Ghana’s Experience
Eric Akumiah, Head, CERT-GH
National Cyber Security Policy and Strategy: Ghana’s Experience
Ghana’s Experience 05/01/2023
Agenda
Background
• Existing Policy and Law on the fight against cybercrime
• Gaps in Existing Policy/laws and Need for Policy & Strategy
National Cyber Security Policy
• Policy Development Process
• 9 Pillars of Our Policy
5 Year Strategic Action Plan
• Special Initiatives
Way Forward
Existing Policy & Acts
• ICT4AD (Pillar 14) 2003
  – ICT4AD is Ghana’s policy guidelines for ICT development
  – Comprises 14 pillars that address all ICT needs in Ghana
  – Pillar 14
    • Policy measures and mechanisms to address
      – national security
      – law and order issues
• Electronic Transaction Act (ACT 772) 2008
  – Legal text embracing key instruments for the fight against cyber crime
    • ICT Tribunal
    • Cyber Inspectors
    • Electronic Government Services
    • Cyber Offenses
    • Protected computers and Databases
    • Consumer protection
• Data Protection Act (843) 2012
  – Focuses on application of Principles of Data Protection
    • Privacy of Individual
    • Collection of personal data
    • Security measures
  – Data Protection & Enforcement
  – Disclosure of information
Why the need for Cybersecurity Policy?
Some shortfalls in policy & laws
• ICT4AD does not adopt a PPP approach to ensuring cyber security
• All prospective target audience not properly addressed by Pillar 14
• Protection of CNII not properly addressed under policy and ETA
• Culture of cyber security across sectors not properly covered
• Inadequate cyber laws and capacity building for national security agencies and law enforcement to fight cybercrime
Challenges
• Prevalence of cyber frauds called “Sakawa”
• Defacement of multiple government websites
• Several financial establishments hit, with customers’ funds stolen
• Prevalent SIM Box fraud – loss of revenue to Government on international call traffic
• Lack of awareness of risk to mobile data users on the Internet
• Low awareness of risk of children using the Internet
• Uncoordinated cyber initiatives across Ghana / no information sharing
• Lack of information security technology framework in place
Targets: National Cyber Security Framework
Person Specific
• Consumer User
• Corporate user
Device Specific
• Telephones
• Wireless Cell Devices
• Personal Digital Assistant (PDA)
Network Specific
• Wireless Carrier’s Transport
• Local Area, Metropolitan Area and Wireless Area
• Internet
Levels
Level 1: Home and Small Business users
Level 2: Large Enterprise Users
Level 3: Critical Sectors
Level 4: National Priorities
Level 5: Global
CNII Sectors Identified for Ghana
1. National Defense and Security
2. Banking and Finance
3. Information and Communications
4. Energy
5. Transportation
6. Water
7. Health Services
8. Government
9. Emergency services
10. Food and Agriculture
Policy Development Process (2011 to 2015)
• Initiated by Ministry of Communications in 2011 with support from UNECA
• National Stakeholder Meeting to review areas for upgrade in National ICT needs
• Ad hoc Technical Committee established by MOC to develop policy and strategy
• Stakeholder meeting to review draft
• Final review by Ad hoc Committee to include comments
• Validation Workshop
Policy Development Process-2
• Step 1: Multi-stakeholder Ad hoc Technical Committee formed
• Step 2: Defined terms to be used
• Step 3: Reviewed existing policy and laws to determine gaps
• Step 4: Reviewed conventions and country-specific policies and strategies
  – Budapest Convention, AU draft Convention
• Step 5: Developed text of Policy
Vision & Mission
• Vision
A secure and stable connected Ghana with Internet users working and creating wealth in a safe cyber space, with a well-researched and trained academic and professional community protecting Ghana’s cyber space equipped with global standards and responding swiftly to cyber incidents, and with up-to-date laws and systems in place to efficiently prosecute cyber criminals.
