Development of Cybersecurity Strategies and Policies
Orlando Garcés, Jorge Bejarano
OAS Cybersecurity Symposium
Santiago de Chile, Chile, September 25th, 2019
Disclaimer: The opinions expressed in this presentation do not necessarily reflect the views of the General Secretariat of the Organization of American States –OAS– or the governments of its member states.
Context and trends in Cybersecurity
Cybersecurity
Source: WEF
What is Cybersecurity?
• No universal definition
• The set of resources, policies, security concepts, security safeguards, guidelines, risk management methods, actions, research and development, training, best practices, insurance and technologies that can be used to protect availability, integrity, authentication, confidentiality and non-repudiation, in order to protect the users and assets of the organization in cyberspace (Colombian national policy, April 2016)
• The set of policies, controls, procedures, risk management methods and standards associated with the protection of society, government, economy and national security in cyberspace and public telecommunication networks (Mexican national policy, 2017)
• The collection of tools, policies, guidelines, risk management approaches, actions, trainings, best practices, assurance and technologies that can be used to protect the availability, integrity and confidentiality of assets in the connected infrastructures pertaining to government, private organizations and citizens; these assets include connected computing
What is Cyberdefense?
• No universal definition
• The use of military capabilities in the face of cyber threats, cyber attacks or hostile acts of a cybernetic nature that affect society, national sovereignty, territorial independence, the constitutional order and national interests (Colombian national policy, April 2016)
• The entirety of intelligence and military measures leading to the disruption, suppression or slowing down of cyber attacks, serving to identify authorship, ensuring the operational readiness of the Armed Forces in all situations, and serving to build capacities and capabilities for subsidiary support of civilian authorities (Swiss national policy, 2018)
• The means to achieve and execute defensive measures to counter cyber threats and mitigate their effects, and thus preserve and restore the security of communication, information or other electronic systems, or the information that is stored, processed or transmitted in these systems (NATO definition, April 2019)
What is Digital Security and Digital Security Risk Management?
• Recommendation of the Council on Digital Security Risk Management for Economic and Social Prosperity (OECD, 2015)
• Digital security risk management: the set of coordinated actions taken within an organization and/or among organizations to address digital security risk while maximizing opportunities. It is an integral part of decision making and of an overall framework to manage risk to economic and social activities. It relies on a holistic, systematic and flexible set of cyclical processes that is as transparent and as explicit as possible (OECD, 2015)
• Digital security is the situation of normality and tranquility in the digital environment (cyberspace), derived from the realization of the essential purposes of the State through (i) digital security risk management; (ii) the effective implementation of cybersecurity measures; and (iii) the effective use of cyber defense capabilities; it demands the social and political will of the multiple stakeholders and citizens of the country (Colombian national policy, 2016)
• Digital security at the national level is the state of confidence in the digital environment resulting from the management and application of a set of proactive and reactive measures against the risks that affect the security of people, economic and social prosperity, the national security and national
Other definitions
Vulnerability
Risk
Digital Attack
Digital Incident
Cyber space
Incident response
What is Cybercrime?
Source: OAS
The attacker, motives and their targets
Source: OAS
Sources of Information - Global
[Figure: maps of network attacks, spam and malicious mail. Source: Kaspersky, percentage of attacked devices during the last month (June 2019)]
Cyber attacks in Latin America and the Caribbean -LAC-
Sources of Information – Regional ENISA
Source: ENISA
Sources of Information – Regional OAS
https://www.oas.org/es/sms/cicte/sectorbancarioeng.pdf
https://www.oas.org/documents/spa/press/Estudio-Seguridad-Digital-Colombia.pdf
https://publications.iadb.org/publications/spanish/document/Ciberseguridad-%C2%BFEstamos-preparados-en-Am%C3%A9rica-Latina-y-el-Caribe.pdf
https://www.oas.org/en/sms/cicte/Documents/reports/The-State-of-Cybersecurity-in-the-Mexican-Financial-system.pdf
STATE OF MATURITY AT REGIONAL LEVEL
SECTORIAL AT REGIONAL LEVEL
SECTORIAL AT THE NATIONAL LEVEL
AT THE NATIONAL LEVEL
Sources of Information – Regional OAS – Mexican Financial System
[Chart: how often each type of incident is observed by Mexican financial institutions, as a share of respondents, for the categories Daily / Weekly / Monthly / Quarterly. Incident types: Loss or theft of equipment or devices; Internal fraud; Loss or theft of data; Violation of clean desk policies; Backdoor (code developed to enable subsequent access); Zero-day attack; Internal sabotage; Social engineering; Man-in-the-middle; Phishing, vishing or smishing; DNS spoofing; Pharming; Malicious code or malware; SQL injection; Denial of service (DoS / DDoS); Brute force attack; XSS or XFS; Defacement.]
