REPUBLIC OF GHANA MINISTRY OF COMMUNICATIONS. Ghana National Cyber Security Policy & Strategy

Transcription

1 REPUBLIC OF GHANA MINISTRY OF COMMUNICATIONS Ghana National Cyber Security Policy & Strategy Final Draft March 2014

2 EXECUTIVE Document Contact a. SUMMARY Table of Contents I. SECTION ONE: BACKGROUND i. CHALLENGES, DEVELOPMENTS WITH FOCUS OF THE POLICY... 6 ii. Overview... 8 iii. Global Regional Activities Initiatives on Cyber Security II. NEED FOR POLICY b. III. RELEVANT PROVISION ICT4AD 13 I. SECTION TWO: CYBER SECURITY POLICY II. INTRODUCTION DEFINITIONS V VII. MISSION STATEMENT VIII. CONTEXT 19 Legislative POLICY STATEMENT Cyber & Regulatory Framework Culture Security Technology Framework Research of security and Capacity Building Compliance & Development and Enforcement towards Self-Reliance P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y iv. Local Initiatives... III. CNII SECTORS FOR GHANA...

3 Cyber Security Emergency Readiness c. International Cooperation I. SECTION THREE: NATIONAL CYBER SECURITY STRATEGY i. STRATEGIC ACTIONS FOR POLICY THRUST... ii. Strategy Specific Initiatives Implementation Timelines Policy Working Group... Awareness Program Center (NCSC)... Council (NCSCC)... National Cyber Computer Security Security Crisis Incidence Management Response Plan Team (NCSCMP) (National CSIRT) APPENDIX P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

4 GLOSSARY AU CCI Commonwealth Africa Union CERT Computer Emergency Cyber Response Initiative Council for Scientific and Industrial Team CSIRT Computer Security Incidence Response Research CNII Critical National Information Infrastructure Team EOCO CID Economic Criminal Investigation and Organized Department ETA Electronic Transactions Act Crime Office GARNET FIRST Ghanaian Forum of Incident Academic Response and Research and Security Network Teams ICT4AD ITU Information International Development and telecommunications Communication Technology Union for Accelerated IMPACT ISOC/IEC International Multilateral Partnership Organization against for Standardization Cyber Threat LI Legislative Electrotechnical Instrument Commission / International MDA NCA Ministries, Communications Departments and Authority Agencies NITA NitaCERT NITA National Computer Information Emergency Technology Response Agency Team 4 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

5 NCSAW Awareness Center Program NCSCC NCSPWG Working Council NCSCMP National Cyber Security Crisis Management Group PKI Public Key Infrastructure Plan R& SIM D Research Subscriber and Identification Development UNECA United Nations Economic Module WG Working Group Commission for Africa 5 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

6 In advent the early 2000 s, the focus of ICTs in Africa was on expanding Internet access. With the EXECUTIVE SUMMARY to high of speed submarine broadband fiber optics Internet transit, countries within the Africa region have access terrestrial The availability fiber optics of Internet backbone at access reasonable in countries. means prices. more The people focus today on access have access today to is Internet. the rollout The of expansion tendencies cyber of to dupe Internet other access Internet has users brought and with commit risks cybercrimes. of attack These from person disruptive with activities disruptive every African criminal country has cause and the many debate countries on cyber are planning security to strategies on the to top combat of the the agenda cyber for criminals. almost by security. systems Several Global on The cyber ITU s activities crimes IMPACT are and taking is program helping place is these providing around member the several fight countries against member secure cyber countries their criminals cyber early space. and warning cyber Commonwealth countries adopt efficient Cyber Initiative cyber security (CCI) is policy another and initiative Infrastructure. that seeks At the to African help commonwealth regional level, The the year. The AU cyber developed menace a in cyber Ghana security had convention been more which of cyber was fraud. ratified The by African popular heads Sakawa of states menace last where large help law sums cyber enforcement of criminals money remain properly tend to prevalent dupe prosecute unsuspecting because cyber inadequate criminals. Internet laws users The on from cyber Electronic Ghana crime Transaction which and abroad does Act not of stakeholder not (2008), adequate however, approach and has does provisions to fighting not address for the law cyber fully enforcement menace. all aspects Several to of fight cyber initiatives against security, cyber are especially on crime. going However to the address multi- this the The Africa cyber Ministry menace of Communications, and needs to be brought Ghana with under the one support umbrella of for UN Ghana. (ICT4AD) (UNECA) policy began a process to include 2011 recent to review developments Ghana s ICT in ICTs for Economic accelerated that was Commission Development not originally for included in the document. Cyber Security is one of the four thematic areas under this review 6 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

