Cto ciip-gaborone workshop-presentation-final-18-mar-2015.compressed
1. (cover)
2. Critical Information Infrastructure Protection Perspective on Cloud Computing Services
CIIP Workshop, Gaborone, Botswana, 23 – 24 March 2015
Presenter: Dr Martin Koyabe (CTO)
3. Acknowledgement: Ministry of Transport & Communications, Botswana
4. Table of Contents
Session 1: Understanding CIIP & Challenges
Session 2: Cloud Computing Today
Session 3: CIIP Perspective of Cloud Computing
Session 4: Cloud Computing CIIP Scenarios
Session 5: Steps Towards CI Protection
Session 6: Cybersecurity Threat Horizon
Session 7: Commonwealth Cybergovernance Model
5. Session 1: Understanding CIIP & Challenges
Presenter: Dr Martin Koyabe (CTO), CIIP Workshop, Gaborone, Botswana, 23 – 24 March 2015
6. Understanding CIIP
© Commonwealth Telecommunications Organisation | www.cto.int
• Critical Resources: general definition
• Critical Infrastructure
• Critical Information Infrastructure
• Interdependencies
7. Critical Resources
Defined by some national governments to include:
• Natural & environmental resources (water, energy, forests etc.)
• National monuments & icons, recognised nationally & internationally
(Figure: water, energy, forests)
8. Critical Infrastructure (1/3)
Defined by some national governments to include:
• The nation's public works, e.g. bridges, roads, airports, dams etc.
• Increasingly includes telecommunications, in particular major national and international switches and connections
(Figure: airports, power grid, roads)
9. Critical Infrastructure (2/3)
• "The assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof." Source: US Department of Homeland Security
• "The (CNI) comprises those assets, services and systems that support the economic, political and social life of the UK whose importance is such that loss could either cause large-scale loss of life; have a serious impact on the national economy; have other grave social consequences for the community; or be of immediate concern to the national government." Source: UK Centre for the Protection of National Infrastructure (CPNI)
• "An asset or system which is essential for the maintenance of vital societal functions. The damage to a critical infrastructure, its destruction or disruption by natural disasters, terrorism, criminal activity or malicious behaviour, may have a significant negative impact for the security of the EU and the well-being of its citizens." Source: European Union (EU)
10. Critical Infrastructure (3/3)
• "Those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation or affect Australia's ability to conduct national defence and ensure national security." Source: Australian, State & Territory Governments
• "Processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. Critical infrastructure can be stand-alone or interconnected and interdependent within and across provinces, territories and national borders. Disruptions of critical infrastructure could result in catastrophic loss of life, adverse economic effects, and significant harm to public confidence." Source: Government of Canada
• "Those facilities, systems, or functions, whose incapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation." Source: National Critical Information Infrastructure Protection Centre (NCIIPC, India)
11. What about developing countries?
Q) Does your country have a critical infrastructure framework?
12. Critical Infrastructure Sectors (1/2)
• The European Commission (EC) provides an indicative list of 11 critical sectors: Energy; ICT; Water; Food; Health; Financial; Public & Legal Order and Safety; Civil Administration; Transport; Chemical and Nuclear Industry; Space & Research
13. Critical Infrastructure Sectors (2/2)
• Provisional critical infrastructure list for Bangladesh: Energy (Oil/Gas); Telecoms; Transport (Roads); Monuments/Buildings; Water; Financial; ICT
Source: CTO CIIP Workshop, Dhaka, Bangladesh (Sep 2014)
14. Critical Information Infrastructure (1/2)
CII definition: "Communications and/or information service whose availability, reliability and resilience are essential to the functioning of a modern economy, security, and other essential social values." Rueschlikon Conference on Information Policy Report, 2005
15. Critical Information Infrastructure (2/2)
Figure: the critical infrastructures (telecoms, energy, transportation, finance/banking, government services, large enterprises, end-users) rest on the Critical Information Infrastructure, i.e. the cross-cutting ICT interdependencies among all sectors. Within each sector the essential IT systems are distinguished from non-essential IT systems. Cyber security is the set of practices and procedures that enable the secure use and operation of cyber tools and technologies.
16. Critical Information Infrastructure Protection (CIIP)
• Widespread use of the Internet has transformed stand-alone systems and predominantly closed networks into a virtually seamless fabric of interconnectivity.
• ICT or information infrastructure enables large-scale processes throughout the economy, facilitating complex interactions among systems across global networks; many of the critical services that are essential to the well-being of the economy are increasingly dependent on IT.
