The System of Security Controls for Cyber Security. October 3rd, 2013. GOVERNMENT OF THE REPUBLIC OF MOLDOVA. Veaceslav PUȘCAȘU, CISM, E-Government Center / Government CIO, Government of the Republic of Moldova

System of security controls


DESCRIPTION

The System of Security Controls for Cyber Security Veaceslav PUȘCAȘU E-Government Center Government of the Republic of Moldova


Page 1: System of security controls

The System of Security Controls for Cyber Security

October 3rd, 2013

GOVERNMENT OF THE REPUBLIC OF MOLDOVA

Veaceslav PUȘCAȘU, CISM, E-Government Center / Government CIO, Government of the Republic of Moldova

Page 2: System of security controls

This presentation is


• A summary of what was presented and discussed during the training seminars provided by the Estonian e-Governance Academy

• A summary of ideas circulated and discussed during the meetings of the Cyber Security Roadmap focal group, which includes representatives from MA, MTIC, SIS, CTS, CNPDCP, MAI

• A summary of the experience gained by some public institutions in the Republic of Moldova

• A summary of experience gained by other countries, e.g. Estonia

Page 3: System of security controls

Cyber Space

Cyber Space - an environment resulting from all types of interactions by means of software, hardware and communication infrastructure.

Page 4: System of security controls

Cyber Security


Cyber Security - a state of normality reached as a result of applying a set of proactive and reactive measures to ensure confidentiality, integrity, availability, authenticity and non-repudiation of information, resources and services in cyber space.

Page 5: System of security controls

Cyber Security Threats


Page 6: System of security controls

Cyber Security in Republic of Moldova


Trends

• Increasing usage of electronic services in the public sector, including in interaction with citizens and businesses;

• Increasing usage of mobile devices;

• Spread of the Internet and its use for business purposes;

• Increasing usage of ICT in national critical infrastructure;

• Increasing usage of ICT infrastructure to launch cyber attacks against other nations.

Page 7: System of security controls

Cyber Security in Republic of Moldova


Threats

• Lack of a common approach for cyber security at the state level;

• Lack of clear organizational structure at both the state and institutional level;

• Lack of qualified people in the field;

• Very low level of awareness of the threats and safeguards in cyberspace;

• Lack of a unique set of measures (system of security baselines/controls) that should be applied according to the criticality of the systems;

• ………

Page 8: System of security controls

Standards and Technical Regulations


• Government Decision No. 1123 of 14.12.2010 on the approval of the Requirements for ensuring the security of personal data when processed within personal data information systems;

• Technical regulation. Ensuring the information security of the information infrastructure for public administration authorities, Annex No. 2 to MTIC Order 106 of 20 December 2010.

• SM SR ISO/IEC 27001:20006

Page 9: System of security controls

Challenges


• Define requirements but lack implementation guidelines;

• Depend on the skills and knowledge of the persons involved in implementation;

• Are mostly based on risk assessment;

• No synchronization between them;

• etc.

Page 10: System of security controls

System of Cyber Security Controls – Elaboration Process


Page 11: System of security controls

System of Cyber Security Controls - ToRs


• Adopt an international best practice;

• Mandatory for public authorities;

• Compliant with the current legislative framework;

• Include: physical measures; technical measures; organizational measures;

• Define security classification levels (integrity, confidentiality, availability): Low, Medium, High;

• Free of charge and updated regularly;

• Provide requirements and clear guidance on how to implement them;

Examples: Recommended Security Controls for Federal Information Systems and Organizations (NIST 800-53), BSI (IT-Grundschutz Methodology), ISKE, SANS TOP 20, etc.

Page 12: System of security controls

Compliance Certification of Authorities


Do not reinvent the wheel. It has already been invented…

• Outsource to the private sector

• Define a compliance certification framework taking into consideration:

– International experience – e.g. PCI DSS

– Local experience – e.g. BNM

• Require internationally recognized certifications (e.g. CISA, CISM, CISSP, etc.)

Page 13: System of security controls

System of Cyber Security Controls – Quick Wins


• Start with some simple things which can be implemented quickly

• Develop and expand to reach a state of “normality”

• Develop a cyber security guide based on the SANS 20 Critical Controls for Cyber Defense

• Encourage public authorities to implement the guide. Identify and fix the issues

• Include this guide as a part of the System of Cyber Security Controls

Page 14: System of security controls

Summary


• One of the threats to cyber security is the lack of security baselines that should be applied according to the criticality of the systems

• Defining and implementing a System of Cyber Security Controls is a complex task which takes time to do right

• We should start with something simple which can be implemented quickly

• Further we should develop and expand to reach a state of “normality”

Page 15: System of security controls

Thank you!