7 and by a national the the ministry Adhoc cyber has security committee appointed policy on an and cyber Adhoc strategy security technical for Ghana. which committee This outlines and document a the resource is proposed the person report policy to submitted develop running implementation in Ghana. strategy with specific initiatives to get enforcement of cyber security up and 7 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

8 a. SECTION ONE: BACKGROUND 8 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

9 I. i. CHALLENGES, Overview DEVELOPMENTS WITH FOCUS OF THE POLICY Ghana recent National one has being had a Ghana s number official websites portal. defaced Very by important hackers websites in recent like times. the website The most and the website Communication of the vice Authority, president the of National Ghana Information have all being Technology defaced Agency recent (NITA) past. of These weakness attacks of our have cyber indented infrastructure the national and space. image of Ghana and indicated a security Since The well growth the turn has of brought the century, along we cyber have attacks seen the on high various growth information of the Internet infrastructure Ghana. Sakawa. as cyber fraud perpetuated by criminally-minded persons popularly known activities had The often biggest not found problem an advertised that victims central of Sakawa point in the and country other to cyber report fraud the as incidences. Criminal suspect Investigation Even when Department these incidences (CID), it had has taken been reported many years to the to apprehend Ghana Police based because of the lack of know-how on tracing these using computers any and processed investigative to court, skills. there Worse were of no it all, sufficient when such legal cyber bases criminal to prosecute were these apprehended criminal as Ghana s For the many legal image years, system been cyber was dented cafes not up as have to a cyber date been to crime convict the pronged main and source punish location. of cyber Internet criminals access resulting as many in could advent fraud perpetuators not of high afford speed the are high mobile shifting cost Internet of their obtaining access operations personal via 2.5 from to Internet 3.5G the cyber modems, access. cafes However, many to working of the with cyber from the their used regulated home by many and and there obscure cyber are fraudsters not places specific that because rules are not guiding the easily cyber their accessible. operations. cafe business The cyber in Ghana cafes are is still not 9 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

10 Ghana s penetration years mobile has penetration brought about today an stands increase at over in mobile 92% as phone at July threats and The fraud. high mobile impending ago, there were calls from an anonymous caller who started rumors A of few Ministry of earthquake Communications which through caused the panic National and Communications threatened national Authority security. reacted The an swift recently Until recently, to bringing mobile Ghana s phone some sanity threats Internet to mobile by backbone announcing security. and SIM resources card registrations have been largely which private ended sector Communications Government driven. agencies Since Authority the have advent has to registered buy of Internet services over in 100 from Ghana Internet private in the and Internet early data 90s, service the operators. National which government these run most agencies of the using critical free information services infrastructure. like Yahoo The and result Google was highly which sensitive 2008, agencies to risk of exposure of sensitive information. However, expose efficiency Ghana in government has embarked operations on a massive and citizens government engagement network through rollout eservices. to bring about since first the phase of the egovernment network project has been completed and handed over The Internet National and Data Information services Technology to over 100 Agency Ministries which Departments has since and July Agencies 2011 provided (MDAs) to The all government includes and webhosting project records includes services and information. a national under government datacenter The Datacenter which designated will has become enable second the NITA level repository provide domain of (.gov.gh) ensure Key Infrastructure security and all of MDAs Government (PKI) are and expected Digital sensitive Certificates to information. migrate to to the enhance NITA platform is implementing secure in the communication near the future Public to within infrastructures will dent government. the cyber which image NITA s when of attacked Ghana. egovernment can adversely network affect has functioning become critical of government information and 10 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

11 Cyber ii. Security Global is Activities central to on the Cyber Information Security have high levels of networked computers and knowledge automation economy. stand greater Countries risks which countries with leased the least developed developed network networked infrastructure computer strive infrastructure. to become a knowledge As many than society, evidenced massive submarine many many network fiber African optic infrastructures countries cable Internet where will transit be over rolled land the last on out the few with shores years, automation. and we the have massive This seen is in-country infrastructure fiber will optic bring a back proportionate bones being risk to rollout. critical An information increase infrastructure. network computer Since infrastructure have the year been 2000, working several around countries securing with their high critical levels information of networked infrastructure computers crimes. developed The United cyber States security of policies America and for strategies instance to recently mitigate revised cyber incidences its policy strategy to meet high incidences of attacks and increasing threats of cyber war. and Every from criminally-minded around cyber citizen the globe (people irrespective cyberspace) of the location has a right of the to lawfully information. access However, to information commit cyber citizens tend to misuse the grant of access to information many have cyber crimes. Since no one country can control cyber space and everyone and robust access security to around information critical anywhere national it infrastructure, is important that setup countries very swift to put response in place systems a very can as cooperation risk of to attacks secure cannot cyber space be eliminated, and mitigate and cyber use crimes. an international approach of Many (CERT) the impact countries where and cyber national have incidences already emergency formed are response reported nation systems and Computer coordinated to Emergency facilitate actions process Response taken of to responses mitigate Teams when the security of the nation is in danger by cyber attacks. CERTs have been set in 11 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

