CYBERWELLNESS PROFILE
MAURITIUS
BACKGROUND
Total Population: 1 314 000
Internet users, percentage of population: 39.00%
(data source: United Nations Statistics Division, December 2012)
(data source: ITU Statistics, 2013)
1. CYBERSECURITY
1.1 LEGAL MEASURES
1.1.1 CRIMINAL LEGISLATION
Specific legislation on cybercrime has been enacted through four pieces of IT legislation:
- ICT Act 2001
- Computer Misuse and Cybercrime Act 2003
- Electronic Transaction Act 2000
- Data Protection Act 2004
- An Unsolicited Commercial Electronic Bill is being drafted in collaboration with the Council of Europe
1.1.2 REGULATION AND COMPLIANCE
Specific legislation and regulation related to cybersecurity has been enacted through the following instruments:
- Data Protection Act 2004 which deals with the protection of individuals with regard to the processing of personal
data
- ICT Act 2001
1.2 TECHNICAL MEASURES
1.2.1 CIRT
Mauritius has a national CERT known as the Computer Emergency Response Team of Mauritius (CERT-MU). CERT-MU
operates under the National Computer Board, a statutory body under the aegis of the Ministry of ICT. The IT Security Unit
(ITSU) acts as the Computer Security Incident Response Team (CSIRT) for the Civil Service.
1.2.2 STANDARDS
Mauritius has officially approved national (and sector-specific) cybersecurity frameworks for implementing
internationally recognized cybersecurity standards. As part of the National Information and Communication Technology
Strategic Plan (NICTSP) of 2007-2011 and 2011-2014, the promotion and adoption of the international information
security standard (ISO 27001) is one of the high priority projects and has already been implemented. A risk
assessment methodology has also been defined for the Civil Service. The IT Security Unit is reviewing the following standards
for adoption:
- PAS 555:2013 – Cyber security risk – Governance and management – Specification
- ISO/IEC 27032 – Information technology – Security techniques – Guidelines for cybersecurity
1.2.3 CERTIFICATION
As per the NICTSP 2007-2011, ISO 27001 is the recommended standard for adoption within the public sector.
Accreditation for the ISO 27001 standard is done through the Mauritius Standards Bureau. The Framework for
CIIP that covers critical sectors is being drafted and will be completed by June 2014.
1.3 ORGANIZATION MEASURES
1.3.1 POLICY
Cybersecurity strategy is included in NICTSP 2007-2011 and 2011-2014. A new National Cybersecurity Strategy and
Action Plan has been developed. The IT Security Unit will be responsible for carrying out information security risk
assessment exercises, performing IT security audits based on information security standards and industry best
practices in order to provide an overall assessment of the IT security level, as well as for complex and critical
information systems in the Civil Service, and managing ICT incidents in the Civil Service through the establishment of an
effective incident handling mechanism for government information systems.
1.3.2 ROADMAP FOR GOVERNANCE
The National Information Assurance and Critical Information Infrastructure Protection Policy provides a national
governance roadmap for cybersecurity in Mauritius and is in the finalization stage.
1.3.3 RESPONSIBLE AGENCY
The agency responsible for implementing the national cybersecurity strategy, policy and roadmap in Mauritius is
CERT Mauritius (CERT-MU) of the National Computer Board, and the IT Security Unit for the Civil Service.
1.3.4 NATIONAL BENCHMARKING
A survey was carried out in December 2013 by NCB (CERT-MU) to measure the state of information security in
businesses in Mauritius. So far, this is the first exercise.
1.4 CAPACITY BUILDING
1.4.1 STANDARDISATION DEVELOPMENT
CERT-MU of the National Computer Board regularly publishes best practices and guidelines on different information
security themes relevant for industry and for the general public. The IT Security Unit conducts research on the ISO 27000
set of standards for information security and issues security guidelines for the Civil Service.
1.4.2 MANPOWER DEVELOPMENT
CERT-MU of the National Computer Board organizes regular training for local ICT professionals on information
security. Certification courses are also organized for both the public and private sectors. Postgraduate courses on cyber
security are offered at tertiary institutions such as the Ministry of Tertiary Education, Science, Research &
Technology or the Tertiary Education Commission.
1.4.3 PROFESSIONAL CERTIFICATION
As part of the capacity building exercise, the National Computer Board has organized the following internationally
recognized certification programs. There are more than 100 public sector professionals certified.