• Mission
Our mission is to determine, analyze and address the immediate cyber security threats posed to identified critical national information infrastructure by providing adequate protection for the critical national information infrastructure, and over time become a self-sufficient country attending to its cyber security needs.
9 Pillars of Our Policy
Effective Governance
Legislative & Regulatory Framework
Cyber Security Technology Framework
Culture of security and Capacity Building
Research & Development towards Self-Reliance
Compliance and Enforcement
Child Online Protection
Cyber Security Emergency Readiness
International Cooperation
Special Initiative 1: National Cybersecurity Awareness Program
Program to train different stakeholders on different aspects of cyber security, with the intent of helping them provide reasonable security commensurate with the risks, to avoid incidents of cyber attacks.
Will take the form of identification, needs assessment, training and evaluation of different sets of stakeholders.
The program will include a cyber security awareness portal that will establish a permanent awareness campaign on the Internet.
Special Initiative 2: Computer Emergency Response Teams
Establishment of National Computer Emergency Response Team (CERT-GH)
• Phase I established with support from ITU/IMPACT in August 2014
• In January 2015, 11 government websites were defaced but brought under control within 24 hours by CERT-GH
• Sharing alerts and advisories with constituents to proactively improve security of systems
• Working to establish Phase II in 2015
• Introducing probes on Ghanaian networks and subscribing to HORNET and AWARE early warning systems
• Phase III to be implemented in 2016
• Establishment of National Forensic Laboratory
Special Initiative 3: National Cyber Security Centre
• National Cyber Security Policy Implementation: Defines, communicates and updates (when necessary) the national cyber security programs to all the CNII.
• National Coordination: Closely coordinates cyber security initiatives of various key agencies and organizations in Ghana.
• Outreach: Promotes and facilitates formal and informal mechanisms for information sharing across the CNII. This includes promoting cyber security awareness, training and education programs to grow the competency of information security professionals and the industry as a whole.
• Compliance Monitoring: Facilitates the monitoring of compliance with cyber security policies and standards across the CNII.
• Risk Assessment: Assesses and identifies cyber security threats exploiting vulnerabilities and risks across the CNII.
• Support: Assists the National Cyber Security Council in all its functions and activities and helps industry to test its emergency plans.
• Contribution: Contributes to the application of international standards on cyber security as well as to accreditation and certification of ICT infrastructure, services and suppliers.
Special Initiative 4: National Cyber Security Council
Governance institution with full oversight of policy and ensuring full implementation of policy after its creation
• To serve as the highest-level liaison body for cyber security
• Responsible for adopting or approving the policies put forward for implementation of the function centre.
• To ensure that appropriate policies are in place to make Ghana a safe destination for cyber activity
• To boost national image in its sphere of influence and make it a leader in the region
• To ensure Ghana is part of international conventions and is playing its role as a leader in the region
Special Initiative 5: National Cybersecurity Crisis Management Plan
Conceived to ensure that a coordinated, swift response is made to any cyber incidents having a bearing on national security.
Objective is to: increase preparedness of the country against cyber attacks
A management committee which will be under the council where ultimate decisions are made on any major attacks and a working group created as PPP and having membership from the center, the national CERT, CNII sectors and any related agencies to enforce any tactic adopted for resolving any major attacks
Implementation Timelines
STRATEGY | TIMELINE | ACTIVITIES
Short Term | Year 1 - 2 | Holistic assessment of CNII and addressing immediate concerns & awareness creation – Identify issues with CNII, analyze vulnerabilities and put in place stop-gap interventions to safeguard systems while setting up institutional structures and creating public awareness
Medium Term | Year 3 - 4 | Building the infrastructure for cyber security – Setting up the necessary systems, processes, standards and institutional arrangements (mechanisms) and building capacity amongst researchers and information security professionals
Long Term | Year 5+ | Developing self-reliance & international cooperation – Adopting technology and developing capacity of professionals, monitoring the mechanisms for compliance, evaluating and improving the mechanisms and creating the culture of cyber security
Way Forward
• Development of Ghana’s draft policy started in 2011
• Submitted to Cabinet for review and approval in 2013
• Validation workshop held in 2015 for final Cabinet approval
• Development of detailed implementation framework of each policy pillar after Cabinet approval
• To develop or not to develop new cyber security and cybercrime laws - discussion
Thank You!
