Managing Cybersecurity Risks and Compliance Requirements in the Public Sector
A unified Cape Winelands of excellence for sustainable development
Cyber Risks and Compliance
Topics: Cyber Services; Cyber Security; Risk; Governance Framework; Compliance
www.capewinelands.gov.za
Introduction
Importance of Municipalities
• Municipalities play a critical role in serving local communities.
• Their responsibilities include public services, infrastructure, and governance.
Compliance as a Cornerstone
• Compliance ensures adherence to laws, regulations, and standards.
• For municipalities, compliance is essential for transparency, accountability, and public trust.
Cyber Services (formerly ICT Services)
Cyber and ICT Services
• Cyber services fall broadly into two groups:
  • Internal network and server services
  • Government services online
• Cybersecurity:
  • Protecting the municipality's own computer systems
  • Cybersecurity programmes for residents and businesses
• Examples of public cyber/ICT services:
  • Online permitting and licensing
  • Bill pay: residents can pay their water, sewer, and trash bills online.
  • Parks and recreation registration
  • Public safety: municipalities may offer online crime maps and reporting tools.
  • Cybersecurity awareness training
Cyber Services (diagram):
• Managing large fires (bush and mountain fires)
• Disaster management coordination
• WiFi used at clinics and fire stations
• Executive communication
• Financial management
Cyber Risk (formerly ICT Risk)
ICT Risks
• Risk assessment
  • IT managers assess vulnerabilities in municipal systems and data.
  • Identify critical assets, threats, and impact.
• Mitigation strategies
  • Implement controls: firewalls, intrusion detection systems; encryption, secure access protocols.
  • Prioritise based on risk severity (likelihood and impact).
• Risk management
  • Regular risk assessments for municipal systems and data.
  • The process includes penetration testing and vulnerability scanning.
  • Risk mitigation plan with specific controls (firewalls, intrusion detection, encryption).
Cyber Risks (diagram):
• ICT dependency
• User access
• Impersonation
• Fire management
• Disaster management
Cyber Risk Mitigation
Common Cybersecurity Risks for Municipalities
• Data breaches
• Ransomware attacks
• Denial-of-Service (DoS) attacks
• Social engineering attacks
• Phishing attacks
• Software vulnerabilities
• Insider threats
Cyber Risk Mitigation
Mitigating Cybersecurity Risks
• Employee training on cyber threats and prevention (??)
• Data encryption for sensitive information
• Regular data backups (tested, and kept offline or otherwise isolated so that ransomware cannot reach them)
• Firewalls and intrusion detection systems
• Security policies outlining cybersecurity responsibilities
Approach Cyber Risk Mitigation with Governance Framework
• Phase 1 (Enablement Phase):
  1) Municipal Corporate Governance of ICT Policy approved and implemented;
  2) ICT Governance Charter approved and implemented;
  3) The following capabilities created in the Municipality:
    • Approved ICT User Access Management procedure.
    • Approved and implemented Portfolio Management Framework that includes ICT portfolio/programme and project management.
• Phase 2 (Strategic Alignment):
  1) Approved Enterprise Architecture informing the ICT Architecture.
• Phase 3: Continuous improvement of Corporate Governance and Governance of ICT
  • The successful implementation of a Corporate Governance of ICT system leads to continuous improvement in the creation of value to the Municipality. ICT delivery must be assessed on an ongoing basis to identify gaps between what was expected and what was realised. Assessments must be performed coherently and encompass both:
    a) Governance of ICT (continuous improvement of the management of ICT).
ICT Governance Phased Approach
2.4 THE DETAILED PHASED APPROACH
Implementation deliverables per financial year
• Phase 1 (Enablement Phase):
  1) Municipal Corporate Governance of ICT Policy approved and implemented;
  2) ICT Governance Charter approved and implemented;
  3) The following capabilities created in the Municipality:
    • Governance Champion designated and responsibilities allocated;
    • A proficient ICT Manager or CIO appointed, functioning at strategic level;
    • Approved and implemented Risk Management Policy that includes the management of Municipal-related ICT risks;
    • Approved and implemented Internal Audit Plan that includes ICT audits;
    • Approved ICT Disaster Recovery Plan informed by the Municipal Continuity Plan and Strategy;
    • Approved Data Backup and Recovery policy;
    • Approved ICT Service Delivery Agreement Management policy;
    • Approved ICT User Access Management procedure;
    • Approved ICT Network Security Controls policy;
    • Approved and implemented Portfolio Management Framework that includes ICT portfolio/programme and project management.
ICT Governance Phased Approach (continued)
• Phase 2 (Strategic Alignment):
  1) Approved Enterprise Architecture informing the ICT Architecture;
  2) Approved medium-term ICT Strategy;
  3) Approved ICT Performance Indicators as contained in the Municipality's performance management system.
• Phase 3: Continuous improvement of Corporate Governance and Governance of ICT
  • The successful implementation of a Corporate Governance of ICT system leads to continuous improvement in the creation of value to the Municipality. ICT delivery must be assessed on an ongoing basis to identify gaps between what was expected and what was realised. Assessments must be performed coherently and encompass both:
    a) The Corporate Governance of ICT (ICT contribution to the realisation of Cape Winelands District Municipal value); and
    b) Governance of ICT (continuous improvement of the management of ICT).
Cyber Risk Mitigation
Transferring Financial Risk
• Cyber insurance (offsets financial costs; it does not transfer the duty to protect data or to restore services)
• Third-party vendors (evaluate their cybersecurity practices)
Liability for Cybersecurity Risks (IT Manager?)
• Shared nature of liability:
  • Municipality (duty to protect data and ensure service continuity)
  • Third-party vendors (depending on contract terms)
  • Individual actors (hackers, disgruntled employees)
• Cyber insurance as a risk mitigation tool.
• Where does your responsibility start and end??
• Executive responsibility
Cyber Risk: AGSA Emerging Risks
➢ Cybersecurity
  ➢ Threats: cyber attacks, data breaches, ransomware.
➢ Cloud Computing
  ➢ Risks: data breaches, misconfigured cloud services, poor access management.
➢ Third Party IT Service Providers
  ➢ Challenges: data security, service interruptions, compliance issues.
➢ IT Manager Cybersecurity Compliance Document for Local Government
  ➢ Compliance Framework
    ➢ Reference a recognised cybersecurity framework (e.g., NIST CSF, ISO 27001).
    ➢ Provides a structure for the IT Manager to build the cybersecurity programme.
Cybersecurity status quo in South Africa: brief facts
• The Centre for Strategic and International Studies recently published a list of the numerous cyberattacks on governments globally that had taken place in 2022.
• Ransomware attempts against government customers rose a staggering 1,885%.
• This is more than double the increase seen in healthcare (+755%), education (+152%) and retail (+21%) combined.
• The seriousness of the cyber-attacks prompted many governments and numerous other organisations to embrace cybersecurity as one of the key protective drivers of their businesses.
Cybersecurity status quo in South African municipalities: concerning facts
• The Auditor-General of South Africa (AGSA) Municipal Finance Management Act (MFMA) Report 2021-20 has once again highlighted serious concerns regarding Information Technology (IT) controls in local government.
• Transactions and financial information are processed using information systems that should include sound systems of internal control, thus ensuring the integrity of the information used for decision-making.
• The assessment of the IT control environment identified significant weaknesses, illustrating the severity of the challenges faced by local government.
• IT controls are foundational to credible reporting and can contribute immensely to the success of a municipality.
Source: https://www.saica.org.za/news/it-controls-remain-a-cause-for-concern-in-local-government
The Department of Defence data breach
The attackers who claimed responsibility for breaching the South African Department of Defence and exfiltrating terabytes of data:
"People are so far away from cyber security that many of them did not even believe that there was any secret information on their servers."
"To put it simply, a lot of people didn't even understand the word server, asking whether their laptop was hacked. Oh, my laptop is safe? Ok, that's fine, bye."
"We still have a so-called hibernated fix inside the South African state networks," the group said.
Source: https://mybroadband.co.za/news/security/505982-interview-with-the-hackers-who-broke-into-south-africas-department-of-defence.html?utm_source=everlytic&utm_medium=newsletter&utm_campaign=businesstech
What is the NIST Cybersecurity Framework
o The NIST Cybersecurity Framework is a voluntary framework consisting of standards, guidelines and best practices.
o Why was it created?
  ▪ The cybersecurity landscape is chaotic due to fragmented practices.
  ▪ Organisations struggle with information sharing, policy adherence, and diverse cybersecurity languages.
  ▪ NIST's goal: eliminate the chaos by providing a structured approach.
o Key features of the NIST CSF
  ▪ Flexibility combined with regimented instructions.
  ▪ Addresses specific cybersecurity needs.
  ▪ Proven benefits.
  ▪ Version 2.0 enhancements (still emerging).
NIST Framework Core (figure: the Core functions Identify, Protect, Detect, Respond and Recover, with Govern added in version 2.0)
NIST CSF Process View (figure)
Electronic Signature Project
[Chart: audit areas with the values shown, as extracted: IT Org Structure 5; Infrastructure environment 40; Network Environment 10; Database Management 18; IT Expenditure RRR; IT general control 37]
NIST has over 100 controls.
Security review task workload (total hours per year = times per year × time in hours × personnel):

| Task | Times per year | Time (hours) | Personnel | Total hours per year |
|---|---|---|---|---|
| Review user access and activity, including 3rd party | 4 | 4 | 2 | 32 |
| Review application access logs | 4 | 4 | 1 | 16 |
| Review user list | 1 | 4 | 1 | 4 |
| Firewall review | 1 | 4 | 2 | 8 |
| Firewall check | 250 | 1 | 1 | 250 |
| Extended Detection Response: firewall | 12 | 8 | 2 | 192 |
| Virus check | 250 | 1 | 1 | 250 |
| Virus exposure review | 1 | 8 | 1 | 8 |
| Extended Detection Response: virus | 12 | 4 | 1 | 48 |
| Email security | 250 | 1 | 1 | 250 |
| Extended Detection Response: email | 12 | 4 | 1 | 48 |
| Social engineering attack simulation | 4 | 2 | 2 | 16 |
| Social engineering Extended Detection Response | 4 | 8 | 2 | 64 |
| Physical security check (look for externally installed access points or devices) | 1 | 16 | 2 | 32 |
| Annual security review | 1 | 8 | 3 | 24 |
| Security seminars | 2 | 8 | 2 | 32 |
| Total hours | | | | 1274 |
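As an added example (not part of the presentation and not the municipality's own tooling), the quarterly "review user access and activity, including 3rd party" task above can be made repeatable by running a script over the account export instead of reading it by hand. It flags the conditions that the page's "User Access", "Impersonation" and third-party-vendor risks point at: dormant or never-used accounts, enabled third-party accounts whose contract has ended, and privileged accounts without MFA. The export format, the 90-day dormancy threshold, the privileged role names and the sample accounts are all assumptions constructed for illustration.

```python
"""Quarterly user-access review over a constructed account export.

Added example; not from the Cape Winelands presentation. The export
fields, thresholds, role names and account data are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

DORMANT_DAYS = 90                                      # assumed: no login in a quarter
PRIVILEGED_ROLES = {"admin", "dba", "firewall_admin"}  # assumed role names


@dataclass(frozen=True)
class Account:
    username: str
    role: str
    owner_type: str                      # "staff", "third_party" or "service"
    enabled: bool
    mfa_enabled: bool
    last_login: Optional[date]           # None = never logged in
    contract_end: Optional[date] = None  # third parties only


def review_accounts(accounts, review_date):
    """Return (username, finding) pairs; one account may yield several findings."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # already-disabled accounts are out of scope for this review
        if a.last_login is None:
            findings.append((a.username, "never_logged_in"))
        elif (review_date - a.last_login).days > DORMANT_DAYS:
            findings.append((a.username, "dormant"))
        if a.owner_type == "third_party":
            if a.contract_end is None:
                findings.append((a.username, "third_party_no_contract_end"))
            elif a.contract_end < review_date:
                findings.append((a.username, "third_party_contract_expired"))
        if a.role in PRIVILEGED_ROLES and not a.mfa_enabled:
            findings.append((a.username, "privileged_without_mfa"))
    return findings


def summarise(findings):
    """Count findings per issue type for the review report."""
    counts = {}
    for _, issue in findings:
        counts[issue] = counts.get(issue, 0) + 1
    return counts


# Constructed sample export (not real municipal data).
REVIEW_DATE = date(2024, 3, 31)
SAMPLE_ACCOUNTS = [
    Account("jsmith", "finance_user", "staff", True, True, date(2024, 3, 28)),
    Account("tmbeki", "admin", "staff", True, False, date(2024, 3, 30)),
    Account("old_intern", "user", "staff", True, True, date(2023, 11, 2)),
    Account("vendor_netco", "firewall_admin", "third_party", True, True,
            date(2024, 2, 14), contract_end=date(2023, 12, 31)),
    Account("vendor_erp", "dba", "third_party", True, True, date(2024, 3, 25),
            contract_end=date(2025, 6, 30)),
    Account("svc_backup", "service", "service", True, False, None),
    Account("left_2022", "user", "staff", False, False, date(2022, 5, 1)),
]

if __name__ == "__main__":
    results = review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE)
    for user, issue in results:
        print(f"{user:14s} {issue}")
    print(summarise(results))
```

On the sample data the script reports four findings (an admin without MFA, a dormant intern account, a vendor account still enabled after its contract ended, and a service account that has never logged in) and skips the already-disabled leaver. Each finding is something the review should turn into an action (disable, add MFA, or confirm the contract extension), which is the record an auditor will ask for later.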
Audit Results Graphic (figure)
Benefits of using NIST Cybersecurity Framework for Auditing
Role of Municipality Executives
• Strategic leadership.
• Policy development and approval.
• Resource allocation.
• Risk management and oversight.
• Regulatory compliance.
• Public communication, reputation management, and stakeholder engagement.
• Accountability and transparency.
• Long-term planning.
Role of Municipality Managers
• Planning the audit and collecting the required information.
• Defining clear objectives and scope for the audit.
• Allocating resources for cybersecurity initiatives.
• Overseeing implementation of audit recommendations.
• Collaborating with IT teams and auditors.
• Taking appropriate actions in accordance with audit results.
• Training and awareness of all employees.
• Fostering a culture of security awareness among staff.
• Continuous improvement.
• Reporting to leadership.
Cyber Risk Mitigation with Governance Framework
➢ Adopt the NIST framework
➢ Implementation plan
➢ ICT departmental tasks
➢ Non-ICT departmental tasks
➢ ICT policy changes
➢ Departmental policy changes
➢ Process changes
➢ Job description changes
➢ Job evaluations (new responsibility)
NIST CSF Process View (figure)
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements in the Public Sector

  • 1. Managing Cybersecurity Risks and Compliance Requirements in the Public Sector A unified Cape Winelands of excellence for sustainable development
  • 3. Importance of Municipalities • Municipalities play a critical role in serving local communities. • Their responsibilities include public services, infrastructure, and governance. Compliance as a Cornerstone • Compliance ensures adherence to laws, regulations, and standards. • For municipalities, compliance is essential for transparency, accountability, and public trust. Introduction www.capewinelands.gov.za
  • 4. Cyber and ICT Services • Cyber services broadly categorized into two groups: • Internal Network and Server services • Government services online • Cybersecurity: • Protect their own computer systems • cybersecurity programs to residents and businesses. • Examples of public cyber/ICT services : • Online permitting and licensing • Bill pay: Residents can pay their water, sewer, and trash bills online. • Parks and recreation registration. • Public safety: Municipalities may offer online crime maps and reporting tools. • Cybersecurity awareness training. Cyber Services (Formally ICT Services) www.capewinelands.gov.za Cyber Services • Manage Large Fires (Bush and Mountain fires) • Disaster Management Coordination • WiFi used at clinics and fire stations • Executive communication • Financial Management
  • 5. ICT Risks • Risk Assessment • IT Managers assess vulnerabilities in municipal systems and data. • Identify critical assets, threats, and impact. • Mitigation Strategies • Implement controls: • Firewalls, intrusion detection systems. • Encryption, secure access protocols. • Prioritize based on risk severity. • Risk Management • Regular risk assessments for municipal systems and data. • Process includes penetration testing and vulnerability scanning. • Risk mitigation plan with specific controls (firewalls, intrusion detection, encryption). Cyber Risk (formally ICT Risk) www.capewinelands.gov.za Cyber Risks • ICT Dependency • User Access • Impersonation • Fire Management • Disaster Management
  • 6. Common Cybersecurity Risks for Municipalities • Data breaches • Ransomware attacks • Denial-of-Service (DoS) attacks • Social engineering attacks • Phishing attacks • Software vulnerabilities • Insider threats Cyber Risk Mitigation www.capewinelands.gov.za
  • 7. Mitigating Cybersecurity Risks • Employee training on cyber threats and prevention (??) • Data encryption for sensitive information • Regular data backups • Firewalls and intrusion detection systems • Security policies outlining cybersecurity responsibilities Cyber Risk Mitigation www.capewinelands.gov.za
  • 8. • Phase 1 (Enablement Phase): 1) Municipal Corporate Governance of ICT Policy approved and implemented; 2) ICT Governance Charter approved and implemented; 3) The following capabilities created in the Municipality: • Approved ICT User Access Management procedure. • Approved and implemented Portfolio Management Framework that includes ICT portfolio/programme and project management • Phase 2 (Strategic Alignment): 1) Approved Enterprise Architecture informing the ICT Architecture; • Phase 3: Continuous improvement of Corporate Governance and Governance of ICT • The successful implementation of a Corporate Governance of ICT system leads to continuous improvement in the creation of value to the Municipality. ICT delivery must be assessed on an on-going basis to identify gaps between what was expected and what was realised. Assessments must be performed coherently and encompass both: a) Governance of ICT (Continuous improvement of the management of ICT). Approach Cyber Risk Mitigation with Governance Framework www.capewinelands.gov.za
  • 9. • 2.4 THE DETAILED PHASED APPROACH • Implementation deliverables per financial year • Phase 1 (Enablement Phase): 1) Municipal Corporate Governance of ICT Policy approved and implemented; 2) ICT Governance Charter approved and implemented; 3) The following capabilities created in the Municipality: • Governance Champion designated and responsibilities allocated; • A proficient ICT Manager or CIO appointed functioning at strategic level. • Approved and implemented Risk Management Policy that includes the management of Municipal-related ICT risks; • Approved and implemented Internal Audit Plan that includes ICT audits; • Approved ICT Disaster Recovery Plan informed by Municipal Continuity Plan and Strategy. • Approved Data Backup and Recovery policy. • Approved ICT Service Delivery Agreement Management policy. • Approved ICT User Access Management procedure. • Approved ICT Network Security Controls policy. • Approved and implemented Portfolio Management Framework that includes ICT portfolio/programme and project management • ICT Governance Phased Approach www.capewinelands.gov.za
10. ICT Governance Phased Approach
• Phase 2 (Strategic Alignment):
  1) Approved Enterprise Architecture informing the ICT Architecture;
  2) Approved medium term ICT Strategy;
  3) Approved ICT Performance Indicators as contained in the Municipality's performance management system.
• Phase 3: Continuous improvement of Corporate Governance and Governance of ICT
• The successful implementation of a Corporate Governance of ICT system leads to continuous improvement in the creation of value to the Municipality. ICT delivery must be assessed on an on-going basis to identify gaps between what was expected and what was realised. Assessments must be performed coherently and encompass both:
  a) The Corporate Governance of ICT (ICT contribution to realisation of Cape Winelands District Municipal value); and
  b) Governance of ICT (Continuous improvement of the management of ICT).
11. Cyber Risk Mitigation
Transferring Financial Risk
• Cyber Insurance (offset financial costs)
• Third-party vendors (evaluate their cybersecurity practices)
Liability for Cybersecurity Risks (IT Manager?)
• Shared nature of liability:
  • Municipality (duty to protect data and ensure service continuity)
  • Third-party vendors (depending on contract terms)
  • Individual actors (hackers, disgruntled employees)
• Cyber insurance as a risk mitigation tool.
• Where does your responsibility start and end?
• Executive Responsibility
12. Cyber Risk: AGSA Emerging Risks
➢ Cybersecurity
  ➢ Threats: Cyber attacks, data breaches, ransomware.
➢ Cloud Computing
  ➢ Risks: Data breaches, misconfigured cloud services, poor access management.
➢ Third Party IT Service Providers
  ➢ Challenges: Data security, service interruptions, compliance issues.
➢ IT Manager Cybersecurity Compliance Document for Local Government
  ➢ Compliance Framework
  ➢ Reference a recognized cybersecurity framework (e.g., NIST CSF, ISO 27001).
  ➢ Provides a structure for the IT Manager to build the cybersecurity program.
13. Cybersecurity status quo in South Africa: Brief facts
• The Centre for Strategic and International Studies recently published a list of the many cyberattacks on governments globally that have happened thus far in 2022.
• Ransomware attempts among government customers rose a staggering 1,885%!
• This is more than double the increase seen in healthcare (+755%), education (+152%) and retail (+21%) combined.
• The seriousness of the cyber-attacks prompted many governments and numerous other organisations to embrace cybersecurity as one of the key protective drivers of their businesses.
14. Cybersecurity status quo in South African municipalities: Concerning facts
• The Auditor-General of South Africa (AGSA) Municipal Finance Management Act (MFMA) Report 2021-20 has once again highlighted serious concerns regarding Information Technology (IT) controls in local government.
• Transactions and financial information are processed using information systems that should include sound systems of internal control, thus ensuring the integrity of information used for decision-making.
• The assessment of the IT control environment identified significant weaknesses, illustrating the severity of challenges faced by local government.
• IT controls are foundational to credible reporting and can contribute immensely to the success of a municipality.
Source: https://www.saica.org.za/news/it-controls-remain-a-cause-for-concern-in-local-government
15. The Department of Defence data breach
Quotes from the attackers who claimed responsibility for breaching the South African Department of Defence and exfiltrating terabytes of data:
• "People are so far away from cyber security that many of them did not even believe that there was any secret information on their servers."
• "To put it simply, a lot of people didn't even understand the word server, asking whether their laptop was hacked. Oh, my laptop is safe? Ok, that's fine, bye."
• "We still have a so-called hibernated fix inside the South African state networks," the group said.
Source: https://mybroadband.co.za/news/security/505982-interview-with-the-hackers-who-broke-into-south-africas-department-of-defence.html?utm_source=everlytic&utm_medium=newsletter&utm_campaign=businesstech
16. What is the NIST Cybersecurity Framework
o The NIST Cybersecurity Framework is defined as a voluntary framework consisting of Standards, Guidelines and Best Practices.
o Why was it created?
  ▪ The cybersecurity landscape is chaotic due to fragmented practices.
  ▪ Organizations struggle with information sharing, policy adherence, and diverse cybersecurity languages.
  ▪ NIST's goal: Eliminate chaos by providing a structured approach.
o Key Features of the NIST CSF
  ▪ Flexibility combined with regimented instructions.
  ▪ Addresses specific cybersecurity needs.
  ▪ Proven benefits.
  ▪ Version 2.0 enhancements (still emerging).
20. Electronic Signature Project
[Chart: IT general control areas (IT Org Structure, Infrastructure environment, Network Environment, Database Management, IT Expenditure, IT general control); values shown on the chart: 5, 40, 10, 18, RRR, 37.]
• NIST has over 100 Controls
21. Electronic Signature Project
• NIST has over 100 Controls

| Tasks | Times per year | Time (hours) | Personnel | Total hours per year |
|---|---|---|---|---|
| Review user access and activity including 3rd party | 4 | 4 | 2 | 32 |
| Review application access logs | 4 | 4 | 1 | 16 |
| Review user list | 1 | 4 | 1 | 4 |
| Firewall review | 1 | 4 | 2 | 8 |
| Firewall check | 250 | 1 | 1 | 250 |
| Extended Detection Response: Firewall | 12 | 8 | 2 | 192 |
| Virus check | 250 | 1 | 1 | 250 |
| Virus exposure review | 1 | 8 | 1 | 8 |
| Extended Detection Response: Virus | 12 | 4 | 1 | 48 |
| Email security | 250 | 1 | 1 | 250 |
| Extended Detection Response: Email | 12 | 4 | 1 | 48 |
| Social engineering attack simulation | 4 | 2 | 2 | 16 |
| Social engineering Extended Detection Response | 4 | 8 | 2 | 64 |
| Physical security check (look for externally installed access points or devices) | 1 | 16 | 2 | 32 |
| Annual Security Review | 1 | 8 | 3 | 24 |
| Security seminars | 2 | 8 | 2 | 32 |
| Total hours | | | | 1274 |
23. Benefits of using NIST Cybersecurity Framework for Auditing
24. Role of Municipality Executives
• Strategic leadership.
• Policy development and approval.
• Resource allocation.
• Risk management and oversight.
• Regulatory compliance.
• Public communication, reputation management, and stakeholder engagement.
• Accountability and transparency.
• Long-term planning.
25. Role of Municipality Managers
• Planning the audit and collecting required information.
• Defining clear objectives and scope of the audit.
• Allocate resources for cybersecurity initiatives.
• Oversee implementation of audit recommendations.
• Collaborate with IT teams and auditors.
• Taking appropriate actions in accordance with audit results.
• Training and awareness of all employees.
• Foster a culture of security awareness among staff.
• Continuous improvements.
• Reporting to leadership.
26. Cyber Risk Mitigation with Governance Framework
➢ Adopt the NIST framework
➢ Implementation Plan
➢ ICT Departmental Tasks
➢ Non-ICT Departmental Tasks
➢ ICT Policy Changes
➢ Departmental Policy Changes
➢ Process Changes
➢ Job Description Changes
➢ Job Evaluations (New Responsibility)