17. Critical Information Infrastructure Protection (CIIP)
• Today CIIP:
– Focuses on protection of IT systems and assets
o Telecoms, computers/software, Internet, interconnections & network services
– Ensures Confidentiality, Integrity and Availability
o Required 24/7, 365 days a year
o Part of the daily modern economy and the existence of any country
(Figure: sectors depending on CIIP – telecom network, power grid, water supply, public health, national defence, law enforcement)
18. CII Attack Scenarios
Figure: the Critical Information Infrastructure (CII), i.e. the cross-cutting ICT interdependencies among all sectors (telecoms, health services, cloud services, finance/banking, eGovernment), exposed to three classes of event:
• Natural disaster, power outage, or hardware failure
• Resource exhaustion (due to DDoS attack)
• Cyber attack (due to a software flaw)
19. Future CII Attack Vectors
• Expanding infrastructures
– Fibre optic connectivity
o TEAMS / Seacom / EASSy
– Mobile/wireless networks
o Kenya has 11.6 million Internet users and 31.3 million mobile network subscribers (CAK, 2014)
• Existence of failed states
– Increased ship piracy
o To fund other activities
– Cyber warfare platforms
o Do not need troops or military hardware
• Cyber communities
– Social networks
– Attacker's "gold mine"
20. Global Trends Towards CIIP
• Increased awareness of CIIP & cyber security
– Countries are aware that risks to CII need to be managed
o Whether at national, regional or international level
• Cyber security & CIIP becoming essential tools
– For supporting national security & socio-economic well-being
• At national level
– Increased need to share responsibilities & co-ordination
o Among stakeholders in prevention, preparation, response & recovery
• At regional & international level
– Increased need for co-operation & co-ordination with partners
o In order to formulate and implement effective CIIP frameworks
21. Challenges for developing countries
#1: Cost and lack of (limited) financial investment
– Funds required to establish a CIIP strategic framework can be a hindrance
– Limited human & institutional resources
(Figure: GDP listed by IMF, 2013)
22. Challenges for developing countries
#2: Technical complexity in deploying CIIP
– Need to understand dependencies & interdependencies
o Especially vulnerabilities & how they cascade
Figure: dependency chain from power plants to the regional power grid and regional power supply, then on to private D2D links and private datacentres (banks & trading), public datacentres (public administration, eGovernment online services, cloud computing), telco sites, switch areas and interconnections (public eComms, regional network, cables, wires, trunks), public transport, emergency care (police, firefighters, ambulances) and emergency calls. Outage tolerance tiers shown on the figure: at 99.9% availability (e.g. emergency calls) 8-hour outages are disastrous; at 99%, 3-day outages are disastrous; at 90%, 30-day outages are disastrous.
23. Challenges for developing countries
#3: Limited knowledge on how to identify and classify critical infrastructure
– Need to consider business value, scope of population & technical dependency
Figure: each critical function is built from infrastructure elements and key resources, each with its own supply chain; the interdependencies between these must be understood, together with the requirements & complexity involved.
24. Challenges for developing countries
#4: Need for cybersecurity education & a culture re-think
– Create awareness of the importance of cybersecurity & CIIP
o By sharing information on what works & successful best practices
– Creating a cybersecurity culture can promote trust & confidence
o It will stimulate secure usage and ensure protection of data and privacy
25. Challenges for developing countries
#5: Lack of relevant CII strategies, policies & frameworks
– Needs cybercrime legislation & enforcement mechanisms
– Set up policies to encourage co-operation among stakeholders
o Especially through Public-Private Partnerships (PPP)
#6: Lack of information sharing & knowledge transfer
– Important at ALL levels: national, regional & international
– Necessary for developing trust relationships among stakeholders
o Including CERT teams
26. Session 1: Group Discussions
Question: What is the CII definition for your country?
27. Session 2: Cloud Computing Today
Presenter: Dr Martin Koyabe (CTO), CIIP Workshop, Gaborone, Botswana, 23 – 24 March 2015
28. Cloud Computing
Should Cloud Computing be considered a Critical Information Infrastructure?
29. Concentration of ICT Resources
• Earlier approach not scalable and costly
Figure: information technology resources held per organisation or operator, with high-capacity links between organisations or operators.
30. Concentration of ICT Resources
• Spread associated costs among users
Figure: information technology resources consolidated in data centres; organisations or operators access resources in the same area.
31. Cloud Computing Deployment Models
• Private Cloud (hosted internally or externally)
• Hybrid Cloud
• Public Cloud
• Community Cloud (hosted internally by a member or externally)
32. Some of the benefits of Cloud Computing
Reduced capital & operational cost
• Less up-front capital investment
• Allows companies to increase resource needs gradually (pay-as-you-go)
Simplified application deployment & management
• Common programming model across platforms
• Access to an ecosystem of widely deployed applications
• Integration with existing IT assets
33. Cloud Computing
Simple definition: Cloud Computing = Software as a Service (SaaS) + Platform as a Service (PaaS) + Infrastructure as a Service (IaaS) + Data as a Service (DaaS) + * as a Service (*aaS)
34. Software as a Service (SaaS)
SaaS characteristics:
• From the end user's point of view
• Applications are located in the cloud
• Software experiences are delivered online (Internet)
35. Platform as a Service (PaaS)
PaaS characteristics:
• From the developer's point of view (i.e. cloud users)
• Cloud providers offer an Internet-based platform
• Developers use the platform to create services
36. Infrastructure as a Service (IaaS)
IaaS characteristics:
• Cloud providers build datacentres
– Power, scale, hardware, networking, storage, distributed systems etc.