eric.akumiah@cert-gh.org
www.cert-gh.org
www.nita.gov.gh
www.moc.gov.gh
Definitions - 1
Cyber Security is “Enhancing security and building confidence in the use of ICT applications” (ITU GCA)
Cyber Security means the collection of tools, policies, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect organization and user’s assets on the cyber environment. Organization and user’s assets include connected computing devices, computing users, applications/services, communications systems, multimedia communication, and the totality of transmitted and/or stored information in the cyber environment. (ITU-T Recommendation X.1205)
Cybersecurity ensures the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment. The security properties include one or more of the following:
– Availability
– Integrity, which may include authenticity and non-repudiation
– Confidentiality
Definitions - 2
• Critical Infrastructures (CI) are generally considered as the key systems, services and functions whose disruption or destruction would have a debilitating impact on public health and safety, commerce, and national security, or any combination of those matters.
– Economic and industrial sectors have their own physical assets which today depend upon reliable functioning of Critical Information Infrastructure (CII) to deliver their services and to conduct business.
– Critical Information Infrastructure Protection (CIIP) protects virtual elements (such as systems and data) of the CII.
Policy Pillar 1 & 2
• Effective Governance
Government will centralize coordination of national cyber security initiatives and promote effective cooperation between public and private sectors. In order to sustain the gains from any initiatives, government will establish formal and encourage informal information sharing exchanges.
• Legislative & Regulatory Framework
Government will, in collaboration with the Attorney General’s Department, set up a periodic process of reviewing and enhancing Ghana’s laws relating to cyber space to address the dynamic nature of cyber security threats. In order to empower national law enforcement agencies to properly prosecute cyber security crimes, government will establish progressive capacity building programs to acquire new skills and effective ways of enforcing cyber laws. Government will ensure that all applicable local legislation is complementary to and in harmony with international laws, treaties and conventions.
Policy Pillar 3 & 4
• Cyber Security Technology Framework
Policy measures will be put in place to develop a national cyber security technology framework that specifies cyber security requirement controls and baselines for CNII elements. This will be accompanied by a mechanism to implement an evaluation/certification program for cyber security products and systems.
• Culture of security and Capacity Building
Government will invest every resource needed to develop, foster and maintain a national culture of security. As part of the process of development of culture of cyber security, government will support the standardization and coordination of cyber security awareness and education programmes across all elements of the CNII. Government will also:
– Establish an effective mechanism for cyber security knowledge dissemination at the national level
– Identify minimum requirements and qualifications for information security professionals
Policy Pillar 5 & 6
• Research & Development towards Self-Reliance
In order for Ghana to become self-reliant in protecting the CNII to a level that is commensurate with the risk, government will formalize the coordination and prioritization of cyber security research and development activities, and enlarge and strengthen the cyber security research community. Research and development will be encouraged by promoting the development and commercialization of intellectual properties, technologies and innovations through focused research and development. Government will also put measures in place to nurture the growth of the cyber security industry.
• Compliance and Enforcement
In order to ensure compliance and enforcement, policy measures and mechanism will be put in place to standardize cyber security systems across all elements of the CNII. Government will also strengthen the monitoring and enforcement of standards and develop a standard cyber security risk assessment framework
Policy Pillar 7 & 8
• Child Online Protection
Policy measures will be implemented through multi-stakeholder working by government, industry, civil society, and relevant international child online protection agencies. Government will encourage dialogue at national and local levels to engage all concerned and create awareness of the possibilities and dangers of the Internet.
