Published on

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide


  1. 1. National Cybersecurity Management System Mohamed Dafir EL KETTANI PhD, ISO 27001 Lead Implementer ProfessorENSIAS, University Mohammed V-Souissi, Morocco
  2. 2. Agenda1 – Introduction2 – National Cybersecurity Management System NCSec Framework Maturity Model Roles & Responsibilities Implementation Guide3 – Morocco Case ICT Strategic Plan Cybersecurity Roadmap4 – Conclusion
  3. 3. 1 - Introduction
  4. 4. Introduction (1/3)• Increasing computer security challenges in the world;• Which entity(s) should be given the responsibility for National Cyber Security? – Case by case organisational structures – Partially standardized organisational structures (for example, CERTs)• Self-Assessment: – Best practices that organizations can refer to evaluate their readiness status; – Case by case strategies – Gap between countries and regions 1
  5. 5. Introduction (2/3)• But, there is lack of international standards (clear guidance) with which a State or region can measure its current security status. – Lack of framework – Lack of global vision in terms of: • Capacity building, Certification, • Self assessment • Responsibilities & Roles • Implementation process • Measurement through indicators • etc. – Harmonization between countries and regions is a delicate process 2
  6. 6. Introduction (3/3)• The main objective of this presentation is to propose a Model of National Cybersecurity Management System (NCSecMS), which is a global framework that best responds to the needs expressed by the ITU Global Cybersecurity Agenda (GCA 2007). – More than recommendations... – ... result of benchmarking – Answers real needs in terms of CyberSecurity – Adapted to a case by case implementation process• Working Team : – Former members of the HLEG Working Area 3 (Organisational Structures) 3
  7. 7. 2 – National Cybersecurity Management System
  8. 8. NCSecMS Components NCSec Management System 1 NCSecFR ITU ISODocuments 27002 NCSec Framework 5 Domains 34 Processes 2 NCSec NCSecMMCOBIT V4.1 Framework Maturity Model For each Process 3 NCSecRR National NCSecStakeholders Framework Roles & RACI Chart Responsibilities by Process 4 ISO ISO NCSecIG 27003 27001 Implementation PDCA Guide 4
  9. 9. NCSecMS Components ITU Q22/1 (September 2009) NCSec Management System Moroccan Proposal ICEGOV 2008 1 NCSecFR Conference ITU ISODocuments 27002 NCSec Framework 5 Domains 34 Processes ECEG 2009 2 Conference NCSec NCSecMMCOBIT V4.1 Framework Maturity Model For each Process ECIW 2009 3 NCSecRR Conference National NCSecStakeholders Framework Roles & RACI Chart Responsibilities by Process ITU Tunis 2009 4 National ISO ISO NCSecIG 27003 27001 Implementation PDCA Recommandation Guide 6
  10. 10. NCSecMS Components ITU Q22/1(September 2009) NCSec Management SystemMoroccan Proposal 1 NCSecFR–Points out vulnerabilities NCSec Framework 5 Domains 34 Processes & demonstrate them to gov.–Provides metrics to measure 2their achievement NCSecMM Maturity Model For each Process – Points out Roles 3 NCSecRR and Responsibilities Roles & RACI Chart Responsibilities by Process – Find out needed profiles to achieve the role of 4 a stakeholder NCSecIG Implementation PDCA Guide 4
  11. 11. 2.1 – National Cybersecurity Framework
  12. 12. NCSec Framework : 5 Domains / 34 proc 5
  13. 13. Domain 1: Strategy and Policies (SP)Proc Process Description NCSec StrategySP1 Promulgate & endorse a National Cybersecurity Strategy Lead InstitutionsSP2 Identify a lead institutions for developing a national strategy, and 1 lead institution per stakeholder category NCSec PoliciesSP3 Identify or define policies of the NCSec strategy Critical Information Infrastructures ProtectionSP4 Establish & integrate risk management for identifying & prioritizing protective efforts regarding CII StakeholdersSP5 Identify the degree of readiness of each stakeholder regarding to the implementation of NCSec strategy & how stakeholders pursue the NCSec strategy & policies 6
  14. 14. Domain 2: Implementation and Organisation (IO)Proc Process Description NCSec CouncilIO1 Define National Cybersecurity Council for coordination between all stakeholders, to approve the NCSec strategy NCSec AuthorityIO2 Define Specific high level Authority for coordination among cybersecurity stakeholders National CERTIO3 Identify or establish a national CERT to prepare for, detect, respond to, and recover from national cyber incidents Privacy and Personnal Data ProtectionIO4 Review existing privacy regime and update it to the on-line environment LawsIO5 Ensure that a lawful framework is settled and regularly levelled InstitutionsIO6 Identify institutions with cybersecurity responsibilities, and procure resources that enable NCSec implementation National Experts and PolicymakersIO7 Identify the appropriate experts and policymakers within government, private sector and university TrainingIO8 Identify training requirements and how to achieve them GovernmentIO9 Implement a cybersecurity plan for government-operated systems, that takes into account changes management International ExpertiseIO10 Identify international expert counterparts and foster international efforts to address cybersecurity issues, including information sharing and assistance efforts 7
