REPUBLIC OF GHANA MINISTRY OF COMMUNICATIONS. Ghana National Cyber Security Policy & Strategy

Transcription

1 REPUBLIC OF GHANA MINISTRY OF COMMUNICATIONS Ghana National Cyber Security Policy & Strategy Final Draft July

2 Document Version Version Date Remark Ver. 1.0 March 2015 Final Draft handed over to Ministry of Communications Ver September 2015 Final version after Validation Workshop 2 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

3 Document EXECUTIVE Contact a. SUMMARY Table of Contents I. SECTION ONE: BACKGROUND i. CHALLENGES, DEVELOPMENTS WITH FOCUS ON THE POLICY... 7 ii. Overview... 9 iii. Global Regional Activities Initiatives on Cyber Security II. NEED FOR POLICY b. III. RELEVANT PROVISION ICT4AD 14 INTRODUCTION SECTION TWO: CYBER SECURITY POLICY DEFINITIONS CNII POLICY SECTORS FOR GHANA I. CONTEXT Legislative POLICY STATEMENT Cyber & Regulatory Framework Culture Security Technology Framework Research of security and Capacity Building Compliance & Development towards Self-Reliance Child Online and Protection Enforcement P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y iv. Local Initiatives...

4 Cyber Security Emergency Readiness c. International Cooperation I. SECTION THREE: NATIONAL CYBER SECURITY STRATEGY i. STRATEGIC ACTIONS FOR POLICY THRUST... ii. Strategy Specific Initiatives Implementation Timelines Policy Working Group... Awareness Program Center (NCSC)... Council (NCSCC)... National Cyber Computer Security Security Crisis Incidence Management Response Plan Team (NCSCMP) (National CSIRT) APPENDIX P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

5 GLOSSARY AU CCI Commonwealth Africa Union CERT Computer Emergency Cyber Response Initiative Council for Scientific and Industrial Team CSIRT Computer Security Incidence Response Research CNII Critical National Information Infrastructure Team CID COP Criminal Child Online Investigation Protection Department EOCO ETA Economic Electronic Transactions and Organized Act Crime Office GARNET FIRST Ghanaian Forum of Incident Academic Response and Research and Security Network Teams ICT4AD Information Development and Communication Technology for Accelerated ITU IMPACT International Multilateral Partnership telecommunications against Cyber Union ISOC/IEC International Organization for Standardization Threat Electrotechnical Commission / International LI Legislative Instrument 5 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

6 MDA NCA Ministries, Communications Departments and Authority Agencies NITA NitaCERT NITA National Computer Information Emergency Technology Response Agency NCSAW Awareness Program Team NCSCC Council Center NCSPWG NCSCMP National Cyber Security Working Crisis Management Group PKI Public Key Infrastructure Plan R& SIM D Research Subscriber and Identification Development UNECA United Nations Economic Module WG Working Group Commission for Africa 6 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

7 The more expansion EXECUTIVE people today of Internet in Africa, representing the largest growth in the world, means SUMMARY disruptive activities by tendencies cyber criminals have to defraud access has other to caused Internet, the with debate users its and attendant on cyber commit security risks cybercrimes. of attack to on from These the people top disruptive of with agenda for almost every country, and many countries are strategizing on how to combat cyber criminals. Several global initiatives are also addressing cyber crime and enhancement the on cyber security. crimes The and ITU s is IMPACT helping program these member is providing countries several secure member their countries cyber early space. warning The of Commonwealth countries adopt efficient Cyber Initiative cyber security (CCI) policies is another and initiative Infrastructure. that seeks to help commonwealth ratified At the continental by African Presidents. level, the African (AU) has developed a cyber security convention which was criminals remains The cyber prevalent defraud menace unsuspecting because Ghana of has inadequate Internet been more users laws of of cyber on large cyber fraud. sums crime The of popular money to prosecute sakawa in Ghana cyber where and criminals. abroad cyber The cyber as there Electronic crime. are legal However, Transaction gaps this caused is Act not by (2008) adequate rapidly has change for provisions law in enforcement the cyber law landscape. in enforcement the fight against There agencies is, cyber however, to crime fight the to of which fighting need need to the fully cyber to address brought menace. all under aspects Several one of umbrella initiatives cyber security, for are Ghana. on-going and apply to address a multi-stakeholder the cyber menace, approach all Africa Accelerated The Ministry (UNECA) Development of Communications, began a (ICT4AD) process Ghana in policy 2011 with to to the identify review support gaps some of as UN aspects a Economic result of the Ghana s Commission changing ICT ICT for 7 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