Source: OAS
Sources of Information – Regional OAS – Mexican Financial System
Annual cybersecurity budget and annual cost, as % of EBITDA of the immediately preceding year. Columns: Large | Medium | Small | Total (decimal comma as in the original; rows with fewer than four values list only the size classes reported, in the same column order, with the total last).
Annual budget:
Commercial Banks: 2,30% | 3,05% | 1,88% | 2,38%
Development Banking Institutions: 1,63% | 2,50% | 2,00%
Brokerage houses: 2,57% | 2,57%
Cooperatives (SOCAP): 2,26% | 1,65% | 1,90%
Popular Financial Societies (SOFIPO): 3,33% | 5,00% | 4,00%
Credit Unions: 1,82% | 1,82%
Fintech Institutions: 2,65% | 2,65%
Mexican Financial System: 2,30% | 2,51% | 2,04% | 2,18%
Annual cost:
Commercial Banks: 1,00% | 1,39% | 1,80% | 1,42%
Development Banking Institutions: 1,00% | 1,00% | 1,00%
Brokerage houses: 2,50% | 2,50%
Cooperatives (SOCAP): 2,00% | 1,13% | 1,56%
SOFIPO, Credit Unions and Fintech Institutions (as extracted): 1,00% 1,00% 1,70% 1,70% 2,63% 2,63%
Mexican Financial System: 1,00% | 1,54% | 1,73% | 1,59%
Estimation by financial entity / institution (US$ 000; point as thousands separator as in the original). Columns: Large | Medium | Small | Total.
Annual budget:
Commercial Banks: 6.325 | 1.492 | 759 | 2.060
Development Banking Institutions: 4.843 | 4.613 | 4.740
Brokerage houses: 167 | 167
Cooperatives (SOCAP): 39 | 38 | 38
Popular Financial Societies (SOFIPO): 84 | 7 | 43
Credit Unions: 249 | 245
Fintech Institutions: 1.544 | 1.544
Mexican Financial System: 5.422 | 854 | 411 | 655
Annual cost:
Commercial Banks: 2.750 | 680 | 725 | 1.075
Development Banking Institutions: 2.980 | 1.845 | 2.476
Brokerage houses: 162 | 162
Cooperatives (SOCAP): 35 | 26 | 28
Popular Financial Societies (SOFIPO): 0 | 1 | 1
Credit Unions: 233 | 229
Fintech Institutions: 1.530 | 1.530
Mexican Financial System: 2.357 | 635 | 318 | 447
Source: OAS
Sources of Information – National OAS – Colombian organizations
Source: OAS
DIGITAL INCIDENTS (share by type): Web-based attacks 20.4%; DoS 8.0%; Malware 25.0%; Phishing 17.2%; Ransomware 13.2%; Others 16.2%
FREQUENCY OF INCIDENTS (type: increase in frequency / decrease in frequency / remained at similar levels):
Malware: 33% / 26% / 42%
Phishing: 31% / 34% / 36%
Ransomware: 27% / 32% / 42%
DoS: 20% / 28% / 52%
Web-based attacks: 20% / 30% / 50%
Others: 21% / 24% / 56%
Sources of Information – National OAS – Colombian organizations
Source: OAS
BUDGET DISTRIBUTION
[Chart: distribution of the digital security budget across four categories (specialized services, e.g. security management, outsourcing, support; capacity building, e.g. training, awareness, research; technology platforms and media, e.g. hardware, software; human resources, e.g. employees, contractors) for private companies, public entities/companies, private higher-education institutions, public higher-education institutions and the total.]
