Making our Cyber Space Safe
Ghana's Emerging Cyber Security Policy & Strategy
William Tevie, Director General
5/28/2014

Agenda
- Cyber Security Issues
- Background to Policy
- Target Audience for Framework
- National Strategy Level of Coverage
- Mission & Vision
- Identified CNII
- Policy Thrusts
- Action Plans
- Implementation Plan

Cyber Security Issues in Ghana
- National Image
- SIM Box Fraud
- Need to ensure protection of CNII
- Large Extensive Government Network by NITA
- Data center running cloud applications and email service
- Exposure to risk
- Low Awareness about cyber security issues
- Lack of empowerment to enforce law in cyberspace
- Need to review laws in relation to cyber security
- Need for capacity building of law enforcement
- Lack of Coordination of Cyber Initiatives

The Genesis of ICT Policy in Ghana
- ICT4AD policy driving Ghana's ICT Agenda
- Policy developed and adopted in 2003
- 14 Pillars addressing all sectors
- Pillar 14 addresses law enforcement and cyber security

ICT4AD Pillar 14
- Policy measures and mechanisms to address national security, law and order issues relating to the deployment, exploitation and utilization of ICTs within the economy and society.
- Address security issues relating to privacy, data and consumer protection, and the security of computer networks and information systems and their information and data contents.

Evolution of e-government Strategy - 1
- 2003: ICT4AD adopted (14 Pillars; all sectors addressed)
- 2006: Preparatory work for e-government (legal framework and enabling environment; design of eGhana Project)
- 2008: Legal instruments enacted
  - NITA Act (771)
  - Electronic Transaction Act (772)
  - Electronic Communication Act (775)
  - NCA Act (769)

Electronic Transaction Act (ACT 772)
- Developed as result of Pillar 14 and other pillars
- Legal Instrument embracing all Electronic transaction
- Certifying authorities
- Registry
- ICT Tribunal
- Cyber Inspectors
- Electronic Government Services
- Cyber Offenses
- Protected computers and Databases
- Consumer protection

ACT 772 Cyber Related Provisions
- Cyber inspectors
- Powers of law enforcement officers
- Law enforcement officer and third party assistance
- Preservation of evidence
- Disclosure of electronic information
- Inadmissible evidence

ACT 772 Cyber Related Provisions
Cyber offences:
- Stealing
- Appropriation
- Representation
- Charlatanic advertisement
- Attempt to commit crimes
- Aiding and abetting
- Duty to prevent felony
- Conspiracy
- Forgery

Why the Need for Policy Review
- Cyber security has grown bigger
- Every user is at risk
- Law enforcement can provide security
- Requires full participation of everyone
- Element of developing culture of cyber security
- PPP approach to resolving cyber security issues

Target Groups of Cyber Security Framework
- Person Specific
  - Consumer User
  - Corporate user
- Device Specific
  - Telephones
  - Wireless Cell Devices
  - Personal Digital Assistant (PDA)
- Network Specific
  - Wireless Carrier's Transport
  - Local Area, Metropolitan Area and Wireless Area
  - Internet

Background to Policy Development
- Existing Ghana ICT4AD pillar 14: National security and law enforcement in cyber space
- Implemented by Electronic Transaction Act (Act 772)
- Some shortfall in policy
  - Does not adopt a PPP approach
  - All target audience not addressed
  - Protection of CNII not covered under policy
  - Culture of cyber security across sectors not properly covered
  - Capacity building focused on only National security agencies and law enforcement
  - Pillar not citizen-centric

National Strategy Level of Coverage
- Level 1: Home and Small Business users
- Level 2: Large Enterprise Users
- Level 3: Critical Sectors
- Level 4: National Priorities
- Level 5: Global

Vision and Mission

Vision
Our vision is to secure the Critical National Information Infrastructure (CNII) and make it resilient, and for Ghana to be self-reliant in securing its cyber space by infusing a culture of security to promote stability, social well-being and wealth creation of our people. All actors in law enforcement, national security, network security practitioners in government and business, and the public will take part in the vision.

Mission
Our mission is for Ghana to become a self-sufficient country attending to its cyber security needs by 2017.

Identified CNII Sectors
1. National Defense and Security
2. Banking and Finance
3. Information and Communications
4. Energy
5. Transportation
6. Water
7. Health Services
8. Government machinery
9. Emergency services
10. Food and Agriculture

The Eight Thrusts of the Policy

Thrust 1. Effective Governance
- centralize coordination of national cyber security initiatives
- promote effective cooperation between public and private sectors

Thrust 2. Legislative & Regulatory Framework
- Attorney General's department periodic reviewing and enhancing Ghana's laws relating to cyber space
- progressive capacity building programs to acquire new skills and effective ways of enforcing cyber laws

Thrust 3. Cyber Security Technology Framework
- develop a national cyber security technology framework that specifies cyber security requirement controls and baselines for CNII elements
- mechanism to implement an evaluation/certification program for cyber security product and systems

