
Section 2.12 concludes this chapter.

2.9 A high-level overview of the NCMF levels

The identification of cybersecurity functions happens at the first level of the NCMF, and is done by consulting national and international authoritative and normative sources. The selection and prioritisation of national cybersecurity functions for implementation is described, and carried out, at the second level of the NCMF, by following a national risk management approach.

The selection and prioritisation of national cybersecurity functions for implementation may be further guided by the NCMF domains and mandates. The implementation of national cybersecurity functions and their structures is described in levels 3 to 6 of the NCMF. This concept is shown in Figure 11.


The National Cybersecurity Management Framework

Figure 11: NCMF purpose to level mapping

During the identification of the NCMF levels, we drew from our experience in developing cybersecurity frameworks and architectures for the South African Government, as well as for industry. Our experience includes a national collaborative project that was executed in terms of the national cybersecurity capability deployment strategy for South Africa [42].

As stated in Section 1.3, among the characteristics required of the NCMF are that it should scale to the national level, and that it should be flexible and agile. To satisfy these requirements, we made a conscious decision to keep the NCMF lean and compact. Furthermore, it is our experience that a framework with more than ten levels becomes complicated, which makes its implementation and execution difficult, whereas frameworks with ten or fewer levels are easier to implement, monitor and manage.

Thus, we initially decided to constrain the development of the NCMF to at most ten levels, with fewer than ten preferable to limit complexity and to streamline implementation. After having considered all the elements needed as input to the NCMF to identify, select, prioritise and implement national cybersecurity functions, we ended up with six levels.

A National Cybersecurity Management Framework for Developing Countries

Our NCMF thus consists of six sequential levels, starting at level 1 and ending at level 6. Figure 11 shows that the purpose of level 1 is the identification of cybersecurity functions, and that the purpose of level 2 is to select and prioritise the functions for implementation. Levels 3 to 6 describe the implementation of cybersecurity functions. The NCMF's six levels are discussed in detail in the following chapters; the sub-sections below provide a brief introduction to each.

2.9.1 First level – Level 1 (L1)

The purpose of the first level, named level 1, is to identify national cybersecurity functions. This is done by identifying national and international authoritative and normative sources, and the cybersecurity function prescripts and recommendations expressed in them. The authoritative source prescripts identify mandatory national cybersecurity functions, while the normative source recommendations describe non-mandatory cybersecurity functions. Additional elements that influence the cybersecurity management tasks, and their impact on cybersecurity functions, are also considered at this level.

The additional influencing elements are the dimensions, mandates and domains in which the framework will operate. These additional influencing elements are discussed in detail in Chapter 3. The outcome of level 1 of the NCMF is a list of mandatory and non-mandatory national cybersecurity functions, from which a selection may be made for national implementation. Level 1 also identifies and lists NCMF actors. The identification of NCMF actors is discussed in Chapter 3.

From the list of NCMF actors, some can be selected to be held responsible for the application and implementation of the NCMF. Responsibility for the national implementation of the cybersecurity functions may also be assigned to the actors on this list. The mandates and domains selected at level 1 further influence the selection and prioritisation of national cybersecurity functions for implementation.

Level 1 is foundational in nature, in that it must be completed before any of the other NCMF levels can be completed. It is not possible to progress with levels 2 to 6 until level 1 is complete, since the outcomes of level 1 feed into, and the rest of the framework depends on, those outcomes.

Due to its foundational nature, level 1 of the NCMF is discussed in detail on its own in Chapter 3. The next step is to do the actual selection and prioritisation of national cybersecurity functions for implementation. This step is described in level 2 of the NCMF.


2.9.2 Second level – Level 2 (L2)

The purpose of the second level of the NCMF, named level 2, is to select and prioritise national cybersecurity functions for implementation. To ensure implementation of the NCMF, and to execute the selection and prioritisation of national cybersecurity functions for implementation, an overall controlling and coordinating body must be established. The selection and prioritisation of cybersecurity functions for national implementation may be facilitated by following a national risk management approach. The second level describes the establishment of:

• A national, overall cybersecurity controlling and coordinating body, with the purpose of implementing the NCMF, and to drive the selection and prioritisation of cybersecurity functions for national implementation, as well as,

• A national risk management approach to guide the selection and prioritisation of cybersecurity functions for national implementation.

The purpose of the national overall controlling body is to manage, drive and apply the NCMF, and to steer, coordinate and assign responsibilities for the implementation of national cybersecurity functions. Its establishment is key to the success not only of implementing and driving the NCMF, but also of the national implementation of the cybersecurity functions. The overall controlling body can only succeed in implementing the NCMF and the cybersecurity functions if it is appointed by government, allocated adequate funding and resources, and given a clear mandate. The national overall controlling body also oversees the implementation of a national risk management approach and process.

From experience, we propose that a risk management approach and process be followed to help with the selection and prioritisation of cybersecurity functions at the national level. Following a risk management approach to the management of national or organisational cybersecurity risk is also recommended by international standards such as the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC) 27001:2013.

The outcome of the national risk management process may inform the selection of cybersecurity functions, and primarily serves to prioritise national cybersecurity functions for implementation. The NCMF mandates and domains may also influence the selection and prioritisation of national cybersecurity functions, while the NCMF dimensions are used to identify NCMF actors and stakeholders. The outcome of level 2 of the NCMF is a list of selected and prioritised national cybersecurity functions to be considered for implementation. Level 2's primary function is to prioritise national cybersecurity functions for implementation. This is achieved by developing a national cybersecurity risk management strategy that describes a risk management framework and process. This strategy and process are driven by the overall cybersecurity controlling body.

2.9.3 Third level – Level 3 (L3)

The third level of the NCMF, named level 3, serves to consolidate the national cybersecurity functions selected and prioritised in level 2. The intention is for this level to be used to group a nation's cybersecurity functions logically. The existing cybersecurity structures offering the cybersecurity functions are also identified here. In the absence of existing structures, new structures should be envisioned and implemented.

Level 3 is also the demarcation point in the NCMF where the implementation of national