  15. 15. Domain 3: Awareness and Communication (AC)Proc Process DescriptionAC1 Leaders in the Government Persuade national leaders in the government of the need for national action to address threats to and vulnerabilities of the NCSec through policy-level discussionsAC2 National Cybersecurity and Capacity Manage National Cybersecurity and capacity at the national levelAC3 Continuous Service Ensure continuous service within each stakeholder and among stakeholdersAC4 National Awareness Promote a comprehensive national awareness program so that all participants—businesses, the general workforce, and the general population—secure their own parts of cyberspaceAC5 Awareness Programs Implement security awareness programs and initiatives for users of systems and networksAC6 Citizens and Child Protection Support outreach to civil society with special attention to the needs of children and individual usersAC7 Research and Development Enhance Research and Development (R&D) activities (through the identification of opportunities and allocation of funds)AC8 CSec Culture for Business Encourage the development of a culture of security in business enterprisesAC9 Available Solutions Develop awareness of cyber risks and available solutionsAC10 NCSec Communication 8 Ensure National Cybersecurity Communication
  16. 16. Domain 4 :Compliance and Coordination (CC)PS Process DescriptionCC1 International Compliance & Cooperation Ensure regulatory compliance with regional and international recommendations, standards …CC2 National Cooperation Identify and establish mechanisms and arrangements for cooperation among government, private sector entities, university and ONGs at the national levelCC3 Private sector Cooperation Encourage cooperation among groups from interdependent industries (through the identification of common threats) Encourage development of private sector groups from different critical infrastructure industries to address common security interest collaboratively with government (through the identification of problems and allocation of costs)CC4 Incidents Handling Manage incidents through national CERT to detect, respond to, and recover from national cyber incidents, through cooperative arrangement (especially between government and private sector)CC5 Points of Contact Establish points of contact (or CSIRT) within government, industry and university to facilitate consultation, cooperation and information exchange with national CERT, in order to monitor and evaluate NCSec performance in each sector 9
  17. 17. Domain 5: Evaluation and Monitoring (EM)Proc Process Description NCSec ObservatoryEM1 Set up the NCSec observatory Mechanisms for EvaluationEM2 Define mechanisms that can be used to coordinate the activities of the lead institution, the government, the private sector and civil society, in order to monitor and evaluate the global NCSec performance NCSec AssessmentEM3 Assess and periodically reassess the current state of cybersecurity efforts and develop program priorities NCSec GovernanceEM4 Provide National Cybersecurity Governance 10
  18. 18. 2.2 – Maturity Model
  19. 19. Maturity Model• CMMs Five Maturity Levels of Software Processes: • 1 : At the initial level, processes are disorganized, even chaotic. • 2 : At the repeatable level, basic project management techniques are established, and successes could be repeated. • 3 : At the defined level, an organization has developed its own standard software process. • 4 : At the managed level, an organization monitors and controls its own processes through data collection and analysis. • 5 : At the optimizing level, processes are constantly being improved through monitoring feedback 11
  20. 20. Maturity ModelPS Process Level 1 Level 2 Level 3 Level 4 Level 5 DescriptionSP1 Promulgate & Recognition of the NCSec is NCSec is NCSec is under NCSec is under endorse a National need for a announced & operational for all regular review continuous Cybersecurity National strategy planned. key activities improvement StrategySP2 Identify a lead Some institutions Lead institutions Lead institutions Lead institutions Lead institutions institution for have an are announced are operational are under regular are under developing a national individual cyber- for all key for all key review continuous strategy, and 1 lead security strategy activities activities improvement institution per stakeholder categorySP3 Identify or define Ad-hoc & Similar & Policies and National best Integrated policies of the Isolated common procedures are practices are policies & NCSec strategy approaches to processes defined, applied procedures policies & announced & documented, &repeatable Transnational practices planned operational best practiceSP4 Establish & Recognition of the CIIP are Risk management CIIP risk CIIP risk integrate risk need for risk identified & process is management management management management planned. Risk approved & process is process evolves process for process in CIIP management operational for all complete, to automated identifying & process is CIIP repeatable, and workflow & prioritizing announced lead to CI best integrated to protective efforts practices enable regarding NCSec improvement (CIIP) 11
  21. 21. Self-Assessment SP1 5 EM4 4 SP4 3 2CC2 1 IO2 0 SP1 Strategy CC1 IO3 SP4 CIIP IO2 Authority IO3 N-CERT IO5 Laws AC5 IO5 AC5 Awareness Prg CC1 Intern Coop CC2 Nat Coord EM4 Governance 12
  22. 22. 2.3 - Roles and Responsibilities (RACI Chart)