DYNAMICS OF BUDGET (share of respondents):
• Increased more than 50%: 2.0%
• Increased between 25% and 50%: 9.1%
• Increased between 10% and 25%: 15.1%
• Increased up to 10%: 17.6%
• Remained unchanged: 43.7%
• Decreased: 12.6%
Sources of Information – National CCP - Cybercrime
Source: SIEDCO
ICT, Peace and International security and stability
States have a primary responsibility for maintaining a secure and peaceful ICT environment and for effective international cooperation
States should guarantee full respect for human rights, including privacy and freedom of expression
States should not conduct or knowingly support ICT activity that intentionally damages or otherwise impairs the use and operation of critical infrastructure
States should also take appropriate measures to protect their critical infrastructure from ICT threats
States should not harm the information systems of the authorized emergency response teams of another State or use those teams to engage in malicious international activity
States should encourage the responsible reporting of ICT vulnerabilities and take reasonable steps to ensure the integrity of the supply chain and prevent the proliferation of malicious ICT tools, techniques or harmful hidden functions
States should understand the implications of cyber operations under international law (IL) and international humanitarian law (IHL)
To keep in mind…
Try to have and share a common conceptual basis that all stakeholders can understand
Do not "reinvent the wheel", incorporate generally accepted definitions from recognized sources
Incorporate sources of information that raise relevance to a strategic level
Connect external data sources with data and internal aspects relevant to the particular context and priorities of your country
It is important to identify and promote the creation of primary sources of information to reveal the state of cybersecurity in the country
Cybersecurity International indexes and Capacity Maturity Models
International indexes and CMM:
• Global Cybersecurity Index (International Telecommunication Union)
• National Cybersecurity Index (e-Governance Academy, Estonia)
• Cybersecurity Capacity Maturity Model (Oxford's Global Cyber Security Capacity Centre)
• …
Global Cybersecurity Index (International Telecommunication Union) Conceptual framework - 2018
National Cyber Security Index - e-Governance Academy Foundation Estonia
Source: https://ncsi.ega.ee/ncsi-index/
Cybersecurity Capacity Maturity Model –CMM– GCSCC of the University of Oxford
Source: OAS
Cybersecurity Capacity Maturity Model –CMM–
Source: GCSCC
Example – The evolution of Colombia in CMM
Why use indexes and maturity models?
Source: OAS
Identifying critical aspects of performance internationally
MATURITY – OAS/IDB CMM:
• Policy and strategy: crisis management; critical infrastructure protection
• Culture and society: government mindset; private-sector mindset; trust in e-commerce
• Education: training; national development
• Legal frameworks: information disclosure; legal framework; investigation by the Prosecutor's Office
• Technologies and standards: standards compliance; cybersecurity market
Critical aspects:
• Governing body
• National coordination
• International coordination
• Training
• Response
• Crisis management
• Incident reporting
INDEXES – ITU GCI and NCSI:
• Legal: training
• Technical: sectoral CERTs; protection of children
• Organizational: strategy; responsible agency; metrics
• Capacity development: education programs; incentives; R&D
• Cooperation: national cooperation; public-private partnerships; inter-agency partnerships
• General indicators: information and analysis; global contribution; national policy
• Baseline: protection of digital services; protection of essential services
• Incident management: crisis management; incident response
To keep in mind…
Indicators in the indexes can be an important reference on the performance in the cybersecurity aspects of a country.
It is important to have a focal point that ensures that the country participates in the most recognized international assessments.
Share and discuss the results of the indexes with the agencies responsible for the different factors evaluated and determine if the gaps are real and what priority it represents to work on them.
Do not believe everything an index says, there may be problems with information sources or interpretation errors.
Individual exercise
Source: OAS
Identifying critical aspects of performance of your country
MATURITY – OAS/IDB CMM:
• Policy and strategy: Xxxx; xxxx
• Culture and society: Xxxx; xxxx
• Education: Xxxx; xxxx
• Legal frameworks: Xxxx; xxxx
• Technologies and standards: Xxxx; xxxx
Critical aspects:
• Topic 1 • Topic 2 • …. • Topic n
INDEXES – ITU GCI and NCSI:
• Legal: Xxxx; xxxx
• Technical: Xxxx; xxxx
• Organizational: Xxxx; xxxx
• Capacity development: Xxxx; xxxx
• Cooperation: Xxxx; xxxx
• General indicators: Xxxx; xxxx
• Baseline: Xxxx; xxxx
• Incident management: Xxxx; xxxx
Cybersecurity Strategies and Policies
Why develop a cybersecurity strategy? National level
• The evolving sophistication of cyber attacks that threaten businesses, the privacy of personal information and national security must be met by a dynamic and measured response.
• Without a strategic response, national cybersecurity efforts will be unsustainable, stove-piped, sporadic, duplicative, and not cost-effective.