12 very developing few developing countries as nations, networked although computers there infrastructure is much talk expands. about the subject in many The Partnership is International against Telecommunication Cyber Threat (IMPACT) Union program (ITU) through has been the playing International a leadership Multilateral Today, providing IMPACT early has warning over systems 142 countries and training as members. cyber security The IMPACT experts program around the has world. been role used work and strategy for to prosecute developing around a cyber countries global security. cyber to help security them agenda. kick start ITU a process has indeed of developing developed policies frame Forum platform is by recommendation of of Incident Computer Response Emergency and through and Response Security testing teams Teams of operational in (FIRST) the world. has environment Membership also been of to a country FIRST global CERTs. The elaborated Africa Budapest and the by USA. Convention the Council The convention on of Cyber Europe is Security with open the to which any participation country has been which of in Canada, force wants since Japan, to participate South was The 100 countries. convention is used as a guideline, reference standard or model law in more than Governments iii. Regional in Africa Initiatives security. Many countries A decade have ago, invested today infrastructure have massive moved was a ICT major in-country discussion challenge infrastructure form to many infrastructure African and the countries. to access cyber challenge countries risk has is waning. open up The cyber networked space to computer many more infrastructure citizens and coming accompanying up many this, African have of a using CERT the in Internet. place. Many A few countries are like also Tunisia, in the South process Africa of and developing Kenya already cyber the security policy and strategy (including formation of CERTs). In order to harmonize the 12 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

13 development Economic convention Commission that of has cyber been security for under Africa policy review (UNECA) and over strategy, the have last few the developed months Africa Union and a draft is (AU) due cyber to and be security the ratified UN by cooperation African heads in the fight of States. against Harmonization, cyber crime. it can be argued, will establish regional Today s iv. society Local Initiatives As threat networked to business computer thrives and communication. virtually infrastructure on using expands the Internet in the for country, communication there is and increasing business. Recent the incidences development several have cyber been of attacks a uncoordinated cyber on security government and policy in websites many and cases, strategy. in Ghana there Resolutions is were a wake-up no of reporting call cyber for NITA s structure concern put in place of ensuring to guide security us dealing of the with network future has attacks. amongst NITA stakeholder the Ministries, Departments and forced Agencies it to (MDAs) initiate to discussion and assist Computer in resolving Emergency future Response incidences team within (nitacert) the government to coordinate network. cyber incidences setup a The Ministry ongoing national of Communications Computer Security and the Incident Commonwealth Response Cybersecurity Team (CSIRT) Initiative initiative (CCI) by is the recently on project the scoping for the creation mission to of assist national Ghana CSIRT. develop A a CCI cyber team security were policy in Ghana and strategy team Adhoc interviewed Technical and, to help committee over Ghana 70 cyber on establish the security Cyber a national stakeholder Security CSIRT. Policy in During Ghana and Strategy. the and scoping interacted mission, with the 13 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

14 The and towards National Research securing Security Network cyberspace. Council (GARNET) and many in academia other institutions are working such as on Ghanaian different Academic projects The mitigate also put SIM in cyber registration place crimes the Anti-Fraud by committed the National Unit using to Communication alleviate mobile phones. cyber and Authority The other Ghana crimes. is another Police The Service initiative Economic has to Financial geared and Organized and Intelligence mitigating Crime crime Center Office in general for (EOCO) the and financial of cyber the crime sector Attorney in are particular. General s all government Department initiatives and On investigate the business cyber side, crime the thoroughly opening and of an improve e-crime protection bureau in of Ghana cyber will space. help organization In cyber to spite addressed. security all these amongst initiatives, the consuming the fact still public remains of ICT that products a general and services lack of education which needs on As Ghana II. NEED strives FOR to POLICY increased information and emphasis knowledge become, on informational economy, an information wars activities will and be and fought knowledge information around economy, information industry. there token In is the an countries. efficiently on Businesses the right will information compete to on produce information the and output computer required. systems It becoming will work of extremely ensure continues national necessary to thrive security and for nations bring and about ensure to protect wealth that critical the creation information national citizens. information and knowledge As that the infrastructure is required economy to problems computers get and solved the critical in information countries, there infrastructure is an increase that will sustain attacks the economy networked of the 14 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