• Datacentre as a service
• Users rent storage, computation & maintenance
37. Data as a Service (DaaS)
DaaS characteristics:
• Data -> Information -> Knowledge -> Intelligence
• Infrastructure for web data mining & knowledge
• Empower people with knowledge
• Enrich apps & services with intelligence
38. Uptake of Cloud Computing
• Western Europe market to grow to €15B by 2015
• Amazon AWS carries 1% of all Internet consumer traffic in North America
• Data centre growth estimated to be in excess of €30B
• Facebook server farm (Oregon) measures 14000 m2, cost ~$200M
(Figures: Microsoft's data center, San Antonio, Texas; Google's data centre, Georgia)
39. Who is leading the cloud market today?
40. Session 2: Group Discussions
Question: What is the level of Cloud Computing uptake in your country? Is it increasing?
41. Session 3: CIIP Perspective of Cloud Computing
Presenter: Dr Martin Koyabe (CTO), CIIP Workshop, Gaborone, Botswana, 23 – 24 March 2015
42. Concentration of ICT Resources
Large cloud providers can deploy security and business continuity measures and spread the associated cost among their customers. This can be a "double-edged sword": if an outage or security breach occurs, the consequences can be catastrophic, affecting a large number of users and organisations at once.
43. Concentration of ICT Resources
Japan Earthquake 2011
• Cloud computing was resilient
• Cloud services survived power outages by using emergency fuel
• Data connections over mobile networks and fixed networks held up
• Traditional IT deployments went offline
• Cloud computing was used to get organisations up and running
44. Concentration of ICT Resources
Lightning Strike, Dublin 2011
• Took down Amazon & Microsoft services. Outage lasted for 2 days
• Amazon's other customers (Foursquare, Reddit & Netflix) were badly affected
• Amazon's Elastic Compute Cloud (EC2) and Relational Database Service (RDS) experienced disruption in Northern Virginia
• Amazon US-EAST data centres were cut off from the Internet
(Note: the slide combines two 2011 AWS incidents. The August 2011 Dublin lightning strike affected Amazon's EU-West region and Microsoft services hosted in Dublin; the EC2/RDS disruption in Northern Virginia that hit US-East customers was the separate outage of April 2011.)
45. Cloud and CIIP
Cloud Computing services can be critical in two ways:
• Critical in themselves
• Critical for other critical services
46. Cloud and CIIP
e.g. a cloud-based eHealth Record Platform
• Critical in itself: needed for emergency health operations, which are themselves critical
• Critical to other systems: the systems that depend on the data records
47. Cloud and CIIP
Most CIIP action plans address two major issues:
(1) Cyber disruptions (outages) with large impact
Figure: users affected by the undersea cable cut near Alexandria, Egypt (2008) – India 12M, Pakistan 12M, Egypt 6M, Saudi Arabia 4.7M, UAE 1.7M, Kuwait 0.8M, Qatar 0.3M
48. Cloud and CIIP
(2) Cyber attacks with a large impact
• Influenced mainly by interdependencies
(Figure: snapshot of the Internet before an attack on Facebook. Source: NORSE)
49. CIIP Dependencies (1/4)
Continuity of services & infrastructure dependencies
50. CIIP Dependencies (2/4)
(Figure: the same dependency chain and outage tolerance tiers as slide 22: power plants -> regional power grid -> datacentres, telco sites and public eComms -> banks & trading, public administration, eGovernment, public transport, emergency care and emergency calls; 8-hour, 3-day and 30-day outages are disastrous at the 99.9%, 99% and 90% tiers respectively.)
51. CIIP Dependencies (3/4)
Software as a Service dependencies
52. CIIP Dependencies (4/4)
Figure: a single IT vendor for office software on which hospitals, a power plant, air traffic controllers, banks and public administration all depend.
53. Session 3: Group Discussions
Question: List (at least 3) known incidents/cases of CII-related attacks in the recent past in your country. Discuss any remedies taken (if known).
54. Session 4: Cloud Computing CIIP Scenarios
Presenter: Dr Martin Koyabe (CTO), CIIP Workshop, Gaborone, Botswana, 23 – 24 March 2015
55. Cloud Computing CIIP Scenarios
CII attack vectors (figure as on slide 18): the CII, i.e. the cross-cutting ICT interdependencies among telecoms, health services, cloud services, finance/banking and eGovernment, exposed to:
• Natural disaster, power outage, or hardware failure
• Resource exhaustion (due to DDoS attack)
• Cyber attack (due to a software flaw)
56. Cloud Computing CIIP Scenarios
Four (4) scenarios where Cloud Computing is critical
(1) Financial Services
(Figure source: New York Stock Exchange, NYSE)
57. Cloud Computing CIIP Scenarios
Figure: a trading platform delivered as SaaS. Traders reach the platform through web-interface access over the public Internet or telephony; the platform runs in data centres in which all systems are duplicated, with duplicated connections between the data centres over a private network of dedicated links.