• Governments' increasing reliance on ICTs and cyberspace brings accompanying vulnerability and exposure to increased threats and risks of attacks.
Source: OAS
Benefits to implementing cybersecurity measures National level
Source: OAS
Why develop a cybersecurity strategy? Organizational level
• Cybercriminals target your employees: they are the first line of weakness and of defense
• The new wave of "dumpster diving": corporate account takeover as a result of a hacking incident is a real threat for businesses
• Increasing investment in and dependence on ICT and network infrastructure makes a risk-based approach to the protection of digital assets a necessity
Source: OAS
Benefits to implementing cybersecurity measures Organizational level
Source: OAS
What makes a strategy successful?
Source: OAS
What not to do
Source: OAS
Cybersecurity strategy development
Source: ENISA
• Cybersecurity strategy: a policy document that describes all the activities necessary to raise the cybersecurity level of a country / organization by increasing the resilience and security of the national / organizational ICT assets that support society / clients
• Top-down approach: from general objectives to more specific ones, always with a specific timeframe
• Cybersecurity strategy lifecycle: the stages that result in a continuous evolution of cybersecurity in a country / organization
• Wider long-term vision of the strategy
National cybersecurity strategy lifecycle
Source: ITU
ITU
National cybersecurity strategy lifecycle
Source: ENISA
Cybersecurity strategy development
Objectives
• Define the vision and scope
• Take stock of the current situation
• Identify the business sectors / areas and services
• Prioritize objectives in terms of impact on: i) society, economy and citizens, or ii) shareholders, company and clients (external or internal)
Basic activities
1. Identify and engage stakeholders (governance model)
2. Set high-level objectives / goals (financial resources, vision, scope and timeframe)
3. Situation analysis (national risk assessment)
Source: ENISA
National cybersecurity strategy development
Source: ENISA
1. Stakeholders
Cooperation between stakeholders (clear governance framework, management structure, dialogue)
• Identify the stakeholders (public and private)
• Define and analyze their roles and responsibilities
• Define critical sectors
• Establish a sector-specific protection plan
• Working sessions / working groups (centralized vs. decentralized approach)
• Define or confirm the mandate and tasks of the entities responsible
National cybersecurity strategy development
Source: GPD
1. Stakeholders
• Scoping • Formation • Drafting
Organizational cybersecurity strategy development
Source: ENISA
1. Stakeholders
• Think about who has responsibility for what
• Identify some of the key owners of critical systems and processes
• Involve various actors, especially at the onset
• Create a small working team with responsibility for desk research and an initial assessment of the state of cybersecurity within the organization
• Involve interest groups in order to incorporate the interests of different stakeholders
National cybersecurity strategy development
Source: ENISA
2. High level objectives / goals
Usually the objectives are standard and are based on the culture and priorities of the country (prioritization, risk/opportunity analysis):
• to develop a critical information infrastructure protection plan
• to identify a national risk assessment methodology
• to have a capacity and capability building approach
• to develop an awareness raising plan
• to achieve an international and national cooperation approach
• to take measures to tackle cybercrime
• to create information sharing mechanisms
• to organize research and development activities
• to create training and educational support activities
• to develop personal data protection requirements
• to allocate adequate funds to support all activities
Organizational cybersecurity strategy development
Source: OAS
2. High level objectives / goals
Drafting the strategy:
• Conduct an inventory of the company's critical assets
• Understand the cyber risks in relation to the company and its critical business processes
• Determine what the acceptable risks are, as it may not be possible to tackle all risks in the defensive strategy
• Perform thorough research on all the company's operating systems, software applications and data center equipment
• Review the company's IT policies and procedures and determine gaps and strategic goals
Cybersecurity strategy development
Source: ENISA
3. Situation analysis
National risk assessment focused on critical infrastructures (information, challenges, national / organizational status, important gaps):
• Listing of developed capabilities for addressing operational cybersecurity challenges
• Identification of all regulatory measures applied in different sectors and their impact on improving cybersecurity
• Existence of public-private partnerships and their impact
• Analysis of the roles and responsibilities of existing public agencies that have a cybersecurity mandate
• Identification of overlaps or gaps
Cybersecurity strategy development
Difficulties in communication
• Lack of trust and lack of information sharing mechanisms
• Difficulty of reaching consensus between stakeholders
• Lack of understanding of the significance of cybersecurity and of the need to invest and raise awareness
• Lack of financial and human resources
Cybersecurity strategy development – Drafting cycle
Source: OAS
Inputs: Stakeholders, Objectives / Goals, Risk Assessment
• Draft goals: identification based on challenges and opportunities
• Goals re-visit 1: prioritization based on national aspirations, enabling capabilities and foundations
• Goals re-visit 2: alignment with risks: threats, vulnerabilities, exposure/likelihood
National cybersecurity strategy development Basic outline
Source: OAS
Organizational cybersecurity strategy development Basic considerations
Source: OAS
Employees
• Is there a cybersecurity training program in place for current and new employees?
