National Cybersecurity Management System
Mohamed Dafir EL KETTANI, PhD, ISO 27001 Lead Implementer
Professor, ENSIAS, University Mohammed V-Souissi, Morocco

Uploaded by segughana on 22-Jan-2015 (Category: Technology)

TRANSCRIPT

1. National Cybersecurity Management System
Mohamed Dafir EL KETTANI, PhD, ISO 27001 Lead Implementer
Professor, ENSIAS, University Mohammed V-Souissi, Morocco

2. Agenda
1 Introduction
2 National Cybersecurity Management System: NCSec Framework; Maturity Model; Roles & Responsibilities; Implementation Guide
3 Morocco Case: ICT Strategic Plan; Cybersecurity Roadmap
4 Conclusion

3. 1 - Introduction

4. Introduction (1/3)
Increasing computer security challenges in the world.
Which entity (or entities) should be given the responsibility for national cybersecurity?
- Case-by-case organisational structures
- Partially standardized organisational structures (for example, CERTs)
Self-assessment: best practices that organizations can refer to in order to evaluate their readiness status.
- Case-by-case strategies
- Gap between countries and regions

5. Introduction (2/3)
But there is a lack of international standards (clear guidance) with which a State or region can measure its current security status.
- Lack of framework
- Lack of global vision in terms of: capacity building; certification; self-assessment; responsibilities & roles; implementation process; measurement through indicators; etc.
Harmonization between countries and regions is a delicate process.

6. Introduction (3/3)
The main objective of this presentation is to propose a model of National Cybersecurity Management System (NCSecMS): a global framework that best responds to the needs expressed by the ITU Global Cybersecurity Agenda (GCA 2007).
- More than recommendations: the result of benchmarking
- Answers real needs in terms of cybersecurity
- Adapted to a case-by-case implementation process
Working team: former members of the HLEG Working Area 3 (Organisational Structures).

7. 2 - National Cybersecurity Management System

8. NCSecMS Components
NCSec Management System:
1 NCSecFR, NCSec Framework: 5 domains, 34 processes (based on ITU documents and ISO 27002)
2 NCSecMM, Maturity Model: one maturity model for each process (based on COBIT v4.1)
3 NCSecRR, Roles & Responsibilities: RACI chart by process (National NCSec Stakeholders Framework)
4 NCSecIG, Implementation Guide: PDCA cycle (based on ISO 27003 and ISO 27001)
9. NCSecMS Components (publications)
Moroccan proposal to ITU Q22/1 (September 2009): NCSec Management System.
1 NCSecFR, NCSec Framework (5 domains, 34 processes; ITU documents, ISO 27002): ICEGOV 2008 conference
2 NCSecMM, Maturity Model for each process (COBIT v4.1): ECEG 2009 conference
3 NCSecRR, Roles & Responsibilities, RACI chart by process (National NCSec Stakeholders Framework): ECIW 2009 conference
4 NCSecIG, Implementation Guide, PDCA (ISO 27003, ISO 27001): ITU Tunis 2009, National Recommendation

10. NCSecMS Components (purpose)
Moroccan proposal to ITU Q22/1 (September 2009): NCSec Management System.
1 NCSecFR, NCSec Framework (5 domains, 34 processes): points out vulnerabilities and demonstrates them to government
2 NCSecMM, Maturity Model for each process: provides metrics to measure their achievement
3 NCSecRR, Roles & Responsibilities (RACI chart by process): points out roles and responsibilities
4 NCSecIG, Implementation Guide (PDCA): finds out the profiles needed to achieve the role of a stakeholder

