National Cybersecurity Management System Framework Maturity Model (presentation)

beac96526694920f6511c5ba1d8ab950.ppt

  • Number of slides: 16

National Cybersecurity Management System Framework – Maturity Model – RACI Chart – Implementation Guide. Taieb DEBBAGH. Geneva, 6-7 December 2010. Addressing security challenges on a global scale

Agenda
1 - Introduction
2 - National Cybersecurity Management System
3 - NCSec Framework : 5 Domains
4 - NCSec Framework : 34 processes
5 - Maturity Model
6 - NCSec Assessment
7 - Roles & Responsibilities (RACI Chart)
8 - Implementation Guide

1 - Introduction (1/2)
  • Increasing computer security challenges in the world;
  • No appropriate organizational and institutional structures to deal with these issues;
  • Which entity (or entities) should be given the responsibility for computer security?
  • There are best practices that organizations can refer to in order to evaluate their security status;
  • But there is a lack of international standards (clear guidance) with which a State or region can measure its current security status.

1 - Introduction (2/2)
The main objective of this presentation is to propose a Model of National Cybersecurity Management System (NCSecMS), a global framework that best responds to the needs expressed by the ITU Global Cybersecurity Agenda (GCA). This global framework consists of 4 main components:
  • NCSec Framework;
  • Maturity Model;
  • Roles and Responsibilities chart;
  • Implementation Guide.

2 - NCSec Management System

3 - NCSec Framework : 5 Domains

4 - NCSec Framework (5 Domains and 34 Processes)

1 - SP : Strategy and Policies
SP 1 NCSec Strategy : Promulgate & endorse a National Cybersecurity Strategy
SP 2 Lead Institutions : Identify a lead institution for developing a national strategy, and 1 lead institution per stakeholder category
SP 3 NCSec Policies : Identify or define policies of the NCSec strategy
SP 4 Critical Information Infrastructures Protection : Establish & integrate risk management for identifying & prioritizing protective efforts regarding CII
SP 5 Stakeholders : Identify the degree of readiness of each stakeholder regarding the implementation of the NCSec strategy & how stakeholders pursue the NCSec strategy & policies

2 - IO : Implementation and Organisation
IO 1 NCSec Council : Define a National Cybersecurity Council for coordination between all stakeholders, to approve the NCSec strategy
IO 2 NCSec Authority : Define a specific high-level Authority for coordination among cybersecurity stakeholders
IO 3 National CERT : Identify or establish a national CERT to prepare for, detect, respond to, and recover from national cyber incidents
IO 4 Privacy and Personal Data Protection : Review the existing privacy regime and update it to the on-line environment
IO 5 Laws : Ensure that a lawful framework is in place and regularly updated
IO 6 Institutions : Identify institutions with cybersecurity responsibilities, and procure resources that enable NCSec implementation
IO 7 National Experts and Policymakers : Identify the appropriate experts and policymakers within government, private sector and university
IO 8 Training : Identify training requirements and how to achieve them
IO 9 Government : Implement a cybersecurity plan for government-operated systems that takes change management into account
IO 10 International Expertise : Identify international expert counterparts and foster international efforts to address cybersecurity issues, including information sharing and assistance efforts

3 - AC : Awareness and Communication
AC 1 Leaders in the Government : Persuade national leaders in the government of the need for national action to address threats to and vulnerabilities of the NCSec through policy-level discussions
AC 2 National Cybersecurity and Capacity : Manage National Cybersecurity and capacity at the national level
AC 3 Continuous Service : Ensure continuous service within each stakeholder and among stakeholders
AC 4 National Awareness : Promote a comprehensive national awareness program so that all participants (businesses, the general workforce, and the general population) secure their own parts of cyberspace
AC 5 Awareness Programs : Implement security awareness programs and initiatives for users of systems and networks
AC 6 Citizens and Child Protection : Support outreach to civil society with special attention to the needs of children and individual users
AC 7 Research and Development : Enhance Research and Development (R&D) activities (through the identification of opportunities and allocation of funds)
AC 8 CSec Culture for Business : Encourage the development of a culture of security in business enterprises
AC 9 Available Solutions : Develop awareness of cyber risks and available solutions
AC 10 NCSec Communication : Ensure National Cybersecurity Communication

4 - CC : Compliance and Communication
CC 1 International Compliance & Cooperation : Ensure regulatory compliance with regional and international recommendations, standards …
CC 2 National Cooperation : Identify and establish mechanisms and arrangements for cooperation among government, private sector entities, university and NGOs at the national level
CC 3 Private Sector Cooperation : Encourage cooperation among groups from interdependent industries (through the identification of common threats)
CC 4 Incidents Handling : Manage incidents through the national CERT to detect, respond to, and recover from national cyber incidents, through cooperative arrangements (especially between government and private sector)
CC 5 Points of Contact : Establish points of contact (or CSIRT) within government, industry and university to facilitate consultation, cooperation and information exchange with the national CERT, in order to monitor and evaluate NCSec performance in each sector