15 information critical response national system and information knowledge when any attacked society. infrastructure There is made (CNII) is on therefore the and CNII create an to increasing avoid a very loss robust need of revenue to incidence protect to The down need time to create and ensure a culture national of security security. which is absent today due to lack of awareness due of national stakeholders the enormous cyber are security threats exposed policy. that to users Awareness can drastically of Internet creation mitigate are of exposed the the risks risks must Internet of be cyber addressed users attacks and other by and a consequential information harassment by economy loss cyber of criminal where revenue. and Ghanaians This fraudsters. will create can create a very worth conducive in peace environment without fear in the of Government the public same Internet way, business and many phone businesses can services be brought may are to attacked. grind a halt to a if There halt the NITA if is infrastructure therefore infrastructure the of need ISPs is attacked. to and develop other In technical to knowledge government capacity on incidence and of private local response technocrats sector and critical to ensure enable information that them there infrastructure. manage is a uniform cyber In risk order security management to share risks of address partnership all critical the model. need information a central infrastructures coordinating (both body public and and work private), with a the public policy private must III. Pillar RELEVANT 14 of the PROVISION ICT4AD policy ICT4AD cybercrime. cooperation The and building pillar among infrastructure other relates things for to security Security emphasis agencies Agencies on capacity to using enable building, ICT them for international use combating combat security crime agencies and prosecute also ensure any that cyber the crime legal text offenders the by policy the Attorney pillar is up General s to date to office. ICT help to 15 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

16 The prescribes fight Electronic against punishment cyber Transaction crime. for cyber Act (ETA) crime 2008 perpetuators. has specific The legislation Act addresses on cyber issues crime on and the The protection Data Protection of private data Act of which government, has been citizens passed and by businesses the Parliament in Ghana. of Ghana ensures The space create Pillar as worth. a 14 means and of the mitigating ETA fails cyber to capture incidences a holistic that may approach affect the to securing ability of citizens the cyber to The what cyber several different security. on-going agencies A initiatives National of Government, which Cyber are Academia Security not coordinated and framework business makes covering are it impossible doing policy to enhance to know implementation the national cyber strategy security done of Ghana. holistically will ensure coordination and greatly enhance and 16 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

17 b. SECTION TWO: CYBER SECURITY POLICY 17 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

18 I. INTRODUCTION our Ghana s people determination are free from of cyber securing attacks its cyber with devastating space is driven effects. by a This desire is informed to ensure by that and fact that capacity a people building with are a culture in a better of cyber position security to handle achieved cyber through attacks awareness as and when creation they the occur. reduces operation Our the of ability the number national to identify of actual infrastructure and understanding attacks on significantly which threats critical and and information enhances how they can are the held be continuous handled interest restricted and only security to government of the nation. but also Our to desire operators also who recognizes provide public that the services threat to is not the the citizens security must and private be a private networks public and partnership. looks ensure that ally effort to ensure cyber For II. the purpose DEFINITIONS of this policy document, and destruction Critical virtual), National would systems Information have and a devastating functions Infrastructure that impact are (CNII) on: vital may to the be nations defined that as those their incapacity assets (real or National Confidence economic that the strength nation's key growth area can successfully compete in global National market while maintaining favorable standards of living. Projection image of national image towards enhancing stature and sphere of influence. 18 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

19 National defense and security Government Guarantee sovereignty capability to and functions independence whilst maintaining internal security. Public Maintain order to perform and deliver minimum essential public services. Delivering health and and managing safety optimal health care to the citizen. on Countries III. CNII identify SECTORS the CNII FOR based GHANA Ghana, them the can following affect factors sectors mentioned have been the above. identified level For of networked the as CNII purpose sectors: computers of policy as and it relates how attacks to National Banking Information and Defense and Finance Communications and Security Energy 7. Transportation 8. Water 9. Health Government Emergency Services 10. Food and Agriculture services 19 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

20 Our IV. vision VISION Information securing Infrastructure of developing (CNII) a cyber and security make resilient, policy is and to for secure Ghana the to Critical be self-reliant National being and its wealth cyber space creation by of infusing our people a culture by. of All security actors to in promote law enforcement, stability, social national well in security, take part network in the vision. security practitioners in government and business, and the public will Our V. mission MISSION is to determine, STATEMENT posed protection for identified the critical critical national national analyze information information and address infrastructure infrastructure the immediate and by over cyber providing time security become adequately threats sufficient country attending to its cyber security needs. a self This VI. policy POLICY covers various SCOPE national information security, infrastructure. legal measures, aspect of law cyber enforcement security including and protection fight against of critical cyber security, national Ghana, VII. like POLICY many CONTEXT uncoordinated Many initiatives countries are being Africa put faces place to the secure risk of the cyber attacks. space of Different in custodians of critical national information infrastructure are unaware of their Ghana. are ensuring discussing the maintenance how to secure of cyber their cyberspace security within in the country. wake of In heightened Africa, Governments threats roles to 20 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

