Taieb DEBBAGH, PhD, CISA
Secretary-General, Ministry of Industry, Trade and New Technologies, Morocco
ITU Regional Cybersecurity Forum for Africa and Arab States, 4-5 June 2009, Tunis, Tunisia
National Cybersecurity Management System: Framework, Maturity Model and Implementation Guide
1 – Introduction
2 – National Cybersecurity Management System
Introduction (1/2)
• Increasing computer security challenges in the world;
• No appropriate organizational and institutional structures to deal with these issues;
• Which entity (or entities) should be given the responsibility for computer security?
• There are best practices that organizations can refer to in order to evaluate their security status;
• But there is a lack of international standards (clear guidance) with which a State or region can measure its current security status.
Introduction (2/2)
The main objective of this presentation is to propose a Role Model of National Cybersecurity Management System (NCSecMS), which is a global framework that best responds to the needs expressed by the ITU Global Cybersecurity Agenda (GCA).
This global framework consists of 4 main components:
• NCSec Framework;
• Maturity Model;
• Roles and Responsibilities; and
• Implementation Guide.
2 – National Cybersecurity Management System (NCSecMS)
NCSecMS Components (diagram on the slide)
1. NCSec Framework (NCSecFR): 5 domains, 34 processes; built on ISO 27001, ISO 27002, ISO 27003, COBIT V4.1, ITU documents and the national stakeholders
2. Maturity Model (NCSecMM): for each process
3. Roles & Responsibilities (NCSecRR): RACI chart by process
4. Implementation Guide (NCSecIG): PDCA
2.1 – National Cybersecurity Framework
NCSec Framework: 5 Domains, 34 processes (diagram on the slide; process codes and short labels as shown)
SP: Strategy & Policies: SP1 Cyb Strat; SP2 Lead Inst.; SP3 Policies; SP4 CIIP; SP5 Stakeholders
IO: Implementation & Organisation: IO1 NCC; IO2 NCA; IO3 N-CERT; IO4 Privacy; IO5 Law; IO6 Institutions; IO7 Nat Expert; IO8 Training; IO9 Gov Oper; IO10 Int Expert
AC: Awareness & Communication: AC1 Gvt Leader; AC2 N Awar; AC3 Users Syst; AC4 COP; AC5 Capacity; AC6 Contin Sce; AC7 R&D; AC8 Cyb Culture; AC9 Awer Sol; AC10 NCyb Com
CC: Compliance & Coordination: CC1 Coop Multi; CC2 Coop Ind; CC3 Privat Sect; CC4 Mng Incid; CC5 Pts Contact; CC6 Reg Coop
EM: Evaluation & Monitoring: EM1 Observatory; EM2 Ass Prog; EM3 Mech Mon; EM4 Nat Govce
Domain 1: Strategy and Policies (SP)
Proc / Process / Description
SP1 / NCSec Strategy / Promulgate & endorse a National Cybersecurity Strategy
SP2 / Lead Institutions / Identify a lead institution for developing a national strategy, and 1 lead institution per stakeholder category
SP3 / NCSec Policies / Identify or define policies of the NCSec strategy
management for identifying & prioritizing protective efforts regarding NCSec (CIIP)
RACI Chart / Stakeholders (chart on the slide)
R = Responsible, A = Accountable, C = Consulted, I = Informed
Stakeholder columns: Head of Gov; Nat Cyb Coun; Legisl Auth; ICT Authority; Min of Int; Min of Def; Min of Fin; Min of Edu; Nat Cyb Auth; Civil Soc; Trade Union; Private Sect; Academia; Critical Infras; Nat CERT; CSIRTs; Government
(the per-process R/A/C/I assignments are shown in the slide chart)
2.4 – Implementation Guide
NCSec Implementation Guide & PDCA (process diagram on the slide)
Six implementation steps, listed in the order they appear on the slide:
1. Approve Implementation
2. Define Scope & Strategy
3. Conduct National Context Analysis
4. Conduct Risk Assessment
5. Design NCSec Management System
6. Implement NCSec Management System
PDCA cycle: Plan = Establish NCSecMS; Do = Implement & Operate; Check = Monitor & Review; Act = Maintain & Improve
Implementation Guide (diagram on the slide: the same six steps with their inputs and outputs)
Steps: Approve Implementation; Define Scope & Strategy; Conduct National Context Analysis; Conduct Risk Assessment; Design NCSec Management System; Implement NCSec Management System
Outputs shown, in slide order: HL Commitment (from the High Level Decision Makers); HL Awareness; NCSec Strategy; Nat. Inf Sec Assessment; Processes Selected; NCSec Management System; NCSec MS Implementation Program
Inputs shown, in slide order: NCSec Framework; NCSec Maturity Model; NCSec Framework; NCSec RACI Chart; ISO 27001; NCSec IG
3 – Research Papers
ACM Publication
ECEG 2009, 9th European Conference on e-Government
Westminster Business School, University of Westminster, London, UK, 29-30 June 2009
NCSecMM: A National Cyber Security Maturity Model for an Interoperable “National Cyber Security” Framework
Taïeb Debbagh, Mohamed Dafir Ech-Cherif El Kettani
Abstract: A Security Maturity Model is a systematic approach that replaces traditional security metrics. There is more than one Security Maturity Model (SMM, COBIT, CERT/CSO, ISM3), and each of them has only five levels of maturity, providing the blueprint for a complete security program, telling management the order in which to implement security elements (ISM3 Consortium 2007), and leading toward the use of best practice standards (e.g., BS 17799). But very few of them are dedicated to National Cybersecurity.
We propose in this paper a "National CyberSecurity Maturity Model" that will make it possible to evaluate the security of a country or a whole region, thus making comparisons between them and pointing out their strengths and threats.
4 – Morocco Case
Morocco ICT Strategic Plan
5 Priorities:
1. Ensuring SMEs' ICT equipment (computerization of SMEs) to increase their productivity and contribute to their development;
2. Promoting broadband Internet access (accessible to all citizens) and knowledge access;
3. Implementing an ambitious e-government programme that contributes to the efficiency and effectiveness of the Administration and local collectivities;
4. Exploiting offshoring to rapidly develop the export industry and create jobs;
5. Promoting entrepreneurship and the creation of Areas of Excellence in ICT.
3 Supporting measures:
• Implement cyber-confidence requirements;
• Review/formulate HR policies to build ICT capabilities;
• Set up a global governance structure, a changing policy, and an ICT observatory.
Cybersecurity Roadmap
Objectives: Set up a National Cybersecurity policy that aims to ensure business trust, enhance security capabilities, and secure critical information infrastructures.
• Ensure Networks Security
• Ensure Information Systems Security
• Secure Electronic Data Exchange
• Ensure Private Data Protection
• Lead the Fight Against Cybercrime
4 Sub-programmes have been identified to achieve these objectives:
• Legal and Regulatory Framework: upgrade/update the legal and regulatory framework in order to face the cybersecurity challenges and harmonize it with partner countries
• Structures: establish the entities that will be in charge of implementing the national cybersecurity policy
• Development: promote the development of security capabilities
• Awareness and Communications: raise awareness of citizens, enterprises and the administration on cybersecurity and cyber-confidence issues