

    3.4 Phase IV: Implementation 24

    3.4.1 Developing the action plan 24

    3.4.2 Determ