21 national that The legal threat information systems that cyber are infrastructure. updated attacks pose to enable Several to African proper national governments persecution initiatives of has are cyber taking prompted criminals. place the to African ensure Union to harmonize Commission the efforts to develop of African a draft countries convention in fighting under cyber discussion crime. at the regional level The the awareness national cyber security information policy will infrastructure. address major The cyber policy risks seeks facing to Ghana address from the attacks lack on problem of of Sakawa risks users which and has businesses tarnished face Ghana s doing cyber business credentials in cyber as space. a haven The of cyber develop fraudster technology will be framework addressed for by combating the policy. cyber The policy attacks also and addresses capacity the building need for to of cyber and in security the near expects future create to make a culture Ghana of self cyber sufficient security in in Ghana. the fight against cyber crime The National systems National of Information ten Cyber critical Security Infrastructure sectors. Policy (CNII) (NCSP) which seeks comprises to address the the networked risks to information the Critical The to ensure develop policy recognizes and establish the a critical comprehensive and highly program interdependent and a series nature of of frameworks the CNII and that aims developed the to effectiveness ensure that the of CNII cyber are security protected controls to a level over that vital commensurate assets. It is the being risks will faced. The economy regulatory, policy and has will been based designed on to a number facilitate of Ghana s frameworks move that towards comprises a knowledge-based aspects. technology, public-private cooperation, institutional, and legislation international and 21 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

22 Effective VIII. Governance POLICY STATEMENT Government promote the gains effective from will any cooperation centralize initiatives, coordination government between public will of establish national and private formal cyber sectors. and security encourage In order initiatives to informal sustain and information sharing exchanges. Legislative Government & Regulatory will in collaboration Framework periodic address the process dynamic of reviewing nature of and cyber enhancing with security the Attorney threats. Ghana s In General s laws order relating to empower department to cyber national space setup law to a enforcement establish ways of enforcing progressive agencies cyber capacity to laws. properly Government building prosecute programs will ensure cyber to security that acquire all applicable crimes, new skills government local and legislation effective will is complementary to and in harmony with international laws, treaties and conventions. Policy Cyber Security measures Technology will be put Framework framework elements. that specifies cyber in place security to develop requirement a national controls cyber and security baselines technology evaluation/certification This will program be accompanied for cyber security will product mechanism and systems. to implement for CNII an 22 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

23 Culture Government of security will invest and Capacity every resource Building culture government of security. will support As part the of the standardization process need of to development develop, and coordination foster of culture and maintain of of cyber a security, national awareness also: and education programmes across all elements of the CNII. Government will Establish at Identify the national an effective level mechanism for cyber security knowledge dissemination professionals minimum requirements and qualifications for information security Research In order & Ghana Development become towards self-reliant Self-Reliance commensurate prioritization of with cyber the security risk, research government in and protecting will development formalize the CNII activities the to coordination a level enlarge that and is strengthen encouraged properties, the technologies by cyber promoting security and the innovations research development community. through and focused Research commercialization research and development and of development. intellectual will be Government industry will also put measures place to nurture the growth of cyber security In Compliance order to ensure and Enforcement be put in place to standardize compliance cyber and enforcement, security systems policy across measures all elements and mechanism of the CNII. will 23 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

24 Government develop a standard will also cyber strengthen security risk the assessment monitoring framework and enforcement of standards and Cyber To ensure Security cyber Emergency security Readiness stakeholders will include the will development effective emergency and cyber strengthening security readiness, incident the government of reporting national computer mechanisms. together with security This all incidence advisories business response and threat team warnings (CSIRT) in a and timely sector manner CSIRTs, and the dissemination development of of vulnerability elements continuity management framework. The government will also encourage a standard assessment of the programs. CNII to monitor cyber security events and perform periodic vulnerability all Policy International measures Cooperation relevant Government international will will make be cyber put every in security place effort to to bodies, encourage promote panels active active and participation participation multi-national of in Ghana all agencies. relevant in all international conference. cyber security activities by hosting an annual international cyber security 24 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

25 c. SECTION THREE: NATIONAL CYBER SECURITY STRATEGY 25 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

26 For thrusts. be implemented each policy thrust, in isolation specific or strategic in concert actions with other will be strategic implemented. actions These from actions other policy may I. STRATEGIC ACTIONS FOR POLICY THRUST Action Item Policy Effective Thrust Governance Action 1. Government Plan Policy Drivers and sustenance information governance exchange. of will Cyber setup structure Security cyber Action to security ensure will activity be institutions long term taken including as Ministry collaboration society (public of private government, partnership business Institutions). and civil Communications, National of 1. The institutions Cyber to Computer be Security setup include: Council, Response Team (CSIRT) Security Council NCA NITA, Security 1.4. National Cyber Security Center Group Policy Incidence Legislative Working Regulatory and Framework 1. Government Committee Department under to will do setup a the study Cyber Attorney on Law the General s laws Review of Attorney Ghana the Cyber to accommodate environment legal and review challenges every in Department, Ministry General s 2. three 1.1. year Communication of 1.2. cyber environment 1: 2. Review identifications current of laws issues on cyber in the 1.3. environment Stage amendment 3. Make of national recommendations laws for 26 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

