STATE OF CYBER SECURITY IN ETHIOPIA



Similar documents
Business Case. for an. Information Security Awareness Program

Advantages of Managed Security Services

Exam 1 - CSIS 3755 Information Assurance

HIPAA Compliance and the Protection of Patient Health Information

Top tips for improved network security

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Achieving Truly Secure Cloud Communications. How to navigate evolving security threats

Subject: Internal Audit of Information Technology Disaster Recovery Plan

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

Cyber Security Risk Management

ICASAS505A Review and update disaster recovery and contingency plans

Information Security Services

T141 Computer Systems Technician MTCU Code Program Learning Outcomes

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

FACT SHEET: Ransomware and HIPAA

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11

(BDT) BDT/POL/CYB/Circular

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview. Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系

Rulebook on Information Security Incident Management General Provisions Article 1

Safeguarding Company IT Assets through Vulnerability Management

Executive Overview...4. Importance to Citizens, Businesses and Government...5. Emergency Management and Preparedness...6

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Principles of Information Security, Fourth Edition. Chapter 12 Information Security Maintenance

Preparing for the HIPAA Security Rule

Bridging the HIPAA/HITECH Compliance Gap

BUDGET LETTER PEER-TO-PEER FILE SHARING , , EXECUTIVE ORDER S-16-04

Trust the Innovator to Simplify Cloud Security

Cybersecurity for the C-Level

The Attacker s Target: The Small Business

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Security Incident Procedures Response and Reporting Policy

Process Solutions. Staying Ahead of Today s Cyber Threats. White Paper

Deploying Firewalls Throughout Your Organization

EXIN Information Security Foundation based on ISO/IEC Sample Exam

ISO Information Security Management Systems Foundation

LINCOLN COLLEGE INTERNET, , AND COMPUTER ACCEPTABLE USE POLICY

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

HIPAA and Mental Health Privacy:

Basics of Internet Security

Internet Safety and Security: Strategies for Building an Internet Safety Wall

Introduction to Cyber Security / Information Security

University of Central Florida Class Specification Administrative and Professional. Information Security Officer

ITU National Cybersecurity/CIIP Self-Assessment Tool

Promoting Network Security (A Service Provider Perspective)

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

ORDER OF THE DIRECTOR OF THE COMMUNICATIONS REGULATORY AUTHORITY OF THE REPUBLIC OF LITHUANIA

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Security in the smart grid

Organisational Systems Security

THE HUMAN FACTOR AT THE CORE OF FEDERAL CYBERSECURITY

IT Security Incident Management Policies and Practices

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

MASTER OF SCIENCE IN INFORMATION ASSURANCE PROGRAM DEPARTMENT OF COMPUTER SCIENCE HAMPTON UNIVERSITY

Print4 Solutions fully comply with all HIPAA regulations

Client Update NFA Adopts Interpretive Notice Regarding Information Systems Security Programs

RUTGERS POLICY. Section Title: Legacy UMDNJ policies associated with Information Technology

A Decision Maker s Guide to Securing an IT Infrastructure

PRINCIPLES AND PRACTICE OF INFORMATION SECURITY

Information Security and Risk Management

VERISIGN DDoS PROTECTION SERVICES CUSTOMER HANDBOOK


TCOM 562 Network Security Fundamentals

Cisco on Cisco Best Practice Security Practices for Online Collaboration and Social Media

General Computer Controls

Ohio Supercomputer Center

Seamless Mobile Security for Network Operators. Build a secure foundation for winning new wireless services revenue.

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

Intro to Firewalls. Summary

PROCEDURE FOR SECURITY RISK MANAGEMENT IN PPC S.A. INFORMATION TECHNOLOGY SYSTEMS DA-1

10 Hidden IT Risks That Might Threaten Your Law Firm

IMS-ISA Incident Response Guideline

Information Security Summit 2005

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

BSA-ISSA Information Security Study Online Survey of ISSA Members

Employing Disinformation Security to Protect Corporate Networks with NetBait. A NetBait Whitepaper June 2003

Demystifying Cyber Insurance. Jamie Monck-Mason & Andrew Hill. Introduction. What is cyber? Nomenclature

PUBLIC RELEASE OFFICE OF THE CHIEF INFORMATION OFFICER. Management Attention Is Needed To Assure Adequate Computer Incident Response Capability

GOVERNMENT OF THE REPUBLIC OF LITHUANIA

FFIEC Cybersecurity Assessment Tool

ISO IEC ( ) TRANSLATED INTO PLAIN ENGLISH

HIPAA Compliance Guide

Why a Network-based Security Solution is Better than Using Point Solutions Architectures

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Security Transcends Technology

Keyfort Cloud Services (KCS)

Norwich University Information Assurance Security Policy. Final Version 10.0 for Implementation

CYBERSPACE SECURITY CONTINUUM

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services

How Secure is Your SCADA System?

