Making our Cyber Space Safe

Ghana’s Emerging Cyber Security Policy & Strategy

William Tevie, Director General, National IT Agency, Ghana

5/28/2014


Agenda

• Cyber Security Issues

• Background to Policy

• Target Audience for Framework

• National Strategy – Level of coverage

• Mission & Vision

• Identified CNII

• Policy Thrusts

• Action Plans

• Implementation Plan


Cyber Security Issues in Ghana

National Image

SIM Box Fraud

• Large Extensive Government Network by NITA

• Data center running cloud applications and email service

• Exposure to risk

Need to ensure protection of CNII

Low Awareness about cyber security issues

• Need to review laws in relation to cyber security

• Need for capacity building of law enforcement

Lack of empowerment to enforce law in cyberspace

Lack of Coordination of Cyber Initiatives


The Genesis of ICT Policy in Ghana

• ICT4AD policy Driving Ghana’s ICT Agenda

• Policy Developed and adopted in 2003

• 14 Pillars Addressing all sectors

• Pillar 14 addresses law enforcement and cyber security


ICT4AD Pillar 14

• Policy measures and mechanisms to address

– national security

– law and order issues

• relating to the deployment, exploitation and utilization of ICTs within the economy and society.

• Address security issues relating to

– privacy,

– data and consumer protection

– security of computer networks and information systems and their information and data contents


Evolution of e-Government Strategy -1

2003: ICT4AD Adopted

• 14 Pillars

• All sectors addressed

2006: Preparatory Work for e-Government

• Legal framework and enabling environment

• Design of eGhana Project

2008: Legal Instruments enacted

• NITA ACT (771)

• Electronic Transaction ACT (772)

• Electronic Communication ACT (775)

• NCA ACT (769)


Electronic Transaction Act (ACT 772)

• Developed as a result of Pillar 14 and other pillars

• Legal Instrument embracing all Electronic transaction

– Certifying authorities

– Registry

– ICT Tribunal

– Cyber Inspectors

– Electronic Government Services

– Cyber Offenses

– Protected computers and Databases

– Consumer protection


ACT 772 Cyber Related Provisions

• Cyber inspectors

– Powers of law enforcement officers

– Law enforcement officer and third party assistance

– Preservation of evidence

– Disclosure of electronic information

– Inadmissible evidence


ACT 772 Cyber Related Provisions

• Cyber offences

– Stealing

– Appropriation

– Representation

– Charlatanic advertisement

– Attempt to commit crimes

– Aiding and abetting

– Duty to prevent felony

– Conspiracy

– Forgery


Why the Need for Policy Review

• Cyber security has grown bigger

– Every user is at risk

• Law enforcement can provide security

– Requires full participation of everyone

– Element of developing culture of cyber security

– PPP approach to resolving cyber security issues


Target Groups of Cyber Security Framework

Person Specific

• Consumer User

• Corporate user

Device Specific

• Telephones

• Wireless Cell Devices

• Personal Digital Assistant (PDA)

Network Specific

• Wireless Carrier’s Transport

• Local Area, Metropolitan Area and Wireless Area

• Internet


Background to Policy Development

Existing Ghana “ICT4AD” pillar 14

• National security and law enforcement in cyber space

• Implemented by Electronic Transaction Act (Act 772)

Some shortfall in policy

• Does not adopt a PPP approach

• All target audience not addressed

• Protection of CNII not covered under policy

• Culture of cyber security across sectors not properly covered

• Capacity building focused on only National security agencies and law enforcement

• Pillar not citizen-centric


National Strategy – Level of Coverage

Level 1: Home and Small Business users

Level 2: Large Enterprise Users

Level 3: Critical Sectors

Level 4: National Priorities

Level 5: Global


Vision and Mission

Vision

• Our vision is to secure the Critical National Information Infrastructure (CNII) and make it resilient, and for Ghana to be self-reliant in securing its cyber space by infusing a culture of security to promote stability, social well-being and wealth creation of our people. All actors in law enforcement, national security, network security practitioners in government and business, and the public will take part in the vision.

Mission

• Our mission is for Ghana to become a self-sufficient country attending to its cyber security needs by 2017


Identified CNII Sectors

1. National Defense and Security

2. Banking and Finance

3. Information and Communications

4. Energy

5. Transportation

6. Water

7. Health Services

8. Government machinery

9. Emergency services

10. Food and Agriculture


The Eight thrusts of the Policy

Thrust, theme and detail:

1. Effective Governance

– centralize coordination of national cyber security initiatives

– promote effective cooperation between public and private sectors

2. Legislative & Regulatory Framework

– Attorney General’s department periodic reviewing and enhancing Ghana’s laws relating to cyber space

– progressive capacity building programs to acquire new skills and effective ways of enforcing cyber laws

3. Cyber Security Technology Framework

– develop a national cyber security technology framework that specifies cyber security requirement controls and baselines for CNII elements

