
Organizational Structures


• Legal foundations for transposing security laws into networked and online environments;

• Involvement of all stakeholders;

• Developing a culture for cybersecurity;

• Procedures for addressing ICT security breaches and incident-handling (reporting, information sharing, alerts management, justice and police collaboration);

• Effective implementation of the national cybersecurity policy;

• Cybersecurity programme control, evaluation, validation and optimization.

A national strategy to promote cybersecurity is vital for national security, citizens’ safety and the nation’s economic welfare. Different stakeholders (government authorities, the private sector, citizens and users) should be aware of their roles in contributing to the prevention of, preparation for, response to, and recovery from incidents. The national strategy should be linked with the national legal framework to ensure that it is properly grounded in law; existing laws may need to be updated to ensure that they address the different types of cybercrime (Chapter One).

3.3. A Framework for Organizational Structures

It is the duty of the state to protect the national digital heritage and critical infrastructures, to sustain economic development, and to ensure the safety of its citizens. The following sections propose an organizational framework to facilitate the establishment of organizational entities that could help promote cybersecurity and protect critical infrastructure (Figure 3.2). Three kinds of organizational structures are proposed to promote cybersecurity and address cybercrime and other information security and network security issues:

1. A National Cybersecurity Council (NCC);

2. A National Cybersecurity Authority (NCA); and

3. A National CERT and/or CSIRTs.

These organizational structures may already exist in some countries, sometimes under other names.

These structures need to be adapted with regard to the availability of resources, private/public partnerships and the level of ICT development of each country. Each country has to define its own relevant structures, with specific allocated roles, functions and resources. For each country, it is recommended that a central focal point or specific organizational entity be established to support a national cybersecurity policy and facilitate regional and international cooperation. Countries may wish to establish a National Cybersecurity Council (NCC). Depending on the size and needs of the country, several alternative organizational structures could be designed.


Figure 3.2: A framework for organizational structures

3.3.1. National Cybersecurity Council (NCC)

National governments should establish an entity to formalize and coordinate their cybersecurity efforts. Different countries will choose different models, but all models should involve a close partnership with the private sector. For the purposes of this Chapter, this focal point is referred to as the National Cybersecurity Council (NCC). The NCC could be a specific (separate) entity or a component of an existing National Security Council. The NCC should be the national lead structure for the coordination and adoption of cybersecurity measures, responsible for:

• defining national cybersecurity policies;

• setting priorities for national cybersecurity initiatives;

• coordinating cybersecurity actions at the national level;

• identifying stakeholders and public-private relationships to address cybersecurity issues;

• collaborating with governmental services or agencies such as the intelligence service, secret service, security bureau, police forces and a High-Tech Crime Unit;

• collaborating with regional or international agencies (such as Europol or Interpol);

• monitoring governmental ICT systems and infrastructures;

• coordinating actions on, and the development of, digital identity systems and management, and good practices related to digital identities, among others.

In order to ensure the implementation of the national strategy, the NCC should be linked to top-level government authority and integrated with existing structures. The NCC could rely on other organizational structures, including the national CERT (or equivalent institution).

3.3.2. National Cybersecurity Authority (NCA)

In some cases, it may also be effective to set up a National Cybersecurity Authority (NCA) to implement cybersecurity goals. The NCA would implement the measures identified in the national policy defined by the National Cybersecurity Council. In order to guarantee separation between the definition of policy and its implementation, the NCA must have a degree of independence to avoid interference. In addition, other functions (such as compliance verification, risk audits and security evaluation) could be offered by the NCA.


The NCA will assist the NCC in all its operational activities and help organize exercises that let industry test its emergency plans. The NCA could work with industry to establish goals and guidelines for the security of ICT infrastructure and services. The NCA could also contribute to the application of international standards relating to cybersecurity and to the accreditation or certification of ICT infrastructures, services or providers.

3.3.3. National Computer Emergency Response Team (CERT)

The formation of dedicated information security teams within different organizations (firms, academic institutions, governmental agencies) or at the national level can help protect countries’ information assets and maximize returns on investments in IT infrastructure. A Computer Emergency Response Team (CERT) is an organization that monitors computer and network security in order to provide and coordinate incident response services to victims of attacks. It also publishes alerts concerning vulnerabilities and threats and may offer other information to help improve computer and network security. Today, there are at least 250 “official” CERTs, and this number is growing rapidly.

A national CERT or Computer Security Incident Response Team (CSIRT) is an organization responsible for protecting a government’s information infrastructure or, in some cases, serving as the point of national coordination for responses to ICT security threats. CSIRTs deliver many services. Figure 3.3 gives an overview of CSIRT services (as defined in the “Handbook for CSIRTs” published by the CERT/CC).