• Cyber Security Emergency Readiness
To ensure cyber security emergency readiness, government together with all stakeholders will develop effective cyber security incident reporting mechanisms. This will include the development and strengthening of the national computer security incident response team (CSIRT) and sector CSIRTs, dissemination of vulnerability advisories and threat warnings in a timely manner, and the development of a standard business continuity management framework. The government will also encourage all elements of the CNII to monitor cyber security events and perform periodic vulnerability assessment programs.
Policy Pillar 9
• International Cooperation
Policy measures will be put in place to encourage active participation of Ghana in all relevant international cyber security bodies, panels and multi-national agencies. Government will make every effort to promote active participation in all relevant international cyber security activities by hosting an annual international cyber security conference.
Action Plan 2016 -2020
Item | Thrust | Actions and Special Initiatives | Policy Drivers
1 | Effective Governance | Set up governance structure and institutions to enable long-term sustenance of cyber security activity, including information exchange. Institutions include: National Cyber Security Council; National Cyber Security Center; National Cyber Security Policy Working Group | Ministry of Communications, National Security Council, NITA, NCA
2 | Legislative and Regulatory Framework | Set up Cyber Law Review Committee under the Attorney General’s Department to do a study on the laws of Ghana to accommodate legal challenges in the cyber environment, and review every three years. Stage 1: Identification of issues in the cyber environment. Stage 2: Review current laws on cyber environment. Stage 3: Make recommendations for amendment of national laws | Attorney General’s Department
3 | Cyber Security Technology Framework | Review and adopt international cyber security standards such as MS ISO/IEC 27001 to increase robustness of CNII sectors. Expansion of national certification scheme for information security management & assurance | Ministry of Communications, NITA, NSC
Action Plan 2016 -2020
Item | Thrust | Actions and Special Initiatives | Policy Drivers
4 | Culture of Cyber Security & Capacity Building | Reduce number of information security incidents through improved awareness & skill level: increase certification courses on information and cyber security. Develop a National Cyber Security Awareness program and portal targeted at stakeholders by content providers using different packaging for different demographics | Ministry of Communications, Ministry of Information (National Cyber Security Council, National Cyber Security Center, National CSIRT, National Cyber Security Policy Working Group)
5 | Research & Development towards Self-Reliance | Develop National R&D Roadmap for Cyber Security: identify technologies relevant & desirable for CNII; provide domain competency development; nurture growth of cyber security industry; update roadmap regularly | National Cyber Security Council, National Cyber Security Center, National CERT, Universities, CSIR, Professional Certification Centers
6 | Compliance & Enforcement | Develop Risk Assessment framework for CNII |
Action Plan 2016 - 2020
Item | Thrust | Actions & Special Initiatives | Policy Drivers
7 | Child Online Protection | Develop a framework for the protection of children as they engage with the Internet which ensures that agencies and stakeholders work together to address children’s online risk by: 1. Ensuring that organizational structures are put in place for: a monitoring framework; technical and procedural measures for working with all stakeholders. 1. Capacity building – awareness raising and public education. 2. Legal measures. 3. Implementation and international cooperation | Ministry of Communications; Ministry of Gender, Children and Social Protection; Ministry of Interior; Ministry of Education
Action Plan 2016 -2020
Item | Thrust | Actions & Special Initiatives | Policy Drivers
8 | Cyber Security Emergency Readiness | Framework for cyber attack response – mitigation of cyber attacks: national and sector CSIRTs; National Cyber Crisis Management Committee; National Cyber Crisis Management WG | Private sector and government network operators, academia, financial sectors, security agencies, utilities, National Cyber Security Council
9 | International Cooperation | Engage in relevant international cyber security meetings. Prioritize international engagements, sign and ensure compliance with international/regional conventions | Ministry of Communications, Ministry of Foreign Affairs, Attorney General’s Department, National Security Council