1. BS25999 from BSI
2. ISO 27001 Lead Auditor from IRCA
Public sector professionals are also certified under the following internationally recognized certification programs.
Officers of the IT Security Unit currently hold the following certifications:
- Certified Ethical Hacker (CEH)
- Certified Information Systems Security Professional (CISSP)
- Certified Information System Auditor (CISA)
- Certified in Risk and Information System Control (CRISC)
- Certified Information Security Manager (CISM)
1.4.4 AGENCY CERTIFICATION
There are 2 public sector agencies (the Passport and Immigration Office and the Mauritius Planters Association) that are ISO
27001 certified to date. The certified government and public sector agency certified under internationally
recognized standards in cybersecurity in Mauritius is the Mauritius Standards Bureau.
1.5 COOPERATION
1.5.1 INTRA-STATE COOPERATION
To facilitate sharing of cybersecurity assets across borders or with other nation states, Mauritius' national CERT,
CERT-MU, has officially recognized partnerships with the following organizations:
- FIRST
- IMPACT
1.5.2 INTRA-AGENCY COOPERATION
Mauritius has officially recognized national or sector-specific programs for sharing cybersecurity assets within the
public sector through the following instruments:
- CERT-MU, which disseminates information security news to the public sector on a daily basis, covering vulnerability
notes, advisories and virus alerts.
- The ‘National Information Security Strategy’ of the National ICT Strategic Plan (NICTSP) 2011-2014, which plans for
the setting up of a National IT Security Committee with many agencies.
1.5.3 PUBLIC SECTOR PARTNERSHIP
Mauritius has officially recognized national or sector-specific programs for sharing cybersecurity assets within the
public and private sector through information sharing between ISPs (Internet Service Providers) and ICTA regarding
Online Child Sexual Abuse. Information sharing is done in all the Sectors.
1.5.4 INTERNATIONAL COOPERATION
Mauritius is a member of the ITU-IMPACT initiative and has access to relevant cybersecurity services. Mauritius has
been a party to the Budapest Convention on Cybercrime since November 2013.
The CERT-MU is a member of FIRST and participates in the FIRST Conference.
Mauritius is among the beneficiaries of the EU/ITU co-funded project “Support for Harmonization of the ICT Policies
in Sub-Sahara Africa” (HIPSSA).
Mauritius has participated in the following Conferences:
Cyber Security Forum organized by the Commonwealth Telecommunication Organisation and the Forum of the
Council of Europe including the Conferences organized under the GLACY (Global Action on Cybercrime) Project
funded by Council of Europe.
2. CHILD ONLINE PROTECTION
2.1 NATIONAL LEGISLATION AND STRATEGY
Specific legislation on child online protection has been enacted through the following instruments:
- Sections 248, 251 and 288 of the Criminal Code.
- Section 18(m) and 46(h)(i) of the Information and Communication Technologies Act, 2001.
- Sections 13A and 15 of the Child Protection Act, 1995 (not available in pdf or html).
- Section 22 of the Computer Misuse and Cybercrime Act, 2003 (Amends the Child Protection Act.)
Mauritius has adopted the Child Safety Online Action Plan.
2.2 UN CONVENTION AND PROTOCOL
Mauritius has acceded, with no declarations or reservations to articles 16, 17(e) and 34(c), to the Convention on the
Rights of the Child.
Mauritius has acceded, with no declarations or reservations to articles 2 and 3, to the Optional Protocol to The
Convention on the Rights of the Child on the Sale of Children, Child Prostitution and Child Pornography.
2.3 INSTITUTIONAL SUPPORT
The Mauritian ICT Authority is responsible for regulating harmful and illegal online content. It has a procedure of
content-filtering related to child sexual abuse websites.
The National Computer Board (NCB), operating under the Ministry of Information and Communication Technologies
(MICT) and part of the Cybersecurity Emergency Response Team (CERT-MU), has issued a Child Safety Online Action
Plan.
The NCB maintains a website dedicated to promoting child safety online.
The CERT-MU has a space dedicated to information for young people and parents.
2.4 REPORTING MECHANISM
The Mauritian ICT Authority provides an online form to report child sexual abuse images. The NCB also provides an
online form to report cases related to children's issues at the Child Development Unit.
DISCLAIMER: Please refer to http://www.itu.int/en/Pages/copyright.aspx
More information is available on ITU website at http://www.itu.int/en/ITU-D/Cybersecurity/Pages/default.aspx
Last updated on 12th August 2014