ITU National Cybersecurity Framework – Overview


Committed to Connecting the World


ITU Regional Cybersecurity Forum for Eastern and Southern Africa

Lusaka, Zambia

25–28 August 2008

Joseph Richardson

Joseph.Richardson@ties.itu.int

for

ICT Applications and Cybersecurity Division

Policies and Strategies Department

ITU Telecommunication Development Bureau

International Telecommunication Union


This Presentation

• Introduce the ITU National Cybersecurity Framework
• Identify Issues for Implementing the Framework Nationally
• Introduce the ITU Self Assessment Toolkit


This Presentation

Based on:

Study Group Q 22/1: Report on Best Practices for a National Approach to Cybersecurity: A Management Framework for Organizing National Cybersecurity Efforts


Why a Framework?

• Why is a National Strategy needed?
• Cybersecurity/Critical Information Infrastructure Protection (CIIP) is a SHARED responsibility
• All “participants” must be involved
  - Appropriate to their roles


Participants

• “Participants” responsible for cybersecurity:
  - “Government, business, other organizations, and individual users who develop, own, provide, manage, service and use information systems and networks”
    – From “UNGA Resolution 57/239 Creation of a global culture of cybersecurity”


[Figure: the five elements of the Framework: National Strategy; Government Industry Collaboration; Deterring Cybercrime; Incident Management Capabilities; Culture of Cybersecurity]


Framework for Action

• For each of these five elements, the Framework recommends:
  - POLICY: to guide national efforts
  - GOALS: to implement the policy
  - SPECIFIC STEPS: to achieve goals


Implementing the Framework Nationally

• Actions by Government
• Collaboration by other participants


Government Actions

• Provide leadership, guidance and coordination
  - Identify lead persons and institutions
  - Develop CSIRT with national responsibility
  - Identify cooperative arrangements and mechanisms among all participants
  - Identify international counterparts and relationships
  - Identify experts
  - Establish integrated risk management process
  - Assess and periodically reassess cybersecurity
  - Identify training requirements


ITU National Cybersecurity/CIIP Self–Assessment Toolkit

• Intended to assist national authorities to review their domestic situation related to goals and actions identified in:
  - Study Group Q 22/1: Report on Best Practices for a National Approach to Cybersecurity: A Management Framework for Organizing National Cybersecurity Efforts
• Adapted from work in APEC-TEL

http://www.itu.int/ITU-D/cyb/cybersecurity/projects/readiness.html


ITU Self–Assessment Toolkit

• Focus: national management and policy level
• Intended to assist national governments:
  - Understand existing national approach
  - Develop “baseline” re Best Practices
  - Identify areas for attention
  - Prioritize national efforts


Considerations

• No nation starting at ZERO
• No “right” answer or approach
• Continual review and revision needed
• All “participants” must be involved
  - appropriate to their roles


The Self-Assessment Toolkit

• Examines each element of Framework at management and policy level:
  - National Strategy
  - Government - Industry Collaboration
  - Deterring Cybercrime
  - National Incident Management Capabilities
  - Culture of Cybersecurity


The Self-Assessment Toolkit

• Looks at organizational issues for each element of Framework:
  - The people
  - The institutions
  - The relationships
  - The policies
  - The procedures
  - The budget and resources


The Self-Assessment Toolkit

• Identifies issues and poses questions:
  - What Actions have been taken?
  - What Actions are planned?
  - What Actions are to be considered?
  - What is the Status of these actions?


The Framework and ITU National Self-Assessment Toolkit

• Objective: assist nations organize and manage national efforts to
  - Prevent
  - Prepare for
  - Protect against
  - Respond to, and
  - Recover from
  cybersecurity incidents.


Next Steps

• What are the next steps
  - for your nation?
  - for your region?
