Development of Cybersecurity Strategies and Policies. Orlando Garcés, Jorge Bejarano. OAS Cybersecurity Symposium, Santiago de Chile, Chile, September 25th, 2019


Page 1

Development of Cybersecurity Strategies and Policies

Orlando Garcés Jorge Bejarano

OAS Cybersecurity Symposium

Santiago de Chile, Chile, September 25th, 2019

Page 2

Disclaimer: The opinions expressed in this presentation do not necessarily reflect the views of the General Secretariat of the Organization of American States –OAS– or the governments of its member states.

Page 3

Development of Cybersecurity Strategies and Policies

Context and trends in Cybersecurity

Santiago de Chile, Chile, September 25th, 2019

Page 4

Cybersecurity

Source: WEF

Page 5

What is Cybersecurity?

• No universal definition

• The set of resources, policies, security concepts, security safeguards, guidelines, risk management methods, actions, research and development, training, best practices, insurance and technologies that can be used to pursue availability, integrity, authentication, confidentiality and non-repudiation, in order to protect the users and assets of the organization in cyberspace (Colombian national policy, April 2016)

• The set of policies, controls, procedures, risk management methods and standards associated with the protection of society, government, economy and national security in cyberspace and public telecommunication networks (Mexican national policy, 2017)

• The collection of tools, policies, guidelines, risk management approaches, actions, trainings, best practices, assurance and technologies that can be used to protect the availability, integrity and confidentiality of assets in the connected infrastructures pertaining to government, private organizations and citizens; these assets include connected computing

Page 6

What is Cyberdefense?

• No universal definition

• The use of military capabilities in the face of cyber threats, cyber attacks or hostile acts of a cybernetic nature that affect society, national sovereignty, territorial independence, the constitutional order and national interests (Colombian national policy, April 2016)

• The entirety of intelligence and military measures leading to the disruption, suppression or slowing down of cyber attacks, serving to identify authorship, ensuring the operational readiness of the Armed Forces in all situations, and serving to build capacities and capabilities for subsidiary support of civilian authorities (Swiss national policy, 2018)

• The means to achieve and execute defensive measures to counter cyber threats and mitigate their effects, and thus preserve and restore the security of communication, information or other electronic systems, or the information that is stored, processed or transmitted in these systems (NATO definition, April 2019)

Page 7

What is Digital Security and Digital Security Risk Management?

• Recommendation of the Council on Digital Security Risk Management for Economic and Social Prosperity (OECD, 2015)

• Digital security risk management: the set of coordinated actions taken within an organization and/or among organizations to address digital security risk while maximizing opportunities. It is an integral part of decision making and of an overall framework to manage risk to economic and social activities. It relies on a holistic, systematic and flexible set of cyclical processes that is as transparent and as explicit as possible (OECD, 2015)

• Digital security is the situation of normality and tranquility in the digital environment (cyberspace), derived from the realization of the essential purposes of the State through (i) digital security risk management; (ii) the effective implementation of cybersecurity measures; and (iii) the effective use of cyber defense capabilities; it demands the social and political will of the multiple stakeholders and citizens of the country (Colombian national policy, 2016)

• Digital security at the national level is the state of confidence in the digital environment resulting from the management and application of a set of proactive and reactive measures against the risks that affect the security of people, economic and social prosperity, the national security and national

Page 8

Other definitions

Vulnerability

Risk

Digital Attack

Digital Incident

Cyber space

Incident response

Page 9

What is Cybercrime?

Source: OAS

Page 10

The attacker, motives and their targets

Source: OAS

Page 11

Sources of Information - Global

Page 12

Cyber attacks in Latin America and the Caribbean -LAC-

[Chart panels: Network attack; Spam; Malicious mail]

Source: Kaspersky, percentage of attacked devices during the last month (June 2019)

Page 13

Sources of Information – Regional ENISA

Source: ENISA

Page 14

Sources of Information – Regional OAS

https://www.oas.org/es/sms/cicte/sectorbancarioeng.pdf

https://www.oas.org/documents/spa/press/Estudio-Seguridad-Digital-Colombia.pdf

https://publications.iadb.org/publications/spanish/document/Ciberseguridad-%C2%BFEstamos-preparados-en-Am%C3%A9rica-Latina-y-el-Caribe.pdf

https://www.oas.org/en/sms/cicte/Documents/reports/The-State-of-Cybersecurity-in-the-Mexican-Financial-system.pdf

