Page 2: National Cybersecurity Management System

National Cybersecurity Management System

Framework - Maturity Model - RACI Chart - Implementation Guide

Taieb DEBBAGH

Addressing security challenges on a global scale, Geneva, 6-7 December 2010

Page 3: National Cybersecurity Management System

Agenda

1 - Introduction
2 - National Cybersecurity Management System
3 - NCSec Framework: 5 Domains
4 - NCSec Framework: 34 processes
5 - Maturity Model
6 - NCSec Assessment
7 - Roles & Responsibilities (RACI Chart)
8 - Implementation Guide

Page 4: National Cybersecurity Management System

1 - Introduction (1/2)

• Increasing computer security challenges in the world;
• No appropriate organizational and institutional structures to deal with these issues;
• Which entity (or entities) should be given the responsibility for computer security?
• There are best practices that organizations can refer to in order to evaluate their security status;
• But there is a lack of international standards (clear guidance) with which a State or region can measure its current security status.

Page 5: National Cybersecurity Management System

1 - Introduction (2/2)

The main objective of this presentation is to propose a Model of National Cybersecurity Management System (NCSecMS), which is a global framework that best responds to the needs expressed by the ITU Global Cybersecurity Agenda (GCA).

This global framework consists of 4 main components:
• NCSec Framework;
• Maturity Model;
• Roles and Responsibilities chart;
• Implementation Guide.

Page 6: National Cybersecurity Management System

2 – NCSec Management System


Page 7: National Cybersecurity Management System

3 - NCSec Framework : 5 Domains


Page 8: National Cybersecurity Management System

4 - NCSec Framework (5 Domains and 34 Processes)

1 - SP: Strategy and Policies

SP1 NCSec Strategy: Promulgate & endorse a National Cybersecurity Strategy
SP2 Lead Institutions: Identify a lead institution for developing a national strategy, and one lead institution per stakeholder category
SP3 NCSec Policies: Identify or define policies of the NCSec strategy
SP4 Critical Information Infrastructures Protection: Establish & integrate risk management for identifying & prioritizing protective efforts regarding CII
SP5 Stakeholders: Identify the degree of readiness of each stakeholder regarding the implementation of the NCSec strategy, and how stakeholders pursue the NCSec strategy & policies

2 - IO: Implementation and Organisation

IO1 NCSec Council: Define a National Cybersecurity Council for coordination between all stakeholders, to approve the NCSec strategy
IO2 NCSec Authority: Define a specific high-level Authority for coordination among cybersecurity stakeholders
IO3 National CERT: Identify or establish a national CERT to prepare for, detect, respond to, and recover from national cyber incidents
IO4 Privacy and Personal Data Protection: Review the existing privacy regime and update it to the on-line environment
IO5 Laws: Ensure that a legal framework is in place and regularly updated
IO6 Institutions: Identify institutions with cybersecurity responsibilities, and procure resources that enable NCSec implementation
IO7 National Experts and Policymakers: Identify the appropriate experts and policymakers within government, private sector and university
IO8 Training: Identify training requirements and how to achieve them
IO9 Government: Implement a cybersecurity plan for government-operated systems that takes change management into account
IO10 International Expertise: Identify international expert counterparts and foster international efforts to address cybersecurity issues, including information sharing and assistance efforts

3 - AC: Awareness and Communication

AC1 Leaders in the Government: Persuade national leaders in the government of the need for national action to address threats to and vulnerabilities of the NCSec through policy-level discussions
AC2 National Cybersecurity and Capacity: Manage National Cybersecurity and capacity at the national level
AC3 Continuous Service: Ensure continuous service within each stakeholder and among stakeholders
AC4 National Awareness: Promote a comprehensive national awareness program so that all participants (businesses, the general workforce, and the general population) secure their own parts of cyberspace
AC5 Awareness Programs: Implement security awareness programs and initiatives for users of systems and networks
AC6 Citizens and Child Protection: Support outreach to civil society with special attention to the needs of children and individual users
AC7 Research and Development: Enhance Research and Development (R&D) activities (through the identification of opportunities and allocation of funds)
AC8 CSec Culture for Business: Encourage the development of a culture of security in business enterprises
AC9 Available Solutions: Develop awareness of cyber risks and available solutions
AC10 NCSec Communication: Ensure National Cybersecurity Communication

4 - CC: Compliance and Communication

CC1 International Compliance & Cooperation: Ensure regulatory compliance with regional and international recommendations, standards …
CC2 National Cooperation: Identify and establish mechanisms and arrangements for cooperation among government, private sector entities, university and NGOs at the national level
CC3 Private Sector Cooperation: Encourage cooperation among groups from interdependent industries (through the identification of common threats)
CC4 Incidents Handling: Manage incidents through the national CERT to detect, respond to, and recover from national cyber incidents, through cooperative arrangements (especially between government and private sector)
CC5 Points of Contact: Establish points of contact (or CSIRTs) within government, industry and university to facilitate consultation, cooperation and information exchange with the national CERT, in order to monitor and evaluate NCSec performance in each sector

5 - EM: Evaluation and Monitoring

EM1 NCSec Observatory: Set up the NCSec observatory
EM2 Mechanisms for Evaluation: Define mechanisms that can be used to coordinate the activities of the lead institution, the government, the private sector and civil society, in order to monitor and evaluate the global NCSec performance
EM3 NCSec Assessment: Assess and periodically reassess the current state of cybersecurity efforts and develop program priorities
EM4 NCSec Governance: Provide National Cybersecurity Governance

Page 9: National Cybersecurity Management System

ACM Publication – December 2008

Page 10: National Cybersecurity Management System

5 - NCSec Maturity Model

Columns: PS (process), Mor (score), Process Description, Level 1 to Level 5

SP1 (Mor: 3) Promulgate & endorse a National Cybersecurity Strategy
  Level 1: Recognition of the need for a National strategy
  Level 2: NCSec is announced & planned
  Level 3: NCSec is operational for all key activities
  Level 4: NCSec is under regular review
  Level 5: NCSec is under continuous improvement

SP2 (Mor: 1) Identify a lead institution for developing a national strategy, and one lead institution per stakeholder category
  Level 1: Some institutions have an individual cybersecurity strategy
  Level 2: Lead institutions are announced for all key activities
  Level 3: Lead institutions are operational for all key activities
  Level 4: Lead institutions are under regular review
  Level 5: Lead institutions are under continuous improvement

SP3 (Mor: 2) Identify or define policies of the NCSec strategy
  Level 1: Ad-hoc & isolated approaches to policies & practices
  Level 2: Similar & common processes announced & planned
  Level 3: Policies and procedures are defined, documented, operational
  Level 4: National best practices are applied & repeatable
  Level 5: Integrated policies & procedures; transnational best practice

SP4 (Mor: 1) Establish & integrate a risk management process for identifying & prioritizing protective efforts regarding NCSec (CIIP)
  Level 1: Recognition of the need for a risk management process in CIIP
  Level 2: CIIP are identified & planned; risk management process is announced
  Level 3: Risk management process is approved & operational for all CIIP
  Level 4: CIIP risk management process is complete, repeatable, and leads to CI best practices
  Level 5: CIIP risk management process evolves to an automated workflow & is integrated to enable improvement

Page 11: National Cybersecurity Management System

Example : SP1 Maturity Model

• The first process, SP1, consists in "Promulgating and endorsing a National Cybersecurity Strategy".

• Process SP1 is in conformance with level 5 if the following conditions are respected:

1. Recognition of the need for a National Cybersecurity Strategy
2. The NCSec strategy is "announced and planned"
3. The NCSec strategy is "operational"
4. The NCSec strategy is under "regular review"
5. The NCSec strategy is under "continuous improvement"
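The cumulative reading of the SP1 example (level n is reached only when conditions 1 to n are all satisfied) and the RACI convention on the later slide can be turned into a small assessment helper. This is an added example, not code from the presentation; the "one Accountable, at least one Responsible" rule for a RACI row is a standard RACI check assumed here, not stated on the slides.

```python
"""Cumulative NCSec maturity scoring and RACI row checks (added example).
Assumed rule, from the SP1 slide: level n is reached only when conditions
1..n are ALL satisfied, so the score is the leading run of met conditions."""
from collections import Counter

# SP1 level conditions quoted from the slide; list index + 1 is the level
SP1_CONDITIONS = [
    "Recognition of the need for a National Cybersecurity Strategy",
    "NCSec strategy is announced and planned",
    "NCSec strategy is operational",
    "NCSec strategy is under regular review",
    "NCSec strategy is under continuous improvement",
]

def maturity_level(conditions_met):
    """Length of the leading run of satisfied conditions (0..len).
    [True, False, True] is level 1, not 3: a met higher condition does
    not count while a lower one is unmet."""
    level = 0
    for met in conditions_met:
        if not met:
            break
        level += 1
    return level

def next_step(conditions_met, conditions=SP1_CONDITIONS):
    """First unmet condition (what to work on next), or None at top level."""
    level = maturity_level(conditions_met)
    return conditions[level] if level < len(conditions) else None

def check_raci_row(cells):
    """Problems with one RACI row (assumed rule): exactly one Accountable,
    at least one Responsible, and only the codes R/A/C/I."""
    counts = Counter(cells)
    problems = []
    unknown = sorted(set(cells) - set("RACI"))
    if unknown:
        problems.append("unknown codes: " + ", ".join(unknown))
    if counts["A"] != 1:
        problems.append("expected exactly one Accountable, found %d" % counts["A"])
    if counts["R"] == 0:
        problems.append("no Responsible stakeholder")
    return problems

if __name__ == "__main__":
    evidence = [True, True, False, False, False]   # constructed self-assessment
    print("SP1 level", maturity_level(evidence), "- next:", next_step(evidence))
    print("SP1 row:", check_raci_row("I A C C R C C C I I R I I I".split()) or "ok")
    print("bad row:", check_raci_row("A A R C I".split()))   # constructed row
```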

Page 12: National Cybersecurity Management System

6 - NCSec Assessment

(Assessment chart: scores per process, identified by the legend below)

Legend:
SP1: National Cybersecurity Strategy
SP4: CIIP
IO2: National Cybersecurity Authority
IO3: National CERT
IO5: Cyber Law
AC5: Awareness Programme
CC1: International Cooperation
CC2: National Coordination
EM4: Cybersecurity Governance

Page 13: National Cybersecurity Management System

7 - RACI Chart / Stakeholders

Stakeholder columns (as recovered from the chart header): Head of Gov, Nat Cyb Coun, Legisl Auth, ICT Authority, Min of Int, Min of Def, Min of Fin, Min of Edu, Nat Cyb Auth, Civil Soc, Trade Union, Private Sect, Academia, Critical Infras, Nat CERT, CSIRTs, Government

Cells are listed left to right as extracted; empty cells are not shown.

SP1 NCSec Strategy: Promulgate & endorse a National Cybersecurity Strategy
  I A C C R C C C I I R I I I

SP2 Lead Institutions: Identify a lead institution for developing a national strategy, and one lead institution per stakeholder category
  I I A C R C C I I R C C C C

SP3 NCSec Policies: Identify or define policies of the NCSec strategy
  A C R C I C I R I I

SP4 Critical Infrastructures: Establish & integrate risk management for identifying & prioritizing protective efforts regarding NCSec (CIIP)
  A R R C I R C R I

R = Responsible, A = Accountable, C = Consulted, I = Informed

Page 14: National Cybersecurity Management System

8 - Implementation Guide


Page 15: National Cybersecurity Management System

ITU-D / SG1 / Question 22-1/1: Securing information and communication networks, best practices for developing a culture of cybersecurity

Report of the meeting of the Rapporteur Group on Question 22-1/1 (Geneva, Wednesday, 22 September 2010)

• Document 1/23 was presented by Morocco. It provides a model for administrations to use in managing their cybersecurity programme based on ISO 27000 family and COBIT. It was suggested that it could be a framework to be used by developing countries in assessing their cybersecurity strategy. The Rapporteur asked the BDT to put the entire document on the web site of Study Group 1 and invited comments for the next meeting.