8 cyber landscape document. security and Cyber policy recent security and developments strategy is one of for the in Ghana four ICTs thematic that has were been areas not developed. under originally this The envisaged review policy and has and the nine put national in policy the pillars readiness and and includes international effective cooperation. governance, legal framework, technology framework, response cyber includes Five special establishment initiatives have of institutional been included frameworks, in the first creating five year awareness, strategic ensuring plan. These coordination initiatives implemented, security Ghana initiatives will have and a enforcement solid cyber security of cyber base standards framework in to Ghana. address When its cyber fully of needs. 8 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

9 a. SECTION ONE: BACKGROUND 9 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

10 I. i. CHALLENGES, Overview DEVELOPMENTS WITH FOCUS ON THE POLICY In a effect number recent on times, the of government cyber Ghana image has websites experienced of Ghana by and Internet a number are indications hackers. of cyber These of attacks security attacks including weakness have defacing a denting of our of cyber widespread information infrastructure infrastructure and many and countries but space. also Cyber ensuring are not attacks that only there have focusing are become very on good protecting very incidence sophisticated their responds critical and teams Since the place turn of to the respond century, to incidents we have cyber seen a security rapid growth incidents. growth various has brought its wake extensive cyber activities and of the subsequently Internet in Ghana. attacks The The biggest information challenge infrastructure is that the as designated well as cyber central fraud point popularly in the country known where as Sakawa. victims on of is many Sakawa under years resourced. to can apprehend report In to cases any the suspect when Police these because CID incidences Cybercrime of the lack had Unit of been is expertise not reported, visible in tracking nationally it has these taken and criminals cyber enough criminals using computers based were apprehended forensic and processed skills. To to make court, matters there are, worse, more when often, such convict legal basis to prosecute these criminal, as the legal system is inadequate not cyberspace and punish cyber criminals. Consequently, Ghana s image continues dwindle to For many years, and cyber therefore cafes considered have been as the a cyber main crime source prone of Internet country. access, as many in people could not afford the high cost of personal computers and Internet access and, as 10 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

11 a cyber result crime. of lack of operational guideline, cyber cafes have become fertile ground for Ghana s mobile The increased penetration mobile use penetration of has smart brought phones, stood about at especially % an increase with at in the the mobile introduction end of phone March of threats M-commerce, and The fraud. high likely There to is bring therefore more a need incidents to create like hackings awareness and of other risk of attacks cyber attacks to mobile and phone exploitations users. is for registered cyber mobile criminal all users. SIM continue As card a in to result Ghana engage of mobile but SIM there Box fraud, still fraud remain the and National other high crime fraudulent Communications in the activities. mobile space Authority as Until sector highly recently, driven. sensitive This Ghana s government result Internet has information been backbone that many using and government free resources officials services have been send such largely and Yahoo receiving private Google establishment making it vulnerable to information theft. However, since 2008, with and on a massive government of the National network Information rollout Technology to ensure efficiency Agency in (NITA), government Ghana operations embarked the and Data datacenter improved services facilities service to all that Ministries delivery enable to Departments citizens. NITA provide. The and result Agencies is and that webhosting NITA (MDAs) now and has services has Internet national under and government Public communication Key designated Infrastructure within government. second (PKI) level and There domain Digital is (.gov.gh) the Certificates need NITA of is a also strong to enhance implementing public secure private the partnership the private and in crafting public sectors. our national cyber security policy to take care of the interests of 11 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

12 Cyber ii. Global Security Activities is central on to Cyber the Information Security have countries high levels of networked computers and knowledge automation economy. stand greater Countries risks which with less developed with less developed network infrastructure networked strive computer become infrastructure. a knowledge As many society, countries than network African Internet countries infrastructures where will over be the rolled last out few with years, automation. massive submarine This is evidenced fiber optic in many backbones transit have landed on the shores and massive in-country fiber cable bring a proportionate are being risk rolled to critical out. An information increase infrastructure. network computer infrastructure optic will For have developed many been years, working many around countries securing with high their degree critical of information networked infrastructure computer infrastructure crimes. cyber security policies and strategies to mitigate cyber incidences and have and access place No one information country control from the cyber Internet. space It and is therefore everyone very from important anywhere that in countries the world put can swift response robust security systems around as risk critical of attacks national cannot information eliminated. infrastructure Additionally and set using up very an in international is also essential. approach of cooperation to secure cyber space and mitigate cyber crimes Many already responses countries have Computer with high Security networked Incidents computer Response infrastructure Teams (CSIRTs) and global in place companies incidences. to However cyber incidences developing are economies, coordinated very to few mitigate CSIRTs the have impact been of where setup, cyber 12 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