STATE OF MATURITY AT REGIONAL LEVEL

SECTORIAL AT REGIONAL LEVEL

SECTORIAL AT THE NATIONAL LEVEL

AT THE NATIONAL LEVEL

Page 15

Sources of Information – Regional OAS – Mexican Financial System

[Chart: how often each attack type is observed, with series Daily / Weekly / Monthly / Quarterly on an axis from 0% to 100%. Attack types listed: loss or theft of equipment or devices; internal fraud; loss or theft of data; violation of clean desk policies (Clear Desk); backdoor (code developed to enable subsequent access); zero day attack; internal sabotage; social engineering; man-in-the-middle; phishing, vishing or smishing; DNS spoofing; pharming; malicious code or malware; SQL injection; denial of service attack (DoS / DDoS); brute force attack; XSS or XFS; defacement.]

Source: OAS

Page 16

Sources of Information – Regional OAS – Mexican Financial System

Four tables, all with the columns Large / Medium / Small / Total. Where a row on the slide carries fewer than four values, the values are reproduced in the order printed, with the size segments not reported for that institution type omitted.

Annual Budget, as % of EBITDA of the immediately preceding year
Commercial Banks: 2,30% | 3,05% | 1,88% | 2,38%
Development Banking Institutions: 1,63% | 2,50% | 2,00%
Brokerage houses: 2,57% | 2,57%
Cooperatives (SOCAP): 2,26% | 1,65% | 1,90%
Popular Financial Societies (SOFIPO): 3,33% | 5,00% | 4,00%
Credit Unions: 1,82% | 1,82%
Fintech Institutions: 2,65% | 2,65%
Mexican Financial System: 2,30% | 2,51% | 2,04% | 2,18%

Annual Cost, as % of EBITDA of the immediately preceding year
Commercial Banks: 1,00% | 1,39% | 1,80% | 1,42%
Development Banking Institutions, Brokerage houses, Cooperatives (SOCAP), Popular Financial Societies (SOFIPO), Credit Unions and Fintech Institutions (values as printed on the slide; the row boundaries are not recoverable): 1,00% 1,00% 1,00% 2,50% 2,50% 2,00% 1,13% 1,56% 1,00% 1,00% 1,70% 1,70% 2,63% 2,63%
Mexican Financial System: 1,00% | 1,54% | 1,73% | 1,59%

Annual Budget, estimation by financial entity / institution (US$ 000)
Commercial Banks: 6.325 | 1.492 | 759 | 2.060
Development Banking Institutions: 4.843 | 4.613 | 4.740
Brokerage houses: 167 | 167
Cooperatives (SOCAP): 39 | 38 | 38
Popular Financial Societies (SOFIPO): 84 | 7 | 43
Credit Unions: 249 | 245
Fintech Institutions: 1.544 | 1.544
Mexican Financial System: 5.422 | 854 | 411 | 655

Annual Cost, estimation by financial entity / institution (US$ 000)
Commercial Banks: 2.750 | 680 | 725 | 1.075
Development Banking Institutions: 2.980 | 1.845 | 2.476
Brokerage houses: 162 | 162
Cooperatives (SOCAP): 35 | 26 | 28
Popular Financial Societies (SOFIPO): 0 | 1 | 1
Credit Unions: 233 | 229
Fintech Institutions: 1.530 | 1.530
Mexican Financial System: 2.357 | 635 | 318 | 447

Source: OAS

Page 17

Sources of Information – National OAS – Colombian organizations

Source: OAS

Digital incidents (share of reported incidents by type): web-based attacks 0.2041; DoS 0.0802; malware 0.2497; phishing 0.1721; ransomware 0.1322; others 0.1617

Frequency of incidents (change in frequency by type):

Type              | Increase in frequency | Decrease in frequency | Remained at similar levels
Malware           | 33%                   | 26%                   | 42%
Phishing          | 31%                   | 34%                   | 36%
Ransomware        | 27%                   | 32%                   | 42%
DoS               | 20%                   | 28%                   | 52%
Web-based attacks | 20%                   | 30%                   | 50%
Others            | 21%                   | 24%                   | 56%

Page 18

Sources of Information – National OAS – Colombian organizations

Source: OAS

Budget distribution (stacked bars from 0% to 100%) by organization type: Private company | Public entity / company | Private higher education institution | Public higher education institution | Total. The four budget categories in the slide legend are: specialized services (e.g. security management, outsourcing, support); capacity building (e.g. training, awareness, research); technology platforms and media (e.g. hardware, software); human resources (e.g. employees, contractors). The series are reproduced in the order extracted; the slide does not make the series-to-category mapping recoverable.