27 3. Cyber Technology Security Framework 1. Government stakeholders international cyber in will collaboration security review standard with adopt such key as robustness Government MS ISO/IEC of CNII sectors to increase expand the national and its certification partners scheme will also for 1. information assurance Efforts will be security made to reduce management number of & 2. Information improved developing awareness security incidents & skill level through Awareness program a National and portal Cyber targeted Security by all different stakeholders packaging by content for providers different using at 2. demographics. Capacity Certification cyber security will course be to built prepare on through information Ghana increased for and 3. reliance Targeted in cyber capacity security. building will self implemented investigation for and law enforcement to on improve cyber Development & towards prosecution of cyber crime in Ghana. Self Reliance 1. A Security will National will R&D be developed Roadmap to ensure Cyber security be self needs. sufficient attending to its cyber that Technologies will Domain be developed. competency relevant development & desirable for will CNII provided 3.1. Natural for: growth of Cyber Security be 3.2. Industry Updating R&D roadmap regularly 4. Culture of Cyber Security & Capacity Building 5. Research Ministry of Communications, NITA Communications, Ministry Information, of Ministry Communications, NITA, of Universities, Professional certification CSIR, Centers 27 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

28 6. Compliance 7. Cyber 8. International Enforcement & 1. CNII framework national will be Risk for developed all Assessment CNII. to ensure framework a uniform Emergency Security Readiness 1. A attacks responses framework and to ensuring for attacks mitigation that structures threaten of risk for of national swift cyber security 1.1. Setup management through: National of Cyber National security Committee council) Cyber (under Crises 1.2. Positioning CSIRTs in the National line of responding and sector 1.3. emergencies Setup of National Cyber Crises Management reviewing recommendations structures WG and continuously committee to be acted making by Cooperation Ghana cyber engagement will security engage meeting relevant and international International/regional and conventions join or prioritize sign New NITA, Institutions, NCA National Council, of Ministry Security Communications National Council, of Ministry Security communications, Ministry of Foreign Affairs. 28 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

29 The i. policy Strategy will be Implementation implemented in three Timelines stages: Short STRATEGY Term TIMELINE Year 1-2 ACTIVITIES Identifying analyze up CNII and addressing immediate Concerns Identify CNII, The vulnerabilities and put place stop gap measures while setting Effective institutional short term structures will focus on and following creating policy public thrust: awareness other governance CNIIs, address stakeholders evaluate immediate vulnerabilities put concerns. in place a and stop gap develop measure measures to identify to Cyber Culture Security of Cyber Emergency Security Readiness Medium Term Year 3-4 Building standards capacity the infrastructure - Setting-up the necessary systems, process, The and institutional arrangements (mechanisms) and, building Culture medium of amongst Cyber term Security researchers will focus & Capacity on and following information Building policy security thrust: professionals Compliance Research & Development and enforcement towards Self Reliance Long Term Year 5+ Developing Legislative and Regulatory Framework professionals, and improving self-reliance monitoring the mechanisms the - mechanisms in terms and creating of for technology compliance the culture as, evaluating of well cyber as 29 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y i. Strategy Implementation Implement Action 1.4 to assist ministry of communications and Begin building Action institution 2 to begin by implementing awareness creation Actions Implement Action 1 to develop framework Actions 1 and - 2 and accompanying accompanying infrastructure infrastructure - Implement Action 1

30 security The Cyber long Security Continuous term strategy Technology review will focus and Framework improvement on following policy thrust: Compliance Enforcing & Enforcement Culture comliance of cyber security adopted Risk Management framework within CNII for - Continuous awareness creation Details ii. Specific of Specific Initiatives are attached in the appendix. initiatives including strategic objectives, estimated cost and drivers 30 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