13 although infrastructure it is expands. top of the agenda for many of these countries as networked computer The Partnership a International against Telecommunication Cyber Threat (IMPACT) Union program (ITU) through has over the the International last few years Multilateral around leadership the world. role is Today, providing IMPACT early warning has over systems 152 countries and training members. cyber ITU security has experts indeed played developed developing a policies framework and strategy for developing around cyber countries security. to help them kick start a process of Forum Computer recommendation of Incident Security and Response Incidents through Response a and rigorous Security standards Teams Teams (CSIRTs). process. (FIRST Membership Inc.) is a global to FIRST forum is by of The elaborated Africa Budapest and the by USA. Convention the Council The Convention on of Cyber Europe Security is with open the to which participation any country has been which of in Canada, force wants since Japan, to participate South was The 100 countries. convention is used as a guideline, reference standard or model law in more than Governments iii. Regional in Initiatives Africa iatives cyber countries. security. Many A countries decade today ago, have have infrastructure invested moved the massive was ICT a major discussion in-country challenge infrastructure from to infrastructure many and African the to connectivity coming and up and many access African challenge countries is has waning. opened The up networked cyber space computer to many more infrastructure Africa accompanying and Kenya already this, the have risk a of CERT using in the place. Internet. Many A countries few countries are also like Tunisia, in the process citizens South 13 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

14 of to (AU) developing harmonize and the cyber the UN development Economic security policy Commission of and cyber strategy security for Africa (including policy (UNECA) and formation strategy, have of developed CERTs). the Africa In a Union cyber order security Ratification fight against and of cyber cybercrime the convention, crime. convention it can and be argued, has been will ratified foster by regional African cooperation heads of States. in the In annually for 2010, African AfricaCERT in countries. different Africa was formed countries and on have the been establishment undertaking and capacity management building of program CSIRTs Today s iv. Local society Initiatives As threat networked to business computer thrives and communication. virtually infrastructure on using expands the Internet in the for country, communication there is and increasing business. Recent the incidences development several have cyber been of attacks a uncoordinated cyber on security government and policy in websites many and cases, strategy. in Ghana there Resolutions is were a wake-up no of reporting call cyber for The structure National put in Information place to guide Technology dealing Agency with future (NITA) s attacks. the Departments government and network Agencies initiated (MDAs) discussion to setup a amongst NITA Computer concern stakeholder of Emergency ensuring the security Ministries, Response of team incidences (nitacert) within the to government coordinate network. cyber incidences and assist in resolving future 14 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

15 The Team was Ministry (CERT) of project Communication in 2013 in initiated collaboration the national with the ITU-IMPACT. Computer Emergency The national Response early established in August 2014 is fully operational handling incidents and sending CERT institutions warning such to as its Ghanaian constituents. Academic The and National Research Security Network Council (GARNET) and in many academia other out are The working SIM registration on different by projects NCA is towards another securing initiative cyberspace. using Unit to mobile alleviate phones. cyber The and Ghana other related Police crimes. Service The has to mitigate also Economic put cyber in and place crimes Organized the cybercrime committed Office Center (EOCO) for the financial under the sector Attorney are all General s government Department initiatives and geared Financial towards Intelligence mitigating Crime crime On the in business general and side, computer the opening crime of in an particular. organizations investigate cyber crime thoroughly e-crime and Bureau improve in Ghana protection has of greatly cyber space. helped on In needs spite cyber to all be security these addressed. initiatives, amongst the the fact consuming still remains public that of there ICT is products a general and lack services of education which As Ghana II. NEED strives FOR to POLICY increased will compete emphasis on information on become informational and an computer information activities systems and and the knowledge information will work efficiently economy, industry. on there Businesses the is right an 15 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

16 information nations the to protect to produce critical the national output information required. infrastructure It is becoming to ensure extremely national necessary security for for citizens. wake of As recent networked cyber wars, computer and ensure infrastructure a safe cyber increases, space there to enable will be wealth an increase creation in attacks the information on critical and information knowledge infrastructure society. There that is therefore is required an to increasing sustain the need economy to protect of in critical system and ensure national when national any information attack security. is made infrastructure on the CNII, (CNII) to and avoid create loss of a robust revenue incidence due to down response time The that national users, need to especially create a children, security culture of the Internet by creating are exposed awareness to must of the be enormous addressed threats Internet cyber are exposed security and policy. the Awareness vulnerabilities creation our (education) phones, computers of the risks and users PDAs of by the to a can business economy drastically are where involved. reduce Ghanaians This cyber will can incidences create a wealth very with conducive its in peace consequential environment without loss fear of in of harassment the revenue information when cyber criminal and fraudsters. by Government other same public way, Internet business many and businesses can phone be brought services may to grind a are halt to attacked. if a the halt NITA if There the infrastructure is therefore is of attacked. the ISPs need and to In develop security order risks technical to government capacity of and local private technocrats sector critical to enable information them manage infrastructure. the cyber management to share of knowledge all critical information on incidence infrastructures response and (both ensure public that and there private), is a uniform the policy risk In 16 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

