The document discusses the National Cybersecurity Management System (NCSecMS) framework proposed by Mohamed Dafir EL KETTANI for evaluating and improving national cybersecurity. The NCSecMS includes a National Cybersecurity Framework with 5 domains and 34 processes, a Maturity Model to assess process maturity levels, a Roles and Responsibilities chart (RACI) to define stakeholder roles, and an Implementation Guide roadmap. It also summarizes Morocco's "Maroc Numeric 2013" ICT Strategic Plan and Cybersecurity Roadmap initiatives to comply with international laws, set up a CERT team, and protect critical infrastructures.
National Cybersecurity Management System Framework
1. National Cybersecurity Management System
Mohamed Dafir EL KETTANI
PhD, ISO 27001 Lead Implementer
Professor
ENSIAS, University Mohammed V-Souissi, Morocco
2. Agenda
1 – Introduction
2 – National Cybersecurity Management System
NCSec Framework
Maturity Model
Roles & Responsibilities
Implementation Guide
3 – Morocco Case
ICT Strategic Plan
Cybersecurity Roadmap
4 – Conclusion
4. Introduction (1/3)
• Increasing computer security challenges in the world;
• Which entity (or entities) should be given the responsibility for National Cyber Security?
– Case by case organisational structures
– Partially standardized organisational structures (for example, CERTs)
• Self-Assessment:
– Best practices that organizations can refer to in order to evaluate their readiness status;
– Case by case strategies
– Gap between countries and regions
5. Introduction (2/3)
• But there is a lack of international standards (clear guidance) with which a State or region can measure its current security status.
– Lack of framework
– Lack of global vision in terms of:
• Capacity building, Certification
• Self-assessment
• Responsibilities & Roles
• Implementation process
• Measurement through indicators
• etc.
– Harmonization between countries and regions is a delicate process
6. Introduction (3/3)
• The main objective of this presentation is to propose a Model of National Cybersecurity Management System (NCSecMS), which is a global framework that best responds to the needs expressed by the ITU Global Cybersecurity Agenda (GCA 2007).
– More than recommendations...
– ... result of benchmarking
– Answers real needs in terms of CyberSecurity
– Adapted to a case by case implementation process
• Working Team:
– Former members of the HLEG Working Area 3 (Organisational Structures)
8. NCSecMS Components
NCSec Management System, made of four components (the sources each one builds on are given in brackets):
1 – NCSecFR: NCSec Framework, 5 Domains, 34 Processes (ITU Documents, ISO 27002)
2 – NCSecMM: Maturity Model for each process of the NCSec Framework (COBIT V4.1)
3 – NCSecRR: Roles & Responsibilities, RACI Chart by process (National Stakeholders, NCSec Framework)
4 – NCSecIG: Implementation Guide, PDCA (ISO 27003, ISO 27001)
9. NCSecMS Components
NCSec Management System: Moroccan Proposal to ITU Q22/1 (September 2009). Where each component was presented:
1 – NCSecFR: NCSec Framework, 5 Domains, 34 Processes (ITU Documents, ISO 27002) – ICEGOV 2008 Conference
2 – NCSecMM: Maturity Model for each process of the NCSec Framework (COBIT V4.1) – ECEG 2009 Conference
3 – NCSecRR: Roles & Responsibilities, RACI Chart by process (National Stakeholders, NCSec Framework) – ECIW 2009 Conference
4 – NCSecIG: Implementation Guide, PDCA (ISO 27003, ISO 27001) – ITU Tunis 2009, National Recommendation
10. NCSecMS Components
NCSec Management System: Moroccan Proposal to ITU Q22/1 (September 2009). What each component brings:
1 – NCSecFR (NCSec Framework, 5 Domains, 34 Processes): points out vulnerabilities & demonstrates them to government
2 – NCSecMM (Maturity Model for each process): provides metrics to measure their achievement
3 – NCSecRR (Roles & Responsibilities, RACI Chart by process): points out roles and responsibilities
4 – NCSecIG (Implementation Guide, PDCA): finds out the profiles needed to fulfil the role of a stakeholder
13. Domain 1: Strategy and Policies (SP)
Proc – Process – Description
SP1 – NCSec Strategy – Promulgate & endorse a National Cybersecurity Strategy
SP2 – Lead Institutions – Identify a lead institution for developing a national strategy, and 1 lead institution per stakeholder category
SP3 – NCSec Policies – Identify or define policies of the NCSec strategy
SP4 – Critical Information Infrastructures Protection – Establish & integrate risk management for identifying & prioritizing protective efforts regarding CII
SP5 – Stakeholders – Identify the degree of readiness of each stakeholder regarding the implementation of the NCSec strategy, & how stakeholders pursue the NCSec strategy & policies
14. Domain 2: Implementation and Organisation (IO)
Proc – Process – Description
IO1 – NCSec Council – Define a National Cybersecurity Council for coordination between all stakeholders, to approve the NCSec strategy