Series 1: 29% | 35% | 35% | 32% | 34%
Series 2: 43% | 42% | 47% | 42% | 42%
Series 3: 11% | 8% | 6% | 18% | 9%
Series 4: 17% | 15% | 12% | 8% | 15%

Dynamics of budget (shares): increased by more than 50%: 0.0201; increased between 25% and 50%: 0.0905; increased between 10% and 25%: 0.1508; increased up to 10%: 0.1759; remained unchanged: 0.4372; decreased: 0.1256

Page 19

Sources of Information – National CCP - Cybercrime

Source: SIEDCO

Page 20

ICT, Peace and International security and stability

States have a primary responsibility for maintaining a secure and peaceful ICT environment, and effective international cooperation

States should guarantee full respect for human rights, including privacy and freedom of expression

States should not conduct or knowingly support ICT activity that intentionally damages or otherwise impairs the use and operation of critical infrastructure

States should also take appropriate measures to protect their critical infrastructure from ICT threats

States should not harm the information systems of the authorized emergency response teams of another State or use those teams to engage in malicious international activity

States should encourage the responsible reporting of ICT vulnerabilities and take reasonable steps to ensure the integrity of the supply chain and prevent the proliferation of malicious ICT tools, techniques or harmful hidden functions

States should understand implications of cyber operations under IL and IHL legal frameworks

Page 21

To keep in mind…

Try to have and share a common conceptual basis that all stakeholders can understand

Do not "reinvent the wheel", incorporate generally accepted definitions from recognized sources

Incorporate sources of information that raise relevance to a strategic level

Connect external data sources with data and internal aspects relevant to the particular context and priorities of your country

It is important to identify and promote the creation of primary sources of information to reveal the state of cybersecurity in the country

Page 22

Development of Cybersecurity Strategies and Policies

Cybersecurity International indexes and Capacity Maturity Models

Santiago de Chile, Chile, September 25th, 2019

Page 23

Cybersecurity International indexes and Capacity Maturity Models

International indexes and CMM:

Global Cybersecurity Index (International Telecommunication Union)

National Cybersecurity Index (e-Governance Academy, Estonia)

Cybersecurity Maturity Model (Oxford's Global Cyber Security Capacity Centre)

Page 24

Cybersecurity International indexes and Capacity Maturity Models

Global Cybersecurity Index (International Telecommunication Union) Conceptual framework - 2018

Page 25

Cybersecurity International indexes and Capacity Maturity Models

Global Cybersecurity Index (International Telecommunication Union)

Page 26

Cybersecurity International indexes and Capacity Maturity Models

Global Cybersecurity Index (International Telecommunication Union)

Page 27

Cybersecurity International indexes and Capacity Maturity Models

Global Cybersecurity Index (International Telecommunication Union)

Page 28

Cybersecurity International indexes and Capacity Maturity Models

National Cyber Security Index - e-Governance Academy Foundation Estonia

Page 29

Cybersecurity International indexes and Capacity Maturity Models

Source: https://ncsi.ega.ee/ncsi-index/

Page 30

Cybersecurity International indexes and Capacity Maturity Models

Source: https://ncsi.ega.ee/ncsi-index/

Page 31

Cybersecurity International indexes and Capacity Maturity Models

Source: https://ncsi.ega.ee/ncsi-index/

Page 32

Cybersecurity International indexes and Capacity Maturity Models

Page 33

Cybersecurity Capacity Maturity Model –CMM– GCSCC of the University of Oxford

Source: OAS

Page 34

Cybersecurity Capacity Maturity Model –CMM– GCSCC of the University of Oxford

Source: OAS

Page 35

Cybersecurity Capacity Maturity Model –CMM–

Source: GCSCC

Page 36

Cybersecurity Capacity Maturity Model –CMM–

Source: GCSCC

Example – The evolution of Colombia in CMM

Page 37

Why use indexes and maturity models?