17 must partnership address model. the need for a central coordinating body and work with a public private III. Pillar RELEVANT 14 of the PROVISION ICT4AD policy ICT4AD cybercrime. international The cooperation pillar among and building other relates things infrastructure to Security places emphasis for Agencies security using on agencies capacity ICT to to building, combat them use ICT to combat crime. Additionally, the pillar is to ensure that the legal enable offenders. policy is up to date to help law enforcement agencies prosecute any cyber text crime of The prescribes fight Electronic against punishment cyber Transaction crime. for cyber Act (ETA) crime 2008 perpetuators. has specific The legislation Act addresses on cyber issues crime on and the The protection Data Protection of private data Act of which government, has been citizens passed and by businesses the Parliament Ghana. of Ghana ensures The as wealth. a Pillar means 14 of and mitigating the ETA cyber fail to incidences capture a that holistic may approach affect the to ability securing of citizens the cyber to create space The what cyber several different security. on-going agencies A initiatives National of Government, which Cyber are academia Security not coordinated and framework business makes covering are it impossible doing policy to enhance to know implementation the national cyber strategy security done of Ghana. holistically will ensure coordination and greatly enhance and 17 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

18 b. SECTION TWO: CYBER SECURITY POLICY 18 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

19 INTRODUCTION Ghana s people that a people are determination free with from a culture cyber to secure attacks of cyber its with cyber security devastating space achieved is driven effects. through by This a desire awareness is informed to ensure creation by that the and fact our capacity occur. reduces Our building the ability number are to identify in of a actual better and attacks position understand significantly to handle threats cyber and attacks how enhances they as can and the be continuous when handled they operation interest only to government and of security the national but of the also infrastructure nation. to operators We also on who which recognize provide critical that public information the services threat are is to not citizens held restricted and the private networks, thus the need for private public partnership. DEFINITIONS For the purpose of this policy document, and destruction Critical virtual), National would systems Information have and a devastating functions Infrastructure that impact are (CNII) on: vital may to the be nations defined that as those their incapacity assets (real or National Confidence market while economic that maintaining the strength nation's favorable key growth standards area can of living. successfully compete in global 19 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

20 National image National Projection defense of national and image security towards enhancing stature and sphere of influence. Government Guarantee sovereignty capability to and functions independence whilst maintaining internal security. Public Maintain order to perform and deliver minimum essential public services. Delivering health and and managing safety optimal health care to the citizen. CNII on Countries SECTORS identify FOR the GHANA Ghana, them the can following affect factors sectors CNII mentioned based have been the above. identified level For of networked the as CNII purpose sectors: computers of policy as and it relates how attacks to National Banking Information and Defense and Finance Communications and Security Energy 7. Transportation 8. Water 9. Health Government Emergency Services services 20 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

21 VISION 10. Food and Agriculture A in community secure a safe and cyber protecting stable space, connected Ghana s with a well-researched Ghana cyber with space Internet and equipped trained users with working academic global and and creating standards professional wealth responding efficiently prosecute swiftly to cyber criminals. incidents, and with up-to-date laws and systems in place and to To MISSION identify, STATEMENT threats measures posed analyze, on identified address critical and remediate national information the immediate infrastructures and potential (CNIIs) cyber and security and meet the in place countries that cyber will adequately security needs. regulate and secure the system infrastructures put POLICY This policy SCOPE against research, cyber and covers development crime, all creating aspect of of cyber public cyber laws awareness, security and legal and investment measures, national response in national education, including security, scientific, fight enforcement rephrase sentence) and protection of critical national information infrastructures. (We can law 21 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

22 POLICY Ghana, CONTEXT uncoordinated Many like many initiatives developing are being economies put place faces to the secure risk the of cyber-attacks. space of Different custodians of critical national information infrastructure are unaware of their Ghana. behind ensuring the national the maintenance policy is the of cyber realization security that within a combination the country. of persistent The driving computer force roles vulnerabilities infrastructures and at risks. worldwide connectivity has placed the national critical information In heightened taking Africa, place Governments threats to ensure to national that are legal discussing information systems how infrastructure. are to updated secure their to Several enable cyberspace national proper in persecution initiatives the wake are of of cyber The threat criminals. Union of African Commission countries that cyber-attacks to in develop fighting cybercrime a pose convention to African and at ensuring the governments regional cyber level security. has to prompted harmonize the the African efforts The the awareness national cyber security information policy will infrastructure. address major The cyber policy risks seeks facing to Ghana address from the attacks lack on problem of of Sakawa risks users which and has businesses tagged as face a doing haven business of cyber in fraudsters cyber space. will The be of addressed base, building systems by the and policy. technology The policy framework also addresses for combating the need cyber-attacks to develop and knowledge cybercrime for and cyber in the security near future expects create to make a culture Ghana of cyber self sufficient security in in Ghana. the fight capacity against 22 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