– mechanism to implement an evaluation/certification program for cyber security product and systems

4. Culture of security and Capacity Building

– invest every resource needed to develop, foster and maintain a national culture of security

– Establish an effective mechanism for cyber security knowledge dissemination at the national level

– Identify minimum requirements and qualifications for information security professionals

5. Research & Development towards Self-Reliance

– formalize the coordination and prioritization of cyber security research and develop activities to enlarge and strengthen the cyber security research

– measures in place to nurture the growth of cyber security industry


The Eight Thrusts of the Policy

Thrust, theme and details:

6. Compliance and Enforcement

– standardize cyber security systems across all elements of the CNII

– strengthen the monitoring and enforcement of standards and develop a standard cyber security risk assessment framework

7. Cyber Security Emergency Readiness

– develop effective cyber security incident reporting mechanisms

  o include the development and strengthening of the national CSIRT

– development of a standard business continuity management framework and perform periodic vulnerability assessment programs

8. International Cooperation

– encourage the active participation of Ghana in all relevant international cyber security bodies and conferences


Action Plans

1. Effective Governance

Action Plan: Set up governance structure and institutions to enable long-term substance of cyber security activity including information exchange. Institutions include:

– National Cyber Security Council

– National Cyber Security Center

– National Computer Emergency Response Team

– National Cyber Security Policy Working Group

Policy Drivers: Ministry of Communications, National Security Council, NITA, NCA

2. Legislative and Regulatory Framework

Action Plan: Set up Cyber Law Review Committee under the Attorney General’s Department to do a study on the laws of Ghana to accommodate legal challenges in the cyber environment and review every three years

– Stage 1: Identification of issues in the cyber environment

– Stage 2: Review current laws on cyber environment

– Stage 3: Make recommendations for amendment of national laws

Policy Drivers: Attorney General’s Department

3. Cyber Security Technology Framework

Action Plan:

– Review and adopt international cyber security standard such as MS ISO/IEC 27001 to increase robustness of CNII sectors

– Expansion of national certification scheme for information security management & assurance

Policy Drivers: Ministry of Communications, NITA, NSC


Action Plans

4. Culture of Cyber Security & Capacity Building

Action Plan:

– Reduce number of information security incidents through improved awareness & skill level

  o Increase certification course on information and cyber security

– Develop a National Cyber Security Awareness program and portal targeted at stakeholders by content providers using different packaging for different demographics

Policy Drivers: Ministry of Communications, Ministry of Information, (National Cyber Security Council, National Cyber Security Center, National CSIRT, National Cyber Security Policy Working Group)

5. Research & Development towards Self-Reliance

Action Plan: Develop National R&D Roadmap for Cyber Security

  o Identify technologies relevant & desirable for CNII

  o Provide domain competency development

  o Nurture growth of Cyber Security Industry

  o Update roadmap regularly

Policy Drivers: National Cyber Security Council, National Cyber Security Center, National CERT, Universities, CSIR, Professional certification Centers

6. Compliance & Enforcement

Action Plan: Develop Risk Assessment framework for CNII

7. Cyber Security Emergency Readiness

Action Plan: Framework for cyber attack response – mitigation of cyber attacks

National and sector CSIRTs

National Cyber Crises Management Committee

National Cyber Crises Management WG

National Cyber Security Council


Action Plans

8. International Cooperation

Action Plan:

– Engage in relevant international cyber security meetings

– Prioritize international engagements, sign and ensure compliance of international/regional conventions

Policy Drivers: Ministry of Communications, Ministry of Foreign Affairs, Attorney General’s Department, National Security Council


Implementation

Period, issues to be addressed and activities:

Short Term (0-1 Years): Identifying CNII and Addressing Immediate Concerns

- Identify Critical National Information Infrastructure

- Stop-gap measures to address fundamental vulnerabilities to the cyber security of the CNII

- Creating a centralized platform for security mechanism

- Establish Cyber Incident Response readiness

- Raising awareness of cyber security and its implications

Medium Term (2-3 Years): Building the Infrastructure

- Setting up the necessary systems, processes, standards and institutional arrangements (mechanisms)

- Building capacity amongst researchers and information security professionals

Long Term (Year 4-5): Developing Self-Reliance

- Developing self-reliance in terms of technology as well as professionals

- Monitoring the mechanisms for compliance

- Evaluating and improving the mechanisms

- Creating the culture of cyber security


Structure of Initiatives within Strategy


Opportunities for Security Communities

• Information System Security practitioners are key drivers

– Critical mass of expertise needed to drive whole process

• Capacity building to be driven by practitioners

• Risk Management framework and strategies for maintaining CNII require skill set that can be found in the community

• ISACA and related professional bodies have a critical role in emerging cyber security strategy


Visit our websites:

http://www.nita.gov.gh

http://www.eservices.gov.gh

http://www.data.gov.gh

Contact: [email protected], Phone: 0302-661777

Thank You!