Source: OAS

Identifying critical aspects of performance internationally

MATURITY (OAS/IDB CMM):
• Policy and strategy: crisis management; protection of critical cyber infrastructure (ICC)
• Culture and society: government mindset; private sector mindset; trust in electronic commerce
• Education: training; national development
• Legal frameworks: information disclosure; legal framework; investigation by the Prosecutor's Office
• Technologies and standards: compliance with standards; cyber market

Critical aspects:
• Governing body
• National coordination
• International coordination
• Training
• Response
• Crisis management
• Incident reporting

INDEXES (ITU GCI, NCSI):
• Legal: training
• Technical: sectoral CERTs; protection of children
• Organizational: strategy; responsible agency; metrics
• Capacity building: education programs; incentives; R&D
• Cooperation: national cooperation; public-private partnerships; inter-agency partnerships
• General indicators: information and analysis; global contribution; national policy
• Baseline: protection of digital services; protection of essential services
• Incident management: crisis management; incident response

Page 38

To keep in mind…

Indicators in the indexes can be an important reference on a country's performance in the different aspects of cybersecurity.

It is important to have a focal point that ensures that the country participates in the most recognized international assessments.

Share and discuss the results of the indexes with the agencies responsible for the different factors evaluated, and determine whether the gaps are real and what priority working on them deserves.

Do not believe everything an index says; there may be problems with the information sources or interpretation errors.

Page 39

Development of Cybersecurity Strategies and Policies

Individual exercise

Santiago de Chile, Chile, September 25th, 2019

Page 40

Individual exercise

Source: OAS

Identifying critical aspects of performance of your country

MATURITY (OAS/IDB CMM):
• Policy and strategy: Xxxx; xxxx
• Culture and society: Xxxx; xxxx
• Education: Xxxx; xxxx
• Legal frameworks: Xxxx; xxxx
• Technologies and standards: Xxxx; xxxx

Critical aspects:
• Topic 1
• Topic 2
• ….
• Topic n

INDEXES (ITU GCI, NCSI):
• Legal: Xxxx; xxxx
• Technical: Xxxx; xxxx
• Organizational: Xxxx; xxxx
• Capacity building: Xxxx; xxxx
• Cooperation: Xxxx; xxxx
• General indicators: Xxxx; xxxx
• Baseline: Xxxx; xxxx
• Incident management: Xxxx; xxxx

Page 41

Development of Cybersecurity Strategies and Policies

Cybersecurity Strategies and Policies

Santiago de Chile, Chile, September 25th, 2019

Page 42

Why develop a cybersecurity strategy? National level

• The evolving sophistication of cyber attacks that threaten businesses, the privacy of personal information and national security must be met by a dynamic and measured response.

• Without a strategic response, national cybersecurity efforts will be unsustainable, stove-piped, sporadic, duplicative, and not cost-effective.

• Governments' increasing reliance on ICTs and cyberspace brings with it vulnerability and exposure to increased threats and risks of attacks.

Source: OAS

Page 43

Benefits to implementing cybersecurity measures National level

Source: OAS

Page 44

Why develop a cybersecurity strategy? Organizational level

• Cybercriminals target your employees: they are the first line of weakness and of defense

• The new wave of 'dumpster diving': corporate account takeover as a result of a hacking incident is a real threat for businesses

• Increasing investment in and dependence on ICT and network infrastructure makes a risk-based approach to the protection of digital assets a necessity.

Source: OAS

Page 45

Benefits to implementing cybersecurity measures Organizational level

Source: OAS

Page 46

What makes a strategy successful?

Source: OAS

Page 47

What not to do

Source: OAS

Page 48

Cybersecurity strategy development

Source: ENISA

• Cybersecurity strategy: a policy document that describes all the activities necessary to enhance the cybersecurity level of the country / organization by increasing the resilience and security of the national / organizational ICT assets that support society / clients

• Top-down approach: from general objectives to more specific ones, always within a specific timeframe

• Cybersecurity strategy lifecycle: the various stages that result in a continuous evolution of cybersecurity in a country / organization

• Wider long-term vision of the strategy

Page 49

National cybersecurity strategy lifecycle

Source: ITU

Page 50

National cybersecurity strategy lifecycle

Source: ENISA

Page 51

Cybersecurity strategy development

Objectives

• Define the vision and scope
• Take stock of the current situation
• Identify the business sectors / areas and services
• Prioritize objectives in terms of impact on: i) society, economy and citizens, or ii) shareholders, company and clients (external or internal)