31 APPENDIX 31 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

32 The Implementation TECHNICAL Strategy: PROPOSAL Programs and Initiatives APPENDIX -1 (STRUCTURING THE IMPLEMENTATION STRATEGY PROGRAMS AND INTIATIVE) Program Title of Program/Initiative Strategic National Cyber Security Policy Working Group Objective Assist Identifying sectors MOC to collation of all cyber security initiatives Support critical national information infrastructure in term strategy as policy defined drivers by the to setup policy structures for medium Relevant Design Cyber Security and implement Awareness a comprehensive program National Background Policy Achievable Objective to Program National & Goals /Initiative ICT4D National In Security, Law and other and enhanced cyber Security and order to have continuous activity the Cyber security policy committee (WG) strategy, for it cyber is proposed security be that converted the current to a Adhoc Working technical ensure to a keep quick the implementation momentum of the policy cyber and security strategy. agenda Group to Description of Program/Initiative The made which National up composition of current Cyber represent policy Security drafting a Policy public Adhoc private WG technical (NSCPWG) collaboration committee will and be by bottom-up overcome virtue of any approach. the shortfall selection in New skill of the members such members, as legal may in also the be represent conversion. added to a The establishment immediate NCSPWG attention of will recommended assist such the as the ministry specific awareness of programs communication campaign that require for in Program/Initiative Implementation first year of the policy. the Rationale between The rationale the adoption for the setting of the up policy of WG and is the to avoid implementation any vacuum of 32 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

33 Program/Initiative Implementation the of awareness long term structures creation. of the policy as well as begin a process Specific Goals Support implementation Develop implementing of strategy agency to begin actual Cyber Security Security Awareness a National including Awareness portal the creation Creation of Nation Program Cyber on Program/Initiative Time-Frame One Assisting structures policy for the implementing achievement agencies of long term to build goals the role (may after year be extended first in active year if engagement necessary) with but will policy continue implementation in advisory Program/Initiatives Deliverables and Target National Program/Initiative Cyber Security (NCSAP) Deliverables Awareness Time 3-months Bound Measurable Form policy (TBM) adoption Target Identification National Cyber of Critical Security (NCSP) Nation Awareness Information Portal 6-months from adoption of policy Infrastructure (CNII) and immediate as prescribed concerns. by the Policy 12- Months from adoption of policy Program /Initiative: Output, Outcome and Beneficiaries and Estimated Cost NCSAP activities, will Document well online detailing informed activities awareness professionals etc and program budget. and including, The citizens outcome workshops, on of threats program media cyberspace beneficiaries and with how be security they can professional, guard against citizens these and threats. businesses The main NCSP Oversee Ghana. support downloads and the and creation receive support of updates Interactive where of citizens Portal latest can with cyber report all security relevant incidences, information. information, seek 33 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

34 Outcomes find citizenry everything and will businesses include on cyber a one security. Ghana. stop shop The for main citizens beneficiaries and business are the to CNII Oversee NCSPWG Infrastructure investigative will and assist determine work selecting critical to determine consultants ones based the to National policy do exercise. documents. Information outcome expansion will be a document with all details of CNII as it today The Government plans of Ghana. for next 5 years. The main beneficiary and is COST Members they setting are actively of NCSWG involved must be in implementation. rewarded role This for the must period include when Estimated allowance Budget of and GHC200, expenses cover for one for year any activity performed. a Project Implementation Management, Monitoring and Evaluation Agencies Supporting and their Implementation Supporting Implementation Responsibilities Assignment Ministry of Communications Agency Oversight Assigned of NCSWG, Responsibility National Security Council funding Technical/security / monitoring and project CNII input for evaluation creation and of new cyber advisory security for defining National technology Information Agency/ National structure Communication Authority Technical collating CNII, advisory web and portal guide on Program Program/Initiative Success Factors Critical Commitment WG members of to work to implement policy, motivation of Implementation Risk Factors Inactivity Communications of WG members or lack of needed support form Ministry of Non Additional Comments and Remarks 34 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

35 (STRUCTURING THE IMPLEMENTATION TECHNICAL APPENDIX STRATEGY PROPOSAL 2 The Implementation Strategy: Programs PROGRAMS and Initiatives AND INTIATIVE) Program Title of Program/Initiative Strategic National Cyber Security Awareness Program Objective Objectives Identify Define Security Awareness Goals and General Define Intended Public) Audience ( Stakeholders, Identify Obtain Topics to be covered Establish Current Training Needs Define Support Develop Security Policy Delivery Methods to be used Design a Strategy for Implementation Develop Awareness Training Evaluation Strategy Strategy Methods Relevant Create a National Awareness portal Policy Background Objective Achievable to & Program Goals National /Initiative ICT4D The National Cyber Security Awareness Program shall be used Description of Program/Initiative to expected The stimulate, National of them. motivate, Cyber Security and remind Awareness the audience Program what is a is program Culture to security train consummate with different the intent stakeholders with of the helping risks on to them different avoid provide incidences aspects a reasonable of of attacks. assessment, This training will take and the evaluation form of of identification, different sets cyber need of of Cyber Security, Awareness creation 35 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

