Secondary deliverable
Section 5.11 concludes this Chapter.
5.3 High-level overview of levels 2 to
It is our experience that the national cybersecurity management tasks of selecting, prioritising and implementing functions, will not happen unless explicit responsibility is assigned to national actors. This observation of ours is supported in the ITU’s National Cybersecurity Strategy Guide [52]. We will now provide a high-level overview of the remaining NCMF levels, followed by a detailed description of each in the sections following.
5.3.1 Level 2 high-level introduction
The management tasks of selecting and prioritising the identified cybersecurity functions for implementation, lead to the requirement for a second level for the NCMF. It is our experience that these tasks will not happen unless explicit responsibility is assigned to national actors. This observation is supported in the ITU’s National Cybersecurity Strategy Guide [52]. Level 2 prescribes the establishment of an overall controlling body. The overall controlling body is needed to initiate, drive and manage these tasks. Level 2 also prescribes the establishment of a national strategic risk and threat assessment process.
This process will inform and guide the selection, and prioritisation of functions for implementation. The motivation for placing an overall controlling body at level 2, is because this body must ensure that the NCMF is implemented from the top down as intended, and to drive the selection and prioritisation of cybersecurity
115
The National Cybersecurity Management Framework Level 2 to Level 6
functions by means of the national strategic risk and threat assessment process. Responsibility for these tasks is explicit, and has to be assigned to actors by the overall controlling body.
5.3.2 Level 3 high-level introduction
After the application of level 2, we have a list of selected and prioritised national cybersecurity functions for implementation. We now need to identify the cybersecurity structures from where these functions will be offered. This allows us to identify the cybersecurity function’s structure-specific functions, services and technologies. From these functions, we can then identify overlapping and similar functions services and technologies. In level 3, we consolidate the selected and prioritised national cybersecurity functions. This consolidation provides us with a logical grouping of cybersecurity functions, and we can use this to identify their structures and services.
5.3.3 Level 4 high-level introduction
The levels following level 2 of the NCMF (levels 3 to 6) are cybersecurity function, and structure specific. This means that the focus from level 2 onwards shifts from the identification of the mandatory or non-mandatory cybersecurity functions (level 1), and the selection and prioritisation of the functions (level 2), to the consolidation of functions (level 3), and implementation of the functions and their structures. Level 3 thus serves as the demarcation point where the implementation part of the NCMF starts. Level 3 provided us with a consolidated list of cybersecurity functions. In level 4, the structures supporting these functions are identified and consolidated.
These structures have their own functions and services. We will be using level 4 to determine the structure functions and services, and identify overlaps and similarities. For developing countries, these overlapping and similar functions and services may be combined, and offered from a new structure. Combining the functions and services of multiple structures, and offering them from a single structure, realise a cost and skills saving.
5.3.4 Level 5 high-level introduction
Since our framework is aimed at improving the national cybersecurity posture of nations, but with a focus on developing countries, the level 4 structures will be national structures, and will be subject to national acts and regulations. Level 5 is used to determine authoritative sources and their prescriptions applicable to the structures. These could be prescripts found in acts and regulations such as national health and safety, or physical security regulations if the structure is considered a national key point.
A National Cybersecurity Management Framework for Developing Countries
116
5.3.5 Level 6 high-level introduction
Level 6 addresses the operational elements of the national structure. These elements are all internal and examples are the structures policy, processes and procedures. Level 6 also addresses the technology needed to make the structure operational. The NCMF six levels, and the transition in focus from identification, selection and prioritisation to implementation is shown in Figure 24.
Figure 24: Shift in Focus of NCMF Levels
Figure 24 shows that the identification of cybersecurity functions happens at level 1 of the NCMF, and that the selection and prioritisation of those functions for implementation happens at level 2. The selected and prioritised functions are then consolidated, and their corresponding structures, with their services and capabilities are identified in level 3. The framework is structure specific from level 4 onwards. Level 4 to level 6 of the NCMF is used to determine structure specific elements needed (structure types, structure functions, services and technologies) to offer the national cybersecurity function.
Levels 2 to 6 is introduced and discussed in more detail in the following sections. We start our discussion with level 2, where the national, overall controlling body, as well as the strategic risk and threat assessment
117
The National Cybersecurity Management Framework Level 2 to Level 6
function is described. During our discussion, we will use generic examples to illustrate the application of the NCMF levels, but we will also personalise the level discussions with our structures and templates, as well as South African actors, based on our experience.