Basic Activities

1. Identify and engage stakeholders (governance model)
2. Set high level objectives / goals (financial resources, vision, scope and timeframe)
3. Situation analysis (national risk assessment)

Source: ENISA

Page 52

National cybersecurity strategy development

Source: ENISA

1. Stakeholders

Cooperation between stakeholders (clear governance framework, management structure, dialogue)

• Identify the stakeholders (public and private)
• Define and analyze their roles and responsibilities
• Define critical sectors
• Establish a sector-specific protection plan
• Working sessions / working groups (centralized vs. decentralized approach)
• Define or confirm the mandate and tasks of the entities responsible

Page 53

National cybersecurity strategy development

Source: GPD

1. Stakeholders

• Scoping
• Formation
• Drafting

Page 54

Organizational cybersecurity strategy development

Source: ENISA

1. Stakeholders

• Think about who has responsibility for what
• Identify some of the key owners of critical systems and processes
• Involve various actors, especially at the onset
• Create a small working team responsible for desk research and an initial assessment of the state of cybersecurity within the organization
• Involve interest groups in order to incorporate the interests of different stakeholders

Page 55

National cybersecurity strategy development

Source: ENISA

2. High level objectives / goals

Usually the objectives are standard and are based on the culture and priorities of the country (prioritization, risk/opportunity analysis):

• to develop a critical information infrastructure protection plan
• to identify a national risk assessment methodology
• to have a capacity and capability building approach
• to develop an awareness raising plan
• to achieve an international and national cooperation approach
• to take measures to tackle cybercrime
• to create information sharing mechanisms
• to organize research and development activities
• to create training and educational support activities
• to develop personal data protection requirements
• to allocate adequate funds to support all activities

Page 56

Organizational cybersecurity strategy development

Source: OAS

2. High level objectives / goals

Drafting the Strategy:

• Conduct an inventory of the company's critical assets
• Understand the cyber risks in relation to the company and its critical business processes
• Determine which risks are acceptable, as it may not be possible to tackle all risks in the defensive strategy
• Perform thorough research on all the company's operating systems, software applications and data center equipment
• Review the company's IT policies and procedures and determine gaps and strategic goals

Page 57

Cybersecurity strategy development

Source: ENISA

3. Situation analysis

National risk assessment focused on critical infrastructures (information, challenges, national / organizational status, important gaps):

• Listing of developed capabilities for addressing operational cybersecurity challenges
• Identification of all regulatory measures applied in different sectors and their impact on improving cybersecurity
• Existence of public-private partnerships and their impact
• Analysis of the roles and responsibilities of existing public agencies that have a cybersecurity mandate
• Identification of overlaps or gaps

Page 58

Cybersecurity strategy development

Difficulties in communication

• Lack of trust and lack of information sharing mechanisms
• Difficulty of reaching consensus between stakeholders
• Lack of understanding of the significance of cybersecurity and of the need to invest and raise awareness
• Lack of financial and human resources

Goal-setting flow shown on the slide (Stakeholders, Objectives / Goals, Risk Assessment):

• Draft goals: identification based on challenges and opportunities
• Goals re-visit 1: prioritization based on national aspirations, enabling capabilities and foundations
• Goals re-visit 2: alignment with risks: threats, vulnerabilities, exposure/likelihood

Page 59

Cybersecurity strategy development Drafting cycle

Source: OAS

Page 60

National cybersecurity strategy development Basic outline

Source: OAS

Page 61

Organizational cybersecurity strategy development Basic considerations

Source: OAS

Employees
• Is there a cybersecurity training program in place for current and new employees?
• Do you have individual accounts for each employee?
• Do you limit employees’ authority to install software?
• Do you employ a password management system for every user in the company?
• What about your contractors?
• Do you secure the wireless networks within your company?

Infrastructure
• Do you have a list of the servers you use, and is there a specific person designated to ensure that those servers are kept up to date?
• Do you have antivirus installed on your servers and on every computer/workstation used in your company?
• Does your company have appropriate backup procedures in place to minimize downtime and prevent loss of important data?
• Do you periodically perform vulnerability scans on your servers and on every computer/workstation used in your company?
• Do you use wireless networks within your company? Are they secured?