58. Cloud Computing CIIP Scenarios
Key points:
• A software flaw can impact a wide range of organisations directly
• Consider creating "logical redundancy" in addition to "physical redundancy"
59. Cloud Computing CIIP Scenarios
(2) Health Services
• By 2016 about 30% of the IT budget of healthcare organisations would be devoted to cloud computing based expenses
• 73% plan to make greater use of cloud-based technologies in the future
Source: Accenture
60. Cloud Computing CIIP Scenarios
Figure: an eHealth Record Platform delivered as SaaS. Hospitals reach the platform through web-interface access over the public Internet or telephony; the platform runs in data centres in which all systems are duplicated, with duplicated connections between the data centres over a private network of dedicated links.
61. Cloud Computing CIIP Scenarios
Key point:
• Cloud computing is expected to bring additional efficiency gains in health care service provision
Figure: two attack examples
– "APT 18" launched the attack; said to have links with the Chinese government and to be behind targeted attacks on companies in the aerospace and defence, construction and engineering, technology, financial services and healthcare industries (Source: FireEye Inc)
– TDoS attack: a Telephony Denial of Service attack targets emergency response services in critical services such as health care
62. Cloud Computing CIIP Scenarios
(3) e-Government Services
• The UK Government cloud app store "GovStore" has over 1,700 information & communication services available to the UK public sector
Source: http://govstore.service.gov.uk
63. Cloud Computing CIIP Scenarios
[Diagram: eGovernment platform reference architecture]
• Data Centers: three datacenters; all systems are duplicated
• Private network, dedicated links: duplicated connections between the datacenters
• Public Internet or telephony: connects the eGov websites to the datacenters
• eGovernment platform: web-interface access (SaaS), running on the Gov cloud app store (PaaS)
64. Cloud Computing CIIP Scenarios
Key Point:
• eGovernment services need to be resilient against attacks at all levels
65. Cloud Computing CIIP Scenarios
(4) Cloud Services
66. Cloud Computing CIIP Scenarios
[Diagram: several cloud services stacked on one shared infrastructure/platform provider]
• Data Centers: three datacenters; all systems are duplicated
• Private network, dedicated links: duplicated connections between the datacenters
• Public Internet or telephony: connects eGov to the datacenters
• Tenants of the infrastructure or platform as a service layer (IaaS/PaaS): a webmail provider (SaaS), an online backup service (SaaS), and eGovernment applications (SaaS) running on a government app store (PaaS)
67. Cloud Computing CIIP Scenarios
Key Point:
• A failure at an IaaS/PaaS provider can have an impact across a range of organisations, affecting many end-users.
68. Session 4: Group Discussions
Question: What practical measures need to be taken to enhance CII resilience, especially the Cloud Infrastructure?
69. Session 5: Steps towards CI Protection
Presenter: Dr Martin Koyabe (CTO)
CIIP Workshop, Gaborone, Botswana, 23 – 24 March 2015
70. Steps towards CI Protection
(1) Establish CIP Goals, e.g.:
• Critical Infrastructure (CI): Critical infrastructures provide the essential services that support modern information societies and economies. Some CI support critical functions and essential services so vital that their incapacitation, exploitation or destruction, through natural disaster, technological failure, accidents or intentional attacks, could have a debilitating effect on national security and economic well-being.
• Understand Critical Infrastructure (CI) Risks: CI exploitation or destruction, through natural disaster, technological failure, accidents or intentional attacks, could have a debilitating effect on national security and economic well-being.
• Articulate CIP policy/goals: Prevent or minimize disruptions to critical information infrastructures, no matter the source, and thereby protect the people, the economy, the essential human and government services, and national security. In the event disruptions do occur, they should be infrequent, of minimal duration and manageable.
• Establish Public-Private Partnerships: A national CIP framework includes the relevant government entities, as well as public-private partnerships involving corporate and non-governmental organizations.
71. Steps towards CI Protection
(2) Define CIP Roles
[Diagram: responsibilities by actor]
• Government: define policy and identify roles; define CIP goal and roles; determine acceptable risk levels
• Public-Private Partnership: define what's critical; assess risks; prioritize risks; identify controls and mitigations; implement controls; measure effectiveness
• Infrastructure operators & service providers: deploy the best control solutions
72. Steps towards CI Protection
[Diagram: CIP stakeholders, grouped as Government / Shared / Private]
• Government: CIP Coordinator (Executive Sponsor), Law Enforcement, Sector Specific Agency, Computer Emergency Response Team (CERT)
• Shared: Public Private Partnership
• Private: Infrastructure owners and operators, IT vendors and solution providers
73. Steps towards CI Protection
(3) Identify & Prioritize Critical Functions
[Diagram: each critical function depends on infrastructure elements and key resources, each with its own supply chain; the critical functions are linked by interdependencies. Understand requirements & complexity.]
