Published in: Technology

  1. Protecting Investors and Industry: How Mauritius handles cyber Security. CTO Cyber Security Forum 2010, 17 & 18 June 2010, UK, London
  2. Mauritius positioning itself as a regional hub
      • Commitment by Govt in the late 90’s to turn Mauritius into a cyber island
        • legal framework, financial incentives
          • double taxation treaties with approx. 32 countries
          • Low corporate tax of 15%
          • Business Facilitation Act
            • Reduce administrative bureaucracy in the setting up of a business in Mauritius by foreigners
      • Affordable, secure & reliable infrastructure
        • Global connectivity @ competitive rates
        • Creation of state-of-the-art technology parks (e.g. Ebene Cybercity)
      • A skilled, bilingual and cosmopolitan workforce
        • International companies like Infosys, Microsoft, Accenture, and TNT that have a delivery center in Mauritius are now capitalizing on the local skills for their BPO operations
  3. State of health of the ICT Investment & Industry in Mauritius
      • Some indicators for the ICT sector between 2007 – 2009
        • Growth rate maintained @ 15% - 16%
        • Employment increased from 10,300 to 11,500
        • Number of ICT-BPO companies: 185 to 300 (90 in 2005)
          • BPO represents approx. 45% of the ICT industry
        • Turnover for IT services & IT enabled services industry doubled in that period
        • Turnover for telecommunications increased by 25%
  4. ICT & BPO activities requirements
      • Activities include
        • payroll administration,
        • processing of receivables and payables, document and data management,
        • multimedia and web design,
        • emergence of higher end BPO activities
          • software development, web-enabled activities,
          • Business continuity & disaster recovery services
      • With ICT affirming itself as a resilient and growing economic pillar for the Mauritian economy,
        • monitoring & ensuring the security and privacy aspects of ICT & BPO companies is of prime importance
        • This warranted the adoption of the right cybersecurity strategy at the national level
  5. Holistic approach
      • The National Information Security Strategy Plan (NISS) as part of the National Information Communication Technologies Strategic Plan (NICTSP) 2007 - 2011
        • ICT as an economic pillar for Mauritius
        • Mauritius as a Regional ICT Hub
          • Image building as a safe e-harbour for the ICT BPO sector
      • Both NICTSP & NISS considered as
        • living and breathing resources
          • Used as dash boards for implementation of resulting Action Plans
  6. NICTSP & NISS as living and breathing resources
      • Legal framework
        • Electronic Transactions Act 2000
        • Information and Communication Technologies Act 2001
        • Computer Misuse and Cyber-Crime Act 2003
        • Data Protection Act 2004
        • Forthcoming legislations
          • New IP & Copyright Act (will include DRM)
          • Online Child Protection
          • Anti-spam
      • Implementation & institutional framework
        • Parent ICT Ministry
        • ICT Authority (Regulator)
        • National Computer Board (promotion of ICTs in Mauritius)
        • Central Informatics Bureau (computerisation of Ministries)
      • Main Challenges
        • Mapping of cyber security responsibilities onto the local institutions, properly aligned with the legal framework
        • Operationalise cyber security services (confidentiality, integrity & availability) thru’ well thought out cybersecurity project plans
  7. NISS Action Plan Framework
      • Action Lines identified
        • Continuous improvement of policy, legal and regulatory frameworks for addressing cybersecurity
        • Capacity building to increase stakeholders’ awareness and transfer of knowledge
        • Improved detection of and responses to breaches in cybersecurity
        • Increased protection to reinforce cybersecurity
  8. Action Line 1: Policy, legal & regulatory frameworks improvements
      • Data Protection Act 2004 in accordance with EU directives
        • The right to know what information is held about you
        • Framework to ensure that personal information is protected & properly handled
        • Appointment of a Data Protection Commissioner
      • Electronic Transactions Act 2000
        • Legal sanctity to digital signatures for secure e-transactions
        • Setting up of the Mauritian Public Key Infrastructure (PKI) aligned with the Indian PKI
        • Regulation under way to set up a PKI licensing framework
      • Information and Communication Technologies Act 2001
        • Creation of the ICT Regulatory body in 2002
        • Amendments presently proposed to include, amongst others,
          • further adaptation of the licensing framework to the converging ICT environment
          • definition of a Critical Information Infrastructure framework
      • Computer Misuse and Cyber-Crime Act 2003
        • Offences under the Act pertain to activities in which computers or networks are a tool, a target or a place of criminal activity (aligned with Council of Europe’s Convention on Cybercrime)
        • Setting up of the National Cybercrime Prevention Committee (NCPC)
  9. Action Line 1: Policy, legal & regulatory frameworks improvements (contd)
      • NCPC mandates (benchmarked with ITU HLEG report on Cybercrime)
        • Mapping the different types of cybercrimes with provisions of Computer Misuse & Cybercrime Act in terms of substantive criminal and procedural provisions therein
        • Assessing the technical and procedural measures deployed
        • Understanding the role of different organisational structures involved in combating cybercrime
        • Identifying capacity building requirements; and
        • Optimising on the need for international cooperation
  10. Action Line 1: Policy, legal & regulatory frameworks improvements (contd)
      • NCPC forthcoming projects
        • A Portal to centralise the initiatives taken by different stakeholders involved in cybercrime detection & prevention
          • It will also host the online reporting mechanism for the citizens of Mauritius to file complaints
        • A cybersecurity observatory which will collect data at the national and international level
          • so that analysis to detect patterns and trends can be performed
        • Setting up of a National Cybercrime Watch Centre
          • to identify and deal effectively with threats and risks related to cybercrime
  11. Action Line 2: Capacity building to increase stakeholders’ awareness and transfer of knowledge
      • Ongoing interventions of awareness and capacity building
        • To establish a culture of information security in businesses, government and society
          • Information Security Risk Management practices
          • ISO 27001 ISMS
        • On cybercrime detection & prevention techniques for law enforcement and the industry
        • To promote cooperation between industry and academia on knowledge sharing in information security areas through the holding of regular annual conferences on Information Security
  12. Action Line 3: Improved detection of and responses to breaches in cybersecurity
      • Police Cybercrime Unit created in 2000
        • Takes into consideration
          • Data Protection Act
          • Information & Communication Technologies Act
          • Computer Misuse & Cybercrime Act
      • Computer Emergency Response Team (CERT-mu) set up in 2008
        • Security alerts & cybersecurity advisory roles
        • Will need to be upgraded to include
          • a monitoring infrastructure to proactively handle cybersecurity incidents
          • an Incident Management System to record reported incidents in order to provide statistics and status tracking
  13. Action Line 4: Increased protection to reinforce cybersecurity
      • Deployment of a Content Security Monitoring Solution in the pipeline
        • A centralised content filtering service that enables ISPs to effectively filter
          • Child Sexual Abuse sites &
          • web contents classified as illegal by local authorities
        • Two-step filtering solution to ensure minimal QoS degradation:
          • ISPs route traffic for blacklisted IP addresses to a filtering server deployed at the Internet gateway
          • the filtering server checks the URL against the blacklist using packet inspection
          • if the request is blocked, it is not passed on to the destination web site but redirected to a blocking server, which displays a block page
  14. Conclusion
      • “Much work is needed to increase the security of the Internet and its connected computers and to make the environment more reliable for everyone. Security is a mesh of actions and features and mechanisms. No one thing makes you secure.” Vint Cerf
      • Thank you
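
The two-step filtering decision described on slide 13, sketched as an added example (not code from the presentation or from the deployed solution). It shows why only traffic to listed IP addresses pays the inspection cost, and why a non-listed site sharing a listed IP still gets through. All addresses, domains, the block-page URL and the exact host-plus-path matching rule are constructed assumptions.

```python
"""Added illustration of the two-step filter on slide 13; names and data are constructed."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data (documentation address ranges and example domains).
BLOCKED_URLS = {("blocked.example", "/listed/page.html")}
# Step 1 list: IP addresses that host at least one blacklisted URL.
SUSPECT_IPS = {ipaddress.ip_address("203.0.113.10")}
BLOCK_PAGE = "http://blockpage.example/"  # hypothetical blocking server


def normalise(url):
    """Reduce a URL to the (host, path) pair compared against the blacklist."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    return host, parts.path or "/"


def step1_route(dst_ip):
    """ISP router: divert only traffic for suspect IPs to the filtering server."""
    return "filter" if ipaddress.ip_address(dst_ip) in SUSPECT_IPS else "direct"


def step2_inspect(url):
    """Filtering server: block only an exact blacklisted URL, pass the rest."""
    return "block" if normalise(url) in BLOCKED_URLS else "pass"


def handle_request(dst_ip, url):
    """Return (path taken, where the request ends up)."""
    if step1_route(dst_ip) == "direct":
        return "direct", url            # never touches the filter: no QoS cost
    if step2_inspect(url) == "block":
        return "filtered", BLOCK_PAGE   # not passed on to the destination site
    return "filtered", url              # site sharing the IP is not overblocked


def run_samples():
    """Run three constructed requests through both steps."""
    requests = [
        ("198.51.100.7", "http://news.example/"),
        ("203.0.113.10", "http://BLOCKED.example/listed/page.html"),
        ("203.0.113.10", "http://neighbour.example/index.html"),
    ]
    return [handle_request(ip, url) for ip, url in requests]


if __name__ == "__main__":
    for result in run_samples():
        print(result)
```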