• Do you have individual accounts for each employee?
• Do you limit employees' authority to install software?
• Do you employ a password management system for every user in the company?
• What about your contractors?
• Do you secure the wireless networks within your company?
Infrastructure
• Do you have a list of the servers you use, and is there a specific person designated to ensure that those servers are up to date?
• Do you have antivirus installed on your servers and on every computer/workstation used in your company?
• Does your company have appropriate backup procedures in place to minimize downtime and prevent loss of important data?
• Do you periodically perform vulnerability scans on your servers and on all the computers/workstations used in your company?
• Do you use wireless networks within your company? Are they secured?
Cybersecurity strategy development Action plan
Source: OAS
• A strategy without a plan to implement it, is just a piece of paper
• A strategy must be a living and working document
• Develop an action plan to support the key areas identified
• Responsibility to specific agencies and timeframes for completion
• There may be several activities attached to one key area, so a monitoring
National cybersecurity strategy development Example: Colombian CONPES Document preparation process
Source: OAS
Key issues for the preparation of a CONPES document
• Deputy General Director of the DNP
• Reasoned request (problem or need)
• Structure and template
• Curriculum vitae of the CONPES
• People and entities that participate
• Plan of Action and Follow-up (PAS)
• Traceability of the concertation process
National cybersecurity strategy development CONPES Document preparation process
Source: OAS
Purpose of a CONPES document
• What is the direction of the policy?
• What is the problem that you want to address?
• What are the causes and specific characteristics of the problem?
• What are the achievements that are intended to be reached through the implementation of the proposed actions?
• What are the financial resources necessary and available for the materialization of the strategy?
• What is the time horizon for its execution?
Structure of a CONPES document:
• Executive summary
• Classification and keywords
• Table of contents
• Acronyms and abbreviations
• Introduction
• Background and justification
• Conceptual framework
• Diagnosis
• Definition of the policy
• Overall objective
• Specific objectives
• Action plan
• Tracking
• Financing
• Glossary, bibliography and annexes
National Cybersecurity Strategies Approaches
General Principles
Operational Principles
Awareness, Skills and Empowerment
Human Rights and fundamental values
Responsability
Co-operation
Risk assessment cycle
Security measures
Innovation
Preparedness and continuity
National policies / strategy
Conditions for all stakeholders to manage the cybersecurity risk in
all the economic and social activities
Measures that enable the National Government to carry out a series
of actions
• Dimensions • Pillars • Objectives • Strategies • Actions
LAC National Cybersecurity Strategies
Colombia (National Policies in 2011 & 2016)
Guatemala (National Strategy in 2018)
Mexico (National Strategy in 2017)
Brazil (National Policy in 2018) Chile (National Policy in 2017)
Ecuador (Draft policy in 2019)
Peru (Digital Security definition in 2018)
Jamaica (National Strategy in 2015)
To keep in mind – Challenges…
• GOVERNANCE ISSUES
  • A sole responsible body in the Government vs. several instances
  • Lack of a single authority vs. several uncoordinated instances
  • Leadership by military authorities vs. civil authorities
• POLITICAL ISSUES
  • State policy vs. government policy
  • New policies vs. updates
  • Continuity saves at least two years (Chile, Colombia, Mexico)
• LEGAL ISSUES
  • Lack of capacity and technical advice in the legislative branch
  • Lack of capacity and technical advice in the judicial branch
  • Lack of political consensus in the issuance of new laws
  • Outdated regulatory frameworks around cybercrime
• ECONOMIC / FINANCIAL ISSUES
  • From policy to action
  • Prioritizing cybersecurity in the face of other issues
  • Financing of policies / strategies in a context of reduced spending and public investment
• TECHNICAL ISSUES
  • Lack of trust in reporting to the highest instances by highly digitized sectors
  • Lack of CSIRTs
• SOCIAL ISSUES
  • Lack of participation of civil society in discussions
  • Differentiated levels of education and training
To keep in mind – Opportunities…
Academia
Private Sector
Government
Civil Society
• Articulation with other socio-economic policies
• Instruments of trust generation among parties
• Commitment of the private sector with concrete agenda and results
• Technologies of the 4th industrial revolution
• Capacity building model based on a maturity model
• Relationship with privacy and intellectual property issues
• Regulatory and legal adaptation derived from
adhesion to the Budapest Convention
Policy development example – Colombian experience
The experience of Colombia – Institution building (2011–2019)
Milestones on the timeline: Security and Privacy group in the ICT Ministry; Presidential Instruction; Cybersecurity and Cyberdefense National Policy (2011); National Risk Management Model; Digital Security National Policy (2016); creation of the Government CSIRT; Budapest Convention on cybercrime.