• Understand the critical functions, infrastructure elements, and key resources necessary for
– Delivering essential services
– Maintaining the orderly operation of the economy
– Ensuring public safety
74. Steps towards CI Protection
(4) Continuously Assess and Manage Risks
[Diagram: risk management cycle: Assess Risks → Identify Controls and Mitigations → Implement Controls → Measure Effectiveness → repeat]
• Assess Risks
– Identify key functions
– Assess risks
– Evaluate consequences
– Define functional requirements
• Identify Controls and Mitigations
– Evaluate proposed controls
– Estimate risk reduction / cost benefit
– Select mitigation strategy
• Implement Controls
– Based on a holistic approach
– Implement defense in depth
– Organize by control effectiveness
• Measure Effectiveness
– Evaluate program effectiveness
– Leverage findings to improve risk management
75. Steps towards CI Protection
(5) Establish & Exercise Emergency Plans
• Develop joint PPP plans for managing emergencies, including recovering critical functions in the event of significant incidents, including but not limited to natural disasters, terrorist attacks, technological failures or accidents.
• Create emergency response plans to mitigate damage and promote resiliency.
• Create effective emergency response plans that are generally short and highly actionable, so that they can be readily tested, evaluated, and implemented.
• Test and exercise emergency plans to promote trust, understanding and greater operational coordination among public and private sector organizations.
• Exercises also provide an important opportunity to identify new risk factors that can be addressed in response plans or controlled through regular risk management functions.
76. Steps towards CII Protection
(5) Establish Public Private Partnership (PPP)
• Promote the trusted relationships needed for information sharing and collaborating on difficult problems
• Leverage the unique skills of government and private sector organizations
• Provide the flexibility needed to collaboratively address today's dynamic threat environment
77. Steps towards CII Protection
(6) Build Security & Resiliency into Operations
• Ability to prepare for and adapt to changing conditions, and to withstand and recover rapidly from disruptions
• Implement contingency frameworks that will enable critical functions to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents
78. Steps towards CII Protection
(7) Update & Innovate Technology and Processes
• Cyber threats are constantly evolving
• All CIP stakeholders need to prepare for changes in cyber threats
• Constantly monitor trends and changes in critical function dependencies
• Keep systems patched and maintain the latest software versions
• Adopt smart & effective procedures and processes
79. Session 5: Group Discussions
Questions:
• What should be the additional roles and responsibilities of the state?
• What investment is required to address CIIP vulnerabilities & threats?
• How should the private sector & government work on CIIP and build trust?
80. Session 6: Cybersecurity Threat Horizon
Presenter: Dr Martin Koyabe (CTO)
CIIP Workshop, Gaborone, Botswana, 23 – 24 March 2015
81. Relevant trends in Africa today (1/2)
• Increased penetration of smart phones
– Lower costs (~$80) have increased user uptake
– Other models: Tecno (China), Wiko (France) & Infinix (Hong Kong)
– Will increase from 17% (2014) to 34% (2018)
• Africa leads mobile subscriptions
– 55% (1.3 billion) from developing countries
[Chart: mobile subscriptions, Developed Countries 45% vs Developing Countries 55%]
• Rapid growth of eCommerce
– Websites such as Jumia, Cheki & OLX
82. Relevant trends in Africa today (2/2)
• Expanding infrastructure
– SAT3/GLO/WACS/ACE etc., e.g. 6Km of fibre in Cameroon
• Mobile money transfer
– Growing rapidly, e.g. M-Pesa has 16.8 million customers
– Handles >$1 billion in transactions per month in Kenya alone
– Nigeria introduced a digital ID and transaction card
• Social media
– 78% of internet usage in Africa is for social media
– Estimated $230 billion contribution to Africa's growth by 2025
83. Emerging Cyber Threats (1/3)
• The 2014 global cyber attacks assessment shows
– Africa accounted for 4% of security incidents worldwide
– Every second, 18 adults become victims of cybercrime
– 1.5 million victims globally per day
• Financial fraud
– Africa's major cities such as Cairo, Johannesburg, Lagos and Nairobi experience many cases of financial fraud
– African countries are becoming both targets and sources of malicious Internet activity
• Software piracy and lack of updated software
– Home user PCs remain vulnerable to cyber attacks
84. Emerging Cyber Threats (2/3)
• Use of ICT to commit acts of terrorism
– Planning, co-ordination, implementation and promotion, for example by Boko Haram, ISIS, Al-Shabaab & Al-Qaida
– Creates socio-economic problems. For example, the Westgate Mall attack in Kenya: 67 people killed and nearly $200 million in lost tourism revenue
[Image: teenage girls in the UK who flew to Syria via Turkey]
85. Emerging Cyber Threats (3/3)
• Cyber attacks targeting government websites
– Defacement of websites, motivated by individual reasons
o Nigeria Defence HQ attacked for fighting Boko Haram
o Ghana (gov.gh) portal attacked (11 out of 58 sites attacked)
o Senegalese ICT agency site attacked, linked to Charlie Hebdo
• Social media
– Reputation damage and defamation are a new form of cyber attack
– Anonymity on social networks: could tools such as Yik Yak be used for cyber bullying?