23 The National systems National of Information ten Cyber critical Security Infrastructure sectors. Policy (CNII) (NCSP) which seeks comprises to address the the networked risks to information the Critical The to ensure develop policy recognizes and establish the a critical comprehensive and highly program interdependent and a series nature of of frameworks the CNII and that aims developed the to effectiveness ensure that the of CNII cyber are security protected controls to a level over that vital commensurate assets. It is the being risks will faced. The economy regulatory, policy and has will been based designed on to a number facilitate of Ghana s frameworks move that towards comprises a knowledge-based aspects. technology, public-private cooperation, institutional, and legislation international and 23 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

24 Effective I. POLICY Governance STATEMENT Government promote the gains effective from will any cooperation centralize initiatives, coordination government between public will of establish national and private formal cyber sectors. and security encourage In order initiatives to informal sustain and information sharing exchanges. Legislative Government & through Regulatory the Framework reviewing nature of cyber and enhancing security threats. Ghana s Attorney In order laws General s relating to empower department to cyber national space set law up to enforcement a address periodic the process agencies dynamic of to capacity laws. properly building prosecute programs cyber to security acquire new crimes, skills Government and effective will ways establish of enforcing progressive and in Government harmony with will international ensure that laws, all applicable treaties and local conventions. legislation is complementary cyber to Policy Cyber Security measures Technology will be put Framework framework that specifies cyber in place security to develop requirement a national controls cyber and security baselines technology for CNII 24 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

25 elements. evaluation/certification This will program be accompanied for cyber security will product mechanism and systems. to implement an Culture Government of security will invest and Capacity every resource Building national security, culture government of security. will support As part the of standardization the needed process to of and develop, development coordination foster of of and culture cyber maintain of security cyber a awareness also: and education programmes across all elements of the CNII. Government will Establish Identify the national an effective level mechanism for cyber security knowledge dissemination at professionals minimum requirements and qualifications for information security Research In order for & Development Ghana to become towards self-reliant Self-Reliance commensurate prioritization of with cyber the security risk, research Government and in protecting will development formalize the CNII activities the to coordination a enlarge level that and is strengthen encouraged properties, the technologies by cyber promoting security and the innovations research development community. through and focused Research commercialization research and development and of development. intellectual will be Government industry. will also put measures place to nurture the growth of cyber security 25 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

26 Compliance In order to ensure and Enforcement be Government put in place will to also standardize compliance strengthen cyber and the enforcement, security monitoring systems policy and across enforcement measures all elements and of mechanism standards of the CNII. and will develop a standard cyber security risk Management Framework. Child Policy Online measures Protection industry, Government Civil Society, will be implemented and relevant through international multi-stakeholder child online working protection by government concerned and will create encourage awareness dialogue of the possibilities national and and dangers local of levels the Internet. to engage agencies. all Cyber To ensure Security cyber Emergency security Readiness stakeholders will include the will development effective emergency and cyber strengthening security readiness, incident of the government reporting national computer mechanisms. together with security This all incidence advisories business response and threat team warnings (CSIRT) in a and timely sector manner CSIRTs, and the dissemination development of of vulnerability elements continuity management framework. The government will also encourage a standard assessment of the programs. CNII to monitor cyber security events and perform periodic vulnerability all 26 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

27 Policy International measures Cooperation relevant Government international will will make be cyber put every in place security effort to encourage to bodies, promote panels the active active and participation participation multi-national in of Ghana all agencies. relevant in all international conference. cyber security activities by hosting an annual international cyber security 27 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

28 c. SECTION THREE: NATIONAL CYBER SECURITY STRATEGY 28 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

29 For FIRST each 5 YEAR policy thrust, CYBER specific SECURITY strategic STRATEGIC actions will PLAN be implemented ( ) year other strategic plan. actions These from actions other policy may thrusts. be implemented in isolation or under in concert the first with 5- Action I. STRATEGIC ACTIONS FOR POLICY THRUST Item Effective Policy Thrust Action Plan Policy Drivers Collaborators Governance 1. Government institutions structure to and ensure will put set long term in up place cyber governance sustenance security Ministry of information Cyber Security exchange. activity Action including Communications, of National Council, will be NCA, Security 1. taken business partnership as and collaboration Institutions). civil society of The (public government, to be setup include: institutions private General Attorney NITA, National Cyber Computer Security Council Incidence Response Center (CSIRT) Security 4. National Cyber Security Policy Team Legislative Working Group Regulatory Framework and 1. Government Review Attorney General s Committee will set Department up under Cyber to Law the do Attorney General s Department, Ministry Communication, Ministry of of P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

