Upload
se-cts-cert-gov-md
View
343
Download
1
Embed Size (px)
DESCRIPTION
The System of Security Controls for Cyber Security Veaceslav PUȘCAȘU E-Government Center Government of the Republic of Moldova
Citation preview
The System of Security Controls for
Cyber Security
October 3th , 2013
GOVERNMENT OF THE REPUBLIC OF MOLDOVA
Veaceslav PUȘCAȘU, CISM E-Government Center / Government CIOGovernment of the Republic of Moldova
This prezentaion is
e-Government Center2
• A summary of what was presented and discussed during the training seminars provided by Estonian e-Governance Academy
• A summary of ideas circulated and discussed during the meetings of Cyber Security Roadmap focal group which includes reprezentatives from MA, MTIC, SIS, CTS, CNPDCP, MAI
• A summary of the experience gained by some public institutions in Republic of Moldova
• A summary of experience gained by other countries, ex. Estonia
Cyber Space
Cyber Space - an environment resulted from all types of interactions by means of software hardware and communication infrastructure.
Cyber Security
e-Government Center4
Cyber Security - a normality reached as a result of applying a set of proactive and reactive measures to ensure confidentiality, integrity, availability, authenticity and nonrepudiation of information, resources and services in cyber space
Cyber Security Threats
e-Government Center5
Cyber Security in Republic of Moldova
e-Government Center6
Trends
• Increasingly usage of electronic service in public sectors including in interaction with citizens and business
• Increasingly usage of mobile device;
• Widespread of Internet and using it for business propose;
• Increasing usage of ICT in national critical infrastructure;
• Increasing usage of ICT infrastructure to launch cyber attacks against other nations.
Cyber Security in Republic of Moldova
e-Government Center7
Threats
• Lack of a common approach for cyber security at the state level;
• Lack of clear organizational structure at both the state and institutional level;
• Lack of qualified people in the field;
• Very low level of awareness of the threats and safeguards in cyberspace;
• Lack of an unique set of measures (system of security baselines/controls) that should be applied according to the criticality of the systems;
• ………
Standards and Technical Regulations
e-Government Center8
• Hotărârea Guvernului nr. 1123 din 14.12.2010 privind aprobarea Cerinţelor faţă de asigurarea securităţii datelor cu caracter personal la prelucrarea acestora în cadrul sistemelor informaţionale de date cu caracter personal;
• Reglamentare tehnică. Asigurarea securităţii informaţiei a infrastructurii informaţionale pentru autorităţile administraţiei publice, anexa nr.2 la ordinul MTIC 106 din 20 decembrie 2010.
• SM SR ISO/IEC 27001:20006
Challenges
e-Government Center9
• Define requiremets and luck of implemenation guidlines;
• Depend on the skills and knolwledge of the persons involved in implemenation;
• Mostly are based on risk assesment;
• No sicronization between them;
• etc.
System of Cyber Security Controls – Elaboration
Process
e-Government Center10
System of Cyber Security Controls - ToRs
e-Government Center11
• Adopt an international best practice;
• Mandatory for public authorities;
• Compliant with current legislations framework;
• Include : Physical measures; Technical measures; Organizational measures.
• Define security classification levels (integrity, confidentiality, availability): Low, Medium, High;
• Free of charge and updated regularly;
• Provide requirements and clear guidance on how to implement them;
Examples: Recommended Security Controls for Federal Information Systems and Organizations (NIST 800-53), BSI
(IT-Grundschutz Methodology) , ISKE ,SANS TOP 20, etc.
Compliance Certification of Authorities
e-Government Center12
Do not invent the wheel. It has already been invented…
• Outsource to private sector
• Define a compliance certification framework taking into consideration:
– International experience – ex. PCI DSS
– Local experience – ex. BNM
• Require international recognized certification (ex. CISA, CISM, CISSP, etc.)
System of Cyber Security Controls – Quick Wins
e-Government Center13
• Start with some simple things which can be implemented quickly
• Develop and expand to rich a state of “normality”
• Develop cyber security guide based on SANS 20 Critical Controls for Cyber Defense
• Encourage public authorities to implement the guide. Identify and fix the issues
• Include this guide as a part of the System of Cyber Security Controls
Summary
e-Government Center14
• One of the threats to cyber security is lack of security baselines that should be applied according to the criticality of the systems
• Defining and implementing of a System of Cyber Security Controls is a complex task which take time to do it right
• We should start with something simple which can be implemented quickly
• Further we should develop and expand to reach a state of “normality”
Thank you !
e-Government Center15