IO2 – NCSec Authority – Define a specific high-level Authority for coordination among cybersecurity stakeholders
IO3 – National CERT – Identify or establish a national CERT to prepare for, detect, respond to, and recover from national cyber incidents
IO4 – Privacy and Personal Data Protection – Review the existing privacy regime and update it to the on-line environment
IO5 – Laws – Ensure that a legal framework is in place and regularly updated
IO6 – Institutions – Identify institutions with cybersecurity responsibilities, and procure resources that enable NCSec implementation
IO7 – National Experts and Policymakers – Identify the appropriate experts and policymakers within government, private sector and university
IO8 – Training – Identify training requirements and how to achieve them
IO9 – Government – Implement a cybersecurity plan for government-operated systems that takes change management into account
IO10 – International Expertise – Identify international expert counterparts and foster international efforts to address cybersecurity issues, including information sharing and assistance efforts
15. Domain 3: Awareness and Communication (AC)
Proc – Process – Description
AC1 – Leaders in the Government – Persuade national leaders in the government of the need for national action to address threats to and vulnerabilities of the NCSec through policy-level discussions
AC2 – National Cybersecurity and Capacity – Manage National Cybersecurity and capacity at the national level
AC3 – Continuous Service – Ensure continuous service within each stakeholder and among stakeholders
AC4 – National Awareness – Promote a comprehensive national awareness program so that all participants (businesses, the general workforce, and the general population) secure their own parts of cyberspace
AC5 – Awareness Programs – Implement security awareness programs and initiatives for users of systems and networks
AC6 – Citizens and Child Protection – Support outreach to civil society with special attention to the needs of children and individual users
AC7 – Research and Development – Enhance Research and Development (R&D) activities (through the identification of opportunities and allocation of funds)
AC8 – CSec Culture for Business – Encourage the development of a culture of security in business enterprises
AC9 – Available Solutions – Develop awareness of cyber risks and available solutions
AC10 – NCSec Communication – Ensure National Cybersecurity Communication
16. Domain 4: Compliance and Coordination (CC)
Proc – Process – Description
CC1 – International Compliance & Cooperation – Ensure regulatory compliance with regional and international recommendations, standards …
CC2 – National Cooperation – Identify and establish mechanisms and arrangements for cooperation among government, private sector entities, university and NGOs at the national level
CC3 – Private Sector Cooperation – Encourage cooperation among groups from interdependent industries (through the identification of common threats); encourage the development of private sector groups from different critical infrastructure industries to address common security interests collaboratively with government (through the identification of problems and allocation of costs)
CC4 – Incidents Handling – Manage incidents through the national CERT to detect, respond to, and recover from national cyber incidents, through cooperative arrangements (especially between government and private sector)
CC5 – Points of Contact – Establish points of contact (or CSIRTs) within government, industry and university to facilitate consultation, cooperation and information exchange with the national CERT, in order to monitor and evaluate NCSec performance in each sector
17. Domain 5: Evaluation and Monitoring (EM)
Proc – Process – Description
EM1 – NCSec Observatory – Set up the NCSec observatory
EM2 – Mechanisms for Evaluation – Define mechanisms that can be used to coordinate the activities of the lead institution, the government, the private sector and civil society, in order to monitor and evaluate the global NCSec performance
EM3 – NCSec Assessment – Assess and periodically reassess the current state of cybersecurity efforts and develop program priorities
EM4 – NCSec Governance – Provide National Cybersecurity Governance
19. Maturity Model
• CMM's Five Maturity Levels of Software Processes:
• 1: At the initial level, processes are disorganized, even chaotic.
• 2: At the repeatable level, basic project management techniques are established, and successes can be repeated.
• 3: At the defined level, an organization has developed its own standard software process.
• 4: At the managed level, an organization monitors and controls its own processes through data collection and analysis.
• 5: At the optimizing level, processes are constantly being improved through monitoring feedback.