• Cybersecurity and Cyberdefense National Policy (2011): guidelines; institutions and awareness; national security and defense; cybernetic field
• Digital Security National Policy (2016): national policy; set of principles, dimensions, objectives and action plan; economic and social prosperity objectives; digital environment
SET OF PRINCIPLES: fundamental human rights; inclusive and collaborative approach; shared responsibility; risk-based approach to promote economic and social prosperity
STRATEGIC DIMENSIONS: governance in the digital environment; digital security legal and regulatory framework; systematic digital security risk management; civil culture for digital security; human capital for digital security
The Digital Security National Policy of Colombia
Problems in 2016:
• Absence of a strategic vision based on risk management
• Multiple stakeholders do not maximize their opportunities when developing socio-economic activities in the digital environment
• It is necessary to strengthen cybersecurity capabilities with a digital security risk management approach
• It is necessary to strengthen cyberdefense capabilities with a digital security risk management approach
• The efforts of cooperation, collaboration and assistance, national and international, are insufficient and disjointed
MAIN OBJECTIVE: all stakeholders; responsible use of the digital environment; strengthen capabilities; digital security risk management; maximizing benefits; foster economic, political and social prosperity
Specific objectives 2016-2019, with the ACTION PLAN AND FOLLOW-UP strategies:
• Institutional framework: establish an institutional framework for digital security consistent with a risk management approach (S1.1 Governance; S1.2 Risk management model)
• Conditions for trust promotion: create the conditions for the parties to manage the risk in their socio-economic activities and generate confidence in the use of the digital environment (S2.1 Participation mechanisms; S2.2 Legal and regulatory framework; S2.3 Impact evaluation; S2.4 Confidence; S2.5 Training levels)
• National security: strengthen the security of individuals and the State in the digital environment, at a national and transnational level, with a risk management approach (S3.1 Strengthening of entities; S3.2 Legal framework on cyber crimes; S3.3 Typologies of cyber crimes; S3.4 Capabilities of officials)
• National defense: strengthen national defense and sovereignty in the digital environment with a risk management approach (S4.1 Strengthening of entities; S4.2 Legal framework; S4.3 Protection and defense of CI; S4.4 Identification, prevention, management; S4.5 Capabilities of officials)
• Cooperation, collaboration & assistance: generate permanent and strategic mechanisms to promote cooperation, collaboration and assistance in digital security, nationally and internationally (S5.1 At international level; S5.2 At national level)
The Digital Security National Policy of Colombia
Lifecycle of the national policy
• Action plan: developed the action plan; determined the initiatives to be implemented; allocated human and financial resources for the implementation; set timeframes and metrics
• Implementation: executing the formal process
• Monitoring: monitoring the progress of the implementation of the action plan; evaluating the outcome of the national policy; diagnostic of the implementation
• Decision to issue a new policy: independent evaluation; roadmap for a new policy; elaboration phase; discussion phase; socialization phase
The digital security governance in Colombia
• Digital Security Committee: guidelines and recommendations for execution and monitoring under a risk management approach with multi-stakeholder participation
• National Coordinator - High Presidential Adviser: leader in Government of the Digital Security policy; implementation of the policy through continuous monitoring and coordination among parties
• Government CSIRT: coordination of the necessary actions in the face of cybersecurity emergencies
• Judicialization: investigation of and response to cyber crimes
• Safeguarding national interests in cyberspace
• Public awareness
Positive impact of implementation
CMM: Does your organization adopt any digital security risk management practice?
