2. Ghana’s Experience
Agenda
Background
• Existing Policy and Law on the fight against cybercrime
• Gaps in Existing Policy/laws and Need for Policy & Strategy
National Cyber Security Policy
• Policy Development Process
• 9 Pillars of Our Policy
5 Year Strategic Action Plan
• Special Initiatives
Way Forward
11/12/2015 2
4. Ghana’s Experience
Existing Policy & ACTS
• ICT4AD (Pillar 14) 2003
– ICT4AD is Ghana’s policy guidelines for ICT development
– Comprises 14 pillars addressing all ICT needs in Ghana
– Pillar 14
• Policy measures and mechanisms to address
– national security
– law and order issues
• Electronic Transaction Act (ACT 772) 2008
– Legal text embracing key instruments for the fight against cybercrime
• ICT Tribunal
• Cyber Inspectors
• Electronic Government Services
• Cyber Offenses
• Protected computers and Databases
• Consumer protection
• Data Protection Act (843) 2012
– Focuses on application of Principles of Data Protection
• Privacy of Individual
• Collection of personal data
• Security measures
– Data Protection & Enforcement
– Disclosure of information
5. Ghana’s Experience
Why the need for Cybersecurity Policy?
Some shortfalls in policy & laws
• ICT4AD does not adopt a PPP approach to ensuring cyber security
• Not all prospective target audiences are properly addressed by Pillar 14
• Protection of CNII not properly addressed under policy and ETA
• Culture of cyber security across sectors not properly covered
• Inadequate cyber laws and capacity building for national security agencies and law enforcement to fight cybercrime
Challenges
• Prevalence of Cyber Frauds called “Sakawa”
• Defacement of multiple government websites
• Several financial establishments hit, with customers' funds stolen
• Prevalent SIM Box Fraud – loss of revenue to Government on international call traffic
• Lack of awareness of risk to mobile data users on the Internet
• Low awareness of risk of children using the Internet
• Uncoordinated cyber initiatives across Ghana/ no information sharing
• Lack of Information security technology framework in place
6. Ghana’s Experience
Targets: National Cyber Security Framework
Person Specific
• Consumer User
• Corporate User
Device Specific
• Telephones
• Wireless Cell Devices
• Personal Digital Assistant (PDA)
Network Specific
• Wireless Carrier’s Transport
• Local Area, Metropolitan Area and Wireless Area
• Internet
7. Ghana’s Experience
Levels
Level 1: Home and Small Business Users
Level 2: Large Enterprise Users
Level 3: Critical Sectors
Level 4: National Priorities
Level 5: Global
8. Ghana’s Experience
CNII Sectors Identified for Ghana
1. National Defense and Security
2. Banking and Finance
3. Information and Communications
4. Energy
5. Transportation
6. Water
7. Health Services
8. Government
9. Emergency Services
10. Food and Agriculture
10. Ghana’s Experience
Policy Development Process (timeline: 2011 to 2015)
• Initiated by Ministry of Communications in 2011 with support from UNECA
• National Stakeholder Meeting to review areas for upgrade in National ICT needs
• Ad hoc Technical Committee established by MOC to develop policy and strategy
• Stakeholder meeting to review draft
• Final review by Ad hoc Committee to include comments
• Validation Workshop
11. Ghana’s Experience
Policy Development Process-2
• Step 1: Multi-stakeholder Ad hoc Technical Committee formed
• Step 2: Defined terms to be used
• Step 3: Reviewed existing policy and laws to determine gaps
• Step 4: Reviewed conventions and country-specific policies and strategies.
– Budapest Convention, AU draft Convention
• Step 5: Developed text of Policy
12. Ghana’s Experience
Vision & Mission
• Vision
A secure and stable connected Ghana with Internet users working and creating wealth in a safe
cyber space, with a well-researched and trained academic and professional community protecting
Ghana’s cyber space equipped with global standards and responding swiftly to cyber incidents, and
with up-to-date laws and systems in place to efficiently prosecute cyber criminals.
• Mission
Our mission is to determine, analyze and address the immediate cyber security threats posed to
identified critical national information infrastructure by providing adequate protection for the critical
national information infrastructure and over time become a self-sufficient country attending to its
cyber security needs.