11. 2.1 - National Cybersecurity Framework

12. NCSec Framework: 5 Domains / 34 Processes

13. Domain 1: Strategy and Policies (SP)
SP1 NCSec Strategy: Promulgate & endorse a National Cybersecurity Strategy
SP2 Lead Institutions: Identify a lead institution for developing a national strategy, and 1 lead institution per stakeholder category
SP3 NCSec Policies: Identify or define policies of the NCSec strategy
SP4 Critical Information Infrastructures Protection: Establish & integrate risk management for identifying & prioritizing protective efforts regarding CII
SP5 Stakeholders: Identify the degree of readiness of each stakeholder regarding the implementation of the NCSec strategy, and how stakeholders pursue the NCSec strategy & policies
14. Domain 2: Implementation and Organisation (IO)
IO1 NCSec Council: Define a National Cybersecurity Council for coordination between all stakeholders, to approve the NCSec strategy
IO2 NCSec Authority: Define a specific high-level authority for coordination among cybersecurity stakeholders
IO3 National CERT: Identify or establish a national CERT to prepare for, detect, respond to, and recover from national cyber incidents
IO4 Privacy and Personal Data Protection: Review the existing privacy regime and update it to the online environment
IO5 Laws: Ensure that a legal framework is established and regularly updated
IO6 Institutions: Identify institutions with cybersecurity responsibilities, and procure resources that enable NCSec implementation
IO7 National Experts and Policymakers: Identify the appropriate experts and policymakers within government, private sector and university
IO8 Training: Identify training requirements and how to achieve them
IO9 Government: Implement a cybersecurity plan for government-operated systems that takes change management into account
IO10 International Expertise: Identify international expert counterparts and foster international efforts to address cybersecurity issues, including information sharing and assistance efforts
15. Domain 3: Awareness and Communication (AC)
AC1 Leaders in the Government: Persuade national leaders in the government of the need for national action to address threats to and vulnerabilities of the NCSec through policy-level discussions
AC2 National Cybersecurity and Capacity: Manage national cybersecurity and capacity at the national level
AC3 Continuous Service: Ensure continuous service within each stakeholder and among stakeholders
AC4 National Awareness: Promote a comprehensive national awareness program so that all participants (businesses, the general workforce, and the general population) secure their own parts of cyberspace
AC5 Awareness Programs: Implement security awareness programs and initiatives for users of systems and networks
AC6 Citizens and Child Protection: Support outreach to civil society with special attention to the needs of children and individual users
AC7 Research and Development: Enhance Research and Development (R&D) activities (through the identification of opportunities and allocation of funds)
AC8 CSec Culture for Business: Encourage the development of a culture of security in business enterprises
AC9 Available Solutions: Develop awareness of cyber risks and available solutions
AC10 NCSec Communication: Ensure national cybersecurity communication
16. Domain 4: Compliance and Coordination (CC)
CC1 International Compliance & Cooperation: Ensure regulatory compliance with regional and international recommendations and standards
CC2 National Cooperation: Identify and establish mechanisms and arrangements for cooperation among government, private sector entities, university and NGOs at the national level
CC3 Private Sector Cooperation: Encourage cooperation among groups from interdependent industries (through the identification of common threats); encourage the development of private sector groups from different critical infrastructure industries to address common security interests collaboratively with government (through the identification of problems and allocation of costs)
CC4 Incidents Handling: Manage incidents through the national CERT to detect, respond to, and recover from national cyber incidents, through cooperative arrangements (especially between government and private sector)
CC5 Points of Contact: Establish points of contact (or CSIRTs) within government, industry and university to facilitate consultation, cooperation and information exchange with the national CERT, in order to monitor and evaluate NCSec performance in each sector

17. Domain 5: Evaluation and Monitoring (EM)
EM1 NCSec Observatory: Set up the NCSec observatory
EM2 Mechanisms for Evaluation: Define mechanisms that can be used to coordinate the activities of the lead institution, the government, the private sector and civil society, in order to monitor and evaluate the global NCSec performance
EM3 NCSec Assessment: Assess and periodically reassess the current state of cybersecurity efforts and develop program priorities
EM4 NCSec Governance: Provide national cybersecurity governance

18. 2.2 - Maturity Model

19. Maturity Model
CMM's five maturity levels of software processes:
1: At the initial level, processes are disorganized, even chaotic.
2: At the repeatable level, basic project management techniques are established, and successes can be repeated.
3: At the defined level, an organization has developed its own standard software process.
4: At the managed level, an organization monitors and controls its own processes through data collection and analysis.
5: At the optimizing level, processes are constantly being improved through monitoring feedback.

