Making our Cyber Space Safe
Ghana’s Emerging Cyber Security Policy & Strategy
5/28/2014 1
National IT Agency, Ghana
William Tevie, Director General
Agenda
• Cyber Security Issues
• Background to Policy
• Target Audience for Framework
• National Strategy – Level of coverage
• Mission & Vision
• Identified CNII
• Policy Thrusts
• Action Plans
• Implementation Plan
Cyber Security Issues in Ghana
National Image
SIM Box Fraud
• Large Extensive Government Network by NITA
• Data center running cloud applications and email service
• Exposure to risk
Need to ensure protection of CNII
Low Awareness about cyber security issues
• Need to review laws in relation to cyber security
• Need for capacity building of law enforcement
Lack of empowerment to enforce law in cyberspace
Lack of Coordination of Cyber Initiatives
The Genesis of ICT Policy in Ghana
• ICT4AD policy driving Ghana’s ICT agenda
• Policy developed and adopted in 2003
• 14 pillars addressing all sectors
• Pillar 14 addresses law enforcement and cyber security
ICT4AD Pillar 14
• Policy measures and mechanisms to address
– national security
– law and order issues
• These relate to the deployment, exploitation and utilization of ICTs within the economy and society.
• Address security issues relating to
– privacy,
– data and consumer protection
– security of computer networks and information systems and their information and data contents
Evolution of e-Government Strategy -1
2003: ICT4AD Adopted
• 14 Pillars
• All sectors addressed
2006: Preparatory Work for e-Government
• Legal framework and enabling environment
• Design of eGhana Project
2008: Legal Instruments enacted
• NITA ACT (771)
• Electronic Transaction ACT (772)
• Electronic Communication ACT (775)
• NCA ACT (769)
Electronic Transaction Act (ACT 772)
• Developed as a result of Pillar 14 and other pillars
• Legal instrument embracing all electronic transactions
– Certifying authorities
– Registry
– ICT Tribunal
– Cyber Inspectors
– Electronic Government Services
– Cyber Offenses
– Protected computers and Databases
– Consumer protection
ACT 772 Cyber Related Provisions
• Cyber inspectors
– Powers of law enforcement officers
– Law enforcement officer and third party assistance
– Preservation of evidence
– Disclosure of electronic information
– Inadmissible evidence
ACT 772 Cyber Related Provisions
• Cyber offences
– Stealing
– Appropriation
– Representation
– Charlatanic advertisement
– Attempt to commit crimes
– Aiding and abetting
– Duty to prevent felony
– Conspiracy
– Forgery
Why the Need for Policy Review
• Cyber security has grown bigger
– Every user is at risk
• Law enforcement can provide security
– Require full participation of everyone
– Element of developing culture of cyber security
– PPP approach to resolving cyber security issues
Target Groups of Cyber Security Framework
Person Specific
• Consumer User
• Corporate user
Device Specific
• Telephones
• Wireless Cell Devices
• Personal Digital Assistant (PDA)
Network Specific
• Wireless Carrier’s Transport
• Local Area, Metropolitan Area and Wireless Area
• Internet
Background to Policy Development
Existing Ghana “ICT4AD” pillar 14
• National security and law enforcement in cyber space
• Implemented by Electronic Transaction Act (Act 772)
Some shortfall in policy
• Does not adopt a PPP approach
• All target audience not addressed
• Protection of CNII not covered under policy
• Culture of cyber security across sectors not properly covered
• Capacity building focused on only National security agencies and law enforcement
• Pillar not citizen-centric
National Strategy – Level of Coverage
Level 1: Home and Small Business users
Level 2: Large Enterprise Users
Level 3: Critical Sectors
Level 4: National Priorities
Level 5: Global
Vision and Mission
Vision
• Our vision is to secure the Critical National Information Infrastructure (CNII) and make it resilient, and for Ghana to be self-reliant in securing its cyber space by infusing a culture of security to promote stability, social well being and wealth creation of our people. All actors in law enforcement, national security, network security practitioners in government and business, and the public will take part in the vision.