13. Ghana’s Experience
9 Pillars of Our Policy
Effective Governance
Legislative & Regulatory Framework
Cyber Security Technology Framework
Culture of security and Capacity Building
Research & Development towards Self-Reliance
Compliance and Enforcement
Child Online Protection
Cyber Security Emergency Readiness
International Cooperation
15. Ghana’s Experience
Special Initiative 1:
National Cybersecurity Awareness Program
• Program to train different stakeholders on different aspects of cyber security with the intent of helping them provide reasonable security commensurate with the risks, to avoid incidents of cyber attacks.
• Will take the form of identification, needs assessment, training and evaluation of different sets of stakeholders.
• The program will include a cyber security awareness portal that will establish a permanent awareness campaign on the Internet.
16. Ghana’s Experience
Special Initiatives 2:
Computer Emergency Response Teams
Establishment of National Computer Emergency Response Team (CERT-GH)
Phase I
• Established with support from ITU/IMPACT in August 2014
• In January 2015, 11 Government websites defaced but brought under control within 24 hours by CERT-GH
• Sharing alerts and advisories with constituents to proactively improve security of systems
Working to establish Phase II in 2015
• Introducing probes on Ghanaian networks and subscribing to HORNET and AWARE early warning systems
Phase III to be implemented in 2016
• Establishment of National Forensic Laboratory
17. Ghana’s Experience
Special Initiative 3:
National Cyber Security Centre
• National Cyber Security Policy Implementation: Defines, communicates and updates (when necessary) the national cyber security programs to all the CNII.
• National Coordination: Closely coordinates cyber security initiatives of various key agencies and organizations in Ghana.
• Outreach: Promotes and facilitates formal and informal mechanisms for information sharing across the CNII. This includes promoting cyber security awareness, training and education programs to grow the competency of information security professionals and the industry as a whole.
• Compliance Monitoring: Facilitates the monitoring of compliance with cyber security policies and standards across the CNII.
• Risk Assessment: Assesses and identifies cyber security threats exploiting vulnerabilities and risks across the CNII.
• Support: Assists the National Cyber Security Council in all its function activities and helps industry to test its emergency plans.
• Contribution: Contributes to application of international standards on cyber security as well as on accreditation and certification of ICT infrastructure, services and suppliers.
18. Ghana’s Experience
Special Initiative 4:
National Cyber Security Council
Governance institution with full oversight of policy and ensuring full implementation of policy after its creation
• To serve as the highest-level liaison body for cyber security
• Responsible for adopting or approving the policies put forward for implementation of the function centre.
• To ensure that appropriate policies are in place to make Ghana a safe destination for cyber activity
• To boost national image in its sphere of influence and make it a leader in the region
• To ensure Ghana is part of international conventions and is playing its role as a leader in the region
19. Ghana’s Experience
Special Initiative 5:
National Cybersecurity Crisis Management Plan
Conceived to ensure that a coordinated, swift response is made to any cyber incidents having a bearing on national security.
Objective is to:
• Increase preparedness of country against cyber attacks
• Enhance capability to respond to cyber security issues
• Provide coordinated effort in handling cyber attacks
• Minimize impact to socio-economic activities
A management committee, which will be under the council, where ultimate decisions are made on any major attacks, and a working group created as PPP and having membership from the center, the national CERT, CNII sectors and any related agencies to enforce any tactic adopted for resolving any major attacks
20. Ghana’s Experience
Implementation Timelines
STRATEGY | TIMELINE | ACTIVITIES
Short Term | Year 1-2 | Holistic assessment of CNII and addressing immediate concerns & awareness creation – Identify issues with CNII, analyze vulnerabilities and put in place stop-gap intervention to safeguard systems while setting up institutional structures and creating public awareness
Medium Term | Year 3-4 | Building the infrastructure for cyber security – Setting up the necessary systems, processes, standards and institutional arrangements (mechanisms) and building capacity amongst researchers and information security professionals
Long Term | Year 5+ | Developing self-reliance & international cooperation – Adopting technology and developing capacity of professionals, monitoring the mechanisms for compliance, evaluating and improving the mechanisms and creating the culture of cyber security
21. Ghana’s Experience
Way Forward
• Development of Ghana’s draft policy started in 2011
• Submitted to Cabinet for review and approval in 2013.