• Private firm: Yes 52%, No 48%
• Public entity: Yes 57%, No 43%
Implementation of the Action Plan (2016–2019)
Strategic dimensions: institutional framework; conditions and trust; national security in the digital environment; national defense in the digital environment; national and international cooperation.
Initiatives shown on the plan (translated from the original Spanish): National Coordinator; liaison in entities; define the highest-level instance; risk management model; adjustment of the ICT regulatory framework; coordination model; national agenda; support to sectors, approval, sensitization and awareness of stakeholders; educational content; adoption / application of the management model; promotion of the methodology among stakeholders; socio-economic evaluation; constitutional and legal coherence for adjusting the legal framework; territorial entities; think tank; Colombia study; effectiveness evaluation; strengthen COLCERT; execute the COLCERT strengthening plan; feasibility study of new instances; creation of new instances and start of operation; advanced training of officials; support for the creation of sectoral CSIRTs and dissemination of common attack typologies; cybersecurity strengthening plan under a risk management approach with multiple stakeholders; cyberdefense strengthening plan under a risk management approach with multiple stakeholders; defense and protection of national critical infrastructures; national strategic agenda; international strategic agenda; international cooperation, collaboration and assistance in digital security; continuous presence in international bodies and events; presentation of agreements; follow-up and monitoring.
Recommendations to improve progress in the implementation of the current policy - CONPES 3856
LEADERSHIP IN IMPLEMENTATION
PARTICIPATION OF STAKEHOLDERS
COORDINATION AND ARTICULATION
EXECUTION WITH POLICY VISION
QUANTITATIVE AND QUALITATIVE FOLLOW UP RESOURCES AND TIMELINE
ANALYSIS OF DECISIONS WITH IMPACT
PRIORITIZE REGULATION ADAPTATION (BUDAPEST)
INCORPORATE KEY ASPECTS IN LAW INICIATIVES
DIGITAL SECURITY NATIONAL POLICY
Stakeholders around the DIGITAL SECURITY RISK MANAGEMENT MODEL: national government; public organizations; local governments; private organizations; academia; civil society; legislative branch; judicial branch.
NATIONAL PLAN OF DEFENSE AND PROTECTION OF CI
Critical Infrastructures –CI– Handbook
Critical Information Infrastructures –CII–
Source: GFCE-MERIDIAN
OECD - Draft recommendation of the council on digital security of critical activities (July 2019)
Source: OECD
• The concept of CII is dated
• Focus on essential services rather than information infrastructures
• Dependencies and interdependencies are fundamental challenges
• Co-operation and partnerships are fundamental
• Whole-of-government approach
Government
Operators
Digital security and the 4th Industrial Revolution
Source: WEF
WORLD ECONOMIC FORUM -WEF-
Digital security and the 4th Industrial Revolution Presidency of Colombia
Issues
– Risk management and crisis handling – Critical infrastructure protection – Sectoral CSIRTs – Governance – Emerging technologies – Big Data – Digital security literacy – Knowledge management – Entrepreneurship – Transformation of productive sectors – Conditions for the collaborative economy – Conditions for e-commerce – Digital identity – Smart territories – Digitalization of procedures – Digital citizen services – Smart regulation – Intellectual property – Mass connectivity – Privacy
Proposals to address the issues
– Agile management of cyber risks and crises – Protection of national CII with new legal support – Prioritized, certified sectoral CSIRTs – Implementation of the National Governance Model – Evaluation of the digital security impact of emerging technologies – Articulation with CONPES 3920 / 18 – Digital security education at all levels – R&D+i – Articulation of academic outputs – Incentives for digital security solutions and secure development – Digital security recommendations in the transformation of sectors – Adapt the regulatory framework – Adapt the regulatory framework – Articulation of A.E. mechanisms with RNEC identity – Digital security requirements in smart territories – New Security and Privacy model – Digital security requirements in smart territories – Regulatory roadmap for the digital economy – Protection of works and generation of patents (digital security) – Digital security regulatory framework for connectivity – Adaptation of the regulatory framework
Discussion prompts: 3 problems, 3 objectives, 3 achievements, 3 critical aspects, 3 challenges, 3 contributions
Discussion
Orlando Garcés, ICT, Infrastructure and Cybersecurity consultant (LinkedIn: orlandogarcescorzo)
Jorge Bejarano, E-Government and Cybersecurity consultant (LinkedIn: jorge-fernando-bejarano-lobo-91abb2124)