Fundamental services appear in bold font. A distinction is made between reactive and proactive services.

Proactive services seek to prevent incidents mainly through awareness, information-sharing, security tools deployment and training, while reactive services deal with the handling of incidents and mitigating resulting damage.

Figure 3.3: The main services provided by CERTs/CSIRTs (service categories: Reactive Services, Proactive Services, Artifact Handling)


CSIRTs vary dramatically in the services they provide and the constituents they serve. Some are CSIRTs with national responsibility. Most CSIRTs belong to private organizations and are established to fulfill specific functions, depending on their situation. Their mandate, services, constituents, activity, size and structure all vary widely. Many owe their status to the fact that they are members of the Forum of Incident Response and Security Teams (FIRST). One key function that all CERTs share is that they should be able to provide timely information about the latest relevant threats and to provide assistance in incident response when needed. The cyberthreat environment is evolving relentlessly and CSIRTs need to keep abreast of these changes, making it even more essential that different CSIRTs find ways to share as much information as possible.

National CSIRTs almost always assume responsibilities for readiness and response to large-scale attacks. For example, the main mission of US-CERT is to protect US critical infrastructures. US-CERT has organized major international exercises (e.g. “Cyberstorm”, involving Australia, New Zealand, and Canada), simulating large-scale attacks on critical sectors. APCERT also organizes a drill every year along similar lines, to test the ability of CSIRTs from different countries to cooperatively respond to large-scale contingencies.

In early 2007, CERT/CC published a list of some 40 CERTs recognized as having “national” responsibilities.3 If countries do not yet have a CERT/CSIRT, they could be encouraged to establish one.

CERTs often also undertake “watch, warning, incident response and recovery” for ICT-related incidents.

This focal point would also provide up-to-date and free information over dedicated communication channels (e.g., e-security web portals, email distribution list) on cyber-threats, cyber-risks and alerts, as well as good practices. A multilingual information-sharing and alert system should be established to link together existing or planned national public and private initiatives. Outreach campaigns could reach a large part of the population through a combination of advertisements, partnering with ISPs and providers of ICT security solutions. Awareness campaigns could make use of websites and portals, seminars directed at general IT users and system administrators, training, brochures and workshops. Some countries have laws requiring firms to evaluate information security through risk audits. Awareness campaigns should also be tailored to specific audiences - a one-size-fits-all strategy might be easier to develop, but it is far less effective.

The ITU-D’s ICT Applications and Cybersecurity Division website provides a wealth of information about CERTs, CSIRTs and Warning, Advice and Reporting Points (WARPs). ITU-D has developed detailed research reports on key activities for addressing cybersecurity at the national level, covering preparation for, and the detection, management of and response to, cyber-incidents through the establishment of watch, warning and incident response capabilities. Effective incident management requires consideration of funding, human resources, training, technological capability, government and private sector relationships, and legal requirements. Collaboration at all levels of government and with the private sector, academia, and regional and international organizations is necessary to raise awareness of potential attacks and of the steps toward remediation.

These CERT/CSIRT resources include:

• Incident Management Capability Metrics Version 0.1 (pdf)

• Creating a Computer Security Incident Response Team: A Process for Getting Started

• Action List for Developing a Computer Security Incident Response Team (CSIRT)

• Steps for Creating National CSIRTs (pdf)

• Defining Incident Management Processes for CSIRTs: A Work in Progress (pdf)

• Staffing Your Computer Security Incident Response Team – What Basic Skills Are Needed?

• Handbook for Computer Security Incident Response Teams (CSIRTs) (pdf)

• Organizational Models for Computer Security Incident Response Teams (pdf) | html

• State of the Practice of Computer Security Incident Response Teams (pdf) | html

• CSIRT Frequently Asked Questions

3 “National Computer Security Incident Response Teams”, published by SEI/CERT, 2007.

In addition to reactive services, such as incident response, CSIRTs and CERTs nowadays also often provide their customers with a variety of other security services, including alerts and warnings, advisories, technical assistance and security-related training. Other information resources include:

• ENISA: CSIRT Step-by-Step guide, 2006

• CPNI, United Kingdom: The WARP Toolbox

• GOVCERT.nl, The Netherlands: CSIRT in a Box

• Training resource for incident response teams organized by TERENA’s TF-CSIRT and funded by the European Commission

• Clearing House for Incident Handling Tools (CHIHT) resources (includes a listing of incident handling tools).