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises

Network Security: Policies and Guidelines for Effective Network Management

Defending Against Data Beaches: Internal Controls for Cybersecurity

GAO CRITICAL INFRASTRUCTURE PROTECTION. Comments on the National Plan for Information Systems Protection. Testimony

Transcription:

ETIOPIAN TELECOMMUNICATIONS AGENCY STATE OF CYBER SECURITY IN ETHIOPIA By Mr. Balcha Reba Ethiopian Telecommunications Agency Standards and Inspection Department Head, Standards Division email: tele.agency@ethionet.et June 2005

Table of Contents 1. INTRODUCTION... 2 2. BACKGROUND... 2 3. STATUS OF CYBERSPACE SECURITY IN ETHIOPIA... 4 4. EXISTING SECURITY TECHNOLOGY... 5 5. CONCLUSION... 6 1

1. INTRODUCTION Information security (InfoSec) is the protection of information and its critical elements, including the systems and hardware which use, store and transmit that information. Information security includes the broad areas of information security management, computer and data security management, computer and data security, and network security. To protect information and its related systems, tools such as policy, awareness, training and education, and technologies are of vital importance. Security is the quality or state of being secure, to be free from danger. In other words, security can be defined as building protection against adversaries. The security of information and its systems entails securing all components and protecting them from potential misuse by unauthorized users. As global networks expand the interconnection of the world s information systems, the smooth operation of communication and computing solutions becomes vital. However, recurring events such as virus and worm attacks and the success of criminal attackers illustrate the weaknesses in current information technologies and the need to provide heightened security for these systems. To put in another way, as the world becomes more and more dependent on networks of computers, it also becomes increasingly and dangerously vulnerable to cyber intrusion and cyber terrorism. Thus, requiring implementation of information security. Now days, the internet has brought millions of unsecured computer networks into communication with each other. The security of each computer s stored information is contingent on the level of security of every other computer to which it is connected. 2. BACKGROUND The creation of information security program begins with the creation and/or review of the organization s information security policies, standards and practices. Policies shall be considered as the basis for all information security planning, design, and deployment. 2

Policies do not specify the proper operation of equipment or software. This information should be placed in the standards, procedures and practices of users manuals and systems documentation. A policy is a plan or course of action used by an organization to convey instructions from its senior- most management to those who make decisions, take actions, and perform other duties on behalf of the organization. Polices are organizational laws in that they dictate acceptable and unacceptable behavior within the context of the organization s culture. Like laws, policies must define what is right, and what is wrong, what the penalties are for violating policy, and what the appeal process is. Standards, on the other hand, are more detailed statements of what must be done to comply with policy. The information technology revolution has changed the way business is transacted, government operates, and national defense is conducted. These three functions now depend on an interdependent network of critical information infrastructures that we refer to as cyberspace to secure this cyberspace a national policy shall be defined in such a way that to prevent or minimize disruptions to critical information infrastructures and thereby protect the people, the economy, the essential human and government services and the national security. Disruptions that do occur should be infrequent, of minimal duration and manageable and cause the least damage possible. Consistent to the policy in force, the national strategy to secure cyberspace shall have the following objectives: - Prevent cyber attacks against critical infrastructures. - Reduce national vulnerabilities to cyber attack and, - Minimize the damage and recovery time from cyber attacks that do occur. Despite the facts mentioned above there is no functional cyberspace security policy in Ethiopia. Currently, the Ethiopian ICT Development Authority is preparing national information security standards. However, information security policy should have been 3