Page 62

Cybersecurity strategy development Action plan

Source: OAS

• A strategy without a plan to implement it is just a piece of paper
• A strategy must be a living and working document
• Develop an action plan to support the key areas identified
• Assign responsibility to specific agencies and set timeframes for completion
• There may be several activities attached to one key area, so a monitoring

Page 63

National cybersecurity strategy development Example: Colombian CONPES Document preparation process

Source: OAS

Key issues for the preparation of a CONPES (Consejo Nacional de Política Económica y Social) document:
• Deputy General Director of the DNP (Departamento Nacional de Planeación)
• Reasoned request (problem or need)
• Structure and template
• Curriculum vitae of the CONPES
• People and entities that participate
• Plan of Action and Follow-up (PAS)
• Traceability of the consensus-building process

Page 64

National cybersecurity strategy development CONPES Document preparation process

Source: OAS

Purpose of a CONPES document
• What is the direction of the policy?
• What is the problem that you want to address?
• What are the causes and specific characteristics of the problem?
• What achievements are intended through the implementation of the proposed actions?
• What financial resources are necessary and available for the materialization of the strategy?
• What is the time horizon for its execution?

Structure of a CONPES document:
• Executive summary
• Classification and keywords
• Table of contents
• Acronyms and abbreviations
• Introduction
• Background and justification
• Conceptual framework
• Diagnosis
• Definition of the policy
• Overall objective
• Specific objectives
• Action plan
• Follow-up
• Financing
• Glossary, bibliography and annexes

Page 65

National Cybersecurity Strategies Approaches

General Principles
• Awareness, skills and empowerment
• Human rights and fundamental values
• Responsibility
• Co-operation

Operational Principles
• Risk assessment cycle
• Security measures
• Innovation
• Preparedness and continuity

National policies / strategy
• Conditions for all stakeholders to manage the cybersecurity risk in all the economic and social activities
• Measures that enable the National Government to carry out a series of actions
• Structured as: dimensions, pillars, objectives, strategies, actions

Page 66

LAC National Cybersecurity Strategies

• Colombia (National Policies in 2011 & 2016)
• Guatemala (National Strategy in 2018)
• Mexico (National Strategy in 2017)
• Brazil (National Policy in 2018)
• Chile (National Policy in 2017)
• Ecuador (Draft policy in 2019)
• Peru (Digital Security definition in 2018)
• Jamaica (National Strategy in 2015)

Page 67

To keep in mind – Challenges…

• GOVERNANCE ISSUES
  • A single responsible body in the Government vs. several bodies
  • Lack of a single authority vs. several uncoordinated bodies
  • Leadership by military authorities vs. civil authorities

• POLITICAL ISSUES
  • State policy vs. government policy
  • New policies vs. updates
  • Continuity saves at least two years (Chile, Colombia, Mexico)

• LEGAL ISSUES
  • Lack of capacity and technical advice in the legislative branch
  • Lack of capacity and technical advice in the judicial branch
  • Lack of political consensus in the issuance of new laws
  • Outdated cybercrime regulatory frameworks

Page 68

To keep in mind – Challenges…

• ECONOMIC / FINANCIAL ISSUES
  • From policy to action
  • Prioritizing cybersecurity in the face of other issues
  • Financing of policies / strategies in a context of reduced spending and public investment

• TECHNICAL ISSUES
  • Reluctance of highly digitized sectors to report to the top-level bodies, owing to lack of trust
  • Lack of CSIRTs

• SOCIAL ISSUES
  • Lack of participation of civil society in discussions
  • Differing levels of education and training

Page 69

To keep in mind – Opportunities…

Stakeholders: Academia, Private Sector, Government, Civil Society

• Articulation with other socio-economic policies
• Instruments of trust generation among parties
• Commitment of the private sector with a concrete agenda and results
• Technologies of the 4th industrial revolution
• Capacity building model based on a maturity model
• Relationship with privacy and intellectual property issues
• Regulatory and legal adaptation derived from adhesion to the Budapest Convention

Page 70

Development of Cybersecurity Strategies and Policies

Policy development example – Colombian experience

Santiago de Chile, Chile, September 25th, 2019

Page 71

The experience of Colombia

Institution Building (timeline 2011–2019):
• Security and Privacy group in the ICT Ministry
• Presidential Instruction
• Cybersecurity and Cyberdefense National Policy (2011)
• National Risk Management Model
• Digital Security National Policy (2016)
• Creation of the Government CSIRT
• Budapest Convention on cybercrime

