System of security controls


Published on

The System of Security Controls for Cyber Security
Veaceslav PUȘCAȘU
E-Government Center
Government of the Republic of Moldova

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

System of security controls

  1. 1. The System of Security Controls for Cyber Security October 3th , 2013 GOVERNMENT OF THE REPUBLIC OF MOLDOVA Veaceslav PUȘCAȘU, CISM E-Government Center / Government CIO Government of the Republic of Moldova
  2. 2. This prezentaion is e-Government Center2 • A summary of what was presented and discussed during the training seminars provided by Estonian e-Governance Academy • A summary of ideas circulated and discussed during the meetings of Cyber Security Roadmap focal group which includes reprezentatives from MA, MTIC, SIS, CTS, CNPDCP, MAI • A summary of the experience gained by some public institutions in Republic of Moldova • A summary of experience gained by other countries, ex. Estonia
  3. 3. Cyber Space Cyber Space - an environment resulted from all types of interactions by means of software hardware and communication infrastructure.
  4. 4. Cyber Security e-Government Center4 Cyber Security - a normality reached as a result of applying a set of proactive and reactive measures to ensure confidentiality, integrity, availability, authenticity and nonrepudiation of information, resources and services in cyber space
  5. 5. Cyber Security Threats e-Government Center5
  6. 6. Cyber Security in Republic of Moldova e-Government Center6 Trends • Increasingly usage of electronic service in public sectors including in interaction with citizens and business • Increasingly usage of mobile device; • Widespread of Internet and using it for business propose; • Increasing usage of ICT in national critical infrastructure; • Increasing usage of ICT infrastructure to launch cyber attacks against other nations.
  7. 7. Cyber Security in Republic of Moldova e-Government Center7 Threats • Lack of a common approach for cyber security at the state level; • Lack of clear organizational structure at both the state and institutional level; • Lack of qualified people in the field; • Very low level of awareness of the threats and safeguards in cyberspace; • Lack of an unique set of measures (system of security baselines/controls) that should be applied according to the criticality of the systems; • ………
  8. 8. Standards and Technical Regulations e-Government Center8 • Hotărârea Guvernului nr. 1123 din 14.12.2010 privind aprobarea Cerinţelor faţă de asigurarea securităţii datelor cu caracter personal la prelucrarea acestora în cadrul sistemelor informaţionale de date cu caracter personal; • Reglamentare tehnică. Asigurarea securităţii informaţiei a infrastructurii informaţionale pentru autorităţile administraţiei publice, anexa nr.2 la ordinul MTIC 106 din 20 decembrie 2010. • SM SR ISO/IEC 27001:20006
  9. 9. Challenges e-Government Center9 • Define requiremets and luck of implemenation guidlines; • Depend on the skills and knolwledge of the persons involved in implemenation; • Mostly are based on risk assesment; • No sicronization between them; • etc.
  10. 10. System of Cyber Security Controls – Elaboration Process e-Government Center10
  11. 11. System of Cyber Security Controls - ToRs e-Government Center11 • Adopt an international best practice; • Mandatory for public authorities; • Compliant with current legislations framework; • Include : Physical measures; Technical measures; Organizational measures. • Define security classification levels (integrity, confidentiality, availability): Low, Medium, High; • Free of charge and updated regularly; • Provide requirements and clear guidance on how to implement them; Examples: Recommended Security Controls for Federal Information Systems and Organizations (NIST 800-53), BSI (IT-Grundschutz Methodology) , ISKE ,SANS TOP 20, etc.
  12. 12. Compliance Certification of Authorities e-Government Center12 Do not invent the wheel. It has already been invented… • Outsource to private sector • Define a compliance certification framework taking into consideration: – International experience – ex. PCI DSS – Local experience – ex. BNM • Require international recognized certification (ex. CISA, CISM, CISSP, etc.)
  13. 13. System of Cyber Security Controls – Quick Wins e-Government Center13 • Start with some simple things which can be implemented quickly • Develop and expand to rich a state of “normality” • Develop cyber security guide based on SANS 20 Critical Controls for Cyber Defense • Encourage public authorities to implement the guide. Identify and fix the issues • Include this guide as a part of the System of Cyber Security Controls
  14. 14. Summary e-Government Center14 • One of the threats to cyber security is lack of security baselines that should be applied according to the criticality of the systems • Defining and implementing of a System of Cyber Security Controls is a complex task which take time to do it right • We should start with something simple which can be implemented quickly • Further we should develop and expand to reach a state of “normality”
  15. 15. Thank you ! e-Government Center15