developed earlier to guide the preparation of standards. Due to lack of national cyberspace security policy and associated standards, ICT development programs have very little focus on security components. Similarly, the national network infrastructure and telecommunications service provider, the Ethiopian Telecommunications Corporation, also performs its duties without clearly defined national strategic procedures and guidelines in place. Instead, the Corporation is relying on security elements proposed by vendors and system installers. 3. STATUS OF CYBERSPACE SECURITY IN ETHIOPIA In 2001, a national taskforce coordinated by the National Computer and Information Center of the Ethiopian Science and Technology Commission initiated Data Disaster Prevention and Recovery Management (DDPRM) program which mainly sought to address data integrity and physical security. The objective of this project was to formulate a policy, which facilitates enabling environment and paves the way for designing of a secure institutional data center. The over all intention was to protect data stored, processed and transmitted through computer system. In addition to this, the project was also supposed to develop guidelines and procedures that support corporate enterprises to put in place their own organizational data security in house policy. As compared to data security, information security is a broader system which deals with all critical elements and components of an information system namely: Software, Hardware, Data, People, Procedures and Networks. With regard to this, the Data Disaster Prevention and Recovery Management guideline developed by a taskforce organized by Ethiopian Science and Technology Commission is a good move towards adopting strategies to determine the level of protection required for applications, systems, facilities in ICT development and recover from any disaster without serious business discontinuity and major damages and loss to the system and data. However, escalation of the specific data security issue to more general information security systems was found to be mandatory. 4

In 2004, not long after the restructuring of IT sectors, the Ethiopian Telecommunications Agency took the initiative to invite the Ethiopian Information and Communication Technology Development Authority (EICTDA) and the Ethiopian Telecommunications Corporation (ETC) to discuss on issues of cyberspace security and encryption policy. On this initiative, the three institutions agreed on importance of cyberspace security policy and formed a joint technical committee, which follows up the process of formulating information security policy and standards. The institutions have also reached at a common understanding that EICTDA has more broader legal framework and resources to lead the initiative. On the basis of this, EICTDA has employed a consultant to conduct a general assessment on how to go forward to develop a national information security strategy and action plan. Currently, the Ethiopian ICT Development Authority is working on preparation of information security standards. The final document is expected to be finalized and endorsed by the government for implementation as of September 2005. As part of the capacity building process for the ongoing information security programs, the EICTDA has organized training on Information Security Principles to selected government employees working on ICT and related sectors. 4. EXISTING SECURITY TECHNOLOGY As mentioned in earlier sections, Ethiopia has not yet formulated information security policy and standards. However, currently the ISP is utilizing firewalls, network Intrusion Prevention Systems (IPS), Dial-up protection and packet filtering mechanisms to protect the internet infrastructure, corporate VPNs and Leased lines. Latest spam guards to get rid of viruses or malicious software (malware) are also in place to protect the system. The existing ISP security systems are based on technical proposal submitted by network installers and vendors. Therefore, it cannot be referred to as a system developed fulfilling all-rounded national information security policy and standards. In addition to this, when 5

implementing information security in an organization, there are many human resource issues that must be addressed. The organization should thoroughly examine the options possible for staffing information security function. In this regard, in Ethiopia there is a shortage of information security professionals. Hence, organizations are forced to draw on the current pool of information security practitioners. 5. CONCLUSION In Ethiopia, currently cyber security policy and standards are inexistent. Information security law, ethics and relevant legislation and regulation concerning the management of information in an organization is not yet developed. With absence of these conditions, it will be impossible to think of reliable cyber security issues. Therefore, formulation of cyber security policy and standards shall be given due attention. Furthermore, to develop more secure computing environments in the future, staffing of information security function has to count on the next generation of professionals to have the correct mix of skills and experience necessary to anticipate and mange the complex information security issues. Accordingly, trainings on information security principles are needed to prepare and create professionals of technology to recognize the threats and vulnerabilities present in existing systems and to learn to design and develop the security systems needed in near future. To this effect, the supports being given by Ministry of Capacity Building (MoCB) on promotion of ICT programs is encouraging. The training arranged in collaboration with Ethiopian ICT Development Organization and Kennesaw State University of USA on principles of information security is one to be cited. To put concisely, information security issue is not only a problem that technology can address alone but also a problem of a management to solve. Therefore, legal frameworks in the form of policy and standards are the most prerequisites to establish efficient and reliable cyber security systems. In line with this, Ethiopia has to do a lot yet to address the requirements for cyber security in the evolvement of information society. 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information