• Validation workshop held in 2015 for final Cabinet approval
• Development of detailed implementation framework of each policy pillar after Cabinet approval
• To develop or not to develop new cyber security and cybercrime laws - discussion
24. Ghana’s Experience
Definitions-1
Cyber Security is “Enhancing security and building confidence in the use of ICT applications” (ITU GCA)
Cyber Security means the collection of tools, policies, guidelines, risk management approaches, actions,
training, best practices, assurance and technologies that can be used to protect organization and user’s
assets on the cyber environment. Organization and user’s assets include connected computing devices,
computing users, applications/services, communications systems, multimedia communication, and the
totality of transmitted and/or stored information in the cyber environment. (ITU-T Recommendation
X.1205)
Cybersecurity ensures the attainment and maintenance of the security properties of the organization and
user’s assets against relevant security risks in the cyber environment. The security properties include
one or more of the following:
– Availability
– Integrity, which may include authenticity and non-repudiation
– Confidentiality
25. Ghana’s Experience
Definitions -2
• Critical Infrastructures (CI) are generally considered as the key systems,
services and functions whose disruption or destruction would have a
debilitating impact on public health and safety, commerce, and national
security, or any combination of those matters.
– Economic and industrial sectors have their own physical assets which
today depend upon reliable functioning of Critical Information
Infrastructure (CII) to deliver their services and to conduct business.
– Critical Information Infrastructure Protection (CIIP) protects virtual
elements (such as systems and data) of the CII.
26. Ghana’s Experience
Policy Pillar 1 & 2
• Effective Governance
Government will centralize coordination of national cyber security initiatives and promote effective
cooperation between public and private sectors. In order to sustain the gains from any initiatives,
government will establish formal and encourage informal information sharing exchanges.
• Legislative & Regulatory Framework
Government will in collaboration with the Attorney General’s department setup a periodic process
of reviewing and enhancing Ghana’s laws relating to cyber space to address the dynamic nature
of cyber security threats. In order to empower national law enforcement agencies to properly
prosecute cyber security crimes, government will establish progressive capacity building programs
to acquire new skills and effective ways of enforcing cyber laws. Government will ensure that all
applicable local legislation is complementary to and in harmony with international laws, treaties
and conventions.
27. Ghana’s Experience
Policy Pillar 3 & 4
• Cyber Security Technology Framework
Policy measures will be put in place to develop a national cyber security technology framework that
specifies cyber security requirement controls and baselines for CNII elements. This will be accompanied
with a mechanism to implement an evaluation/certification program for cyber security products and systems.
• Culture of security and Capacity Building
Government will invest every resource needed to develop, foster and maintain a national culture of
security. As part of the process of development of culture of cyber security, government will support the
standardization and coordination of cyber security awareness and education programmes across all
elements of the CNII. Government will also:
– Establish an effective mechanism for cyber security knowledge dissemination at the national level
– Identify minimum requirements and qualifications for information security professionals
28. Ghana’s Experience
Policy Pillar 5 & 6
• Research & Development towards Self-Reliance
In order for Ghana to become self-reliant in protecting the CNII to a level that is commensurate with the risk,
government will formalize the coordination and prioritization of cyber security research and development
activities, and enlarge and strengthen the cyber security research community. Research and development will
be encouraged by promoting the development and commercialization of intellectual properties,
technologies and innovations through focused research and development. Government will also put
measures in place to nurture the growth of the cyber security industry.
• Compliance and Enforcement
In order to ensure compliance and enforcement, policy measures and mechanism will be put in place to
standardize cyber security systems across all elements of the CNII. Government will also strengthen the
monitoring and enforcement of standards and develop a standard cyber security risk assessment
framework.
29. Ghana’s Experience
Policy Pillar 7 & 8
• Child Online Protection
Policy measures will be implemented through multi-stakeholder working by government, industry, civil
society, and relevant international child online protection agencies. Government will encourage dialogue
at national and local levels to engage all concerned and create awareness of the possibilities and
dangers of the Internet.