Cybersecurity and Cyberdefense National Policy:
• Guidelines
• Institutions and awareness
• National security and defense
• Cybernetic field

Digital Security National Policy:
• National policy
• Set of principles, dimensions, objectives, action plan
• Economic and social prosperity objectives
• Digital environment

Page 72

The Digital Security National Policy of Colombia

SET OF PRINCIPLES
• Fundamental human rights
• Inclusive and collaborative approach
• Shared responsibility
• Risk-based approach to promote economic and social prosperity

STRATEGIC DIMENSIONS
• Governance in the digital environment
• Systematic digital security risk management
• Civil culture for digital security
• Human capital for digital security
• Digital security legal and regulatory framework

Page 73

The Digital Security National Policy of Colombia

Problems in 2016:
• Absence of a strategic vision based on risk management
• Multiple stakeholders do not maximize their opportunities when developing socio-economic activities in the digital environment
• It is necessary to strengthen cybersecurity capabilities with a digital security risk management approach
• It is necessary to strengthen cyberdefense capabilities with a digital security risk management approach
• The efforts of cooperation, collaboration and assistance, national and international, are insufficient and disjointed

Specific objectives 2016-2019:
• Establish an institutional framework for digital security consistent with a risk management approach
• Create the conditions for the parties to manage the risk in their socio-economic activities and generate confidence in the use of the digital environment
• Strengthen the security of individuals and the State in the digital environment, at a national and transnational level, with a risk management approach
• Strengthen national defense and sovereignty in the digital environment with a risk management approach
• Generate permanent and strategic mechanisms to promote cooperation, collaboration and assistance in digital security, nationally and internationally

Page 74

The Digital Security National Policy of Colombia

MAIN OBJECTIVE
• All stakeholders
• Responsible use of the digital environment
• Strengthen capabilities
• Digital security risk management
• Maximizing benefits
• Foster economic, political and social prosperity

ACTION PLAN AND FOLLOW-UP (strategies by axis)

Institutional framework
• S1.1. Governance
• S1.2. Risk management model

Conditions for trust promotion
• S2.1. Participation mechanisms
• S2.2. Legal and regulatory framework
• S2.3. Impact evaluation
• S2.4. Confidence
• S2.5. Training levels

National Security
• S3.1. Strengthening of entities
• S3.2. Legal framework on cyber crimes
• S3.3. Typologies of cyber crimes
• S3.4. Capabilities of officials

National Defense
• S4.1. Strengthening of entities
• S4.2. Legal framework
• S4.3. Protection and defense of CI
• S4.4. Identification, prevention, management
• S4.5. Capabilities of officials

Cooperation, Collaboration & Assistance
• S5.1. At international level
• S5.2. At national level

Page 75

Lifecycle of the national policy

ACTION PLAN
• Developed the Action Plan
• Determined initiatives to be implemented
• Allocated human and financial resources for the implementation
• Set timeframes and metrics

IMPLEMENTATION
• Executing the formal process

MONITORING
• Monitoring the progress of the implementation of the action plan
• Evaluating the outcome of the national policy
• Diagnostic of the implementation

DECISION TO ISSUE A NEW POLICY
• Independent evaluation
• Roadmap for a new policy
• Elaboration phase
• Discussion phase
• Socialization phase

Page 76

The digital security governance in Colombia

• Digital Security Committee: guidelines and recommendations for execution and monitoring under a risk management approach with multistakeholder participation
• National Coordinator (High Presidential Adviser): leader in Government of the Digital Security policy; implementation of the policy through continuous monitoring and coordination among parties
• Government CSIRT: coordination of the necessary actions in the face of cybersecurity emergencies
• Judicialization: investigation of and response to cyber crimes
• Safeguarding national interests in cyberspace
• Public awareness

Page 77

Positive impact of implementation

[Chart: CMM survey question "Does your organization adopt any digital security risk management practice?", answers by organization type. Private firms: Yes 52%, No 48%. Public entities: Yes 57%, No 43%.]