86. Cybersecurity challenges facing Africa
• Low level of security provisions
– Inadequate controls and lack of information risk assessment
• Lack of technical know-how
– Inability to monitor and defend national networks
• Need to develop the necessary legal frameworks
– 21 countries in Africa have proposed legislation
• Cross-boundary challenges of Cybersecurity
– Inability to prosecute and apprehend at source
• Limited levels of awareness
– Regulators, military, law enforcement, judiciary, legislators
87. Policy, Legal & Regulatory Considerations
Success of the above needs full government support
• Legal framework
– Lack of Cybersecurity legislation affects businesses
– Needs technology to support enforcement
• Regional harmonization of policy & legal frameworks
– A global good; needs national, regional & international action
• Co-ordination and cooperation is a MUST
– Cybersecurity is a cross-boundary issue
– Needed to combat ICT fraud, hacking, child pornography and copyright infringement
– Creates uniformity in procedures and processes
88. Technology Considerations
Success of the above needs full government support
• Development of infrastructure
– Develop reliable, resilient and available connectivity
• Need to establish & enhance national CERTs
– Create sectoral CERTs
o Finance, Energy, Transport, Military, Maritime, SMEs etc.
– Harmonize regional CERTs or CIRTs
• Best practice in Cyber governance
– Encourage use of country Top Level Domain (TLD) names
89. Capacity building, Research & Innovation Considerations
Success of the above needs full government support
• Cybersecurity is complex & challenging
– Develop technical skills through training & collaborations
– Use expertise from the Diaspora
• Cultivate a culture of Cybersecurity awareness
– CERTs must be proactive rather than reactive
– Engage in capacity building initiatives with ALL stakeholders
• Best practice in Cyber governance
– Encourage use of country Top Level Domain (TLD) names
– Have an effective data protection act
90. Session 7: Commonwealth Cybergovernance Model
Presenter: Dr Martin Koyabe (CTO)
CIIP Workshop, Gaborone, Botswana, 23 – 24 March 2015
91. Trends in Cyberspace
• Cyberspace provides access to ICT
– Bridging the digital divide and influencing socio-economic activities
• Cyberspace is increasingly becoming a global system
– Anticipated to grow from 2 to 4 billion users by 2020 (mostly from developing countries)
• Cyberspace is open, decentralised and empowering
– This has fostered innovation, collaboration and rapid development
• Cyberspace success depends on its infrastructure
– Infrastructure should be secure, resilient and available to users
• Cyberspace can also be used for criminal activities
– Cybercrime, extremism and other social crimes
92. Why a Commonwealth Model
• Contrasting views are emerging across the world on governing Cyberspace
• Harmonisation is critical to facilitate growth and to realise the full potential of Cyberspace
• The Commonwealth family subscribes to common values and principles which are equally applicable to Cyberspace
• CTO is the Commonwealth agency mandated in ICTs
• The project was launched at the 53rd council meeting of the CTO in Abuja, Nigeria (9th Oct 2013)
• Wide consultations with stakeholders
• Adopted at the Commonwealth ICT Ministers Forum on 3rd and 4th March 2014 in London
93. Objectives
The Cybergovernance Model aims to guide Commonwealth members in:
– Developing policies, legislation and regulations
– Planning and implementing practical technical measures
– Fostering cross-border collaboration
– Building capacity
94. Commonwealth Values in Cyberspace
• Based on the Commonwealth Charter of March 2013
– Democracy, human rights and rule of law
• The Charter expressed the commitment of member states to
– The development of free and democratic societies
– The promotion of peace and prosperity to improve the lives of all peoples
– Acknowledging the role of civil society in supporting Commonwealth activities
• Cyberspace today and tomorrow should respect and reflect the Commonwealth Values
– This has led to defining Commonwealth principles for the use of Cyberspace
95. Commonwealth Principles for the use of Cyberspace
Principle 1: We contribute to a safe and an effective global Cyberspace
• as a partnership between public and private sectors, civil society and users, a collective creation;
• with multi-stakeholder, transparent and collaborative governance promoting continuous development of Cyberspace;
• where investment in Cyberspace is encouraged and rewarded;
• by providing sufficient neutrality of the network as a provider of information services;
• by offering stability in the provision of reliable and resilient information services;
• by having standardisation to achieve global interoperability;
• by enabling all to participate with equal opportunity of universal access;
• as an open, distributed, interconnected internet;
• providing an environment that is safe for its users, particularly the young and vulnerable;
• made available to users at an affordable price.
96. Commonwealth Principles for the use of Cyberspace
Principle 2: Our actions in Cyberspace support broader economic and social development
• by enabling innovation and sustainable development, creating greater coherence and synergy, through collaboration and the widespread dissemination of knowledge;
• respecting cultural and linguistic diversity without the imposition of beliefs;
• promoting cross-border delivery of services and free flow of labour in a multi-lateral trading system;
• allowing free association and interaction between individuals across borders;
• supporting and enhancing digital literacy;
• providing everyone with information that promotes and protects their rights and is relevant to their interests, for example to support transparent and accountable government;
• enabling and promoting multi-stakeholder partnerships;
• facilitating pan-Commonwealth consultations and international linkages in a single globally connected space that also serves local interests.
