Published in: Technology
  1. Protecting Investors and Industry: How Mauritius Handles Cyber Security
     CTO Cyber Security Forum 2010, 17 & 18 June 2010, London, UK
  2. Mauritius positioning itself as a regional hub
       • Commitment by Government in the late 90s to turn Mauritius into a cyber island
           • Legal framework and financial incentives
               • Double taxation treaties with approx. 32 countries
               • Low corporate tax of 15%
               • Business Facilitation Act
                   • Reduce administrative bureaucracy in the setting up of a business in Mauritius by foreigners
       • Affordable, secure & reliable infrastructure
           • Global connectivity at competitive rates
           • Creation of state-of-the-art technology parks (e.g. Ebene Cybercity)
       • A skilled, bilingual and cosmopolitan workforce
           • International companies like Infosys, Microsoft, Accenture, and TNT have a delivery center in Mauritius and are now capitalizing on the local skills for their BPO operations
  3. State of health of the ICT Investment & Industry in Mauritius
       • Some indicators for the ICT sector between 2007 and 2009
           • Growth rate maintained at 15% - 16%
           • Employment grew from 10,300 to 11,500
           • Number of ICT-BPO companies: 185 to 300 (90 in 2005)
               • BPO represents approx. 45% of the ICT industry
           • Turnover for IT services & IT enabled services industry doubled in that period
           • Turnover for telecommunications increased by 25%
  4. ICT & BPO activities requirements
       • Activities include
           • Payroll administration
           • Processing of receivables and payables, document and data management
           • Multimedia and web design
           • Emergence of higher end BPO activities
               • Software development, web-enabled activities
               • Business continuity & disaster recovery services
       • With ICT affirming itself as a resilient and growing economic pillar for the Mauritian economy,
           • Monitoring & ensuring the security and privacy aspects of ICT & BPO companies is of prime importance
           • Warranted the adoption of the right cybersecurity strategy at the national level
  5. Holistic approach
       • The National Information Security Strategy Plan (NISS) as part of the National Information Communication Technologies Strategic Plan (NICTSP) 2007 - 2011
           • ICT as an economic pillar for Mauritius
           • Mauritius as a Regional ICT Hub
               • Image building as a safe e-harbour for the ICT BPO sector
       • Both NICTSP & NISS considered as
           • Living and breathing resources
               • Used as dashboards for implementation of resulting Action Plans
  6. NICTSP & NISS as living and breathing resources
       • Legal framework
           • Electronic Transactions Act 2000
           • Information and Communication Technologies Act 2001
           • Computer Misuse and Cyber-Crime Act 2003
           • Data Protection Act 2004
           • Forthcoming legislation
               • New IP & Copyright Act (will include DRM)
               • Online Child Protection
               • Anti-spam
       • Implementation & institutional framework
           • Parent ICT Ministry
           • ICT Authority (Regulator)
           • National Computer Board (promotion of ICTs in Mauritius)
           • Central Informatics Bureau (computerisation of Ministries)
       • Main challenges
           • Mapping of cyber security responsibilities onto the local institutions, properly aligned with the legal framework
           • Operationalise cyber security services (confidentiality, integrity & availability) through well thought out cybersecurity project plans
  7. NISS Action Plan Framework
       • Action Lines identified
           • Continuous improvement of policy, legal and regulatory frameworks for addressing cybersecurity
           • Capacity building to increase stakeholders' awareness and transfer of knowledge
           • Improved detection of and responses to detect breaches in cybersecurity
           • Increased protection to reinforce cybersecurity
  8. Action Line 1: Policy, legal & regulatory frameworks improvements
       • Data Protection Act 2004 in accordance with EU directives
           • The right to know what information is held about you
           • Framework to ensure that personal information is protected & properly handled
           • Appointment of a Data Protection Commissioner
       • Electronic Transactions Act 2000
           • Legal sanctity to digital signatures for secure e-transactions
           • Setting up of the Mauritian Public Key Infrastructure (PKI) aligned with the Indian PKI
           • Regulation under way to set up a PKI licensing framework
       • Information and Communication Technologies Act 2001
           • Creation of the ICT Regulatory body in 2002
           • Amendments presently proposed to include, amongst others,
               • Further adapt the licensing framework to the converging ICT environment
               • Definition of a Critical Information Infrastructure framework
       • Computer Misuse and Cyber-Crime Act 2003
           • Offences under the Act pertain to activities in which computers or networks are a tool, a target or a place of criminal activity (aligned with Council of Europe’s Convention on Cybercrime)
           • Setting up of the National Cybercrime Prevention Committee (NCPC)
  9. Action Line 1: Policy, legal & regulatory frameworks improvements (contd)
       • NCPC mandates (benchmarked with ITU HLEG report on Cybercrime)
           • Mapping the different types of cybercrimes with provisions of Computer Misuse & Cybercrime Act in terms of substantive criminal and procedural provisions therein
           • Assessing the technical and procedural measures deployed
           • Understanding the role of different organisational structures involved in combating cybercrime
           • Identifying capacity building requirements
           • Optimising on the need for international cooperation
  10. Action Line 1: Policy, legal & regulatory frameworks improvements (contd)
       • NCPC forthcoming projects
           • A portal to centralise the initiatives taken by different stakeholders involved in cybercrime detection & prevention
               • It will also host the online reporting mechanism for the citizens of Mauritius to file complaints
           • A cybersecurity observatory which will collect data at the national and international level
               • Analysis to detect patterns and trends can be performed
           • Setting up of a National Cybercrime Watch Centre
               • Identify and deal effectively with threats and risks related to cybercrime
  11. Action Line 2: Capacity building to increase stakeholders' awareness and transfer of knowledge
       • Ongoing interventions of awareness and capacity building
           • To establish a culture of information security in businesses, government and society
               • Information Security Risk Management practices
               • ISO 27001 ISMS
           • On cybercrime detection & prevention techniques for law enforcement and the industry
           • To promote cooperation between industry and academia on knowledge sharing in information security areas through the holding of regular annual conferences on Information Security
  12. Action Line 3: Improved detection of and responses to detect breaches in cybersecurity
       • Police Cybercrime Unit created in 2000
           • Takes into consideration
               • Data Protection Act
               • Information & Communication Technologies Act
               • Computer Misuse & Cybercrime Act
       • Computer Emergency Response Team (CERT-mu) set up in 2008
           • Security alerts & cybersecurity advisory roles
           • Will need to be upgraded to include
               • A monitoring infrastructure to proactively handle cybersecurity incidents
               • An Incident Management System to record reported incidents in order to provide statistics and status tracking
  13. Action Line 4: Increased protection to reinforce cybersecurity
       • Deployment of a Content Security Monitoring Solution in the pipeline
           • A centralised content filtering service that enables ISPs to effectively filter
               • Child Sexual Abuse sites &
               • Web contents classified as illegal by local authorities
           • Two-step filtering solution to ensure minimal QoS degradation by
               • Routing of blacklisted IP addresses by ISPs to a filtering server deployed at the Internet gateway
               • Filtering server checks the URL against the blacklist using packet inspection
               • If a request is blocked, it is not passed on to the destination web site but redirected to a blocking server, which displays a block page
  14. Conclusion
       • “Much work is needed to increase the security of the Internet and its connected computers and to make the environment more reliable for everyone. Security is a mesh of actions and features and mechanisms. No one thing makes you secure.” Vint Cerf
       • Thank you
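
The two-step filtering flow from slide 13, as an added sketch that is not part of the original slides: it shows why only traffic to listed IP addresses pays the inspection cost, and why a site sharing an IP with a listed URL is still passed. The resolver table, addresses, URLs and function names are constructed or hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample data (documentation address ranges and example domains).
URL_BLACKLIST = {"blocked.example/listed/page"}
DNS = {  # hypothetical resolver table: host -> IP
    "blocked.example": "192.0.2.10",
    "neighbour.example": "192.0.2.10",   # shares its IP with a listed site
    "news.example": "198.51.100.7",
}
# The step-1 list is derived from the URL list: every IP hosting a listed URL.
IP_BLACKLIST = {DNS[u.split("/", 1)[0]] for u in URL_BLACKLIST}


def normalise(url):
    """Reduce a URL to lowercase host + path, the key used in URL_BLACKLIST."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host + parts.path.rstrip("/")


def isp_route(dest_ip):
    """Step 1 at the ISP: only traffic to listed IPs is diverted."""
    return "filter" if dest_ip in IP_BLACKLIST else "direct"


def filtering_server(url):
    """Step 2 at the gateway: exact URL check, then block or pass on."""
    return "block_page" if normalise(url) in URL_BLACKLIST else "pass"


def handle(url):
    """Return (path taken, outcome) for one HTTP request."""
    dest_ip = DNS[urlsplit(url).hostname]
    if isp_route(dest_ip) == "direct":
        return ("direct", "pass")          # never inspected, no QoS cost
    return ("filter", filtering_server(url))


def inspected_share(urls):
    """Fraction of requests that had to pass through the filtering server."""
    return sum(handle(u)[0] == "filter" for u in urls) / len(urls)
```

The URL check assumes the filtering server can read the request line, which holds for plaintext HTTP.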