  23. 23. RACI Chart / Stakeholders NCSec Strategy Promulgate & endorse aSP1 National I A C C R C C C I I R I I I Cybersecurity Strategy Lead Institutions Identify a lead institutions for developing aSP2 national strategy, I I A C R C C I I R C C C C and 1 lead institution per stakeholder category NCSec Policies Identify or define policiesSP3 A C R C I C I R I I of the NCSec strategy Critical Infrastructures Establish & integrate risk management forSP4 identifying & A R R C I R C R I prioritizing protective efforts regarding NCSec (CIIP) 13 R = Responsible, A = Accountable, C = Consulted, I = Informed
  24. 24. 2.4 – Implementation Guide
  25. 25. Implementation Guide•A roadmap to assist High Level Decision MakersCyberSecurity Implementationat the National Level 1 HL HL Awarness Approve Commitment Implementation 2 HL NCSec NCSecCommitment Framework Define Scope Strategy & Strategy 3 NCSec NCSec Nat. Inf Sec Conduct Strategy Maturity Model Assessment National Context Analysis 4 Nat. Inf Sec NCSec Processes Assessment Framework Conduct Risk Selected Assessment 5 NCSec Processes NCSec Design Managnt Syst Selected RACI Chart NCSec Managnt System 6 ISO NCSec MS NCSecIG Implement 27001 Implemt Prg 14 NCSec Managnt System
  26. 26. ACM Publication 15
  27. 27. 3 – Morocco Case
  28. 28. “Maroc Numeric 2013” Morocco ICT Strategic Plan consists of… 2 Accompanying 2 Implementation 4 Strategic Priorities Measures Modes User-Oriented Social Computerization IT Industry HumanTransformation Development of of SMEs Development Capital Cybersecurity Governance Budget Public ServicesEnsuring Access Public SMEs Entrepreneurial Supervision and Financial to Education Administration Professional Regulatory Follow-up and Areas of Cluster TI Governance Resources Players Efficiency Solutions Cluster TI Framework Structures Excellence Internet Citizens’ Raising Organizational Broadband IT Offshoring Offshoring TI Training Plans IT Observatory Services Awareness Offshoring TI Structures AccessLocal Content Enterprises’ Mobilization of New Training Promotion andDevelopment Services prescriptions Courses Awareness 18 Initiatives 51 actions 16 28
  29. 29. Cybersecurity (1/2) Ambition Objectives 2013 • Compliance of IT Moroccan Laws (Protection of Ensure business trust, enhance Personal Data, Consumer Protection, Legal Electronic Cyber-confidence security capabilities, and secure Data Exchange) with common international Laws critical information infrastructures • 60 000 Electronic Certificates deliveredInitiatives Projects Description Protection of Set up the National Commission for Data Protection (CNDP) Personal Data Regulatory Consumer Framework Elaborate the necessary legal and regulatory texts to protect online Consumers Protection ICT Legal Study Upgrade/update the legal and regulatory framework in order to face the Cybersecurity challenges and harmonize it with the partners countries Electronic Certification Provider Support the creation of PKI provider for ensuring electronic signature Creation of Computer Organizational Emergency Response Set up the National Computer Emergency Response Team (MA-CERT) Structures Team (ma-CERT) Critical Information Infrastructures Encourage the development of backup sites to ensure the Business Continuity Protection of Critical Information Infrastructures in Morocco 17 29
  30. 30. Cybersecurity (2/2)Initiatives Projects Description Awareness and Child/Younger Arise awareness of the children, younger and parents on the Cybersecurity Online Protection Communication and cyberconfidence issues s Administration and Enterprise Arise awareness of the administration and enterprises on the Cybersecurity awareness and cyberconfidence issues ISS integration in the Integrate the Information Security Systems (ISS) in the Higher Scientific Higher Education Education and training programs Judge/Magistrate Capacity ISS Training Ensure training on ISS for judges/magistrates building Continuous Training Ensure continuous training for administration employees/officials on ISS 18 30
  31. 31. 4 – Conclusion
  32. 32. Conclusion• NCSecMS: – More than a best practice document related to National CyberSecurity. – Affords a complete environment with indicators at the national level, – Provides metrics to measure their achievement, and to identify from a cybersecurity viewpoint the associated responsibilities of stakeholders and control process.• Extensions: – Quality of implementation measurement for each element – Security metrics : a meaningful gauge of NCSec perf. – Costs and benefits of an organized, mature and high- quality security program can be better understood 19
  33. 33. Conclusion• National Cybersecurity Capacity Building: – Affords a complete environment describing needs and profiles at the national level, – Might provide metrics to measure their achievement, – Identifies from a cybersecurity viewpoint the associated responsibilities of stakeholders and the needed profiles (certification, etc.)• Extensions : – Quality of implementation measurement for each element – Capacity Building metrics – High-quality security adequate profiles can better answer national needs 20
  34. 34. Conclusion• Results: – NCSecMS: Adopted as a National Recommandation by the ITU during the ITU Regional Cybersecurity Forum for Africa and Arab States (4-5 June 2009, Tunis) – NCSecMS & ITU: Q22.1- september 2009• Extension of this work: – Questionnaire elaboration – A benchmarking tool for evaluating CyberSecurity at the trans-national level, in collaboration with the ITU within its Global CyberSecurity Agenda: some national case studies 21
  35. 35. Thank you for your attention Email : dafir@ensias.ma