36 stakeholders. awareness campaign portal the The internet that program will establish will include a permanent a cyber awareness security Program/Initiative Rationale Implementation take an The aware rationale appropriate community for preventive the setting is able measure up to the foresee Awareness to any overcome possible Campaign such attack attacks. is and that Program/Initiative Implementation The general campaign public to will help be develop targeted culture at main of cyber stakeholders security. and the Specific Goals To develop a level of awareness in the community to Develop mitigate media and risk other of cyber awareness attacks programs by workshops, mass to information a National cyber Awareness security portal and easily for easy downloads access Program/Initiative Time-Frame On-going for quick fixes National program. In the first year, it is proposed that the and responsible hand Cyber over for to ensuring Security the emerging Policy that the WG organization country begin attains work that on a will level the be program awareness to mitigate cyber incidences. of Program/Initiatives Deliverables and Target National Detailed Program/Initiative Cyber Awareness Security Program Deliverables Time Portal table Time 6-months 3-months Bound Measurable Policy Adoption (TBM) of Target Start program of Delivery of Holistic Awareness 12 Months from adoption of policy Program /Initiative: Output, Outcome and Beneficiaries and Estimated Cost National Awareness Cyber Program Security Informed cyber work in incidences emerging stakeholders information and and crimes. public. economy Citizens Outcome in and peace in business substantial to create in worth. reduction Ghana can in 36 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

37 level Estimated Internet of protection users cost in of Ghana against entire should program threats Know online will how be about get themselves GHC500, a basic National Cyber Security year one. Annual budget of about GHC200, then after. Awareness Portal One on through emerging stop shop threats. cyber security Interactive Alerts, portal quick where downloads questions and can information Estimated web cost 2.0 of applications. portal creation Outcome and maintenance will be informed year community. be one asked GHC100, GHC200, Subsequent year may be down to less than is Project Implementation Management, Monitoring and Evaluation Agencies Supporting and their Implementation Supporting Implementation Responsibilities Assignment Ministry & National of Agency Communication Cyber Security Assigned Responsibility Policy National Council WG and Cyber (year Center Security one). Oversight monitoring of and program; evaluation funding, over by end of year to 2 take ( Capacity building after year 2) Technology National Information Authority Communication Agency/ Technical portal for year development. one advisory and Capacity guide building on web Program Critical Ministry of Information programs Support the awareness creation Success Factors Availability Commitment of of Funding Implementation Program/Initiative Risk Factors Lack of funds and supporting commitment agencies Additional Comments and Remarks to implement portal 37 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

38 The Implementation TECHNICAL Strategy: PROPOSAL Programs and Initiatives APPENDIX -3 (STRUCTURING THE IMPLEMENTATION STRATEGY PROGRAMS AND INTIATIVE) Program Title of Program/Initiative Strategic National Cyber Security Center (NCSC) Objective Strategic National Defines, Objective Cyber of NCSC Security are Policy : the communicates and updates Implementation: National national cyber security programs to (when all the necessary) security Coordination: Closely coordinates cyber CNII. organizations Outreach: initiatives Ghana. of various key Agencies and mechanism Promote and facilities formal and informal This training includes for promoting information cyber sharing security across awareness, the CNII. competency and education of information programs security to grow professionals the and the Compliance compliance industry as Monitoring: a whole. across cyber security Facilities policies the and monitoring standards of Risk security Assessment: the CNII. Assesses and identifies cyber across Assist threats CNII. exploiting vulnerabilities and risks function the National Cyber Security Council in all its emergency Contribute activities plans and help industry to test its cyber security to application as well of on international accreditation standards on Relevant Achievable National ICT4D Effective certification suppliers. Governance of of ICT National infrastructure, Cyber Security services Policy 38 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

39 Background Policy Objective to Program & Goals /Initiative The created NCSC to sustain is part the of the cyber proposed security institutional policy the structure long term. to be Description of Program/Initiative The one-stop initiatives Ghana by coordination Cyber adopting Security a centre coordinated Centre for is national envisioned and focused cyber to become approach, security a with security The the centre arena. key will objective be under of strengthening the purview the of the country s Ministry cyber Communications, Council for policy direction and overseen and the by National the National Security Cyber Council Security of Program/Initiative Implementation times of national crisis. in Rationale sectors The and rationale institutional for approach the setting to up coordinating the NCSC is the the policies help establish minimum. to It ensure will also that spearhead the risks all of awareness attack are and at the education of barest CNII Program/Initiative Specific Goals Implementation activities on make Cyber Ghana security a safe after destination creation. make boost it a national leader in image the region its sphere for of cyber influence activity and Program/Initiative Time-Frame To be To low ensure level of that risk Ghana that will has be technical achieved skill to maintain - setup within first two years. - Program/Initiatives - Deliverables and Target Creation Program/Initiative of Structures NCSC Deliverables and function of By Time 6- Months Bound from Measurable Adoption (TBM) of the Target policy Financial Legal framework Sourcing for & establishment Establishment passed of By 12-month from the of the policy NCSC By 18 Months from adoption of policy 39 P a g e D r a f t N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y