30 3. Cyber Technology Framework Security a accommodate cyber study environment on the legal laws challenges and of child Ghana online the to protection year Stage 1: identifications and review of every issues three the Stage cyber 2. Review environment current laws on in cyber Stage amendment environment 3. Make of national recommendations laws for 1. Government stakeholders international in will information collaboration review and / with adopt cyber key security robustness series, standards of NIST, CNII such etc sectors as increase ISO/IEC ensure Government safety in cyberspace for all and expand scheme the and national its partners certification will also management standardized for & information assurance. Digital Forensics security 2. Investigations will the be developed Standards that will be and used Model law academia enforcement to teach agencies students, and to train be by used witnesses by in the cybercrime lawyers cases. and expert Forensics 4. Setup professional strong 3. A NITA Interior, Professional Security Associations, Standards Organizations, Universities Professional Certification and Centers association such as Digital 30 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

31 4. Culture of Cyber Security & Capacity Building 5. Research Development towards Self & Reliance 1. Association Efforts number will of Ghana incidents of Information/cyber through made to improved security reduce awareness development including children creations for by all & developing stakeholders online skill National program Cyber and portal Security targeted Awareness at all a stakeholders using different by packaging content for providers 2. demographics. Capacity will be built through different increased information certification course an prepare Ghana and for cyber self-reliance security on to 3. cyber Targeted security. capacity building will be in implemented cyber to improve investigation for prosecution law and enforcement enforcement of cyber on 1. crime A Security National in Ghana. that will R&D be developed roadmap for to Cyber attending Ghana to will its cyber self security sufficient ensure 2. Technologies relevant & desirable needs. 3. CNII Domain will competency be developed. development for will 3.1. be Natural Industry provided growth for: of Cyber Security Ministry Communications, of Nongovernmental Organizations, Universities, Professional Certification Centers Cyber businesses Ministry Communications, of Ministry Education, Universities, of Council Scientific Industrial for Research and (CSIR), Professional Certification 31 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

32 6. Compliance 7. Cyber Build Updating Research R&D Labs roadmap at Universities regularly Centers, Enforcement & 1. A framework national Risk for CNII Management will be developed to CNII. ensure a uniform framework for all Communications Ministry of NITA, Ministry Environment, NCA, Science of technology, Professional & Security Private Sector Bodies, IT (Finance, Network Operators), Research Education Network and Emergency Readiness Security 1. A cyber for framework swift attacks responses for and mitigation ensuring to attacks of structures risk that of Ministry threaten Setup national of National security Cyber through: Communications of National Council, management National Cyber Committee security council) (under Crises Sector Security (Financial, Private Operators), Positioning CSIRTs in the National line of and responding sector Ministry Interior, NITA of to Setup Management emergencies of National WG Cyber continuously Crises reviewing recommendations by committee structures to be and acted making on 2. Organize Hacking Workshops to 32 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

33 8. Child 9. International Online exploit vulnerabilities systems and identify Protection Develop children which ensures as a framework they engage that for with the protection the Internet of 1. Ensuring Structures put that in place Organizational for agencies A Technical Monitoring Framework and Procedural 2. Capacity Measures stakeholders for working with all raising and Building public education. Awareness Legal Implementation Cooperation Measures and International Cooperation Ghana international online will cyber engage security in and relevant prioritize protection meetings child sign engagement and join and conventions International/regional or and stakeholders work together to address children s online risk by Ministry Communications of Ministry Gender, and of Protection; Social Children Ministry Interior, of Educations Ministry of Ministry Foreign of Ministry Communications, National of Council, of Ministry Security Ministry Interior, of Affairs. Gender Child Protection and and Social 33 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