97. Commonwealth Principles for the use of Cyberspace
Principle 3: We act individually and collectively to tackle cybercrime
• nations, organisations and society work together to foster respect for the law;
• to develop relevant and proportionate laws to tackle Cybercrime effectively;
• to protect our critical national and shared infrastructures;
• meeting internationally-recognised standards and good practice to deliver security;
• with effective government structures working collaboratively within and between states;
• with governments, relevant international organisations and the private sector working closely to prevent and respond to incidents.
98. Commonwealth Principles for the use of Cyberspace
Principle 4: We each exercise our rights and meet our responsibilities in Cyberspace
• we defend in Cyberspace the values of human rights, freedom of expression and privacy as stated in our Charter of the Commonwealth;
• individuals, organisations and nations are empowered through their access to knowledge;
• users benefit from the fruits of their labours; intellectual property is protected accordingly;
• users can benefit from the commercial value of their own information; accordingly, responsibility and liability for information lies with those who create it;
• responsible behaviour demands that all users meet minimum Cyberhygiene requirements;
• we protect the vulnerable in society in their use of Cyberspace;
• we, individually and collectively, understand the consequences of our actions and our responsibility to cooperate to make the shared environment safe; our obligation is in direct proportion to culpability and capability.
99. Commonwealth Approach for Developing National Cybersecurity Strategies
100. Development of a National Cybersecurity Strategy
• Needs support from the highest levels of government
• Adopt a multi-stakeholder partnership (private sector, public sector & civil society)
• Draw on the expertise of the international community
• Appoint a lead organisation or institution
• Be realistic and sympathetic to the commercial considerations of the private sector
• Add mechanisms to monitor & validate implementation
101. Main elements of a Cybersecurity Strategy
• Introduction and background
• Guiding principles
• Vision and strategic goals
• Specific objectives
• Stakeholders
• Strategy implementation
102. Introduction & Background
• Focuses on the broad context
• Sets out the importance of Cybersecurity to national development
• Assesses the current state of Cybersecurity and its challenges
Strategy component: 1. Introduction / background
This section provides a succinct background of the country's circumstances and the status of its Cybersecurity.
Aspects to consider:
• Explain the importance of Cybersecurity to economic and social development.
• Describe the use of Cyberspace and the nature of the Cybersecurity challenges, to justify the need for the Cybersecurity strategy.
• Explain the relationship to existing national strategies and initiatives.
Example text from published strategies and best practice:
Uganda's introduction covers:
• The definition of information security
• The justification for a strategy
• Country analysis of the current state of the information security framework
• Strategy guiding principles
• Vision, mission, strategic objectives
Note that this example covers the first three sections in this framework.
103. Guiding Principles (1/2)
• Based on the Commonwealth Cybergovernance principles
• Balance security goals & privacy/protection of civil liberties
• Risk-based (threats, vulnerabilities, and consequences)
• Outcome-focused (rather than the means to achieve it)
• Prioritised (graduated approach focusing on critical issues)
• Practicable (optimise for the largest possible group)
• Globally relevant (harmonised with international standards)
104. Guiding Principles (2/2)
Strategy component: 2. Guiding principles
This section identifies the guiding principles for addressing Cybersecurity within which the strategy is designed and delivered.
Aspects to consider:
• Build from the principles of the Commonwealth Cybergovernance model.
• Include any relevant national principles.
• Describe the delivery principles that guide the design of the goals, vision and objectives.
Example text from published strategies and best practice:
In addition to the Commonwealth Cybergovernance principles and national principles, the following delivery principles are recommended:
• Risk-based. Assess risk by identifying threats, vulnerabilities, and consequences, then manage the risk through mitigations, controls, costs, and similar measures.
• Outcome-focused. Focus on the desired end state rather than prescribing the means to achieve it, and measure progress towards that end state.
• Prioritised. Adopt a graduated approach and focus on what is critical, recognising that the impact of disruption or failure is not uniform among assets or sectors.
• Practicable. Optimise for adoption by the largest possible group of critical assets and realistic implementation across the broadest range of critical sectors.
• Globally relevant. Integrate international standards to the maximum extent possible, keeping the goal of harmonization in mind wherever possible.
105. Visions & Strategic Goals
• Promote economic development
• Provide national leadership
• Tackle cybercrime
• Strengthen the critical infrastructure
• Raise and maintain awareness
• Achieve shared responsibility
• Defend the value of Human Rights
• Develop national and international partnerships
106. Visions & Strategic Goals
Strategy component: 3. Strategic goals and vision
This section defines what success looks like in broad summary terms and reflects the country's priorities.
Aspects to consider:
• Make a clear statement of the country's commitment to protecting the use of its Cyberspace
• Emphasise the breadth of the use of Cyberspace: covering social and economic activity
• Include text that can be quoted as part of the communication with wider stakeholders, e.g. a vision statement.
Example text from published strategies and best practice:
Australia's vision: "The maintenance of a secure, resilient and trusted electronic operating environment that supports Australia's national security and maximises the benefits of the digital economy"
Three pillars of the Australian strategy:
• All Australians are aware of cyber risks, secure their computers and take steps to protect their identities, privacy and finances online;
• Australian businesses operate secure and resilient information and communications technologies to protect the integrity of their own operations and the identity and privacy of their customers;
• The Australian Government ensures its information and communications technologies are secure and resilient.