5 - EM : Evaluation and Monitoring
EM 1 NCSec Observatory : Set up the NCSec observatory
EM 2 Mechanisms for Evaluation : Define mechanisms that can be used to coordinate the activities of the lead institution, the government, the private sector and civil society, in order to monitor and evaluate the global NCSec performance
EM 3 NCSec Assessment : Assess and periodically reassess the current state of cybersecurity efforts and develop program priorities
EM 4 NCSec Governance : Provide National Cybersecurity Governance

ACM Publication – December 2008

5 - NCSec Maturity Model (columns of the slide: Process, Mor, Description, Level 1 to Level 5)

SP 1 (Mor: 3) – Promulgate & endorse a National Cybersecurity Strategy
  Level 1: Recognition of the need for a National strategy
  Level 2: NCSec is announced & planned
  Level 3: NCSec is operational for all key activities
  Level 4: NCSec is under regular review
  Level 5: NCSec is under continuous improvement

SP 2 (Mor: 1) – Identify a lead institution for developing a national strategy, and 1 lead institution per stakeholder category
  Level 1: Some institutions have an individual cybersecurity strategy
  Level 2: Lead institutions are announced for all key activities
  Level 3: Lead institutions are operational for all key activities
  Level 4: Lead institutions are under regular review
  Level 5: Lead institutions are under continuous improvement

SP 3 (Mor: 2) – Identify or define policies of the NCSec strategy
  Level 1: Ad-hoc & isolated approaches to policies & practices
  Level 2: Similar & common processes announced & planned
  Level 3: Policies and procedures are defined, documented, operational
  Level 4: National best practices are applied & repeatable
  Level 5: Integrated policies & procedures; transnational best practice

SP 4 (Mor: 1) – Establish & integrate a risk management process for identifying & prioritizing protective efforts regarding NCSec (CIIP)
  Level 1: Recognition of the need for a risk management process in CIIP
  Level 2: Risks are identified & planned; risk management process is announced
  Level 3: Risk management process is approved & operational for all CIIP
  Level 4: Risk management process is complete, repeatable, and leads to CI best practices
  Level 5: CIIP risk management process evolves to an automated workflow & is integrated to enable improvement

Example : SP 1 Maturity Model
  • The first process, SP 1, consists in “Promulgating and endorsing a National Cybersecurity Strategy”.
  • Process SP 1 is in conformance with level 5 if the following conditions are respected:
    1. Recognition of the need for a National Cybersecurity Strategy
    2. the NCSec strategy is “announced and planned”
    3. the NCSec strategy is “operational”
    4. the NCSec strategy is under a “regular review”
    5. the NCSec strategy is under “continuous improvement”

6 - NCSec Assessment (radar chart, scale 0 to 5, one axis per process)
Legend: SP 1: National Cybersecurity Strategy; SP 4: CIIP; IO 2: National Cybersecurity Authority; IO 3: National-CERT; IO 5: Cyber Law; AC 5: Awareness Programme; CC 1: International Cooperation; CC 2: National Coordination; EM 4: Cybersecurity Governance

7 - RACI Chart / Stakeholders (table of R/A/C/I assignments per stakeholder for the SP processes; stakeholder columns include Government / Head of Government, National Cybersecurity Authority, Legislative, Ministries of ICT, Finance, Education, Defence and Interior, National CERT / CSIRT, Critical Infrastructures, Private Sector, Academia, Civil Society and Trade Unions; the individual cell values are not recoverable from this copy)
SP 1 NCSec Strategy : Promulgate & endorse a National Cybersecurity Strategy
SP 2 Lead Institutions : Identify a lead institution for developing a national strategy, and 1 lead institution per stakeholder category
SP 3 NCSec Policies : Identify or define policies of the NCSec strategy
SP 4 Critical Infrastructures : Establish & integrate risk management for identifying & prioritizing protective efforts regarding NCSec (CIIP)
R = Responsible, A = Accountable, C = Consulted, I = Informed

8 - Implementation Guide

ITU-D / SG 1 / Question 22-1/1 Securing information and communication networks, best practices for developing a culture of cybersecurity. Report of the meeting of the Rapporteur Group on Question 22-1/1 (Geneva, Wednesday, 22 September 2010)
  • Document 1/23 was presented by Morocco. It provides a model for administrations to use in managing their cybersecurity programme based on the ISO 27000 family and COBIT. It was suggested that it could be a framework to be used by developing countries in assessing their cybersecurity strategy. The Rapporteur asked the BDT to put the entire document on the web site of Study Group 1 and invited comments for the next meeting.

Thank you for your attention. Email : t.debbagh@technologies.gov.ma or tdebbagh@gmail.com