Thrust 4. Culture of Security and Capacity Building
- invest every resource needed to develop, foster and maintain a national culture of security
- Establish an effective mechanism for cyber security knowledge dissemination at the national level
- Identify minimum requirements and qualifications for information security professionals

Thrust 5. Research & Development towards Self-Reliance
- formalize the coordination and prioritization of cyber security research and develop activities to enlarge and strengthen the cyber security research
- measures in place to nurture the growth of cyber security industry

The Eight Thrusts of the Policy

Thrust 6. Compliance and Enforcement
- standardize cyber security systems across all elements of the CNII
- strengthen the monitoring and enforcement of standards and develop a standard cyber security risk assessment framework

Thrust 7. Cyber Security Emergency Readiness
- develop effective cyber security incident reporting mechanisms
  - include the development and strengthening of the national CSIRT
- development of a standard business continuity management framework and perform periodic vulnerability assessment programs

Thrust 8. International Cooperation
- encourage the active participation of Ghana in all relevant international cyber security bodies and conferences

Action Plans

1. Effective Governance
Action Plan:
- Setup Governance Structure and institutions to enable long term substance of Cyber Security activity including information exchange. Institutions include:
  - National Cyber Security Council
  - National Cyber Security Center
  - National Computer Emergency Response Team
  - National Cyber Security Policy Working Group
Policy Drivers: Ministry of Communications, National Security Council, NITA, NCA

2. Legislative and Regulatory Framework
Action Plan:
- Setup Cyber Law Review Committee under the Attorney General's Department to do a study on the laws of Ghana to accommodate legal challenges in the Cyber environment and review every three years
  - Stage 1: Identification of issues in the cyber environment
  - Stage 2: Review current laws on cyber environment
  - Stage 3: Make recommendations for amendment of national laws
Policy Drivers: Attorney General's Department

3. Cyber Security Technology Framework
Action Plan:
- Review and adopt international cyber security standard such as MS ISO/IEC 27001 to increase robustness of CNII sectors
- Expansion of national certification scheme for information security management & assurance
Policy Drivers: Ministry of Communications, NITA, NSC

Action Plans

4. Culture of Cyber Security & Capacity Building
Action Plan:
- Reduce number of Information security incidents through improved awareness & skill level
- Increase Certification course on information and cyber security
- Develop a National Cyber Security Awareness program and portal targeted at stakeholders by content providers using different packaging for different demographics
Policy Drivers: Ministry of Communications, Ministry of Information, (National Cyber Security Council, National Cyber Security Center, National CSIRT, National Cyber Security Policy Working Group)

5. Research & Development towards Self Reliance
Action Plan:
- Develop National R&D Roadmap for Cyber Security
- Identify technologies relevant & desirable for CNII
- Provide domain competency development
- Nurture growth of Cyber Security Industry
- Update roadmap regularly
Policy Drivers: National Cyber Security Council, National Cyber Security Center, National CERT, Universities, CSIR, Professional certification Centers

6. Compliance & Enforcement
Action Plan:
- Develop Risk Assessment framework for CNII

7. Cyber Security Emergency Readiness
Action Plan:
- Framework for cyber attack response
- Mitigation of Cyber attacks
Policy Drivers: National Cyber Security Council, National and sector CSIRTs, National Cyber Crises Management Committee, National Cyber Crises Management WG

Action Plans

8. International Cooperation
Action Plan:
- Engage in relevant international cyber security meetings
- Prioritize international engagements, sign and ensure compliance of International/regional conventions
Policy Drivers: Ministry of Communications, Ministry of Foreign Affairs, Attorney General's Department, National Security Council

Implementation
(Period / Issues to be Addressed / Activities)

Short Term (0-1 Years): Identifying CNII and Addressing Immediate Concerns
- Identify Critical National Information Infrastructure
- Stop-gap measures to address fundamental vulnerabilities to the cyber security of the CNII
- Creating a centralized platform for security mechanism
- Establish Cyber Incidence Response readiness
- Raising awareness of cyber security and its implications

Medium Term (2-3 Years): Building the Infrastructure
- Setting-up the necessary systems, process, standards and institutional arrangements (mechanisms)
- Building capacity amongst researchers and information security professionals

Long Term (Year 4-5): Developing Self-Reliance
- Developing self-reliance in terms of technology as well as professionals
- Monitoring the mechanisms for compliance
- Evaluating and improving the mechanisms
- Creating the culture of cyber security

Structure of Initiatives within Strategy

Opportunities for Security Communities
- Information System Security practitioners are key drivers
- Critical mass of expertise needed to drive whole process
- Capacity building to be driven by practitioners
- Risk Management framework and strategies for maintaining CNII require skill set that can be found in the community
- ISACA and related professional bodies have a critical role in emerging cyber security strategy

Thank You!
Visit our Websites @
- http://www.nita.gov.gh
- http://www.eservices.gov.gh
- http://www.data.gov.gh
Contact: William.tevie@nita.gov.gh, Phone: 0302-661777