• Cyber Security Emergency Readiness
To ensure cyber security emergency readiness, government together with all stakeholders will develop
effective cyber security incident reporting mechanisms. This will include the development and
strengthening of the national computer security incident response team (CSIRT) and sector CSIRTs,
dissemination of vulnerability advisories and threat warnings in a timely manner and the development of
a standard business continuity management framework. The government will also encourage all
elements of the CNII to monitor cyber security events and perform periodic vulnerability assessment
programs.
30. Ghana’s Experience
Policy Pillar 9
• International Cooperation
Policy measures will be put in place to encourage active participation of
Ghana in all relevant international cyber security bodies, panels and multi-
national agencies. Government will make every effort to promote active
participation in all relevant international cyber security activities by hosting
an annual international cyber security conference.
31. Ghana’s Experience
Action Plan 2016 -2020
Item | Thrust | Actions and Special Initiatives | Policy Drivers
1 | Effective Governance | Set up governance structure and institutions to enable long-term sustenance of cyber security activity including information exchange. Institutions include: National Cyber Security Council; National Cyber Security Center; National Cyber Security Policy Working Group | Ministry of Communications, National Security Council, NITA, NCA
2 | Legislative and Regulatory Framework | Set up Cyber Law Review Committee under the Attorney General’s Department to do a study on the laws of Ghana to accommodate legal challenges in the cyber environment, with review every three years. Stage 1: Identification of issues in the cyber environment; Stage 2: Review current laws on cyber environment; Stage 3: Make recommendations for amendment of national laws | Attorney General’s Department
3 | Cyber Security Technology Framework | Review and adopt international cyber security standards such as MS ISO/IEC 27001 to increase robustness of CNII sectors; Expansion of national certification scheme for information security management & assurance | Ministry of Communications, NITA, NSC
32. Ghana’s Experience
Action Plan 2016 -2020
Item | Thrust | Actions and Special Initiatives | Policy Drivers
4 | Culture of Cyber Security & Capacity Building | Reduce number of information security incidents through improved awareness & skill level: increase certification courses on information and cyber security; Develop a National Cyber Security Awareness program and portal targeted at stakeholders by content providers using different packaging for different demographics | Ministry of Communications, Ministry of Information (National Cyber Security Council, National Cyber Security Center, National CSIRT, National Cyber Security Policy Working Group)
5 | Research & Development towards Self-Reliance | Develop National R&D Roadmap for Cyber Security: identify technologies relevant & desirable for CNII; provide domain competency development; nurture growth of cyber security industry; update roadmap regularly | National Cyber Security Council, National Cyber Security Center, National CERT, Universities, CSIR, Professional Certification Centers
6 | Compliance & Enforcement | Develop Risk Assessment framework for CNII |
33. Ghana’s Experience
Action Plan 2016 - 2020
Item | Thrust | Actions & Special Initiatives | Policy Drivers
7 | Child Online Protection | Develop a framework for the protection of children as they engage with the Internet which ensures that agencies and stakeholders work together to address children’s online risk by: 1. Ensuring that organizational structures are put in place for a monitoring framework and for technical and procedural measures for working with all stakeholders; 2. Capacity building – awareness raising and public education; 3. Legal measures; 4. Implementation and international cooperation | Ministry of Communications; Ministry of Gender, Children and Social Protection; Ministry of Interior; Ministry of Education
34. Ghana’s Experience
Action Plan 2016 -2020
Item | Thrust | Actions & Special Initiatives | Policy Drivers
8 | Cyber Security Emergency Readiness | Framework for cyber attack response – mitigation of cyber attacks: National and sector CSIRTs; National Cyber Crisis Management Committee; National Cyber Crisis Management WG | Private Sector and Government Network Operators, Academic, Financial Sectors, Security agencies, Utilities, National Cyber Security Council
9 | International Cooperation | Engage in relevant international cyber security meetings; Prioritize international engagements, sign and ensure compliance with international/regional conventions | Ministry of Communications, Ministry of Foreign Affairs, Attorney General’s Department, National Security Council