20. Maturity Model (applied to the SP processes)
SP1 Promulgate & endorse a National Cybersecurity Strategy
- Level 1: Recognition of the need for a national strategy
- Level 2: NCSec is announced & planned
- Level 3: NCSec is operational for all key activities
- Level 4: NCSec is under regular review
- Level 5: NCSec is under continuous improvement
SP2 Identify a lead institution for developing a national strategy, and 1 lead institution per stakeholder category
- Level 1: Some institutions have an individual cybersecurity strategy
- Level 2: Lead institutions are announced for all key activities
- Level 3: Lead institutions are operational for all key activities
- Level 4: Lead institutions are under regular review
- Level 5: Lead institutions are under continuous improvement
SP3 Identify or define policies of the NCSec strategy
- Level 1: Ad-hoc & isolated approaches to policies & practices
- Level 2: Similar & common processes announced & planned
- Level 3: Policies and procedures are defined, documented & operational
- Level 4: National best practices are applied
- Level 5: Integrated policies & procedures; repeatable transnational best practice
SP4 Establish & integrate a risk management process for identifying & prioritizing protective efforts regarding NCSec (CIIP)
- Level 1: Recognition of the need for a risk management process in CIIP
- Level 2: CII are identified & planned; the risk management process is announced
- Level 3: The risk management process is approved & operational for all CII
- Level 4: The CIIP risk management process is complete, repeatable, and leads to CI best practices
- Level 5: The CIIP risk management process evolves to an automated workflow & is integrated to enable improvement
21. Self-Assessment
[Radar chart, scale 0 to 5, one axis per assessed process: SP1 Strategy, SP4 CIIP, IO2 Authority, IO3 N-CERT, IO5 Laws, AC5 Awareness Prg, CC1 Intern Coop, CC2 Nat Coord, EM4 Governance]

22. 2.3 - Roles and Responsibilities (RACI Chart)

23. RACI Chart / Stakeholders
R = Responsible, A = Accountable, C = Consulted, I = Informed. One letter per stakeholder column, in slide order:
SP1 NCSec Strategy (Promulgate & endorse a National Cybersecurity Strategy): I A C C R C C C I I R I I I
SP2 Lead Institutions (Identify a lead institution for developing a national strategy, and 1 lead institution per stakeholder category): I I A C R C C I I R C C C C
SP3 NCSec Policies (Identify or define policies of the NCSec strategy): A C R C I C I R I I
SP4 Critical Infrastructures (Establish & integrate risk management for identifying & prioritizing protective efforts regarding NCSec (CIIP)): A R R C I R C R I

24. 2.4 - Implementation Guide

25. Implementation Guide
A roadmap to assist high-level decision makers in cybersecurity implementation at the national level:
1 Input: HL Awareness. Action: Approve Implementation. Output: HL Commitment
2 Inputs: HL Commitment, NCSec Framework. Action: Define Scope & Strategy. Output: NCSec Strategy
3 Inputs: NCSec Strategy, NCSec Maturity Model. Action: Conduct National Context Analysis. Output: National Information Security Assessment
4 Inputs: National Information Security Assessment, NCSec Framework. Action: Conduct Risk Assessment. Output: Selected NCSec Processes
5 Inputs: Selected NCSec Processes, NCSec RACI Chart. Action: Design Management System. Output: NCSec Management System
6 Inputs: NCSec MS, ISO 27001, NCSecIG. Action: Implement the Implementation Program. Output: NCSec Management System