Page 78

Implementation of the Action Plan (2016–2019)

Axes:
• Institutional framework
• Conditions and trust
• National security in the digital environment
• National defense in the digital environment
• National and international cooperation

Activities shown on the chart:
• National Coordinator
• Liaison in entities
• Define the top-level body
• Risk management model
• Adjustment of the ICT regulatory framework
• Coordination model
• National agenda
• Support to sectors, approval, awareness-raising and sensitization of the parties
• Educational content
• Adoption / application of the management model
• Strengthen COLCERT
• New bodies and advanced training of officials
• Feasibility study of new bodies
• Support for the creation of sectoral CSIRTs and dissemination of common attack typologies
• Strengthening plan
• Promotion of the use of the methodology among the parties
• Cybersecurity under a risk management approach with multiple stakeholders
• Defense and protection of national critical infrastructures
• Creation of new bodies and their start of operations
• Advanced training for officials
• National strategic agenda
• International cooperation, collaboration and assistance in digital security
• Continuous presence in organizations and events
• Socio-economic evaluation
• Constitutional and legal coherence for adjustment of the legal framework
• Territorial entities
• Execute the COLCERT strengthening plan
• Think tank
• Colombia study
• Effectiveness evaluation
• Cyberdefense strengthening plan under a risk management approach with multiple stakeholders
• Follow-up and monitoring
• Presentation of agreements
• International strategic agenda

Page 79

Recommendations to improve progress in the implementation of the current policy - CONPES 3854

• Leadership in implementation
• Participation of stakeholders
• Coordination and articulation
• Execution with policy vision
• Quantitative and qualitative follow-up
• Resources and timeline
• Analysis of decisions with impact
• Prioritize regulatory adaptation (Budapest)
• Incorporate key aspects in law initiatives

Page 80

DIGITAL SECURITY NATIONAL POLICY

Stakeholders: Academy, Civil Society, Legislative Branch, Judicial Branch, Public Organizations, Local Governments, National Government, Private Organizations

DIGITAL SECURITY RISK MANAGEMENT MODEL

NATIONAL PLAN OF DEFENSE AND PROTECTION OF CI
• Critical Infrastructures –IC– Handbook
• Critical Information Infrastructures –CII–

Page 81

Critical Information Infrastructures –CII–

Source: GFCE-MERIDIAN

Page 82

OECD - Draft recommendation of the council on digital security of critical activities (July 2019)

Source: OECD

• The concept of CII is dated
• Focus on essential services rather than information infrastructures
• Dependencies and interdependencies are fundamental challenges
• Co-operation and partnerships are fundamental
• Whole-of-government approach

Actors: Government, Operators

Page 83

Digital security and the 4th Industrial Revolution

Source: WEF

WORLD ECONOMIC FORUM -WEF-

Page 84

Digital security and the 4th Industrial Revolution Presidency of Colombia

Page 85

Digital security and the 4th Industrial Revolution Presidency of Colombia

Issue
• Risk management and crisis handling
• Critical infrastructure protection
• Sectoral CSIRTs
• Governance
• Emerging technologies
• Big Data
• Digital security literacy
• Knowledge management
• Entrepreneurship
• Transformation of productive sectors
• Conditions for the collaborative economy
• Conditions for e-commerce
• Digital identity
• Smart territories
• Digitalization of government procedures
• Digital citizen services
• Smart regulation
• Intellectual property
• Mass rollout of connectivity
• Privacy

Proposal to address the issue
• Agile management of cyber risks and crises
• Protection of national critical cyber infrastructure (ICCN) with new legal support
• Prioritized, certified sectoral CSIRTs
• Implementation of the National Governance Model
• Evaluation of the impact of emerging technologies on digital security
• Articulation with CONPES 3920 / 18
• Digital security education at all levels
• R&D&I
• Articulation of academic outputs
• Incentives for digital security solutions and secure development
• Digital security recommendations in the transformation of sectors
• Adapt the regulatory framework
• Adapt the regulatory framework
• Articulation of A.E. mechanisms with RNEC identity
• Digital security requirements in smart territories
• New Security and Privacy model
• Digital security requirements in smart territories
• Regulatory roadmap for the digital economy
• Protection of works and generation of patents (digital security)
• Digital security regulatory framework for connectivity
• Adaptation of the normative framework

Page 86

Page 87

3 PROBLEMS 3 OBJECTIVES

3 ACHIEVEMENTS 3 CRITICAL ASPECTS

3 CHALLENGES 3 CONTRIBUTIONS

Page 88

Page 89

Discussion

Page 90

Orlando Garcés ICT, Infrastructure and Cybersecurity consultant

[email protected]

orlandogarcescorzo

Jorge Bejarano E-Government and Cybersecurity consultant

[email protected]

jorge-fernando-bejarano-lobo-91abb2124