Section 6.8 concludes this chapter.

6.8 NCMF consolidated application

The application of the NCMF in the context of South Africa as a developing country is shown in Table 26.

Table 26: NCMF Applied to South Africa

NCMF Level South Africa

National cybersecurity identification function

NCMF Level 1 (L1)

Domain: Defensive domain.

Mandate: Critical information infrastructure protection (CIIP) and National crisis management.

Dimension: Government (SSA, DOD, DTPS, SITA), national (SABRIC), international (FIRST).

National authoritative sources: NCPF, South African Cybercrimes and Cybersecurity Bill, Protection of Critical Infrastructure Bill, The Protection of Personal Information Act 4 of 2013, Electronic Communications and Transactions Act of 2002.

National normative: COBIT 5.

Mandatory national cybersecurity functions: Incident handling and monitoring and evaluation of national ICT as prescribed by NCPF and applicable to the selected domain and mandates.

National cybersecurity selection and prioritisation function

NCMF level 2 (L2)

Overall controlling body: National Cybersecurity Advisory Council.

National strategic risk and threat assessment process: Using ISO/IEC 27005:2011.

National cybersecurity function implementation

NCMF level 3 (L3)

After application of the national strategic risk and threat assessment process, a selection and prioritisation of the identified national cybersecurity functions takes place. In our example, the national incident handling and monitoring and evaluation of national ICT functions are selected and prioritised for implementation.

NCMF level 4 (L4)

Structures are identified from which the selected and prioritised national cybersecurity functions are offered, as determined by considering the Defensive Domain's lifecycle phases. The structure at national level is a CSIRT and, at organisational level, a SOC. For illustration, a CSIRT is selected.

A National Cybersecurity Management Framework for Developing Countries

NCMF level 5 (L5)

SAPS Act 68 of 1995 [130] provides prescripts in terms of physical security, and the Occupational Health and Safety Act (No. 85 of 1993) [43] provides prescripts in terms of occupational health and safety.

NCMF level 6 (L6)

Policy: National incident management policy, acceptable use policy, mail policy, for example.

Process: Incident management process, escalation process, back-up process.

Procedure: Symantec NetBackup procedure.

Table 26 shows the dimensions, mandates and domains we have selected to illustrate the application of the NCMF, and it also shows the South African national authoritative sources, as well as the national normative sources. We further show that we have selected the incident handling and monitoring and evaluation of cybersecurity functions. We also show that the overall controlling body and the national strategic risk and threat assessment process reside at level 2. We contextualised the overall controlling body for South Africa.

Levels 3 to 6 describe the implementation of national cybersecurity functions and their structures. Level 3 is used to consolidate the selected and prioritised functions and level 4 identifies the cybersecurity function's complementary structures. Levels 5 and 6 are structure-specific, and identify authoritative and normative prescripts related to the structure, as well as operational and governance requirements for the structure.

Now that the NCMF is presented, and its application illustrated in the context of South Africa as a reference developing country, a mechanism is proposed for its implementation by nation states. Appendix I proposes that the implementation of the NCMF be made a government responsibility. The responsibility for the implementation of the NCMF may be delegated to the national overall controlling body.

The NCMF should operate at the strategic level of government operations. It is important to have an implementation plan for the NCMF since, without such a plan, the NCMF will remain a framework on paper only. Following an implementation best practice will assist with defining an implementation strategy, aligning actors and stakeholders, and assigning responsibilities in terms of implementing the NCMF. In Appendix I we provide an NCMF best practice implementation guide.

6.9 Conclusion

In this chapter, we have illustrated the working of the NCMF by applying it to South Africa as a reference developing country. Section 6.2 to Section 6.6 covered the six levels of the NCMF, and we presented a sample application of the NCMF’s six levels in the context of South Africa as a developing country.

Chapter 6 concludes our discussion of the NCMF. We have introduced the NCMF and illustrated its application in the context of South Africa as a developing country as listed below:

Sample Application of NCMF in South Africa

• In Chapter 3 we developed level 1 of the NCMF.

• We then used the NCMF level 1 in Chapter 4 to identify thirteen of the most general cybersecurity functions.

• Chapter 5 was used to develop levels 2 to 6 of the NCMF.

• In Chapter 6 we presented a sample application of the NCMF in the context of South Africa as a developing country.

The reader should now have a good understanding of our intended application and usage of the NCMF. The key aspects of the NCMF we would like to highlight are:

• The NCMF consists of 6 levels.

• Levels 1 and 2 of the NCMF identify, select and prioritise national cybersecurity functions through the identification of national and international authoritative and normative sources. It also considers input from influencing elements such as dimensions, domains and mandates. The identified, selected and prioritised cybersecurity functions are consolidated in level 3.

• Levels 4 to 6 of the NCMF describe how to implement national cybersecurity functions.

• Cybersecurity functions consist of services that are made up of capabilities. Services and capabilities are made up of people, processes and technologies, and are offered from national cybersecurity structures.

• Nation states using the NCMF should follow a phased approach, and only implement one or two functions at the most, at a time.

• The general cybersecurity functions we have identified may be analysed and compared with the functions and services offered by existing national and commercial cybersecurity structures to identify overlapping or similar services, technologies and skills needed to enable them.

• Nation states may realise cost and skills savings by combining and then offering the services and technologies from two or more functions from a single structure.

Chapter 6 concludes Part 1. In Part 1, we developed the NCMF. We have also identified thirteen general cybersecurity functions and explained in Chapter 1 that national cybersecurity functions are offered from national cybersecurity structures. In Part 2, we propose a best practice guide that nation-states can use when building, running and monitoring national cybersecurity functions. Part 2 is meant to illustrate the application of the NCMF which we developed in Part 1. It is not necessary for the reader to read Part 2 in as much detail as Part 1, since Part 2 is seen as an operational guide, and it is a secondary deliverable.