Four pillars of the UK strategy:
• Tackle cybercrime and be one of the most secure places in the world to do business in cyberspace;
• To be more resilient to cyber attacks and better able to protect our interests in cyberspace;
• To have helped shape an open, stable and vibrant cyberspace which the UK public can use safely and that supports open societies;
• To have the cross-cutting knowledge, skills and capability it needs to underpin all our Cybersecurity objectives.
107. Specific Objectives
• Provide a national governance framework for securing Cyberspace
• Enhance the nation's preparedness to respond to the challenges of Cyberspace
• Strengthen Cyberspace and the national critical infrastructure
• Secure national ICT systems to attract international businesses
• Build a secure, resilient and reliable Cyberspace
• Build relevant national and international partnerships and put effective political-strategic measures in place to promote Cyber safety
• Develop a culture of Cybersecurity awareness among citizens
• Promote a culture of "self protection" among businesses and citizens
• Create a secure Cyber environment for the protection of businesses and individuals
• Build the skills and capabilities needed to address Cybercrime
• Become a world leader in Cybercrime-preparedness and Cybercrime-defence
108. Specific Objectives
Strategy component: 4. Risk management (risk-based approach objectives)
How the risk management process works, and then setting objectives and priorities. This section describes how risk management is performed and provides a top-level analysis. It states specific and tangible targets and assigns relative priorities.
Aspects to consider:
• How risk management is currently performed, for example for national security.
• Sources of threat information and of major vulnerabilities.
• How granular to make the outcomes and objectives.
• How frequently to repeat the risk assessment process.
Example text from published strategies and best practice:
Source: Microsoft's guidance, listed in appendix 3:
• A clear structure for assessing and managing risk
• Understand national threats and major vulnerabilities
• Document and review risk acceptance and exceptions
• Set clear security priorities consistent with the principles
• Make national cyber risk assessment an on-going process
109. Stakeholders
[Diagram: strategy stakeholders, grouped as Government / Shared / Private]
• Government: CIP Coordinator (Executive Sponsor), Law Enforcement, Sector Specific Agency, Computer Emergency Response Team (CERT)
• Shared: Public Private Partnership, International Organisations
• Private: Infrastructure owners and operators, IT vendors and solution providers
110. Specific Objectives: Stakeholders
Strategy component: 4. Stakeholders
This section identifies key participants in the development and delivery of the strategy. Roles and responsibilities should be clearly defined using RACI terminology (see appendix 5).
Aspects to consider:
• Identify all relevant key stakeholders, taking into consideration country objectives and focus areas
• Identify key international stakeholders and partners that could contribute effectively
• Draw stakeholders from governmental and non-governmental organizations, civil society, academia, and the public and private sectors of the economy. Should include, but not be limited to, software and equipment vendors, owners and operators of CII, law enforcement institutions etc.
Example text from published strategies and best practice:
In constructing the list of stakeholders, the following constituencies should be considered:
• ministers and other politicians;
• government departments concerned with ICT, telecommunications and information security;
• private sector organisations that provide ICT services;
• government departments whose responsibilities rely upon or who engage with Cyberspace, including: most economic activity, trade, tourism, law enforcement;
• providers of the critical national infrastructure whose vital communications are increasingly carried across the internet;
• companies across the economy that rely upon Cyberspace, often represented by trade associations;
• representatives of civil society, often in the form of groups that reflect broad public opinion and can advise on the best way to achieve outcomes involving the public;
• civil society organisations that represent particular parts of society or interest groups and can explain, for example, the needs of the young, of women, of rural communities and of the vulnerable;
• experts who understand how Cyberspace works, from a technical perspective, to ensure that government strategies are practical;
• academia, who can advise on R&D, international best practice, emerging issues;
• international bodies such as the Commonwealth Telecommunications Organisation;
• other countries, particularly regional countries.
111. Strategy Implementation
• Governance and management structure
• Legal and regulatory framework
• Capacity development
• Awareness and outreach programmes
• Incident response
– Incentivize commercial competitors to cooperate
– Create national CERTs (including sector-based CERTs)
• Stakeholder collaboration
• Research and development
• Monitoring and evaluation
112. Strategy Implementation
[Diagram]
113. What Next? Upcoming CIIP Workshops
CTO CIIP Workshops (status legend on the map: successfully completed / scheduled to take place / to be confirmed):
• Colombo, Sri Lanka / Dhaka, Bangladesh: Aug–Sep 2014
• Port Vila, Vanuatu: Sep–Oct 2014
• Nairobi, Kenya: Nov 2014
• Yaounde, Cameroon: Jan–Feb 2015
114. Q & A Session
Further Information
Contact: Dr Martin Koyabe
Email: m.koyabe@cto.int
Tel: +44 (0) 208 600 3815 (Off), +44 (0) 791 871 2490 (Mob)