2. Contents
• Overview of Cybersecurity
• Guidelines / Frameworks / Acts
• South African and Public Sector context
• Departmental context (Strategic risks)
• DPSA Guidance – Executive leadership
• Key Questions
• Three pillar approach to Cybersecurity
• References
• Thank you
3. Overview
● What is cybersecurity? Cybersecurity, a subset of information security, is the practice of defending your organisation's cloud, networks, computers and data from unauthorised digital access, attack or damage by implementing various defence processes, technologies and practices.
● Cybersecurity awareness involves being mindful of cybersecurity in day-to-day situations. Being aware of the dangers of browsing the web, checking email and interacting online are all components of cybersecurity awareness. As leaders, it is our responsibility to make sure everyone considers cybersecurity an essential part of their role.
4. Guidelines / frameworks / acts
• Corporate Governance of ICT Policy Framework of 2012
• National Cybersecurity Policy Framework, published December 2015
• Cybercrimes Act 19 of 2020
• Protection of Personal Information Act 3 of 2013 (effective 1 July 2020)
• Corporate Governance of ICT Policy Framework of March 2022 (Circular 21 of 2022)
• Circular 1 of 2022: Cloud Computing Determination and Directive Awareness
• Circular 23 of 2022: Directive on Public Service Information Security
7. Departmental Risk Registers – Strategic 23/24
Risk No. | Prog. | Risk description | Root causes

SR02 | P1 | Existing infrastructure unable to handle the growing demands of business / inadequate ICT infrastructure to support the Department's needs
Root causes:
1. Poor ICT infrastructure
2. Dilapidated ICT infrastructure
3. Inadequate ICT resources (ICT funding and skills in infrastructure management)
4. Outdated ICT policies (bureaucracy and a non-agile policy environment)
5. Operational inefficiencies on the ICT network
6. Inadequate budget for repairs and maintenance
7. Aging systems (BAS, PERSAL, LOGIS and the SCOA system)
8. Prolonged IFMS project (a stopgap is needed)
9. PT dependency on OTP and SITA for service delivery
10. National policy environment constraints
11. Slow implementation of 4IR (Fourth Industrial Revolution)
12. Load shedding / unavailability of power
13. Water outages

SR03 | P1 | Lack of business continuity
Root causes:
1. Existing infrastructure unable to handle the growing demands of business / inadequate ICT infrastructure to support the Department's needs
2. Lack of funding
3. Inadequate resources (human and financial)
4. Negative impact caused by disasters (e.g. Covid-19)
5. Bulk infrastructure (building, water, electricity, sanitation, pests)
6. IT solutions for remote access
7. Cybersecurity attacks
8. Community protests
9. Occupational health and safety
10. Reliance on third parties for service delivery (OTP, SITA and Public Works; consider moving this to the TRM)
11. Load shedding / unavailability of power
12. Water outages
13. Fire hazards
14. ICT network outages
15. Vandalism and theft of infrastructure (cable theft etc.)
16. Ineffective Business Continuity Committee
17. Business Continuity Plans do not address a wide enough range of potential incidents
The high demand on the infrastructure shows how seriously cybersecurity must be taken: the higher the usage, the higher the risk of security threats on the network.
8. DPSA Directives – Executive Leadership
• Corporate Governance of ICT Policy Framework of March 2022
  • “The Head of Department is the designated governance champion accountable for the corporate governance of ICT and is responsible for the establishment of corporate governance of the ICT system and monitoring of its performance.”
  • “It directs the strategic leadership of the department (executive management) to take responsibility for the governance of ICT equivalent to the other departments, including but not limited to finances and human resources.”
  • “The Policy Framework directs the strategic leadership of the department to take responsibility for the corporate governance of ICT and provide leadership for the use of ICT to support the achievement of the strategic objectives and goals of the department.”
  • “Principle 4: Manage ICT-related business risks
    • The ICT-related business risks, including security and cybersecurity, must be managed (mitigated and audited regularly).
    • Regular reporting to the ICT Steering Committee and EXCO on key general IT controls.”
• Directive on Public Service Information Security
  • 25. Cybersecurity
  • The Head of Department must ensure that:
    • a) Penetration testing, vulnerability scans and threat risk analysis are part of the departmental cybersecurity initiatives.
9. Key questions the executive needs to ask
• Do we know what needs to be protected?
  • Hardware and software
  • Data
  • Policies (who wrote them, are they suitable for our environment, are they available and updated, does everyone know them, are they enforced, is there awareness of the policies and are they audited?)
• Are we all educated enough in terms of cybersecurity?
  • Do we understand security policies, cookies and phishing attacks?
• How would we be attacked?
  • MITRE listing of attack vectors. What kind of ransomware? How would data be stolen? What is the damage?
• Are we able to recover from an attack?
  • Incident Response Plan, Disaster Recovery Plan and Business Continuity Plan
• Do we have metrics that matter?
  • Risks are tangible and quantifiable. Have metrics that matter, with the right KPIs and KRIs.
10. Three pillar approach to Cybersecurity
CIA triad: an information security model made up of three main components:
Confidentiality
Integrity
Availability