20. Maturity Model
Maturity levels (Level 1 to Level 5) for the Domain 1 processes:
SP1 – Promulgate & endorse a National Cybersecurity Strategy
Level 1: Recognition of the need for a National strategy
Level 2: NCSec is announced & planned
Level 3: NCSec is operational for all key activities
Level 4: NCSec is under regular review
Level 5: NCSec is under continuous improvement
SP2 – Identify a lead institution for developing a national strategy, and 1 lead institution per stakeholder category
Level 1: Some institutions have an individual cyber-security strategy
Level 2: Lead institutions are announced for all key activities
Level 3: Lead institutions are operational for all key activities
Level 4: Lead institutions are under regular review
Level 5: Lead institutions are under continuous improvement
SP3 – Identify or define policies of the NCSec strategy
Level 1: Ad-hoc & isolated approaches to policies & practices
Level 2: Similar & common processes announced & planned
Level 3: Policies and procedures are defined, documented, operational
Level 4: National best practices are applied & repeatable
Level 5: Integrated policies & procedures; transnational best practice
SP4 – Establish & integrate risk management process for identifying & prioritizing protective efforts regarding NCSec (CIIP)
Level 1: Recognition of the need for a risk management process in CIIP
Level 2: CIIP are identified & planned; risk management process is announced
Level 3: Risk management process is approved & operational for all CIIP
Level 4: CIIP risk management process is complete, repeatable, and leads to CI best practices
Level 5: CIIP risk management process evolves to automated workflow & is integrated to enable improvement
23. RACI Chart / Stakeholders
One letter per stakeholder column, left to right:
SP1 – NCSec Strategy – Promulgate & endorse a National Cybersecurity Strategy: I A C C R C C C I I R I I I
SP2 – Lead Institutions – Identify a lead institution for developing a national strategy, and 1 lead institution per stakeholder category: I I A C R C C I I R C C C C
SP3 – NCSec Policies – Identify or define policies of the NCSec strategy: A C R C I C I R I I
SP4 – Critical Infrastructures – Establish & integrate risk management for identifying & prioritizing protective efforts regarding NCSec (CIIP): A R R C I R C R I
R = Responsible, A = Accountable, C = Consulted, I = Informed
28. “Maroc Numeric 2013”
Morocco ICT Strategic Plan consists of 4 Strategic Priorities, 2 Accompanying Measures and 2 Implementation Modes (18 Initiatives, 51 actions):
4 Strategic Priorities:
– Social Transformation: Ensuring Access to Education Players; Internet Broadband Access; Local Content Development
– User-Oriented Public Services: Public Administration Efficiency; Citizens’ Services; Enterprises’ Services
– Computerization of SMEs: SMEs Professional Solutions; Raising Awareness; Mobilization of prescriptions
– IT Industry Development: Entrepreneurial and Areas of Excellence (Cluster TI); IT Offshoring
2 Accompanying Measures:
– Human Capital: Training Plans; New Training Courses
– Cybersecurity: Regulatory Framework; Organizational Structures; Promotion and Awareness
2 Implementation Modes:
– Governance: Supervision and Follow-up Structures; IT Observatory
– Budget: Financial Resources
29. Cybersecurity (1/2)
Ambition: Cyber-confidence – Ensure business trust, enhance security capabilities, and secure critical information infrastructures
Objectives 2013:
• Compliance of Moroccan IT Laws (Protection of Personal Data, Consumer Protection, Legal Electronic Data Exchange) with common international Laws
• 60 000 Electronic Certificates delivered
Initiatives – Projects – Description
Regulatory Framework – Protection of Personal Data – Set up the National Commission for Data Protection (CNDP)
Regulatory Framework – Consumer Protection – Elaborate the necessary legal and regulatory texts to protect online Consumers
Regulatory Framework – ICT Legal Study – Upgrade/update the legal and regulatory framework in order to face the Cybersecurity challenges and harmonize it with the partner countries
Regulatory Framework – Electronic Certification Provider – Support the creation of a PKI provider for ensuring electronic signature
Organizational Structures – Creation of Computer Emergency Response Team (ma-CERT) – Set up the National Computer Emergency Response Team (MA-CERT)
Organizational Structures – Critical Information Infrastructures Protection – Encourage the development of backup sites to ensure the Business Continuity of Critical Information Infrastructures in Morocco
30. Cybersecurity (2/2)
Initiatives – Projects – Description
Awareness and Communication – Child/Younger Online Protection – Raise awareness of children, young people and parents on Cybersecurity and cyber-confidence issues
Awareness and Communication – Administration and Enterprise awareness – Raise awareness of the administration and enterprises on Cybersecurity and cyber-confidence issues
Capacity building – ISS integration in Higher Education – Integrate Information Security Systems (ISS) in Higher Scientific Education and training programs
Capacity building – Judge/Magistrate ISS Training – Ensure training on ISS for judges/magistrates
Capacity building – Continuous Training – Ensure continuous training for administration employees/officials on ISS
32. Conclusion
• NCSecMS:
– More than a best practice document related to National CyberSecurity.
– Affords a complete environment with indicators at the national level,
– Provides metrics to measure their achievement, and to identify from a cybersecurity viewpoint the associated responsibilities of stakeholders and the control process.
• Extensions:
– Quality of implementation measurement for each element
– Security metrics: a meaningful gauge of NCSec performance
– Costs and benefits of an organized, mature and high-quality security program can be better understood
33. Conclusion
• National Cybersecurity Capacity Building:
– Affords a complete environment describing needs and profiles at the national level,
– Might provide metrics to measure their achievement,
– Identifies from a cybersecurity viewpoint the associated responsibilities of stakeholders and the needed profiles (certification, etc.)
• Extensions:
– Quality of implementation measurement for each element
– Capacity Building metrics
– High-quality, adequate security profiles can better answer national needs
34. Conclusion
• Results:
– NCSecMS: Adopted as a National Recommendation by the ITU during the ITU Regional Cybersecurity Forum for Africa and Arab States (4-5 June 2009, Tunis)
– NCSecMS & ITU: Q22.1, September 2009
• Extension of this work:
– Questionnaire elaboration
– A benchmarking tool for evaluating CyberSecurity at the trans-national level, in collaboration with the ITU within its Global CyberSecurity Agenda: some national case studies
35. Thank you for your attention
Email : dafir@ensias.ma