34 34 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

35 The i. policy Strategy will be Implementation implemented in three Timelines stages: Short STRATEGY Term TIMELINE Year 1-2 ACTIVITIES analyze up Identifying institutional vulnerabilities CNII structures and addressing and and put creating g place immediate public stop gap awareness Concerns measures Identify while setting CNII, The Effective - short Implement governance term will focus Action on 4 following to assist policy ministry thrust: CNIIs, other stakeholders evaluate vulnerabilities put in place a and stop gap of develop communications measure measures to identify and address Begin building immediate institution concerns. by implementing Actions 1-3 to Cyber Culture of Implement Cyber Security - Security Implement Emergency Action Action 21 Readiness to to begin develop awareness framework creation Child stakeholders Online Coordinate Protection with local Develop universities framework or existing for engaging entities with to help all with Set leading the up expert the expertise. COP group stakeholder advising Committee the national to Government serve as the Ghana. formulation (Other and actions implementation stipulated of in a the national Ghana COP COP plan strategy) on for the Medium Term Year 3-4 Building standards the and infrastructure institutional - arrangements Setting-up the (mechanisms) necessary systems, and building process, 35 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

36 capacity The Culture medium of amongst Cyber term Security researchers will focus & Capacity on and following information Building policy security thrust: professionals Research Implement & Development Action 1 Compliance Implement Actions towards 1-2 and Self Reliance Implement and enforcement Action and accompanying accompanying infrastructure infrastructure Long Term Year 5+ Developing Legislative - Implement and self-reliance Regulatory Action 1 Framework and professionals, improving monitoring the mechanisms the - in mechanisms terms and creating of for technology compliance, the culture as evaluating of well cyber as security The Cyber long Security Continuous term strategy Technology review will focus and Framework improvement on following policy thrust: Compliance Enforcing & Enforcement Culture compliance of cyber security adopted Risk Management framework within CNII for - Continuous awareness creation Details ii. Specific of Specific Initiatives are attached in the appendix. initiatives including strategic objectives, estimated cost and drivers 36 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

37 APPENDIX 37 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

38 The Implementation TECHNICAL Strategy: PROPOSAL Programs and Initiatives APPENDIX -1 (STRUCTURING THE IMPLEMENTATION STRATEGY PROGRAMS AND INTIATIVE) Program Title of Program/Initiative Strategic National Cyber Security y Policy Working Group Objective To sectors assist MoC to collate all cyber security initiatives To identify critical national information infrastructure in medium support as term defined policy strategy drivers by the to policy setup structures for Relevant To Cyber design Security and implement Awareness a program comprehensive National Background Policy Achievable Objective to Program National & Goals /Initiative ICT4D National In order to Security, have continuous Law and order activity and on enhanced the Cyber cyber security Security policy and strategy, it is proposed that the current Adhoc technical 38 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

39 ensure committee (WG) to a keep quick for cyber the implementation momentum security be of converted the policy cyber to and security a strategy. Working agenda Group to Description of Program/Initiative The made which National up composition of current Cyber represent policy Security drafting a Policy public Adhoc private WG technical (NSCPWG) collaboration committee will and be by bottom-up overcome virtue of any approach. the shortfall selection New in skill of the members such members, as legal may also expertise be represent added in to a Working Communication conversion Group. from The the NCSPWG Adhoc Technical will assist Committee the Ministry to the that require immediate to establish attention recommended such as specific the awareness programs of Program/Initiative Rationale Implementation The between campaign rationale for the for first the setting year of up the of policy. the the adoption of the WG and is the to avoid implementation any vacuum of awareness long term structures creation. of the policy as well as begin a process of Program/Initiative Specific Goals Implementation Support implementation Develop implementing of strategy agency to begin actual Cyber Security Security, Awareness a National including Awareness portal the creation Creation of National Program Cyber on Program/Initiative Timeframe One Assisting structures policy for the implementing achievement agencies of long term to build goals the role (may after year be extended first in active year if engagement necessary) with but will policy continue implementation in advisory Program/Initiatives Deliverables and Target 39 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

40 National Program/Initiative Program Cyber Security (NCSAP) Deliverables Awareness Time 3-months Bound Measurable form policy adoption (TBM) Target Identification National Cyber of Critical Security (NCSP) National Awareness Portal 6-months from adoption of policy Information the concerns. Policy (CNII Infrastructure ) and immediate as prescribed by 12- Months from adoption of policy Program /Initiative: Output, Outcome and Beneficiaries and Estimated Cost NCSAP activities, Document will well online detailing informed activities awareness professionals etc. and program budget. and including, The citizens outcome workshops, on of threats program media beneficiaries cyberspace and will how be government they can guard security against professional, these threats. citizens The main and NCSP Oversee businesses the in creation Ghana. support downloads and support of Interactive where citizens Portal can with report all relevant incidences, information, Outcomes and will receive include updates a one stop of latest shop for cyber citizens security and information. business seek find citizenry, everything government on cyber and security. businesses The Ghana. main beneficiaries are the to CNII Oversee NCSPWG Infrastructure investigative will and assist determine work selecting critical to determine consultants ones based the to National policy do exercise. documents. Information outcome expansion will be a document with all details of CNII as it today The Government plans for next five years. The main beneficiary and Members of NCSWG of Ghana. must be rewarded for role for the period when is 40 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

