QUESTION 22-1/1: SECURING INFORMATION AND COMMUNICATION NETWORKS: BEST PRACTICES FOR DEVELOPING A CULTURE OF CYBERSECURITY


FINAL REPORT
ITU-D STUDY GROUP 1
QUESTION 22-1/1
SECURING INFORMATION AND COMMUNICATION NETWORKS: BEST PRACTICES FOR DEVELOPING A CULTURE OF CYBERSECURITY
5TH STUDY PERIOD
Telecommunication Development Sector


ITU-D Study Groups

In support of the knowledge sharing and capacity building agenda of the Telecommunication Development Bureau, ITU-D Study Groups support countries in achieving their development goals. By acting as a catalyst by creating, sharing and applying knowledge in ICTs to poverty reduction and economic and social development, ITU-D Study Groups contribute to stimulating the conditions for Member States to utilize knowledge for better achieving their development goals.

Knowledge Platform
Outputs agreed on in the ITU-D Study Groups and related reference material are used as input for the implementation of policies, strategies, projects and special initiatives in the 193 ITU Member States. These activities also serve to strengthen the shared knowledge base of the membership.

Information Exchange & Knowledge Sharing Hub
Sharing of topics of common interest is carried out through face-to-face meetings, e-forum and remote participation in an atmosphere that encourages open debate and exchange of information.

Information Repository
Reports, Guidelines, Best Practices and Recommendations are developed based on input received for review by members of the Groups. Information is gathered through surveys, contributions and case studies and is made available for easy access by the membership using content management and web publication tools.

Study Group 1
For the period , Study Group 1 was entrusted with the study of nine Questions in the areas of enabling environment, cybersecurity, ICT applications and Internet-related issues. The work focused on national telecommunication policies and strategies which best enable countries to benefit from the impetus of telecommunications/ICTs as an engine of sustainable growth, employment creation and economic, social and cultural development, taking into account matters of priority to developing countries.

The work included access policies to telecommunications/ICTs, in particular access by persons with disabilities and with special needs, as well as telecommunication/ICT network security. It also focused on tariff policies and tariff models for next-generation networks, convergence issues, universal access to broadband fixed and mobile services, impact analysis and application of cost and accounting principles, taking into account the results of the studies carried out by ITU-T and ITU-R, and the priorities of developing countries.

This report has been prepared by many experts from different administrations and companies. The mention of specific companies or products does not imply any endorsement or recommendation by ITU.

ITU 2014 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU.

Table of Contents

1 Introduction to the Final Report of Q22-1/1, on Cybersecurity

Best Practices for Cybersecurity - Guide for the Establishment of a National Cybersecurity Management System
  Introduction
  National Cybersecurity Management System
  National Cybersecurity Framework
  RACI Matrix
  NCSec Implementation Guide
  Implementation Guide
  Conclusion

Public-Private Partnerships in Support of Cybersecurity Goals and Objectives
  Introduction
  The Principles of Partnership
  Value Proposition
  Partnerships and Security Risk Management
  Concluding Statement
  Case Study: U.S. Private Public Partnerships
  Case Study: Some U.S. Public-Private Cybersecurity Partnerships

Best Practices for National Cybersecurity: Building a National Computer Security Incident Management Capability
  Introduction
  The Importance of a National Strategy for Cyber Security
  Key Stakeholders of National Cyber Security
  The Special Role of the National CIRT
  Analyzing Computer Security Incidents to Identify Intrusion Sets
  Building a Cyber Security Culture
  Strategic Goals and Enabling Goals for Incident Management Capability
  Conclusion

Best Practices for Cybersecurity - Managing a National CIRT with Critical Success Factors
  Introduction
  Critical Success Factors (CSFs)
  Advantages of a CSF Approach
  Sources of CSFs
  5.5 Identifying CSFs
  Defining Scope
  Collecting Data: Document Collection and Interviews
  Analyzing Data
  Deriving CSFs
  Using Critical Success Factors for National CIRTs
  Building a National Computer Security Incident Management Capability
  Selecting National CIRT Services
  Identifying Priorities for Measurement and Metrics
  Conclusion

Best Practices for Cybersecurity - Internet Service Provider (ISP) Network Protection
  Introduction
  Objective, Scope, and Methodology
  Analysis, Findings and Recommendations
  Recommendations
  Conclusions
  Future Work
  APPENDIX A: Introduction to Best Practices
  Prevention Best Practices
  Detection Best Practices
  Notification Best Practices
  Mitigation Best Practices
  Privacy Best Practices

Best Practices for Cybersecurity - Training Course on Building and Managing a CIRT

ANNEXES
  Introduction
  Annex A: Best practices for Cybersecurity - Planning and Establishing a National CIRT
  Annex B: Best practices for Cybersecurity - Managing a National CIRT with Critical Success Factors
  Annex C: Best practices for Cybersecurity - Guide for the Establishment of a National Cybersecurity Management System
  Annex D: Best practices for Cybersecurity - Internet Service Provider (ISP) Network Protection Best Practices
  Annex E: Best practices for Cybersecurity - Training Course on Building and Managing National Computer Incident Response Teams (CIRTs)
  Annex F: Best practices for Cybersecurity - Survey on Measures Taken to Raise Awareness on Cybersecurity
  Annex G: Best practices for Cybersecurity - Public-Private Partnerships in Support of Cybersecurity Goals and Objectives
  Annex H: Compendium on Cybersecurity Country Case Studies

Figures
  Figure 1: National Cybersecurity Management System
  Figure 2: NCSec Framework Model
  Figure 3: Radar to Assess Maturity Levels
  Figure 4: Implementation Guide Steps
  Figure 5: NCSecIG Resolution Approach
  Figure 6: Risk Management Lifecycle
  Figure 7: CIPAC Sector Partnership Model
  Figure 8: Example: Three Objectives from the DHS Strategic Plan for 2008 to
  Figure 9: CSFs are compared to departments to determine which departments support which Critical Success Factors

Tables
  Table 1: Deriving themes from document review
  Table 2: Questions to address when starting a National CIRT
  Table 3: Affinity analysis matrix for fictional National CIRT choosing services
  Table 4: Sample measurements that support the mission of a National CIRT


1 Introduction to the Final Report of Q22-1/1, on Cybersecurity

ITU-D Study Group 1 Q22-1/1 develops best practice reports on various aspects of cybersecurity. This is the final report of ITU-D Q22-1/1 on its activities over the last four-year study cycle, covering the period from . Q22-1/1's work programme was established by the World Telecommunication Development Conference (WTDC) at its 2010 meeting in Hyderabad, India. In the last four years, Q22-1/1 has addressed all the items on that work programme, either partially or completely.

This Q22-1/1 final report is composed of a number of best practice reports on different aspects of cybersecurity. These include (1) a guide for the establishment of a national cybersecurity management system; (2) best practices for the creation of public-private partnerships in support of cybersecurity goals and objectives; (3) building a national computer security incident management capability; (4) managing a national CIRT with critical success factors; and (5) best practices for Internet Service Provider (ISP) network protection. In addition, Annex E to this report provides training course materials on building and managing a CIRT.

The Question also received a contribution describing additional coursework and an online course for children from the Odessa National Academy of Telecommunications n.a. A.S. Popov. The Group also received information from the BDT on its activities both globally and regionally.

Work continues in Q22-1/1 on a number of other reports, e.g., a report on best practices for combating spam, a survey of the awareness-raising programmes that Member States are engaged in, and a compendium of reports that countries have contributed to Q22-1/1 on their cybersecurity activities. This work is expected to be completed during the next study group cycle.

2 Best Practices for Cybersecurity - Guide for the Establishment of a National Cybersecurity Management System

2.1 Introduction

The importance of establishing a national cybersecurity management system cannot be emphasized enough in a digitally advanced age where countries face real risks and vulnerabilities in critical information systems, which can be exploited by adversaries. Cyberspace is far from secure today, and there is an urgent need to take action, at national as well as international levels, against all forms of cyberthreats.

It is the role of governments to face computer security challenges, which are exacerbated by the absence of appropriate organizational and institutional structures to deal with incidents. Therefore, sectors and lead agencies should assess the reliability, vulnerability, and threat environments of the infrastructures and employ appropriate protective measures and responses to safeguard them.

The ITU has already proposed a whole process for developing and implementing a national cybersecurity plan. This proposal defines a methodology to implement a Roadmap of National Cybersecurity Governance, including a framework of Best Practices and a Maturity Model, to assess different aspects related to National Cybersecurity.

The Best Practices for Cybersecurity - Guide for the Establishment of a National Cybersecurity Management System is intended to present "NCSecMS", the "National Cybersecurity Management System", which is a guide for the development of effective National Cybersecurity. It ensures the implementation of a National Roadmap of Cybersecurity Governance, through the 4 following components:

- "NCSec Framework" proposes five domains and 34 processes for covering main issues related to Cybersecurity at the National level, as the ISO for organizations;
- "NCSec Maturity Model" classifies "NCSec Framework" processes depending on their level of maturity;
- "NCSec RACI chart" helps to define roles and responsibilities for the main stakeholders concerned by Cybersecurity in a country or a region;
- "NCSec Implementation Guide" is a generalization of ISO and standards at the national level. It underlines best practices that organizations can use to measure their readiness status.

2.2 National Cybersecurity Management System

The National Cybersecurity Management System, called NCSecMS, is a tool whose goal is to facilitate the achievement of National Cybersecurity, at both the national and regional levels. It consists of 4 steps, containing the following components:

Figure 1: National Cybersecurity Management System

Step 1: NCSecFR (Framework)
The best practice proposal for National Cybersecurity, called NCSecFR, is a global framework answering the needs expressed by the ITU in its Global Cybersecurity Agenda (GCA). Fully inspired by the ISO standard, [1] it is a code of practice for Organizational Structures and Policies on Cybersecurity at the national level, consisting of 5 domains and 34 processes, in order to help build regional and international cooperation for watch, warning, and incident response.

Step 2: NCSecMM (Maturity model)
The National Cybersecurity Maturity Model will make it possible to evaluate the security of a country or a whole region, thus allowing comparisons between them and pointing out its strengths and threats. It will also facilitate the determination of a country's maturity, thus setting a maturity target and planning for maturity enhancement. As long as a global national framework for Cybersecurity is defined, the NCSecMM is associated with this best practice proposal for National Cybersecurity, called NCSecFR. Inspired by COBIT's maturity model, it will enforce national Cybersecurity Management System implementation, thus showing what has to be done to improve each process, at the national and regional levels.

Step 3: NCSecRR (Roles and responsibilities)
Responsibility Charting is a technique for identifying functional areas where there are process ambiguities, bringing the differences out, and resolving them through a cross-functional collaborative effort. A National RACI chart, called NCSecRR, is provided, and defines, among the stakeholders, who is Responsible, Accountable, Consulted and Informed for each of the 34 NCSec processes. The RACI chart defines in detail what has to be delegated and to whom, and what kind of responsibility will be assigned to one stakeholder instead of another.

Step 4: NCSecIG (Implementation guide)
The implementation guide associated with National Cybersecurity, called NCSecIG, offers an efficient process control mechanism, in order to guarantee a good comprehension of the interaction between these processes, using ISO and ISO approaches. [2]

Resolution approach

The Resolution Approach, which takes into account the already settled orientations and goals of the ITU instances, is adopted for each of the 4 steps above in order to reach the corresponding goals of ITU, which consist of the elaboration of strategies for the creation of appropriate national and regional organizational structures and policies on Cybersecurity, and the development of strategies for the creation of a global framework for watch, warning and incident response.

Building a framework for National Cybersecurity (NCSecFR)
During this step, focus was placed on existing ITU documents and the ISO process based approach: we tried to adapt the ISO approach in order to settle the main processes essential to national Cybersecurity, so that we can produce the national Cybersecurity framework. Since ISO is the international standard of Organization's Information System Security, the proposed National Cybersecurity Framework is a generalization of the ISO standard.

National Cybersecurity Maturity Model (NCSecMM)
The NCSec Framework (step 1) is not enough: a maturity model should be associated with it, in order to enforce national Cybersecurity governance implementation, thus showing what has to be done to improve.

Roles and Responsibilities model (NCSecRR)
In this step, functional areas where process ambiguities exist are identified, the differences are brought out, and they are resolved through a cross-functional collaborative effort. It is of major importance to define in detail what has to be delegated and to whom, and what kind of responsibility will be assigned to one stakeholder instead of another. Thus, it will aid organisations and teams in identifying the responsibility for specific elements at the national level, at the process level of the NCSec Framework.

[1] For further information on ISO 27002, see Annex 1 of Morocco's document 1/45.
[2] For further information on ISO and 27003, see Annex 1 (Morocco 1/45).

Implementation Guide (NCSecIG)
Structuring every aspect of the NCSec Framework is a major priority. It is important to offer efficient process control, in order to guarantee a good comprehension of the interaction between these processes. The Implementation Guide will make it possible to structure every process using ISO and ISO approaches:

- ISO will provide help and guidance in implementing an ISMS (Information Security Management System), including focus upon the PDCA method, with respect to establishing, implementing, reviewing and improving the ISMS itself.
- ISO 27001, through the Plan-Do-Check-Act (PDCA) model, will be used to structure every process. It will also structure the maturity model itself.

The PDCA approach will be automatically used within the whole process of implementation of the NCSec Framework and Maturity Model.

2.3 National Cybersecurity Framework

How NCSec framework meets the needs

Cybersecurity governance is to be built essentially on a National Framework able to address and govern cyberthreat issues at a national level. In a boundless cyberspace, it should also be able to afford the needed cooperation at a regional and international level in order to meet its goals.

A Framework for National Cybersecurity Management System mainly may rest on: [3]

- National Legal Foundation;
- Technical Measures;
- Organizational Structures;
- Capacity Building;
- International Cooperation.

These elements are in line with the broad goals of the Global Cybersecurity Agenda (GCA), and its five (5) strategic pillars (or Work Areas). The suggested framework should be organized so as to meet the goals of the GCA initiative, to address the global challenges related to the five (5) Work Areas.

NCSec Framework

Figure 2: NCSec Framework Model

[3] For further information on each of these five elements, see Annex 1 (Morocco 1/45).

NCSec Framework: Five Domains [4]

The National Cybersecurity Framework (NCSecFR) consists of 34 processes divided into 5 domains. [5]

[4] For further information concerning the five domains, see Annex 1 (Morocco 1/45).
[5] For further information concerning these 34 processes, see Annex 1 (Morocco 1/45).

Domain 1: Strategy and Policies (SP)
This domain typically addresses the following questions:
- Is the National Cybersecurity Strategy defined?
- Is the government defining efficient national Cybersecurity policies?
- Did each stakeholder understand the NCSec objectives?
- How are the risk management processes understood and being integrated into the global framework, especially for CIIP?
- Is the degree of readiness of each stakeholder at the security level appropriate for implementing NCSec strategy?

Domain 2: Implementation and Organisation (IO)
This domain typically addresses the following management questions:
- Will the stakeholders meet properly the NCSec goals when implementing the NCSec strategy?
- Are NCSec services being delivered in line with NCSec strategy, for each sector/stakeholder?
- Are NCSec costs optimised?
- Are the stakeholders able to use the CyberSystems productively and safely?
- Are new stakeholders likely to deliver services that meet NCSec strategy?
- Are new stakeholders likely to apply NCSec policies on time and within budget?

Domain 3: Awareness and Communication (AC)
This domain typically addresses the following management questions:
- Are the national leaders in the government persuaded of the need for national action to address threats to and vulnerabilities?
- Is there any comprehensive awareness program promoted at the national level so that all participants (businesses, the general workforce, and the general population) secure their own parts of cyberspace?
- How are security awareness and communication programs and initiatives implemented for all stakeholders?
- Is there any support to civil society with special attention to the needs of children and individual users?

Domain 4: Compliance and Coordination (CC)
It typically addresses the following management questions:
- Do the organizational structures ensure that controls are effective and efficient?
- Are risk controls and compliance respected and reported?

- Are adequate confidentiality, integrity and availability in place among framework components?

Domain 5: Evaluation and Monitoring (EM)
It typically addresses the following management questions:
- Is NCSec performance measured to detect problems before it is too late?
- Can NCSec performance be linked back to the strategic goals of the global NCSec framework?
- Are risk, control, compliance and performance measured and reported?

The NCSec Framework key components are: [6]
- NCSec Governance Control Objectives / Focus Areas;
- NCSec Organizational Structures/Resources;
- NCSec Stakeholders;
- NCSec Information, based on the hierarchical threat classification. [7]

NCSec Maturity Model

COBIT framework maturity model (Source: ISACA ITGI) [8]

A national cyber-security framework must be developed for improvement in order to reach the appropriate level of management and control. This approach gains cost-benefit balance in the long term, answering the following related questions:
- What are our industry peers doing, and how are we placed in relation to them?
- What is acceptable industry good practice, and how are we placed with regard to these practices?
- Based upon these comparisons, can we be said to be doing enough?
- How do we identify what is required to be done to reach an adequate level of management and control over our IT processes?

It can be difficult to supply meaningful answers to these questions. IT management is constantly on the lookout for benchmarking and self-assessment tools in response to the need to know what to do in an efficient manner. Starting from COBIT's processes, the process owner should be able to incrementally benchmark against that control objective. This responds to three needs:
- A relative measure of where the enterprise is
- A manner to efficiently decide where to go
- A tool for measuring progress against the goal

Maturity modelling for management and control over IT processes is based on a method of evaluating the organisation, so it can be rated from a maturity level of non-existent (0) to optimised (5). In COBIT, a generic definition is provided for the COBIT maturity scale, which is similar to CMM but interpreted for the nature of COBIT's IT management processes. A specific model is provided from this generic scale for each of COBIT's 34 processes. Whatever the model, the scales should not be too granular, as that would render the system difficult to use and suggest a precision that is not justifiable because, in general, the purpose is to identify where issues are and how to set priorities for improvements. The purpose is not to assess the level of adherence to the control objectives.

By using the maturity models developed for each of COBIT's 34 IT processes, management can identify:
- The actual performance of the enterprise: where the enterprise is today
- The current status of the industry: the comparison
- The enterprise's target for improvement: where the enterprise wants to be
- The required growth path between as-is and to-be

To make the results easily usable in management briefings, where they will be presented as a means to support the business case for future plans, a graphical presentation method needs to be provided. [9]

COBIT is a framework developed for IT process management with a strong focus on control. These scales need to be practical to apply and reasonably easy to understand. The topic of IT process management is inherently complex and subjective and, therefore, is best approached through facilitated assessments that raise awareness, capture broad consensus and motivate improvement. These assessments can be performed either against the maturity level descriptions as a whole or with more rigour against each of the individual statements of the descriptions. Either way, expertise in the enterprise's process under review is required.

The advantage of a maturity model approach is that it is relatively easy for management to place itself on the scale and appreciate what is involved if improved performance is needed. The scale includes 0 because it is quite possible that no process exists at all. The 0-5 scale is based on a simple maturity scale showing how a process evolves from a non-existent capability to an optimised capability.

However, process management capability is not the same as process performance. The required capability, as determined by business and IT goals, may not need to be applied to the same level across the entire IT environment, e.g., not consistently or to only a limited number of systems or units. Performance measurement, as covered in the next paragraphs, is essential in determining what the enterprise's actual performance is for its IT processes.

Although a properly applied capability already reduces risks, an enterprise still needs to analyse the controls necessary to ensure that risk is mitigated and value is obtained in line with the risk appetite and business objectives. These controls are guided by COBIT's control objectives.

The maturity model is a way of measuring how well developed management processes are, i.e., how capable they actually are. How well developed or capable they should be primarily depends on the IT goals and the underlying business needs they support. How much of that capability is actually deployed largely depends on the return an enterprise wants from the investment.

A strategic reference point for an enterprise to improve management and control of IT processes can be found by looking at emerging international standards and best-in-class practices. The emerging practices of today may become the expected level of performance of tomorrow and, therefore, are useful for planning where an enterprise wants to be over time.

The maturity models are built up starting from the generic qualitative model [10] to which principles from the following attributes are added in an increasing manner through the levels:
- Awareness and communication
- Policies, plans and procedures
- Tools and automation
- Skills and expertise
- Responsibility and accountability
- Goal setting and measurement

Resolution approach

NCSecMM consists of linking national cyber security strategy to strategic national goals, providing metrics and maturity model levels to measure their achievement, and identifying the associated responsibilities of stakeholders and control objective process. This approach is derived from the maturity model that the Software Engineering Institute defined for the maturity of software development capability.

The proposed NCSecMM makes it possible to determine the country's maturity, thus setting a maturity target and planning for maturity enhancement. It contains the following levels:
- 0. Non Existent
- 1. Initial
- 2. Repeatable but intuitive
- 3. Defined
- 4. Managed and measurable
- 5. Optimized

Maturity model by process

Each of the five processes has conditions that have to be fulfilled in order to satisfy one of the five levels of maturity. [11]

Country assessment

To assess the maturity level of a country with respect to its National Cybersecurity Strategy, we propose to retain 10 major processes in order to conduct an inventory at any given time, as shown in the "radar" below, which will compare different countries and assess the evolution of a country between two dates.

Figure 3: Radar to Assess Maturity Levels

[6] For further information on the NCSec Framework key components, see Annex 1 (Morocco 1/45).
[7] See Annex 1 (Morocco 1/45) for the NCSec Information criteria.
[8] For further information on the COBIT Framework Maturity Model, see Annex 1 (Morocco 1/45).
[9] See Annex 1 (Morocco 1/45) figure 1.2 for details.
[10] See Annex 1 (Morocco 1/45) figure 1.3 for details.
[11] See 3.3 Maturity Model by Process, Annex 1 (Morocco 1/45) for the conditions.

NCSec Roles and responsibilities

Within a global need to settle National Cybersecurity Governance, the RACI chart should be associated with a global framework. This approach has already been used in COBIT, and has proved its efficiency (IT Governance Institute 2005).

2.4 RACI Matrix

An efficient methodology needs to be followed for identifying functional areas where there are ambiguities in terms of responsibilities, at the national level, bringing the differences out and resolving them through a cross-functional collaborative effort. Responsibility Charting enables managers from the same or different organizational levels or programs to actively participate in a focused and systematic discussion about process related descriptions of the actions. These actions must be accomplished in order to deliver a successful end product or service. But no Responsibility Charting models are dedicated to National Cybersecurity.

Responsibility Charting is a 5-Step Process (Smith and Erwin 2005):
1. First, we have to identify processes. [12]
2. Second, the stakeholders, resources and information useful to chart should be determined.
3. The RACI chart can then be developed, by completing the Chart Cells.
4. Overlaps should then be resolved.
5. Lastly, gaps should also be resolved.

We will follow this methodology in order to build and produce the RACI chart table.

RACI chart approach

The RACI model is a relatively straightforward tool used to clarify roles, responsibilities, and authority among stakeholders involved in managing or performing processes, especially during an organizational change process. It is useful to describe what should be done by whom to make a transformation process happen (Kelly 2006).

A RACI chart is a table that describes the roles and responsibilities of various stakeholders in operating a process. Within the context of the NCSec framework, the RACI Chart will clarify roles and responsibilities of the different stakeholders, at the national level.

For each of the 34 processes of the NCSec framework, it will associate with the list of stakeholders information about the roles they have in relation to those processes. For each process, one or more letters taken from the acronym RACI will be associated with each stakeholder, depending on his role(s) and responsibility. This acronym stands for:
- Responsible (R): Those who do work to achieve the process, including Support, which is to provide resources to complete the task in its implementation.
- Accountable (A): Those who are ultimately accountable for the correct completion of the task. It stands for the final approving authority. The Accountable authority must approve work that the Responsible authority provides before it is OK. There must be only one Accountable specified for each process.
- Consulted (C): Those whose opinions are sought, in a two-way communication. It stands for the authority that is asked for their input, and has information and/or capability necessary to complete the work.
- Informed (I): Those who are kept up-to-date on progress, under a one-way communication. It stands for the authority that must be told about the work, and notified of results, but need not be consulted.

[12] See RACI Matrix by Process in Annex 1 (Morocco 1/45).
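The cell rules this section sets for a RACI chart (exactly one Accountable per process, a gap when no stakeholder holds R, an overlap when several do, and an unresolved role when one stakeholder holds two participatory types) can be checked mechanically. The following Python code is an added example, not part of the ITU report: the process identifiers and cell assignments are constructed sample data, and the stakeholder names are the five groups the report lists for the implementation guide.

```python
"""Check a RACI chart against the responsibility-charting rules of section 2.4."""
from collections import namedtuple

ROLE_LETTERS = ("R", "A", "C", "I")

# kind is one of: invalid_letter, double_role, no_accountable,
# multiple_accountable, gap (no R), overlap (several R)
Finding = namedtuple("Finding", "process kind stakeholders")


def check_raci(chart):
    """Return the rule violations found in `chart`.

    `chart` maps a process id to {stakeholder: letters}; letters is a string
    such as "R", "A" or "A/R". A stakeholder with no role is simply omitted.
    """
    findings = []
    for process, cells in chart.items():
        holders = {letter: [] for letter in ROLE_LETTERS}
        for stakeholder, raw in cells.items():
            letters = set(raw.upper()) - set("/, ")
            if letters - set(ROLE_LETTERS):
                findings.append(Finding(process, "invalid_letter", (stakeholder,)))
                continue
            if len(letters) > 1:
                # Two participatory types in one cell: role not yet resolved.
                findings.append(Finding(process, "double_role", (stakeholder,)))
            for letter in letters:
                holders[letter].append(stakeholder)

        accountable = tuple(sorted(holders["A"]))
        responsible = tuple(sorted(holders["R"]))
        if not accountable:
            findings.append(Finding(process, "no_accountable", ()))
        elif len(accountable) > 1:
            findings.append(Finding(process, "multiple_accountable", accountable))
        if not responsible:
            findings.append(Finding(process, "gap", ()))
        elif len(responsible) > 1:
            findings.append(Finding(process, "overlap", responsible))
    return findings


def unresolved_processes(chart):
    """Sorted ids of processes that still need a charting discussion."""
    return sorted({finding.process for finding in check_raci(chart)})


# Constructed sample chart. The ids only borrow the report's domain
# abbreviations (SP, IO, AC, EM); they are not the report's process numbers.
SAMPLE_CHART = {
    "SP1": {"Government": "A", "Critical Infrastructure": "R",
            "Private Sector": "C", "Academia": "C", "Civil Society": "I"},
    "IO2": {"Government": "A", "Private Sector": "R",
            "Critical Infrastructure": "R", "Civil Society": "I"},
    "AC3": {"Government": "C", "Academia": "I", "Civil Society": "I"},
    "EM4": {"Government": "A/R", "Private Sector": "A", "Academia": "C"},
}

if __name__ == "__main__":
    for finding in check_raci(SAMPLE_CHART):
        who = ", ".join(finding.stakeholders) or "-"
        print(f"{finding.process}: {finding.kind} ({who})")
```
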

18 Very often the role specified as "Accountable" can be also specified "Responsible. But it is generally recommended that each role for each process receives at most one of the participatory role types. If double participatory types appear in the RACI chart, it means that the roles have not yet been truly resolved. It is then necessary to clarify each role on each task. NCSec RACI methodology The chosen methodology in the case of NCSec RACI chart will not be that different of the classical one. It will consist in completing the Chart Cells, after having identified who has the (R), (A), (C), (I) for each process. As a general principle, every process should preferably have one and only one (R). Otherwise, a gap occurs when a process exists with no (R), and an overlap occurs when multiple stakeholders have an (R) for a given process. We will begin with the (A). Guidelines for designating roles are: Designate one point (role, position) of Accountability (A) for each process; Assign responsibility (R) at the level closest to the action or knowledge required for the task. Verify that any shared responsibilities are appropriate; Ensure that appropriate stakeholders are Consulted (C) and Informed (I), but limit these roles to necessary involvement only. 2.5 NCSec Implementation Guide The purpose of the implementation guide is to assist any/all stakeholders in the NCSec to implement a traceability system in line with the NCSec Framework, NCSec Maturity Model, and NCSec Responsibility charting. Any/all stakeholders from the NCSec framework that want to implement a National Cyber Security Governance traceability system, will use this this implementation guide, such as Government, Private Sector, Critical Infrastructure, Academia, and Civil Society. The target audience of this guideline is any component of the previous stakeholders. 
In addition, this implementation guide can be used by Member States of ITU to support the implementation efforts of their local stakeholders, within a self-assessment process.

Main steps

The implementation guide consists of six main steps, which are all based on the Plan-Do-Check-Act (PDCA) approach:

Figure 4: Implementation Guide Steps

Resolution approach

Figure 5: NCSecIG Resolution Approach

2.6 Implementation Guide

Implementation Approval
A - Overview on approval for implementation
B - Define Objectives and National Requirements for Cybersecurity
C - Define Initial NCSec Governance scope
D - Obtain a high level Decision Makers approval

Define scope and strategy
A - Overview on defining NCSecMS and strategy
B - Defining National Cyberspace boundaries
C - Completing boundaries for NCSecMS scope
D - Developing the NCSec Strategy

Conduct National context analysis
A - Overview on conducting National context analysis
B - Defining Information security requirements
C - Defining Critical Information Infrastructure Protection (CIIP)
D - Generating a National Information Security Assessment

Design NCSec Management System
A - Overview on designing the NCSecMS
B - Defining Organizational Structures
C - Designing the monitoring and measuring
D - Producing the NCSecMS implementation Program

Implement NCSec Management System
A - Overview on implementing the NCSecMS
B - Setting up the implementation Management System
C - Carrying out implementation Projects
D - Documenting the procedures and Control

2.7 Conclusion

The National Cybersecurity Management System proposed above, applicable to Cybersecurity Governance at both national and regional levels, will help a country or a whole region to determine how well Cybersecurity is being managed, through self-assessment based on a well-defined Maturity Model. The National Cybersecurity Management Framework would allow countries and regions to reach adequate levels of management and control through continuous improvement, taking into consideration the cost benefits of short- and long-term objectives.

3 Public-Private Partnerships in Support of Cybersecurity Goals and Objectives

3.1 Introduction

This best practices report describes the efficacy of public-private partnerships in addressing the range of complex challenges associated with critical information infrastructure (CII) security and risk management. Managing the risk to critical infrastructure is an enormously complex but vitally important undertaking. The compromise or malicious exploitation of critical infrastructure can cause significant consequences on a local, regional or even global scale. The cyber security risks to CII have become progressively more important because nations, industry and people increasingly rely on information systems and networks to support the normal functions of critical infrastructure. If left unmitigated, risks to these information systems and networks can have important implications for national security, economic vitality, and societal well-being.
Critical infrastructure risk management at a national or global level presents an intractable challenge for government, particularly with respect to cyber security, which has both physical and logical infrastructure security challenges. First, critical infrastructure is ubiquitous. There are numerous points of vulnerability and opportunities to introduce risk. Second, the threats to infrastructure are myriad; intentional criminal or terroristic attacks, natural hazards, accidents, infrastructure dependencies, supply chain disruptions, and numerous other threats are cause for legitimate concern. Third, direct and indirect consequences can be devastating, but also difficult to accurately estimate and predict. Fourth, quantifying risk and prioritizing risk management efforts and the allocation of limited resources can be a daunting and complex challenge, particularly on a large scale (at a regional, national, or global level). Fifth, our world is increasingly interconnected, and infrastructure risk can transcend geographic boundaries and legal jurisdictions. This is particularly pertinent to CII; cyber attacks can be launched from virtually anywhere and are often forensically opaque. Lastly, while national security has traditionally been the responsibility of government, a great deal of infrastructure globally is owned and operated by private industry.

These and other concerns not only require novel risk management solutions, but also necessitate a greater level of cooperation, coordination, and collaboration among nation states, and between government and the businesses, academic institutions, non-governmental, international, and other organizations with equities in protecting critical infrastructure. Simply put, public-private partnerships often achieve some measure of success where unilateral efforts fail. Nowhere is this more relevant than with respect to CII, where cyber crime, data protection, control system security, network defense, and cyber incident response and recovery issues present increasing challenges for government and industry alike. Tackling these and other cyber security challenges is often beyond the capability of either government or the private sector to manage independently. To best serve international, national, corporate, and even individual interests, the public and private sectors and the international community must share responsibility for strengthening the global cyber security posture.

3.2 The Principles of Partnership

Key Characteristics of Successful Partnerships

The efficacy of collaborative solutions to complex and ubiquitous challenges has been demonstrated repeatedly. Partnerships between government and the private sector have been applied successfully to a wide range of issues, from academic and scientific questions, to social and economic challenges, to armed conflict and efforts to combat terrorism. A partnership is a relationship between individuals or groups that is entered into to achieve a specific goal. Partnerships are broadly characterized by mutual benefit, collaboration, shared responsibility, and shared accountability. Participants create partnerships because they see value in the relationship and expect to accrue some level of benefit. Members also recognize that the goal of the partnership would either be more difficult to accomplish or could not be achieved without this collaborative relationship. A number of key characteristics tend to be common to successful public-private partnerships, and their importance varies depending on the nature and circumstance of the partnership.
Broadly, some of these characteristics include:

- The partnership is mutually beneficial.
- The partnership is voluntary.
- Partners have a common (and documented) understanding of the objectives and scope of the partnership.
- Partners have agreed upon prioritized actions to achieve those objectives.
- There is clear delineation of roles and responsibilities.
- The partnership is broad and inclusive, with minimal barriers to entry.
- Each member contributes capabilities that help the partnership toward the shared goal or objective.
- Each partner is seen as independent and sovereign; the partnership is a relationship of trusted equals.
- Partners work together efficiently and effectively.
- There is transparency within the partnership.
- Sufficient resources are available to accomplish the purpose of the partnership.
- There is equitable investment among partners, including cost and burden sharing.

Often, multiple government organizations share responsibility for various and sometimes overlapping aspects of CII security. Accordingly, ongoing communication across government is important to collaborative public-private risk management efforts and to successful public-private partnerships generally.

3.3 Value Proposition

Governments generally recognize that protecting their citizens from the potentially devastating consequences associated with critical infrastructure exploitation or disruption would be almost impossible without the extensive and willing participation of the private sector. Private industry owns, operates, and maintains most infrastructure, including CII, so private sector expertise, collaboration, coordination, resources, and overarching engagement are essential to government critical infrastructure risk management efforts.

Private sector involvement in security partnerships occurs for more varied reasons. Corporations are primarily concerned with protecting their customers and managing risk to their organizations. Companies may not be able to achieve their overarching business risk management goals, which may be closely linked to security risk, without the assistance of other public and/or private partners. Public security interests often intersect with activities focused on prevention of data or product, property damage, and other corporate loss. Similarly, business continuity and the protection of employees and investments also often have a security nexus. Publicly traded companies also must respond to shareholders, who often exert pressure on corporations to take action on certain issues in support of the public good, including issues related to security, and politically sensitive issues (such as, for example, climate change). Pressure can also stem from within companies as corporate officers feel a sense of civic responsibility. If shown to be working cooperatively and in good faith with government, businesses may also receive some legal and liability protections in the event of an incident, as well as reduced insurance premiums.
Voluntary partnerships also present an attractive alternative to regulation, and these and other factors may spur private businesses to pursue cooperative and collaborative, rather than adversarial or compliance-focused, relationships with government. Close working relationships with government may afford companies increased transparency into government policies, and improved ability to influence government decision making to ensure policies are acceptable, effective, and workable.

Partnerships are not an end in themselves; the success of a partnership is measured by the degree to which it achieves the participants' goals. Partnerships always require individuals and organizations to take specific actions or to devote resources to meeting relevant objectives. With respect to CII security and resilience, the success of the public-private partnership is ultimately the effectiveness of that partnership in managing cyber risk.

The fundamental benefit of partnerships is that they enable individuals and organizations to achieve objectives or obtain capabilities that would either be more difficult or impossible to attain absent the partnership. Groups of organizations can often arrive at more effective solutions to difficult and complex problems than individual organizations acting alone, particularly if those problems involve multiple interdependencies, organizations, or nations. A focused partnership can more effectively distribute responsibilities according to capabilities and expertise, share and apply resources, share information and data, and harness greater intellectual capital to better accomplish the group's mutual goals. Organizations participating in public-private partnerships in support of critical infrastructure security, including CII security, can realize significant improvements in their ability to manage risk as a result of collaboration and coordination.
These include:

- Improved identification of threats and vulnerabilities;
- Better reporting and sharing of threat and warning information, strengthening early detection, prevention, and mitigation of threats;
- Improved incident management, response, and recovery;
- Exchange of technical, security, risk, emergency management, and other expertise;
- Improved access to training and education tools;
- Improved preparedness through coordinated and collaborative security exercises;
- Increased overall capacity for risk management through shared development and widespread dissemination of common risk tools, standards, and best practices;
- Creation of robust security communities and networks, cutting across critical infrastructure and business sectors and transcending national borders;
- Increased trust and transparency, and reduced conflict between government and the private sector;
- Creation of information sharing tools and processes, and stronger policies in support of information sharing;
- Improved efficiencies, stronger coordination, and reduction of redundancies across government at all levels, and between government and the private sector;
- Enhanced understanding of CII risk (all-hazards threats, vulnerabilities, consequences) and more sophisticated knowledge of domestic and international dependencies;
- Avoidance of costly regulation for the majority of critical infrastructure;
- Reduction of information and jurisdictional stovepipes across government and among public and private sector partners;
- Enhanced ability to gauge progress of risk mitigation and the effectiveness of programs across the critical infrastructure landscape;
- More effective prioritization and division of efforts for research and development across government and the private sector; and,
- Increased innovation in critical infrastructure risk management approaches.

Society is increasingly dependent on CII. While domestic and national security has traditionally been the domain of national governments, the challenge of CII security requires extensive and sustained partnership between the government and the private businesses that own, operate, and manage much of our infrastructure.

3.4 Partnerships and Security Risk Management

Government and the private sector each play important roles in the security risk management cycle, and should work together to optimize risk reduction efforts. The private sector can leverage a deep pool of expertise to address challenging issues, and brings flexibility, responsiveness, and innovation.
CII owners and operators best understand their infrastructure's operating dynamics, and know their business models, core competencies, and physical and financial limitations. The private sector is also often the initial line of defense for CII threat detection and protection, as well as often serving as the primary responder for cyber incident mitigation and recovery efforts. Because in many countries the private sector owns and operates a great deal of critical infrastructure, private industry is typically the most exposed to risk through reliance on or use of CII (e.g. critical infrastructure that relies on information technology to function). Industry also provides tools and products that help manage cyber risk.

Government can also contribute significantly to security partnerships. Governments apply significant monetary, equipment, and personnel resources. Governments own the traditional intelligence apparatus, and are able to work with the private sector and foreign intelligence services to develop a comprehensive threat picture that exceeds the capability of any single private company. Government also creates laws and regulations, and holds the preponderance of authority, which enables it to exert significant influence over security priorities and the allocation of resources to assist industry. Lastly, government can serve as an effective and trusted arbiter and coordinator among companies that may otherwise be reluctant to share sensitive information in a competitive market environment. Government also has the responsibility to compare facility, regional, or sector risk against the national and even global risk landscape. In some cases, government can collect and protect from public disclosure risk-related data, including data that may be proprietary or competitively sensitive to private companies, to identify trends, common vulnerabilities, and relative risk to CII assets, systems, networks, and functions. [13]

Government historically also plays a dominant role in intelligence gathering and identification of threats. This is particularly pertinent to more traditional physical threats. With respect to cyber threats (rather than physical threats), the private sector now plays a much more prominent role in threat identification, mitigation, and warning. Ultimately, the effectiveness of public-private partnerships focused on CII security is measured by the degree to which the partnership manages and mitigates risk. Figure 6 illustrates a typical security risk management lifecycle that can be applied broadly to most circumstances.

Figure 6: Risk Management Lifecycle (figure labels: Identify Organizational Objectives; Monitor and Update Efforts; Conduct Risk Assessment; Evaluate Effectiveness; Apply Risk to Organizational Decisions; Implement Risk Reduction Efforts)

When addressing CII security risk, it is vital that those intimately involved in managing risk reach accord on the desired outcomes of their collaborative efforts. Government and industry should clearly agree on the risk management goals and objectives that their joint efforts are intended to address. [14] Government and private sector partners work together to establish and commit to the specific risk management goals they will jointly pursue. As risk is assessed and mitigated (or otherwise managed), new priorities emerge and goals are readjusted to accommodate changes to the risk environment.

[13] In the United States, for example, the private sector voluntarily submits important threat, vulnerability, and other information to the government via the Protected Critical Infrastructure Information (PCII) program. PCII is an information-protection program that enhances information sharing between the private sector and the government. The U.S. Department of Homeland Security uses PCII to analyze and secure critical infrastructure and protected systems, identify vulnerabilities and develop risk assessments, and enhance recovery preparedness measures. PCII cannot be used for regulatory purposes and is protected from various public disclosure requirements.

[14] In the United States, for example, the Federal government works with State, local, regional, and international public- and private-sector partners to establish sector-wide goals for not only the Information Technology Sector, but for 17 other critical infrastructure sectors, which are all to varying degrees dependent on CII.


More information

National Infrastructure Protection Plan Partnering to enhance protection and resiliency

National Infrastructure Protection Plan Partnering to enhance protection and resiliency National Infrastructure Protection Plan Partnering to enhance protection and resiliency 2009 Preface Risk in the 21st century results from a complex mix of manmade and naturally occurring threats and

More information

Business Continuity & Disaster Recovery

Business Continuity & Disaster Recovery Business Continuity & Disaster Recovery Safety First Quality Every Time 1 Business Continuity & Disaster Recovery Planning Who here has a formal Business Continuity & Disaster Recovery plan? The purpose

More information

Sytorus Information Security Assessment Overview

Sytorus Information Security Assessment Overview Sytorus Information Assessment Overview Contents Contents 2 Section 1: Our Understanding of the challenge 3 1 The Challenge 4 Section 2: IT-CMF 5 2 The IT-CMF 6 Section 3: Information Management (ISM)

More information

Middle Class Economics: Cybersecurity Updated August 7, 2015

Middle Class Economics: Cybersecurity Updated August 7, 2015 Middle Class Economics: Cybersecurity Updated August 7, 2015 The President's 2016 Budget is designed to bring middle class economics into the 21st Century. This Budget shows what we can do if we invest

More information

Hearing before the House Permanent Select Committee on Intelligence. Homeland Security and Intelligence: Next Steps in Evolving the Mission

Hearing before the House Permanent Select Committee on Intelligence. Homeland Security and Intelligence: Next Steps in Evolving the Mission Hearing before the House Permanent Select Committee on Intelligence Homeland Security and Intelligence: Next Steps in Evolving the Mission 18 January 2012 American expectations of how their government

More information

Cyberspace Situational Awarness in National Security System

Cyberspace Situational Awarness in National Security System Cyberspace Situational Awarness in National Security System Rafał Piotrowski, Joanna Sliwa, Military Communication Institute C4I Systems Department Zegrze, Poland, r.piotrowski@wil.waw.pl, j.sliwa@wil.waw.pl

More information

Commonwealth Approach to Cybergovernance and Cybersecurity. By the Commonwealth Telecommunications Organisation

Commonwealth Approach to Cybergovernance and Cybersecurity. By the Commonwealth Telecommunications Organisation Commonwealth Approach to Cybergovernance and Cybersecurity By the Commonwealth Telecommunications Organisation Trends in Cyberspace Cyberspace provides access to ICT Bridging the digital divide and influencing

More information

Cyber Incident Annex. Cooperating Agencies: Coordinating Agencies:

Cyber Incident Annex. Cooperating Agencies: Coordinating Agencies: Cyber Incident Annex Coordinating Agencies: Department of Defense Department of Homeland Security/Information Analysis and Infrastructure Protection/National Cyber Security Division Department of Justice

More information

2. OVERVIEW OF THE PRIVATE INFRASTRUCTURE

2. OVERVIEW OF THE PRIVATE INFRASTRUCTURE A Functional Model for Critical Infrastructure Information Sharing and Analysis Maturing and Expanding Efforts ISAC Council White Paper January 31, 2004 1. PURPOSE/OBJECTIVES This paper is an effort to

More information

Cisco Security Optimization Service

Cisco Security Optimization Service Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless

More information

April 8, 2013. Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

April 8, 2013. Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899 Salt River Project P.O. Box 52025 Mail Stop: CUN204 Phoenix, AZ 85072 2025 Phone: (602) 236 6011 Fax: (602) 629 7988 James.Costello@srpnet.com James J. Costello Director, Enterprise IT Security April 8,

More information

Preventing and Defending Against Cyber Attacks October 2011

Preventing and Defending Against Cyber Attacks October 2011 Preventing and Defending Against Cyber Attacks October 2011 The Department of Homeland Security (DHS) is responsible for helping Federal Executive Branch civilian departments and agencies secure their

More information

Legislative Language

Legislative Language Legislative Language SECTION 1. DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY AUTHORITY. Title II of the Homeland Security Act of 2002 (6 U.S.C. 121 et seq.) is amended (a) in section 201(c) by striking

More information

Remarks for Admiral David Simpson WTA Advocates for Rural Broadband Spring Meeting Cybersecurity Panel

Remarks for Admiral David Simpson WTA Advocates for Rural Broadband Spring Meeting Cybersecurity Panel Remarks for Admiral David Simpson WTA Advocates for Rural Broadband Spring Meeting Cybersecurity Panel May 5th, 2015 10:00-11:30 a.m. Hyatt Regency, Indian Wells, CA Thank you all for welcoming me. It

More information

Docket No. DHS-2015-0017, Notice of Request for Public Comment Regarding Information Sharing and Analysis Organizations

Docket No. DHS-2015-0017, Notice of Request for Public Comment Regarding Information Sharing and Analysis Organizations Submitted via ISAO@hq.dhs.gov and www.regulations.gov July 10, 2015 Mr. Michael Echols Director, JPMO-ISAO Coordinator NPPD, Department of Homeland Security 245 Murray Lane, Mail Stop 0615 Arlington VA

More information

A COMPREHENSIVE INTER-AMERICAN CYBERSECURITY STRATEGY: A MULTIDIMENSIONAL AND MULTIDISCIPLINARY APPROACH TO CREATING A CULTURE OF CYBERSECURITY

A COMPREHENSIVE INTER-AMERICAN CYBERSECURITY STRATEGY: A MULTIDIMENSIONAL AND MULTIDISCIPLINARY APPROACH TO CREATING A CULTURE OF CYBERSECURITY APPENDIX A A COMPREHENSIVE INTER-AMERICAN CYBERSECURITY STRATEGY: A MULTIDIMENSIONAL AND MULTIDISCIPLINARY APPROACH TO CREATING A CULTURE OF CYBERSECURITY INTRODUCTION The Internet and related networks

More information

No. 33 February 19, 2013. The President

No. 33 February 19, 2013. The President Vol. 78 Tuesday, No. 33 February 19, 2013 Part III The President Executive Order 13636 Improving Critical Infrastructure Cybersecurity VerDate Mar2010 17:57 Feb 15, 2013 Jkt 229001 PO 00000 Frm 00001

More information

TUSKEGEE CYBER SECURITY PATH FORWARD

TUSKEGEE CYBER SECURITY PATH FORWARD TUSKEGEE CYBER SECURITY PATH FORWARD Preface Tuskegee University is very aware of the ever-escalating cybersecurity threat, which consumes continually more of our societies resources to counter these threats,

More information

MESSAGE FROM THE SECRETARY... ii EXECUTIVE SUMMARY... iii INTRODUCTION... 1 THE FUTURE WE SEEK... 5

MESSAGE FROM THE SECRETARY... ii EXECUTIVE SUMMARY... iii INTRODUCTION... 1 THE FUTURE WE SEEK... 5 TABLE OF CONTENTS MESSAGE FROM THE SECRETARY... ii EXECUTIVE SUMMARY... iii INTRODUCTION... 1 SCOPE... 2 RELATIONSHIP TO OTHER KEY POLICIES AND STRATEGIES... 3 MOTIVATION... 3 STRATEGIC ASSUMPTIONS...

More information

Department of Homeland Security Information Sharing Strategy

Department of Homeland Security Information Sharing Strategy Securing Homeland the Homeland Through Through Information Information Sharing Sharing and Collaboration and Collaboration Department of Homeland Security April 18, 2008 for the Department of Introduction

More information

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile

More information

UNESCO S CONTRIBUTIONS TO THE DRAFT OUTCOME STATEMENT OF THE NETMUNDIAL CONFERENCE. Introduction

UNESCO S CONTRIBUTIONS TO THE DRAFT OUTCOME STATEMENT OF THE NETMUNDIAL CONFERENCE. Introduction UNESCO S CONTRIBUTIONS TO THE DRAFT OUTCOME STATEMENT OF THE NETMUNDIAL CONFERENCE 16 April 2014 (Highlighted in yellow below) Introduction 1. The Global Multistakeholder Meeting on the Future of Internet

More information

NICE and Framework Overview

NICE and Framework Overview NICE and Framework Overview Bill Newhouse NIST NICE Leadership Team Computer Security Division Information Technology Lab National Institute of Standards and Technology TABLE OF CONTENTS Introduction to

More information

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors Overview for Chief Executive Officers and Boards of Directors In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed

More information

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for K-12 Education

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for K-12 Education Integrating Cybersecurity with Emergency Operations Plans (EOPs) for K-12 Education Amy Banks, U.S. Department of Education, Center for School Preparedness, Office of Safe and Healthy Students Hamed Negron-Perez,

More information

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008 U.S. D EPARTMENT OF H OMELAND S ECURITY 7 Homeland Fiscal Year 2008 HOMELAND SECURITY GRANT PROGRAM ty Grant Program SUPPLEMENTAL RESOURCE: CYBER SECURITY GUIDANCE uidelines and Application Kit (October

More information

Information Security Management System for Microsoft s Cloud Infrastructure

Information Security Management System for Microsoft s Cloud Infrastructure Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System

More information

The Cybersecurity Journey How to Begin an Integrated Cybersecurity Program. Version 1.0 March 2005

The Cybersecurity Journey How to Begin an Integrated Cybersecurity Program. Version 1.0 March 2005 The Cybersecurity Journey How to Begin an Integrated Cybersecurity Program March 2005 Legal and Copyright Notice The Chemical Industry Data Exchange (CIDX) is a nonprofit corporation, incorporated in the

More information

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for Institutions of Higher Education (IHEs)

Integrating Cybersecurity with Emergency Operations Plans (EOPs) for Institutions of Higher Education (IHEs) Integrating Cybersecurity with Emergency Operations Plans (EOPs) for Institutions of Higher Education (IHEs) Amy Banks, U.S. Department of Education, Center for School Preparedness, Office of Safe and

More information

CYBER SECURITY STRATEGY OF THE CZECH REPUBLIC FOR THE 2011 2015 PERIOD

CYBER SECURITY STRATEGY OF THE CZECH REPUBLIC FOR THE 2011 2015 PERIOD CYBER SECURITY STRATEGY OF THE CZECH REPUBLIC FOR THE 2011 2015 PERIOD The 2011 2015 Cyber Security Strategy of the Czech Republic is linked to the Security Strategy of the Czech Republic and reflects

More information

Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire. P3M3 Project Management Self-Assessment

Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire. P3M3 Project Management Self-Assessment Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire P3M3 Project Management Self-Assessment Contents Introduction 3 User Guidance 4 P3M3 Self-Assessment Questionnaire

More information

NIST Cybersecurity Framework & A Tale of Two Criticalities

NIST Cybersecurity Framework & A Tale of Two Criticalities NIST Cybersecurity Framework & A Tale of Two Criticalities Vendor Management & Incident Response Presented by: John H Rogers, CISSP Advisory Services Practice Manager john.rogers@sagedatasecurity.com Presented

More information

CYBERSECURITY INDEX OF INDICES

CYBERSECURITY INDEX OF INDICES Published July 2, 2015 CYBERSECURITY INDEX OF INDICES Cybersecurity development is a complex matter. Whether at the nation state level, or in an enterprise, various factors need to be taken into consideration

More information

INTRODUCTION TO INFORMATION TECHNOLOGY SECTOR CRITICAL INFRASTRUCTURE PROTECTION...

INTRODUCTION TO INFORMATION TECHNOLOGY SECTOR CRITICAL INFRASTRUCTURE PROTECTION... Table of Contents EXECUTIVE SUMMARY...4 1 INTRODUCTION TO INFORMATION TECHNOLOGY SECTOR CRITICAL INFRASTRUCTURE PROTECTION...9 1.1. PARTNERING FOR SECURITY...9 1.2. IT SECTOR PROFILE...11 2 RISK MANAGEMENT

More information

www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v8 2-25-14

www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v8 2-25-14 www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit (4:30-5:30) Draft v8 2-25-14 Common Myths 1. You have not been hacked. 2. Cyber security is about keeping the

More information

Legislative Proposals for the Maryland Commission on Cyber Security Innovation and Excellence

Legislative Proposals for the Maryland Commission on Cyber Security Innovation and Excellence Legislative Proposals for the Maryland Commission on Cyber Security Innovation and Excellence December 6, 2012 Michael Greenberger Professor of Law Founder and Director, CHHS Legislative Proposals Maryland

More information

VULNERABILITY ASSESSMENT AND SURVEY PROGRAM. Overview of Assessment Methodology. U.S. Department of Energy Office of Energy Assurance

VULNERABILITY ASSESSMENT AND SURVEY PROGRAM. Overview of Assessment Methodology. U.S. Department of Energy Office of Energy Assurance VULNERABILITY ASSESSMENT AND SURVEY PROGRAM Overview of Assessment Methodology U.S. Department of Energy Office of Energy Assurance September 28, 2001 CONTENTS 1 Introduction... 1 2 Assessment Methodology...

More information

Developing a National Strategy for Cybersecurity FOUNDATIONS FOR SECURITY, GROWTH, AND INNOVATION. Cristin Flynn Goodwin J.

Developing a National Strategy for Cybersecurity FOUNDATIONS FOR SECURITY, GROWTH, AND INNOVATION. Cristin Flynn Goodwin J. Developing a National Strategy for Cybersecurity FOUNDATIONS FOR SECURITY, GROWTH, AND INNOVATION Cristin Flynn Goodwin J. Paul Nicholas October 2013 Contents Executive Summary... 3 What Is a National

More information

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper Best Practices in ICS Security for Device Manufacturers A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security

More information

An Overview of Large US Military Cybersecurity Organizations

An Overview of Large US Military Cybersecurity Organizations An Overview of Large US Military Cybersecurity Organizations Colonel Bruce D. Caulkins, Ph.D. Chief, Cyber Strategy, Plans, Policy, and Exercises Division United States Pacific Command 2 Agenda United

More information

www.pwc.co.uk Cyber security Building confidence in your digital future

www.pwc.co.uk Cyber security Building confidence in your digital future www.pwc.co.uk Cyber security Building confidence in your digital future November 2013 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence in

More information

GOVERNMENT OF THE REPUBLIC OF LITHUANIA

GOVERNMENT OF THE REPUBLIC OF LITHUANIA GOVERNMENT OF THE REPUBLIC OF LITHUANIA RESOLUTION NO 796 of 29 June 2011 ON THE APPROVAL OF THE PROGRAMME FOR THE DEVELOPMENT OF ELECTRONIC INFORMATION SECURITY (CYBER-SECURITY) FOR 20112019 Vilnius For

More information

Oil and Gas Industry A Comprehensive Security Risk Management Approach. www.riskwatch.com

Oil and Gas Industry A Comprehensive Security Risk Management Approach. www.riskwatch.com Oil and Gas Industry A Comprehensive Security Risk Management Approach www.riskwatch.com Introduction This white paper explores the key security challenges facing the oil and gas industry and suggests

More information

IAPP Global Privacy Summit Protecting Privacy Under the Cybersecurity Microscope

IAPP Global Privacy Summit Protecting Privacy Under the Cybersecurity Microscope IAPP Global Privacy Summit Protecting Privacy Under the Cybersecurity Microscope March 6, 2014 Victoria King UPS (404) 828-6550 vking@ups.com Lisa J. Sotto Hunton & Williams LLP (212) 309-1223 lsotto@hunton.com

More information

EXECUTIVE STRATEGY BRIEF. Securing the Cloud Infrastructure. Cloud. Resources

EXECUTIVE STRATEGY BRIEF. Securing the Cloud Infrastructure. Cloud. Resources EXECUTIVE STRATEGY BRIEF Securing the Cloud Infrastructure Cloud Resources 01 Securing the Cloud Infrastructure / Executive Strategy Brief Securing the Cloud Infrastructure Microsoft recognizes that trust

More information

Cyber Security Recommendations October 29, 2002

Cyber Security Recommendations October 29, 2002 Cyber Security Recommendations October 29, 2002 Leading Co-Chair (Asia/Oceania) Co-Chair (Americas) Co-Chair (Europe/Africa) Dr. Hiroki Arakawa Executive Vice President NTT Data Corporation Richard Brown

More information

Implementation of a Quality Management System for Aeronautical Information Services -1-

Implementation of a Quality Management System for Aeronautical Information Services -1- Implementation of a Quality Management System for Aeronautical Information Services -1- Implementation of a Quality Management System for Aeronautical Information Services Chapter IV, Quality Management

More information

THE WHITE HOUSE Office of the Press Secretary

THE WHITE HOUSE Office of the Press Secretary FOR IMMEDIATE RELEASE February 13, 2015 THE WHITE HOUSE Office of the Press Secretary FACT SHEET: White House Summit on Cybersecurity and Consumer Protection As a nation, the United States has become highly

More information

Threat and Hazard Identification and Risk Assessment

Threat and Hazard Identification and Risk Assessment Threat and Hazard Identification and Risk Assessment Background/Overview and Process Briefing Homeland Security Preparedness Technical Assistance Program May 2012 PPD-8 Background A linking together of

More information

Testimony of. Before the United States House of Representatives Committee on Oversight and Government Reform And the Committee on Homeland Security

Testimony of. Before the United States House of Representatives Committee on Oversight and Government Reform And the Committee on Homeland Security Testimony of Dr. Phyllis Schneck Deputy Under Secretary for Cybersecurity and Communications National Protection and Programs Directorate United States Department of Homeland Security Before the United

More information

How To Write A Cybersecurity Framework

How To Write A Cybersecurity Framework NIST Cybersecurity Framework Overview Executive Order 13636 Improving Critical Infrastructure Cybersecurity 2nd ENISA International Conference on Cyber Crisis Cooperation and Exercises Executive Order

More information

Cyberprivacy and Cybersecurity for Health Data

Cyberprivacy and Cybersecurity for Health Data Experience the commitment Cyberprivacy and Cybersecurity for Health Data Building confidence in health systems Providing better health care quality at lower cost will be the key aim of all health economies

More information

Testimony of Matthew Rhoades Director Cyberspace & Security Program Truman National Security Project & Center for National Policy

Testimony of Matthew Rhoades Director Cyberspace & Security Program Truman National Security Project & Center for National Policy Testimony of Matthew Rhoades Director Cyberspace & Security Program Truman National Security Project & Center for National Policy House Committee on Homeland Security Subcommittee on Cybersecurity, Infrastructure

More information

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems Energy Sector Control Systems Working Group Supporting the Electricity Sector Coordinating Council, Oil & Natural Gas

More information

Cloud Security Benchmark: Top 10 Cloud Service Providers Executive Summary January 5, 2015

Cloud Security Benchmark: Top 10 Cloud Service Providers Executive Summary January 5, 2015 Cloud Security Benchmark: Top 10 Cloud Service Providers Executive Summary January 5, 2015 2015 CloudeAssurance Page 1 Table of Contents Copyright and Disclaimer... 3 Results: Top 10 Cloud Service Providers

More information

COBIT 4.1 TABLE OF CONTENTS

COBIT 4.1 TABLE OF CONTENTS COBIT 4.1 TABLE OF CONTENTS Executive Overview....................................................................... 5 COBIT Framework.........................................................................

More information