26. ACM Publication

27. 3 - Morocco Case
28. Maroc Numeric 2013: Morocco ICT Strategic Plan
Consists of 4 strategic priorities (Social Transformation; User-Oriented Public Services; Computerization of SMEs; IT Industry Development), 2 accompanying measures (Human Capital; Cybersecurity) and 2 implementation modes (Governance; Budget), broken down into 18 initiatives and 51 actions.
Initiatives named on the slide include: Ensuring Access to Education; Internet Broadband Access; Local Content Development; Public Administration Efficiency; Citizens Services; Enterprises Services; Raising Awareness; Mobilization of prescriptions; Entrepreneurial and Regulatory Framework; Cluster TI; IT Offshoring; Offshoring TI Training Plans; New Training Courses; Promotion and Development; Areas of Excellence; Regulatory Framework; Organizational Structures; Awareness; Supervision and Follow-up Governance Structures; IT Observatory; Financial Resources.

29. Cybersecurity (1/2)
Ambition: ensure business trust, enhance cyber-confidence and security capabilities, and secure critical information infrastructures.
Objectives 2013: compliance of Moroccan IT laws (Protection of Personal Data, Consumer Protection, Legal Electronic Data Exchange) with common international laws; 60 000 electronic certificates delivered.
Initiative: Regulatory Framework
- Protection of Personal Data: Set up the National Commission for Data Protection (CNDP)
- Consumer Protection: Elaborate the necessary legal and regulatory texts to protect online consumers
- ICT Legal Study: Upgrade/update the legal and regulatory framework in order to face the cybersecurity challenges and harmonize it with partner countries
Initiative: Organizational Structures
- Electronic Certification Provider: Support the creation of a PKI provider for ensuring electronic signature
- Creation of a Computer Emergency Response Team (ma-CERT): Set up the National Computer Emergency Response Team (MA-CERT)
- Critical Information Infrastructures Protection: Encourage the development of backup sites to ensure the business continuity of critical information infrastructures in Morocco
30. Cybersecurity (2/2)
Initiative: Awareness and Communication
- Child/Younger Online Protection: Raise awareness of children, young people and parents on cybersecurity and cyber-confidence issues
- Administration and Enterprise awareness: Raise awareness of the administration and enterprises on cybersecurity and cyber-confidence issues
Initiative: Capacity Building
- ISS integration in Higher Education: Integrate Information Security Systems (ISS) in higher education and training programs
- Judge/Magistrate ISS Training: Ensure training on ISS for judges/magistrates
- Continuous Training: Ensure continuous training for administration employees/officials on ISS

31. 4 - Conclusion

32. Conclusion
NCSecMS: more than a best-practice document related to national cybersecurity.
- Affords a complete environment with indicators at the national level
- Provides metrics to measure their achievement, and identifies from a cybersecurity viewpoint the associated responsibilities of stakeholders and the control process
Extensions:
- Quality of implementation measurement for each element
- Security metrics: a meaningful gauge of NCSec performance
- Costs and benefits of an organized, mature and high-quality security program can be better understood

33. Conclusion
National Cybersecurity Capacity Building:
- Affords a complete environment describing needs and profiles at the national level
- Might provide metrics to measure their achievement
- Identifies from a cybersecurity viewpoint the associated responsibilities of stakeholders and the needed profiles (certification, etc.)
Extensions:
- Quality of implementation measurement for each element
- Capacity building metrics
- High-quality, security-adequate profiles can better answer national needs
34. Conclusion
Results:
- NCSecMS: adopted as a National Recommendation by the ITU during the ITU Regional Cybersecurity Forum for Africa and Arab States (4-5 June 2009, Tunis)
- NCSecMS & ITU: Q22/1, September 2009
Extension of this work:
- Questionnaire elaboration
- A benchmarking tool for evaluating cybersecurity at the trans-national level, in collaboration with the ITU within its Global Cybersecurity Agenda: some national case studies

35. Thank you for your attention
Email: [email protected]