Mission
• Our mission is for Ghana to become a self-sufficient country attending to its cyber security needs by 2017
Identified CNII Sectors
1. National Defense and Security
2. Banking and Finance
3. Information and Communications
4. Energy
5. Transportation
6. Water
7. Health Services
8. Government machinery
9. Emergency services
10. Food and Agriculture
The Eight thrusts of the Policy
• Thrust 1: Effective Governance
– Centralize coordination of national cyber security initiatives
– Promote effective cooperation between public and private sectors
• Thrust 2: Legislative & Regulatory Framework
– Periodic review and enhancement of Ghana’s laws relating to cyber space by the Attorney General’s Department
– Progressive capacity building programs to acquire new skills and effective ways of enforcing cyber laws
• Thrust 3: Cyber Security Technology Framework
– Develop a national cyber security technology framework that specifies cyber security requirement controls and baselines for CNII elements
– Mechanism to implement an evaluation/certification program for cyber security products and systems
• Thrust 4: Culture of Security and Capacity Building
– Invest every resource needed to develop, foster and maintain a national culture of security
– Establish an effective mechanism for cyber security knowledge dissemination at the national level
– Identify minimum requirements and qualifications for information security professionals
• Thrust 5: Research & Development towards Self-Reliance
– Formalize the coordination and prioritization of cyber security research and develop activities to enlarge and strengthen the cyber security research
– Measures in place to nurture the growth of cyber security industry
The Eight Thrusts of the Policy (continued)
• Thrust 6: Compliance and Enforcement
– Standardize cyber security systems across all elements of the CNII
– Strengthen the monitoring and enforcement of standards and develop a standard cyber security risk assessment framework
• Thrust 7: Cyber Security Emergency Readiness
– Develop effective cyber security incident reporting mechanisms
   o Include the development and strengthening of the national CSIRT
– Development of a standard business continuity management framework and perform periodic vulnerability assessment programs
• Thrust 8: International Cooperation
– Encourage the active participation of Ghana in all relevant international cyber security bodies and conferences
Action Plans
1. Effective Governance
• Action plan: Set up governance structure and institutions to enable long-term substance of cyber security activity, including information exchange. Institutions include:
– National Cyber Security Council
– National Cyber Security Center
– National Computer Emergency Response Team
– National Cyber Security Policy Working Group
• Policy drivers: Ministry of Communications, National Security Council, NITA, NCA
2. Legislative and Regulatory Framework
• Action plan: Set up a Cyber Law Review Committee under the Attorney General’s Department to do a study on the laws of Ghana to accommodate legal challenges in the cyber environment, and review every three years
– Stage 1: Identification of issues in the cyber environment
– Stage 2: Review current laws on cyber environment
– Stage 3: Make recommendations for amendment of national laws
• Policy drivers: Attorney General’s Department
3. Cyber Security Technology Framework
• Action plan:
– Review and adopt international cyber security standards such as MS ISO/IEC 27001 to increase robustness of CNII sectors
– Expansion of national certification scheme for information security management & assurance
• Policy drivers: Ministry of Communications, NITA, NSC
Action Plans (continued)
4. Culture of Cyber Security & Capacity Building
• Action plan:
– Reduce number of information security incidents through improved awareness & skill level
   o Increase certification courses on information and cyber security
– Develop a National Cyber Security Awareness program and portal targeted at stakeholders by content providers using different packaging for different demographics
• Policy drivers: Ministry of Communications, Ministry of Information, (National Cyber Security Council, National Cyber Security Center, National CSIRT, National Cyber Security Policy Working Group)
5. Research & Development towards Self-Reliance
• Action plan: Develop National R&D Roadmap for Cyber Security
   o Identify technologies relevant & desirable for CNII
   o Provide domain competency development
   o Nurture growth of Cyber Security Industry
   o Update roadmap regularly
• Policy drivers: National Cyber Security Council, National Cyber Security Center, National CERT, Universities, CSIR, Professional certification Centers
6. Compliance & Enforcement
• Action plan: Develop Risk Assessment framework for CNII
7. Cyber Security Emergency Readiness
• Framework for cyber attack response – Mitigation of cyber attacks
• National and sector CSIRTs
• National Cyber Crises Management Committee
• National Cyber Crises Management WG
• National Cyber Security Council
Action Plans (continued)
8. International Cooperation
• Action plan:
– Engage in relevant international cyber security meetings
– Prioritize international engagements, sign and ensure compliance of international/regional conventions
• Policy drivers: Ministry of Communications, Ministry of Foreign Affairs, Attorney General’s Department, National Security Council
Implementation
Period, issues to be addressed, and activities:
• Short Term (0-1 Years): Identifying CNII and Addressing Immediate Concerns
– Identify Critical National Information Infrastructure
– Stop-gap measures to address fundamental vulnerabilities to the cyber security of the CNII
– Creating a centralized platform for security mechanism
– Establish Cyber Incident Response readiness
– Raising awareness of cyber security and its implications
• Medium Term (2-3 Years): Building the Infrastructure
– Setting up the necessary systems, process, standards and institutional arrangements (mechanisms)
– Building capacity amongst researchers and information security professionals
• Long Term (Year 4-5): Developing Self-Reliance
– Developing self-reliance in terms of technology as well as professionals
– Monitoring the mechanisms for compliance
– Evaluating and improving the mechanisms
– Creating the culture of cyber security
Structure of Initiatives within Strategy
Opportunities for Security Communities
• Information System Security practitioners are key drivers
– Critical mass of expertise needed to drive whole process
• Capacity building to be driven by practitioners
• Risk Management framework and strategies for maintaining CNII require skill set that can be found in the community
• ISACA and related professional bodies have a critical role in emerging cyber security strategy
Visit our Websites @
http://www.nita.gov.gh
http://www.eservices.gov.gh
http://www.data.gov.gh
Contact: [email protected], Phone: 0302-661777
Thank You!