41 COST seating WG they meets are allowance actively monthly, involved and estimated expenses in implementation. Budget cover of for GHC100, any This activity must performed. include year If a (seating any programme entity allowance+ in related support costs meals of as this + well venue) plan, or we ( it In simply will order be refer to appropriate get to the this buy-in budget to state from OVERHEADS.) as Project Implementation Management, Monitoring and Evaluation Agencies Supporting and their Implementation Supporting Implementation Responsibilities Assignment Ministry of Communications Agency Oversight Assigned of NCSWG, Responsibility National Security Council funding Technical/security / monitoring and project CNII input for evaluation creation and of new cyber advisory security for defining National Technology Information Agency/ National structure Communication Authority Technical collating CNII, advisory web and portal guide on Program Program/Initiative Success /Initiative Factors Critical Commitment WG members of members to work to implement policy, motivation of Implementation Risk Factors Inactivity Communications of WG members or lack of needed support form Ministry of Non Additional Comments and Remarks 41 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

42 (STRUCTURING THE IMPLEMENTATION TECHNICAL APPENDIX STRATEGY PROPOSAL 2 The Implementation Strategy: Programs PROGRAMS and Initiatives AND INTIATIVE) Program Title of Program/Initiative Strategic National Cyber Security Awareness Program Objective Objectives To To define Security Awareness Goals and General To identify Public) Intended Audience ( Stakeholders, Identify define Topics to be covered Current Training Needs obtain Support establish Security Policy define Delivery Methods to be used develop a Strategy for Implementation design develop Awareness Training Evaluation Strategy Strategy Methods Relevant To create a National Awareness portal Policy Objective Achievable & Goals National ICT4D Background to Program /Initiative The Culture to stimulate, National motivate, Cyber Security and remind Awareness the audience Program what shall is be used of Cyber Security, Awareness creation 42 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

43 Description of Program/Initiative The to expected National of them. train different Cyber stakeholders Security Awareness on different Program aspects is a of program security consummate with the intent with of the helping risks to them avoid provide incidences a reasonable of cyber assessment, attacks. This will take the form of identification, cyber stakeholders. training and evaluation of different sets need awareness portal The that program will establish will include a permanent a cyber awareness security of Program/Initiative Rationale Implementation The campaign rationale the for the internet and informed take appropriate community setting preventive is able up the to measure Awareness foresee any to Campaign overcome possible attack is such that Program/Initiative attacks. and the general The campaign public to will help be develop targeted culture at main of cyber stakeholders Specific Goals Implementation To develop level of awareness in the community security. to To mitigate media and risk other of cyber awareness attacks programs by workshops, mass access develop to information a national on awareness cyber security portal and for easy Program/Initiative Time-Frame On-going downloads program. In the quick first fixes year, it is proposed that the National and responsible hand Cyber over for to ensuring Security the emerging Policy that the WG organization country begin attains work that on a will level the be program awareness to mitigate cyber incidences. of Program/Initiatives Deliverables and Target Program/Initiative Deliverables Time Bound Measurable (TBM) Target 43 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y

44 Start National Detailed Cyber Awareness Security Program Time Portal table 6-months 3-months Policy Adoption program of Delivery of Holistic Awareness 12 Months from adoption of of policy Program /Initiative: Output, Outcome and Beneficiaries and Estimated Cost National Awareness Cyber Program Security Informed cyber work in incidences emerging stakeholders information and and crimes. public. economy Citizens Outcome in and peace in business substantial to create in worth. reduction Ghana can in level Estimated Internet of protection users cost of Ghana against entire should program threats Know online for 5 how years get will themselves be about a GHC2.5m basic National Awareness Cyber Portal Security One for year stop one. shop Annual cyber budget security of alerts, about quick GHC500, downloads through on emerging threats. Interactive portal where questions and can information Estimated web cost 2.0 of applications. portal creation Outcome and maintenance will be informed year community. be one asked GHC10, GHC20, Subsequent year may be down to less than is Project Implementation Management, Monitoring and Evaluation Agencies Supporting and their Implementation Supporting Implementation Responsibilities Assignment Ministry National of Cyber Communication Agency Security Policy & Assigned Responsibility WG Security (year Council one). National and Center Cyber Oversight of program; funding, take over by end of year 2 to monitoring ( Capacity building and evaluation after year 2) National Technology Information Agency/ National Technical web portal advisory development. and guide Capacity on 44 P a g e N a t i o n a l C y b e r S e c u r i t y P o l i c y & S t r a t e g y