
International Telecommunication Union
Telecommunication Development Bureau
Place des Nations, CH-1211 Geneva 20, Switzerland
www.itu.int

QUESTION 22-1/1

SECURING INFORMATION AND COMMUNICATION NETWORKS: BEST PRACTICES FOR DEVELOPING A CULTURE OF CYBERSECURITY

FINAL REPORT
2010-2014


Place des Nations

CH-1211 Geneva 20 – Switzerland


Tel.: +41 22 730 5035/5435

Fax: +41 22 730 5484


QUESTION 22-1/1: Securing information and communication networks: best practices for developing a culture of cybersecurity


ITU-D Study Groups

In support of the knowledge sharing and capacity building agenda of the Telecommunication Development Bureau, ITU-D Study Groups support countries in achieving their development goals. By acting as a catalyst by creating, sharing and applying knowledge in ICTs to poverty reduction and economic and social development, ITU-D Study Groups contribute to stimulating the conditions for Member States to utilize knowledge for better achieving their development goals.

Knowledge Platform

Outputs agreed on in the ITU-D Study Groups and related reference material are used as input for the implementation of policies, strategies, projects and special initiatives in the 193 ITU Member States. These activities also serve to strengthen the shared knowledge base of the membership.

Information Exchange & Knowledge Sharing Hub

Sharing of topics of common interest is carried out through face-to-face meetings, e-Forum and remote participation in an atmosphere that encourages open debate and exchange of information.

Information Repository

Reports, Guidelines, Best Practices and Recommendations are developed based on input received for review by members of the Groups. Information is gathered through surveys, contributions and case studies and is made available for easy access by the membership using content management and web publication tools.

Study Group 1

For the period 2010-2014, Study Group 1 was entrusted with the study of nine Questions in the areas of enabling environment, cybersecurity, ICT applications and Internet-related issues. The work focused on national telecommunication policies and strategies which best enable countries to benefit from the impetus of telecommunications/ICTs as an engine of sustainable growth, employment creation and economic, social and cultural development, taking into account matters of priority to developing countries. The work included access policies to telecommunications/ICTs, in particular access by persons with disabilities and with special needs, as well as telecommunication/ICT network security. It also focused on tariff policies and tariff models for next-generation networks, convergence issues, universal access to broadband fixed and mobile services, impact analysis and application of cost and accounting principles, taking into account the results of the studies carried out by ITU-T and ITU-R, and the priorities of developing countries.

This report has been prepared by many experts from different administrations and companies. The mention of specific companies or products does not imply any endorsement or recommendation by ITU.

© ITU 2014


Table of Contents

Page

1 Introduction to the Final Report of Q22-1/1, on Cybersecurity ... 1

2 Best Practices for Cybersecurity ― Guide for the Establishment of a National Cybersecurity Management System ... 1

2.1 Introduction ... 1

2.2 National Cybersecurity Management System ... 2

2.3 National Cybersecurity Framework ... 4

2.4 RACI Matrix ... 9

2.5 NCSec Implementation Guide ... 10

2.6 Implementation Guide ... 11

2.7 Conclusion ... 12

3 Public-Private Partnerships in Support of Cybersecurity Goals and Objectives ... 12

3.1 Introduction ... 12

3.2 The Principles of Partnership ... 13

3.3 Value Proposition... 14

3.4 Partnerships and Security Risk Management ... 15

3.5 Concluding Statement ... 18

3.6 Case Study: U.S. Private Public Partnerships ... 18

3.7 Case Study: Some U.S. Public-Private Cybersecurity Partnerships ... 21

4 Best Practices for National Cybersecurity: Building a National Computer Security Incident Management Capability ... 23

4.1 Introduction ... 23

4.2 The Importance of a National Strategy for Cyber Security ... 24

4.3 Key Stakeholders of National Cyber Security ... 24

4.4 The Special Role of the National CIRT ... 26

4.5 Analyzing Computer Security Incidents to Identify Intrusion Sets ... 26

4.6 Building a Cyber Security Culture ... 27

4.7 Strategic Goals and Enabling Goals for Incident Management Capability ... 28

4.8 Conclusion ... 38

5 Best Practices for Cybersecurity – Managing a National CIRT with Critical Success Factors ... 39

5.1 Introduction ... 39

5.2 Critical Success Factors (CSFs) ... 39


5.5 Identifying CSFs ... 41

5.6 Defining Scope ... 41

5.7 Collecting Data: Document Collection and Interviews ... 42

5.8 Analyzing Data ... 42

5.9 Deriving CSFs ... 44

5.10 Using Critical Success Factors for National CIRTs ... 44

5.11 Building a National Computer Security Incident Management Capability ... 44

5.12 Selecting National CIRT Services ... 46

5.13 Identifying Priorities for Measurement and Metrics ... 50

5.14 Conclusion ... 51

6 Best Practices for Cybersecurity ― Internet Service Provider (ISP) Network Protection ... 51

6.1 Introduction ... 51

6.2 Objective, Scope, and Methodology ... 52

6.3 Analysis, Findings and Recommendations ... 54

6.4 Recommendations ... 55

6.5 Conclusions ... 55

7 Future Work ... 56

APPENDIX A: Introduction to Best Practices ... 57

Prevention Best Practices ... 58

Detection Best Practices ... 62

Notification Best Practices ... 64

Mitigation Best Practices ... 65

Privacy Best Practices ... 67

8 Best Practices for Cybersecurity – Training Course on Building and Managing a CIRT ... 68

Introduction ... 68

ANNEXES

Annex A: Best practices for Cybersecurity – Planning and Establishing a National CIRT ... 71

Annex B: Best practices for Cybersecurity – Managing a National CIRT with Critical Success Factors ... 93

Annex C: Best practices for Cybersecurity – Guide for the Establishment of a National Cybersecurity Management System ... 112

Annex D: Best practices for Cybersecurity – Internet Service Provider (ISP) Network Protection Best Practices ... 179

Annex E: Best practices for Cybersecurity – Training Course on Building and Managing National Computer Incident Response Teams (CIRTs) ... 196

Annex F: Best practices for Cybersecurity – Survey on Measures Taken to Raise Awareness on Cybersecurity ... 245

Annex G: Best practices for Cybersecurity – Public-Private Partnerships in Support of Cybersecurity Goals and Objectives ... 259

Annex H: Compendium on Cybersecurity Country Case Studies ... 261

Figures

Figure 1: National Cybersecurity Management System ... 2

Figure 2: NCSec Framework Model ... 4

Figure 3: Radar to Assess Maturity Levels ... 8

Figure 4: Implementation Guide Steps ... 10

Figure 5: NCSecIG Resolution Approach ... 11

Figure 6: Risk Management Lifecycle ... 16

Figure 7: CIPAC Sector Partnership Model ... 20

Figure 8: Example: Three Objectives from the DHS Strategic Plan for 2008 to 2013 ... 43

Figure 9: CSFs are compared to departments to determine which departments support which Critical Success Factors ... 47

Tables

Table 1: Deriving themes from document review ... 43

Table 2: Questions to address when starting a National CIRT ... 45

Table 3: Affinity analysis matrix for fictional National CIRT choosing services ... 49


Question 22-1/1 – Securing information and communication networks: best practices for developing a culture of cybersecurity

1 Introduction to the Final Report of Q22-1/1, on Cybersecurity

ITU-D Study Group 1 Question 22-1/1 (Q22-1/1) develops best practice reports on various aspects of cybersecurity. This is the final report of Q22-1/1 on its activities over the last four-year study cycle, covering the period 2010-2014. Q22-1/1’s work programme was established by the World Telecommunication Development Conference (WTDC) at its 2010 meeting in Hyderabad, India. In the last four years, Q22-1/1 has addressed all the items on that work programme, either partially or completely.

This Q22-1/1 final report is composed of a number of best practice reports on different aspects of cybersecurity. These include (1) a guide for the establishment of a national cybersecurity management system; (2) best practices for the creation of public-private partnerships in support of cybersecurity goals and objectives; (3) building a national computer security incident management capability; (4) managing a national CIRT with critical success factors; and (5) best practices for Internet Service Provider (ISP) network protection. In addition, Annex E to this report provides training course materials on building and managing a CIRT. The Question also received a contribution describing additional coursework and an online course for children from the Odessa National Academy of Telecommunications named after A.S. Popov. The Group also received information from the BDT on its activities, both globally and regionally.

Work continues in Q22-1/1 on a number of other reports, e.g., a report on best practices for combating spam, a survey of the awareness-raising programmes that Member States are engaged in, and a compendium of reports that countries have contributed to Q22-1/1 on their cybersecurity activities. This work is expected to be completed during the next study group cycle.

2 Best Practices for Cybersecurity ― Guide for the Establishment of a National Cybersecurity Management System

2.1 Introduction

The importance of establishing a national cybersecurity management system cannot be emphasized enough in a digitally advanced age where countries face real risks and vulnerabilities in critical information systems, which can be exploited by adversaries. Cyberspace is far from secure today, and there is an urgent need to take action, at national as well as international levels, against all forms of cyberthreats. It is the role of governments to face computer security challenges, which are exacerbated by the absence of appropriate organizational and institutional structures to deal with incidents. Therefore, sectors and lead agencies should assess the reliability, vulnerability and threat environments of their infrastructures and employ appropriate protective measures and responses to safeguard them. The ITU has already proposed a complete process for developing and implementing a national cybersecurity plan. This proposal defines a methodology to implement a Roadmap of National Cybersecurity Governance, including a framework of Best Practices and a Maturity Model, to assess the different aspects of National Cybersecurity.

The “Best Practices for Cybersecurity – Guide for the Establishment of a National Cybersecurity Management System” presents “NCSecMS”, the National Cybersecurity Management System, a guide for the development of effective National Cybersecurity. It ensures the


– The “NCSec Framework” proposes five domains and 34 processes covering the main issues related to cybersecurity at the national level, as ISO 27002 does for organizations;

– The “NCSec Maturity Model” classifies the NCSec Framework processes according to their level of maturity;

– The “NCSec RACI chart” helps define roles and responsibilities for the main stakeholders concerned with cybersecurity in a country or a region;

– The “NCSec Implementation Guide” is a generalization of the ISO 27001 and ISO 27003 standards to the national level. It highlights best practices that organizations can use to measure their readiness status.

2.2 National Cybersecurity Management System

The National Cybersecurity Management System, called “NCSecMS”, can be considered a tool whose goal is to facilitate the achievement of National Cybersecurity, at both the national and regional levels. It consists of four steps, containing the following components:

Figure 1: National Cybersecurity Management System

Step 1: NCSecFR (Framework)

The best practice proposal for National Cybersecurity, called “NCSecFR”, is a global framework answering the needs expressed by the ITU in its Global Cybersecurity Agenda (GCA). Fully inspired by the ISO 27002 standard,1 it is a code of practice for Organizational Structures and Policies on Cybersecurity at the national level, consisting of 5 domains and 34 processes, in order to help build regional and international cooperation for watch, warning and incident response.

Step 2: NCSecMM (Maturity model)

The National Cybersecurity Maturity Model makes it possible to evaluate the security of a country or a whole region, to compare them, and to point out their strengths and the threats they face. It also facilitates the determination of a country’s maturity, thus setting a maturity target and planning for maturity enhancement. Once a global national framework for cybersecurity is defined, the “NCSecMM” is associated with this best practice proposal for National Cybersecurity, called “NCSecFR”. Inspired by COBIT’s maturity model, it supports the implementation of the national cybersecurity management system by showing what has to be done to improve each process, at the national and regional levels.

Step 3: NCSecRR (Roles and responsibilities)

Responsibility Charting is a technique for identifying functional areas where there are process ambiguities, bringing the differences out, and resolving them through a cross-functional collaborative effort. A “National RACI chart”, called “NCSecRR”, is provided; it defines, among the stakeholders, who is “Responsible”, “Accountable”, “Consulted” and “Informed” for each of the 34 NCSec processes. The RACI chart defines in detail what has to be delegated and to whom, and what kind of responsibility will be assigned to one stakeholder rather than another.

Step 4: NCSecIG (Implementation guide)

The implementation guide associated with National Cybersecurity, called “NCSecIG”, offers an efficient process control mechanism, in order to guarantee a good understanding of the interaction between these processes, using the ISO 27001 and ISO 27003 approaches.2

Resolution approach

The Resolution Approach, which takes into account the orientations and goals already settled by the ITU bodies, is adopted for each of the four steps above in order to reach the corresponding goals of the ITU: the elaboration of strategies for the creation of appropriate national and regional organizational structures and policies on cybersecurity, and the development of strategies for the creation of a global framework for watch, warning and incident response.

Building a framework for National Cybersecurity (NCSecFR)

During this step, focus was placed on existing ITU documents and the ISO 27002 process-based approach: we tried to adapt the ISO 27002 approach in order to settle the main processes essential to national cybersecurity, so as to produce the national cybersecurity framework. Since ISO 27002 is the international standard for information security in organizations, the proposed National Cybersecurity Framework is a generalization of the ISO 27002 standard.

National Cybersecurity Maturity Model (NCSecMM)

The NCSec Framework (step 1) is not enough: a maturity model should be associated with it, in order to support the implementation of national cybersecurity governance by showing what has to be done to improve.

Roles and Responsibilities model (NCSecRR)

In this step, functional areas where process ambiguities exist are identified, the differences are brought out, and they are resolved through a cross-functional collaborative effort. It is of major importance to define in detail what has to be delegated and to whom, and what kind of responsibility will be assigned to one stakeholder rather than another. Thus, it aids organisations and teams in identifying the responsibility for specific elements at the national level, at the process level of the NCSec Framework.


Implementation Guide (NCSecIG)

Structuring every aspect of the NCSec Framework is a major priority. It is important to offer efficient process control, in order to guarantee a good understanding of the interaction between these processes. The Implementation Guide will make it possible to structure every process using the ISO 27003 and ISO 27001 approaches: ISO 27003 provides help and guidance in implementing an ISMS (Information Security Management System), including a focus on the PDCA method with respect to establishing, implementing, reviewing and improving the ISMS itself. ISO 27001, through the “Plan-Do-Check-Act” (PDCA) model, will be used to structure every process. It will also structure the maturity model itself. The PDCA approach will be used systematically throughout the implementation of the NCSec Framework and Maturity Model.

2.3 National Cybersecurity Framework

How NCSec framework meets the needs

Cybersecurity governance is to be built essentially on a National Framework able to address and govern cyberthreat issues at the national level. In a boundless cyberspace, it should also be able to provide the needed cooperation at the regional and international levels in order to meet its goals.

A Framework for National Cybersecurity Management System mainly may rest on:3

– National Legal Foundation;

– Technical Measures;

– Organizational Structures;

– Capacity Building;

– International Cooperation.

These elements are in line with the broad goals of the Global Cybersecurity Agenda (GCA) and its five strategic pillars (or Work Areas). The suggested framework should be organized so as to meet the goals of the GCA initiative and to address the global challenges related to the five Work Areas.

NCSec Framework

Figure 2: NCSec Framework Model


NCSec Framework: Five Domains4

The National Cybersecurity Framework (NCSecFR) consists of 34 processes divided into 5 domains.5

Domain 1: Strategy and Policies (SP)

This domain typically addresses the following questions:

– Is the National Cybersecurity Strategy defined?

– Is the government defining efficient national cybersecurity policies?

– Did each stakeholder understand the NCSec objectives?

– How are the risk management processes understood and being integrated into the global framework, especially for CIIP?

– Is the degree of readiness of each stakeholder at the security level appropriate for implementing the NCSec strategy?

Domain 2: Implementation and Organisation (IO)

This domain typically addresses the following management questions:

– Will the stakeholders properly meet the NCSec goals when implementing the NCSec strategy?

– Are NCSec services being delivered in line with the NCSec strategy, for each sector/stakeholder?

– Are NCSec costs optimised?

– Are the stakeholders able to use the CyberSystems productively and safely?

– Are new stakeholders likely to deliver services that meet the NCSec strategy?

– Are new stakeholders likely to apply NCSec policies on time and within budget?

Domain 3: Awareness and Communication (AC)

This domain typically addresses the following management questions:

– Are the national leaders in the government persuaded of the need for national action to address threats and vulnerabilities?

– Is there any comprehensive awareness program promoted at the national level so that all participants—businesses, the general workforce, and the general population—secure their own parts of cyberspace?

– How are security awareness and communication programs and initiatives implemented for all stakeholders?

– Is there any support to civil society with special attention to the needs of children and individual users?

Domain 4: Compliance and Coordination (CC)

It typically addresses the following management questions:

– Do the organizational structures ensure that controls are effective and efficient?

– Are risk controls and compliance respected and reported?

4 For further information concerning the five domains, see Annex 1 (Morocco 1/45).


– Are adequate confidentiality, integrity and availability in place among framework components?

Domain 5: Evaluation and Monitoring (EM)

It typically addresses the following management questions:

– Is NCSec performance measured to detect problems before it is too late?

– Can NCSec performance be linked back to the strategic goals of the global NCSec framework?

– Are risk, control, compliance and performance measured and reported?

The NCSec Framework key components are:6

– NCSec Governance Control Objectives / Focus Areas;

– NCSec Organizational Structures / Resources;

– NCSec Stakeholders;

– NCSec Information, based on the hierarchical threat classification.7

NCSec Maturity Model

COBIT framework maturity model (Source: ISACA – ITGI)8

A national cybersecurity framework must be developed with improvement in mind, in order to reach the appropriate level of management and control. This approach achieves a cost-benefit balance in the long term by answering the following related questions:

– What are our industry peers doing, and how are we placed in relation to them?

– What is acceptable industry good practice, and how are we placed with regard to these practices?

– Based upon these comparisons, can we be said to be doing enough?

– How do we identify what is required to be done to reach an adequate level of management and control over our IT processes?

It can be difficult to supply meaningful answers to these questions. IT management is constantly on the lookout for benchmarking and self-assessment tools in response to the need to know what to do in an efficient manner. Starting from COBIT’s processes, the process owner should be able to incrementally benchmark against that control objective. This responds to three needs:

– A relative measure of where the enterprise is

– A manner to efficiently decide where to go

– A tool for measuring progress against the goal

Maturity modelling for management and control over IT processes is based on a method of evaluating the organisation, so it can be rated from a maturity level of non-existent (0) to optimised (5).

In COBIT, a generic definition is provided for the COBIT maturity scale, which is similar to CMM but interpreted for the nature of COBIT’s IT management processes. A specific model is provided from this generic scale for each of COBIT’s 34 processes. Whatever the model, the scales should not be too granular, as that would render the system difficult to use and suggest a precision that is not justifiable because, in general, the purpose is to identify where issues are and how to set priorities for improvements. The purpose is not to assess the level of adherence to the control objectives.

6 For further information on the NCSec Framework key components, see Annex 1 (Morocco 1/45).

7 See Annex 1 (Morocco 1/45) for the NCSec Information criteria.

By using the maturity models developed for each of COBIT’s 34 IT processes, management can identify:

– The actual performance of the enterprise: where the enterprise is today

– The current status of the industry: the comparison

– The enterprise’s target for improvement: where the enterprise wants to be

– The required growth path between ‘as-is’ and ‘to-be’

To make the results easily usable in management briefings, where they will be presented as a means to support the business case for future plans, a graphical presentation method needs to be provided.9 COBIT is a framework developed for IT process management with a strong focus on control. These scales need to be practical to apply and reasonably easy to understand. The topic of IT process management is inherently complex and subjective and, therefore, is best approached through facilitated assessments that raise awareness, capture broad consensus and motivate improvement. These assessments can be performed either against the maturity level descriptions as a whole or with more rigour against each of the individual statements of the descriptions. Either way, expertise in the enterprise’s process under review is required.

The advantage of a maturity model approach is that it is relatively easy for management to place itself on the scale and appreciate what is involved if improved performance is needed. The scale includes 0 because it is quite possible that no process exists at all. The 0-5 scale is based on a simple maturity scale showing how a process evolves from a non-existent capability to an optimised capability.

However, process management capability is not the same as process performance. The required capability, as determined by business and IT goals, may not need to be applied to the same level across the entire IT environment, e.g., not consistently or to only a limited number of systems or units. Performance measurement, as covered in the next paragraphs, is essential in determining what the enterprise’s actual performance is for its IT processes. Although a properly applied capability already reduces risks, an enterprise still needs to analyse the controls necessary to ensure that risk is mitigated and value is obtained in line with the risk appetite and business objectives. These controls are guided by COBIT’s control objectives. The maturity model is a way of measuring how well developed management processes are, i.e., how capable they actually are. How well developed or capable they should be primarily depends on the IT goals and the underlying business needs they support. How much of that capability is actually deployed largely depends on the return an enterprise wants from the investment.

A strategic reference point for an enterprise to improve management and control of IT processes can be found by looking at emerging international standards and best-in-class practices. The emerging practices of today may become the expected level of performance of tomorrow and, therefore, are useful for planning where an enterprise wants to be over time. The maturity models are built up starting from the generic qualitative model10 to which principles from the following attributes are added in an increasing manner through the levels:

– Awareness and communication

– Policies, plans and procedures

– Tools and automation

– Skills and expertise

– Responsibility and accountability

– Goal setting and measurement

9 See Annex 1 (Morocco 1/45) figure 1.2 for details.

Resolution approach

NCSecMM consists of linking the national cybersecurity strategy to strategic national goals, providing metrics and maturity model levels to measure their achievement, and identifying the associated responsibilities of stakeholders and control objectives for each process. This approach is derived from the maturity model that the Software Engineering Institute defined for the maturity of software development capability.

The proposed NCSecMM makes it possible to determine a country’s current maturity, thus setting a maturity target and planning for maturity enhancement.

It contains the following levels:

– 0. Non-existent

– 1. Initial

– 2. Repeatable but intuitive

– 3. Defined

– 4. Managed and measurable

– 5. Optimized

Maturity model by process

Each process in the framework has conditions that have to be fulfilled in order to reach a given maturity level.11

Country assessment

To assess the maturity level of a country against its National Cybersecurity Strategy, we propose to retain 10 major processes in order to conduct an inventory at any given time, as shown in the "radar" below, which makes it possible to compare different countries and to assess the evolution of a country between two dates.

Figure 3: Radar to Assess Maturity Levels
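The staged scoring behind such a radar, as an added example that is not part of the report: a process is placed at level n only when every condition of levels 1..n is fulfilled, so evidence for a higher level does not count while a lower level is still incomplete. The process names, the conditions per level and the two assessment dates are constructed for illustration; the NCSecMM conditions themselves are not reproduced here.

```python
# Added example: staged maturity scoring for the NCSec maturity model.
# Not from the report; process names, conditions and levels below are constructed.

LEVELS = {
    0: "Non existent",
    1: "Initial",
    2: "Repeatable but intuitive",
    3: "Defined",
    4: "Managed and measurable",
    5: "Optimized",
}


def maturity_level(conditions):
    """Return the maturity level (0-5) of one process.

    `conditions` maps a level (1..5) to the list of booleans saying whether
    each condition required for that level is fulfilled. The model is staged:
    a process is at level n only if every condition of levels 1..n holds, so
    evidence for level 3 does not count while level 2 is still incomplete.
    Level 0 ("Non existent") needs no conditions.
    """
    level = 0
    for n in range(1, 6):
        required = conditions.get(n, [])
        if required and all(required):
            level = n
        else:
            break
    return level


def assess(evidence):
    """Map {process: {level: [bool, ...]}} to {process: level}."""
    return {proc: maturity_level(conds) for proc, conds in evidence.items()}


def radar_delta(before, after):
    """Compare two assessments (two dates of one country, or two countries).

    Returns {process: (before_level, after_level, change)} for every process
    present in either assessment; a process missing from one side is level 0.
    """
    procs = sorted(set(before) | set(after))
    return {p: (before.get(p, 0), after.get(p, 0), after.get(p, 0) - before.get(p, 0))
            for p in procs}


def weakest(assessment):
    """Processes at the lowest level: the first candidates for a maturity target."""
    low = min(assessment.values())
    return sorted(p for p, lvl in assessment.items() if lvl == low)


# Constructed evidence for a subset of the ten radar processes, at two dates.
EVIDENCE_2010 = {
    "Strategy":    {1: [True], 2: [True, True], 3: [True, False]},
    "CIIP":        {1: [True], 2: [False, True], 3: [True, True]},  # level 3 evidence, level 2 incomplete
    "Awareness":   {1: [True]},
    "IncidentMgt": {},
}
EVIDENCE_2012 = {
    "Strategy":    {1: [True], 2: [True, True], 3: [True, True], 4: [True, False]},
    "CIIP":        {1: [True], 2: [True, True], 3: [True, True]},
    "Awareness":   {1: [True], 2: [True, True]},
    "IncidentMgt": {1: [True]},
}

if __name__ == "__main__":
    before, after = assess(EVIDENCE_2010), assess(EVIDENCE_2012)
    for proc, (b, a, d) in radar_delta(before, after).items():
        print(f"{proc:12s} {b} ({LEVELS[b]}) -> {a} ({LEVELS[a]}) {d:+d}")
    print("weakest in 2012:", weakest(after))
```

In the constructed 2010 evidence, CIIP has all of its level 3 conditions fulfilled but one level 2 condition missing, so it scores level 1, not 3; that is the property that makes a self-assessment comparable between countries and between dates.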


NCSEC Roles and responsibilities

Within the broader need to establish National Cybersecurity Governance, the RACI chart should be associated with a global framework. This approach has already been used in COBIT, and has proved its effectiveness (IT Governance Institute 2005).

2.4 RACI Matrix

An efficient methodology needs to be followed for identifying functional areas where there are ambiguities in terms of responsibilities, at the national level, bringing the differences out and resolving them through a cross-functional collaborative effort. Responsibility Charting enables managers from the same or different organizational levels or programs to actively participate in a focused and systematic discussion about process related descriptions of the actions. These actions must be accomplished in order to deliver a successful end product or service. But no “Responsibility Charting” models are dedicated to National Cybersecurity.

Responsibility Charting is a five-step process (Smith and Erwin 2005). First, the processes have to be identified. Second, the stakeholders, resources and information useful to the chart should be determined. The RACI chart can then be developed by completing the chart cells. Overlaps should then be resolved. Finally, gaps should also be resolved. We follow this methodology in order to build and produce the RACI chart table.

RACI chart approach

The RACI model is a relatively straightforward tool used to clarify roles, responsibilities, and authority among stakeholders involved in managing or performing processes; especially during organizational change process. It is useful to describe what should be done by whom to make a transformation process happen (Kelly 2006).

A RACI chart is a table that describes the roles and responsibilities of various stakeholders in operating a process. Within the context of the NCSec framework, the RACI chart clarifies the roles and responsibilities of the different stakeholders at the national level. For each of the 34 processes of the NCSec framework, it records, for each stakeholder, the role(s) that stakeholder holds in relation to that process. For each process, one or more letters taken from the acronym "RACI" are associated with each stakeholder, depending on his role(s) and responsibility. This acronym stands for:

– Responsible (R): Those who do work to achieve the process, including Support, which is to provide resources to complete the task in its implementation.

– Accountable (A): Those who are ultimately accountable for the correct completion of the task. It stands for the final approving authority. The Accountable authority must approve the work that the Responsible authority provides before it is accepted. There must be only one Accountable specified for each process.

– Consulted (C): Those whose opinions are sought, in a two-way communication. It stands for the authority that is asked for their input, and has information and/or capability necessary to complete the work.

– Informed (I): Those who are kept up-to-date on progress, under a one-way communication. It stands for the authority that must be told about the work, and notified of results, but needs not be consulted.


Very often the role specified as "Accountable" can be also specified "Responsible”. But it is generally recommended that each role for each process receives at most one of the participatory role types. If double participatory types appear in the RACI chart, it means that the roles have not yet been truly resolved. It is then necessary to clarify each role on each task.

NCSec RACI methodology

The methodology chosen for the NCSec RACI chart is not very different from the classical one. It consists of completing the chart cells after having identified who has the (R), (A), (C) and (I) for each process. As a general principle, every process should preferably have one and only one (R). Otherwise, a gap occurs when a process exists with no (R), and an overlap occurs when multiple stakeholders have an (R) for a given process.

We will begin with the (A). Guidelines for designating roles are:

– Designate one point (role, position) of Accountability (A) for each process;

– Assign responsibility (R) at the level closest to the action or knowledge required for the task. Verify that any shared responsibilities are appropriate;

– Ensure that appropriate stakeholders are Consulted (C) and Informed (I), but limit these roles to necessary involvement only.
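The gap, overlap and single-Accountable rules above are mechanical enough to check automatically once the chart exists. The following checker is an added example, not code from the report: it parses a small whitespace-separated RACI table and reports every process with no (A), more than one (A), no (R) (a gap), more than one (R) (an overlap), or a stakeholder holding two letters for the same process (an unresolved role). The stakeholder columns, process names and cell values in the sample table are constructed for illustration.

```python
# Added example: consistency checks for an NCSec RACI chart.
# Not from the report; the table, stakeholder names and process names are constructed.

VALID_ROLES = set("RACI")


def parse_raci(table_text):
    """Parse a whitespace-separated RACI table into {process: {stakeholder: roles}}.

    Row 1: 'Process' followed by one stakeholder name per column.
    Other rows: the process name, then one cell per stakeholder holding the
    letters that stakeholder has for that process ('-' for none).
    """
    lines = [ln for ln in table_text.strip().splitlines() if ln.strip()]
    stakeholders = lines[0].split()[1:]
    chart = {}
    for ln in lines[1:]:
        cells = ln.split()
        process, roles = cells[0], cells[1:]
        if len(roles) != len(stakeholders):
            raise ValueError(f"{process}: expected {len(stakeholders)} cells, got {len(roles)}")
        row = {}
        for who, cell in zip(stakeholders, roles):
            letters = set() if cell == "-" else set(cell.upper())
            unknown = letters - VALID_ROLES
            if unknown:
                raise ValueError(f"{process}/{who}: unknown role letter(s) {sorted(unknown)}")
            row[who] = letters
        chart[process] = row
    return chart


def check_raci(chart):
    """Apply the chart rules from the text; returns a list of (process, kind, detail).

    kinds: 'no_accountable', 'multiple_accountable' (exactly one A required),
    'gap' (no R), 'overlap' (more than one R), 'unresolved' (one stakeholder
    holding two or more letters for the same process).
    """
    findings = []
    for process, row in chart.items():
        accountable = sorted(w for w, r in row.items() if "A" in r)
        responsible = sorted(w for w, r in row.items() if "R" in r)
        if not accountable:
            findings.append((process, "no_accountable", ""))
        elif len(accountable) > 1:
            findings.append((process, "multiple_accountable", ", ".join(accountable)))
        if not responsible:
            findings.append((process, "gap", ""))
        elif len(responsible) > 1:
            findings.append((process, "overlap", ", ".join(responsible)))
        for who, roles in sorted(row.items()):
            if len(roles) > 1:
                findings.append((process, "unresolved", f"{who} holds {''.join(sorted(roles))}"))
    return findings


# Constructed sample chart: one clean row and one row per rule violation.
SAMPLE_CHART = """
Process         Government  PrivateSector  CIIOperators  Academia  CivilSociety
DefineStrategy  A           R              C             C         I
CIIP            A           R              R             I         -
Awareness       AR          I              I             C         -
Research        C           I              -             A         I
Exercises       A           A              R             -         -
"""

if __name__ == "__main__":
    for process, kind, detail in check_raci(parse_raci(SAMPLE_CHART)):
        print(f"{process:15s} {kind:21s} {detail}")
```

Run against the sample, the checker leaves DefineStrategy untouched and flags CIIP as an overlap, Awareness as an unresolved double role, Research as a gap and Exercises as having two Accountable parties, which is exactly the list a working group would take into the overlap- and gap-resolution steps.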

2.5 NCSec Implementation Guide

The purpose of the implementation guide is to assist any/all stakeholders in the NCSec to implement a traceability system in line with the NCSec Framework, NCSec Maturity Model, and NCSec Responsibility charting.

Any or all stakeholders of the NCSec framework that want to implement a National Cybersecurity Governance traceability system, such as Government, the Private Sector, Critical Infrastructure, Academia and Civil Society, will use this implementation guide.

The target audience of this guideline is any component of the above stakeholders. In addition, this implementation guide can be used by ITU Member States to support the implementation efforts of their local stakeholders within a self-assessment process.

Main steps

The implementation guide consists of six main steps, all based on the Plan-Do-Check-Act (PDCA) approach:


Resolution approach

Figure 5: NCSecIG Resolution Approach

2.6 Implementation Guide

• Implementation Approval
  A - Overview on approval for implementation
  B - Define Objectives and National Requirements for Cybersecurity
  C - Define Initial NCSec Governance scope
  D - Obtain a high level Decision Makers approval

• Define scope and strategy
  A - Overview on defining NCSecMS and strategy
  B - Defining National Cyberspace boundaries
  C - Completing boundaries for NCSecMS scope
  D - Developing the NCSec Strategy

• Conduct National context analysis
  A - Overview on conducting National context analysis
  B - Defining Information security requirements
  C - Defining Critical Information Infrastructure Protection (CIIP)
  D - Generating a National Information Security Assessment

• Design NCSec Management System
  A - Overview on designing the NCSecMS
  B - Defining Organizational Structures
  C - Designing the monitoring and measuring
  D - Producing the NCSecMS implementation Program

• Implement NCSec Management System
  A - Overview on implementing the NCSecMS
  B - Setting up the implementation Management System
  C - Carrying out implementation Projects
  D - Documenting the procedures and Control

2.7 Conclusion

The National Cybersecurity Management System proposed above, applicable to Cybersecurity Governance at both national and regional levels, will help a country or a whole region to determine how well Cybersecurity is being managed, through self-assessment based on a well-defined Maturity Model. The National Cybersecurity Management Framework would allow countries and regions to reach adequate levels of management and control through continuous improvement, taking into consideration the costs and benefits of short- and long-term objectives.

3 Public-Private Partnerships in Support of Cybersecurity Goals and Objectives

3.1 Introduction

This best practices report describes the efficacy of public-private partnerships in addressing the range of complex challenges associated with critical information infrastructure (CII) security and risk management. Managing the risk to critical infrastructure is an enormously complex but vitally important undertaking. The compromise or malicious exploitation of critical infrastructure can cause significant consequences on a local, regional or even global scale. The cyber security risks to CII have become progressively more important because nations, industry and people increasingly rely on information systems and networks to support the normal functions of critical infrastructure. If left unmitigated, risks to these information systems and networks can have important implications for national security, economic vitality, and societal well-being.

Critical infrastructure risk management at a national or global level presents an intractable challenge for government, particularly with respect to cyber security, which has both physical and logical infrastructure security challenges. First, critical infrastructure is ubiquitous. There are numerous points of vulnerability and opportunities to introduce risk. Second, the threats to infrastructure are myriad; intentional criminal or terroristic attacks, natural hazards, accidents, infrastructure dependencies, supply chain disruptions, and numerous other threats are cause for legitimate concern. Third, direct and indirect consequences can be devastating, but also difficult to accurately estimate and predict. Fourth, quantifying risk and prioritizing risk management efforts and the allocation of limited resources can be a daunting and complex challenge, particularly on a large scale (at a regional, national, or global level). Fifth, our world is increasingly interconnected, and infrastructure risk can transcend geographic boundaries and legal jurisdictions. This is particularly pertinent to CII; cyber attacks can be launched from virtually anywhere and are often forensically opaque. Lastly, while national security has traditionally been the responsibility of government, a great deal of infrastructure globally is owned and operated by private industry.

These and other concerns not only require novel risk management solutions, but also necessitate a greater level of cooperation, coordination, and collaboration among nation states, and between government and the businesses, academic institutions, non-governmental, international, and other organizations with equities in protecting critical infrastructure. Simply put, public-private partnerships often achieve some measure of success where unilateral efforts fail.

Nowhere is this more relevant than with respect to CII, where cyber crime, data protection, control system security, network defense, and cyber incident response and recovery issues present increasing challenges for government and industry alike. Tackling these and other cyber security challenges is often beyond the capability of either government or the private sector to manage independently. To best serve international, national, corporate, and even individual interests, the public and private sectors — and the international community — must share responsibility for strengthening the global cyber security posture.

3.2 The Principles of Partnership

Key Characteristics of Successful Partnerships

The efficacy of collaborative solutions to complex and ubiquitous challenges has been demonstrated repeatedly. Partnerships between government and the private sector have been applied successfully to a wide range of issues, from academic and scientific questions, to social and economic challenges, to armed conflict and efforts to combat terrorism.

A partnership is a relationship between individuals or groups that is entered into to achieve a specific goal. Partnerships are broadly characterized by mutual benefit, collaboration, shared responsibility, and shared accountability.

Participants create partnerships because they see value in the relationship and expect to accrue some level of benefit. Members also recognize that the goal of the partnership would either be more difficult to accomplish or could not be achieved without this collaborative relationship.

A number of key characteristics tend to be common to successful public-private partnerships, and their importance varies depending on the nature and circumstances of the partnership. Broadly, some of these characteristics include:

– The partnership is mutually beneficial.
– The partnership is voluntary.
– Partners have a common (and documented) understanding of the objectives and scope of the partnership.
– Partners have agreed upon prioritized actions to achieve those objectives.
– There is clear delineation of roles and responsibilities.
– The partnership is broad and inclusive, with minimal barriers to entry.
– Each member contributes capabilities that help the partnership toward the shared goal or objective.
– Each partner is seen as independent and sovereign; the partnership is a relationship of trusted equals.
– Partners work together efficiently and effectively.
– There is transparency within the partnership.
– Sufficient resources are available to accomplish the purpose of the partnership.
– There is equitable investment among partners, including cost and burden sharing.

Often, multiple government organizations share responsibility for various — and sometimes overlapping — aspects of CII security. Accordingly, ongoing communication across government is important to collaborative public-private risk management efforts and to successful public-private partnerships generally.


3.3 Value Proposition

Governments generally recognize that protecting their citizens from the potentially devastating consequences associated with critical infrastructure exploitation or disruption would be almost impossible without the extensive and willing participation of the private sector. Private industry owns, operates, and maintains most infrastructure, including CII, so private sector expertise, collaboration, coordination, resources, and overarching engagement are essential to government critical infrastructure risk management efforts.

Private sector involvement in security partnerships occurs for more varied reasons. Corporations are primarily concerned with protecting their customers and managing risk to their organizations. Companies may not be able to achieve their overarching business risk management goals, which may be closely linked to security risk, without the assistance of other public and/or private partners. Public security interests often intersect with activities focused on prevention of data or product theft, property damage, and other corporate loss. Similarly, business continuity and the protection of employees and investments also often have a security nexus. Publicly traded companies also must respond to shareholders, who often exert pressure on corporations to take action on certain issues in support of the public good, including issues related to security, and politically sensitive issues (such as, for example, climate change). Pressure can also stem from within companies as corporate officers feel a sense of civic responsibility. If shown to be working cooperatively and in good faith with government, businesses may also receive some legal and liability protections in the event of an incident, as well as reduced insurance premiums.

Voluntary partnerships also present an attractive alternative to regulation, and these and other factors may spur private businesses to pursue cooperative and collaborative, rather than adversarial or compliance-focused, relationships with government. Close working relationships with government may afford companies increased transparency to government policies, and improved ability to influence government decision making to ensure policies are acceptable, effective, and workable.

Partnerships are not an end in themselves; the success of a partnership is measured by the degree to which it achieves the participants’ goals. Partnerships always require individuals and organizations to take specific actions or to devote resources to meeting relevant objectives. With respect to CII security and resilience, the success of the public-private partnership is ultimately the effectiveness of that partnership in managing cyber risk.

The fundamental benefit of partnerships is that they enable individuals and organizations to achieve objectives or obtain capabilities that would either be more difficult or impossible to attain absent the partnership. Groups of organizations can often arrive at more effective solutions to difficult and complex problems than individual organizations acting alone, particularly if those problems involve multiple interdependencies, organizations, or nations. A focused partnership can more effectively distribute responsibilities according to capabilities and expertise, share and apply resources, share information and data, and harness greater intellectual capital to better accomplish the group’s mutual goals.

Organizations participating in public-private partnerships in support of critical infrastructure security — including CII security — can realize significant improvements in their ability to manage risk as a result of collaboration and coordination. These include:

– Improved identification of threats and vulnerabilities;

– Better reporting and sharing of threat and warning information, strengthening early detection, prevention, and mitigation of threats;

– Improved incident management, response, and recovery;

– Exchange of technical, security, risk, emergency management, and other expertise;
– Improved access to training and education tools;

– Improved preparedness through coordinated and collaborative security exercises;


– Creation of robust security communities and networks, cutting across critical infrastructure and business sectors and transcending national borders;

– Increased trust and transparency, and reduced conflict between government and the private sector;

– Creation of information sharing tools and processes, and stronger policies to support information sharing;

– Improved efficiencies, stronger coordination, and reduction of redundancies across government at all levels, and between government and the private sector;

– Enhanced understanding of CII risk (all-hazards threats, vulnerabilities, consequences) and more sophisticated knowledge of domestic and international dependencies;

– Avoidance of costly regulation for the majority of critical infrastructure;

– Reduction of information and jurisdictional stovepipes across government and among public and private sector partners;

– Enhanced ability to gauge progress of risk mitigation and the effectiveness of programs across the critical infrastructure landscape;

– More effective prioritization and division of efforts for research and development across government and the private sector; and,

– Increased innovation in critical infrastructure risk management approaches.

Society is increasingly dependent on CII. While domestic and national security has traditionally been the domain of national governments, the challenge of CII security requires extensive and sustained partnership between the government and the private businesses that own, operate, and manage much of our infrastructure.

3.4 Partnerships and Security Risk Management

Government and the private sector each play important roles in the security risk management cycle, and should work together to optimize risk reduction efforts.

The private sector can leverage a deep pool of expertise to address challenging issues, and brings flexibility, responsiveness, and innovation. CII owners and operators best understand their infrastructure’s operating dynamics, and know their business models, core competencies, and physical and financial limitations. The private sector is also often the initial line of defense for CII threat detection and protection, as well as often serving as the primary responders for cyber incident mitigation and recovery efforts. Because in many countries the private sector owns and operates a great deal of critical infrastructure, private industry is typically the most exposed to risk through reliance on or use of CII (e.g. critical infrastructure that relies on information technology to function). Industry also provides tools and products that help manage cyber risk.

Government can also contribute significantly to security partnerships. Governments apply significant monetary, equipment, and personnel resources. Governments own the traditional intelligence apparatus, and are able to work with the private sector and foreign intelligence services to develop a comprehensive threat picture that exceeds the capability of any single private company. Government also creates laws and regulations, and holds the preponderance of authority, which enables it to exert significant influence over security priorities and the allocation of resources to assist industry. Lastly, government can serve as an effective and trusted arbiter and coordinator among companies that may otherwise be reluctant to share sensitive information in a competitive market environment. Government also has the responsibility to compare facility, regional, or sector risk against the national and even global risk landscape. In some cases, government can collect, and protect from public disclosure, risk-related data, including data that may be proprietary or competitively sensitive to private companies, to identify trends, common vulnerabilities, and relative risk to CII assets, systems, networks, and functions.13

Government historically also plays a dominant role in intelligence gathering and identification of threats. This is particularly pertinent to more traditional physical threats. With respect to cyber threats (rather than physical threats), the private sector now plays a much more prominent role in threat identification, mitigation, and warning.

Ultimately, the effectiveness of public-private partnerships focused on CII security is measured by the degree to which the partnership manages and mitigates risk. Figure 6 illustrates a typical security risk management lifecycle that can be applied broadly to most circumstances.

Figure 6: Risk Management Lifecycle

When addressing CII security risk, it is vital that those intimately involved in managing risk reach accord on the desired outcomes of their collaborative efforts. Government and industry should clearly agree on the risk management goals and objectives that their joint efforts are intended to address.14 Government and private sector partners work together to establish and commit to the specific risk management goals they will jointly pursue. As risk is assessed and mitigated (or otherwise managed), new priorities emerge and goals are readjusted to accommodate changes to the risk environment.

13 In the United States, for example, the private sector voluntarily submits important threat, vulnerability, and other information to the government via the Protected Critical Infrastructure Information (PCII) program. PCII is an information-protection program that enhances information sharing between the private sector and the government. The U.S. Department of Homeland Security uses PCII to analyze and secure critical infrastructure and protected systems, identify vulnerabilities and develop risk assessments, and enhance recovery preparedness measures. PCII cannot be used for regulatory purposes and is protected from various public disclosure requirements.

14 In the United States, for example, the Federal government works with State, local, regional, and international public- and private-sector partners to establish sector-wide goals not only for the Information Technology Sector, but for 17 other critical infrastructure sectors, all of which are to varying degrees dependent on CII.

Figure 6 stages (a cycle): Identify Organizational Objectives; Conduct Risk Assessment; Apply Risk to Organizational Decisions; Implement Risk Reduction Efforts; Evaluate Effectiveness; Monitor and Update Efforts.


Once risk management goals are mutually determined, identifying and assessing security risk requires further extensive collaboration between government and the private sector. Both government and the private sector bring significant capabilities to this stage of the risk management cycle.

In some cases, it is appropriate for government analysts to work directly with private industry (e.g. facility or system managers and administrators) to conduct risk assessments. Because private sector owners know their systems and networks best, their participation is essential to ensuring a comprehensive and robust risk assessment process. Government can also assist private sector owners and operators with determining facility or enterprise level risk by providing them with assessment and self-assessment tools (and methodologies and analytic techniques). These products can save both cost and time, and enable companies to assess facility and enterprise-level risk.15

Once risk to CII is assessed, government can incorporate aggregated and prioritized risk results into its overarching budgetary, policy, and decision-making process. Private sector corporations can perform similar analysis and decision-making at the enterprise level.

The simple fact that in many countries the majority of CII is owned or operated by the private sector means that implementation of risk reduction efforts falls largely to private corporations. Because a partnership is by definition a voluntary engagement whereby parties agree to work together to further a mutual interest, the government cannot usually force private sector organizations to adopt risk management or mitigation programs.

In some instances, however, the security or safety risk to critical infrastructure is perceived as so great that the government requires regulatory oversight.16 In other instances, voluntary critical infrastructure and CII security programs have worked well. In recognition of the resource limitations many private companies face when deciding how to manage infrastructure security risk, particularly low-probability, high-consequence risk, it is desirable for governments to work closely with their private sector partners to develop and provide a portfolio of risk management products and tools, based on both private sector need and risk priorities. These include risk assessment and analysis tools, best practices and standards, information sharing mechanisms, security awareness products, preparedness exercises, incident management products, training and education resources, and myriad other tools, initiatives, products and programs. By developing these tools and products collaboratively, there can be greater certainty that the products are cost-effective and useful, and that resources are available to enhance CII preparedness, prevention, protection, resilience, response, and recovery efforts for both government and private sector CII. Governments may also work with their private sector partners to conduct outreach to further educate and raise awareness of security issues and available products.

As programs are put into place to mitigate risk, government and the private sector work together to assess the performance and effectiveness of those programs, and measure the overarching progress made against risk management goals. Cost, time, level of effort, flexibility, and other factors are included in the assessment of both specific initiatives and the overarching risk program and measured against the assessed level of risk and newly identified or changed risk. As metrics are developed and reported, new priorities are established and existing priorities are reordered based on the changed risk posture.

15 For example, the National Cyber Security Division within the U.S. Department of Homeland Security developed the Cyber Security Evaluation Tool (CSET) for users to assess the cyber security posture of their networks and industrial control systems. CSET desktop software guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards. CSET provides a prioritized list of recommendations for improving the security of the organization's enterprise and industrial control cyber systems (http://www.us-cert.gov/control_systems/satool.html).

16 For example, the U.S. government maintains security regulations for commercial nuclear reactors and certain high-risk chemical facilities.


3.5 Concluding Statement

Public-private partnerships are an essential element to building and sustaining a successful CII security program. It is beyond the capability of government or of the private sector alone to effectively and comprehensively manage risk to CII and the vital national security, economic, and societal functions and capabilities it supports. Collaborative and committed partnerships, however, bring together the collective resources of all, improve information sharing and communication, strengthen incident response, and improve the ability of partners to manage risk at all levels and throughout the risk management lifecycle. Over the last decade, the United States has built a public-private partnership model that provides a solid foundation for its national critical information infrastructure security program. As this and other public-private partnerships expand and extend beyond national borders and geographic boundaries, the strategic and operational outcomes of such relationships will strengthen national-level security capabilities, and create a truly global CII risk management architecture.

3.6 Case Study: U.S. Public-Private Partnerships

While partnership between government and industry is not new, over the last several decades, there has been an increased recognition by governments that successful critical infrastructure security programs require the extensive, sustained, and active participation of infrastructure owners and operators. In the 1990s the U.S. government began a concerted effort to build sustained partnerships between the public and private sectors specifically to improve the security of critical infrastructure.

A Commitment to Security Partnerships

In 1998, President Bill Clinton signed Presidential Decision Directive-63 (PDD-63), for the first time formally acknowledging the need to foster expanded and ongoing security partnerships between government and the private sector for critical infrastructure security. PDD-63 recognized the importance of critical infrastructure to the security and economic well-being of the United States, and made protection of infrastructure from terrorist attack a Federal priority. The partnership framework established by PDD-63 was voluntary, stating that partnerships should be "… genuine, mutual and cooperative."17 Key elements of PDD-63 included specifically citing six "critical" infrastructure sectors; the creation of the National Infrastructure Protection Center to share information across government, and between government and the private sector; the promotion of private-sector Information Sharing and Analysis Centers (ISACs); and the creation of a National Infrastructure Assurance Council comprised of private sector industry leaders and State and local government officials.

In the wake of the September 11 attacks, momentum for this effort accelerated dramatically as the attacks highlighted the vulnerabilities and importance of critical infrastructure to America's well-being. In December 2003, President George W. Bush issued Homeland Security Presidential Directive-7 (HSPD-7), Critical Infrastructure Identification, Prioritization, and Protection. HSPD-7 refined and updated PDD-63. It further defined the partnership framework outlined in PDD-63 and assigned the new Secretary of Homeland Security specific responsibilities for the security and protection of critical infrastructure against all hazards.

HSPD-7 expanded the list of critical infrastructure sectors and re-emphasized the importance of voluntary partnerships between government and infrastructure owners and operators, including the private sector. It directed the Secretary to partner with the private sector to "identify, prioritize, and coordinate the protection of critical infrastructure and key resources; [and] to facilitate sharing of information about physical and cyber threats, vulnerabilities, incidents, potential protective measures, and best practices."18 HSPD-7 also required the Secretary of Homeland Security to develop a national plan for protecting critical infrastructure. This resulted in the National Infrastructure Protection Plan (NIPP), which was last updated in 2009.

The NIPP provides the unifying framework for integrating disparate efforts to protect and improve the resilience of U.S. critical infrastructure. The NIPP codifies risk management and public-private partnership frameworks, establishes 18 critical infrastructure sectors, and identifies the primary government departments and agencies responsible for managing public-private partnerships in each sector. In addition to the partnership framework, the U.S. Congress exempted some partnership discussions and activities from certain public disclosure laws to ensure the free and open exchange of critical infrastructure security information between government and the private sector.

The Sector Partnership Model

The sector partnership model and the risk management framework described in the NIPP, as well as the NIPP itself, were developed in close consultation and collaboration with the private sector.

The U.S. Department of Homeland Security (DHS) and its partners — including the private sector — now lead efforts to manage critical infrastructure risk through the Critical Infrastructure Partnership Advisory Council (CIPAC), which serves as the entity that manages these partnerships. CIPAC includes public and private sector representatives from 18 critical infrastructure sectors, State and local government, and regional consortia. These organizations are in turn linked to numerous other partnership networks, together forming a nationwide system of alliances and mutually beneficial relationships that strengthen the overarching infrastructure risk posture.

CIPAC provides a forum for the U.S. federal government and the private sector to work together to enhance the resilience and protection of critical infrastructure. It consists of more than 700 institutional government and private sector members, including more than 200 trade associations representing corporations of all sizes. CIPAC members partner to create strategies, programs, and products that build infrastructure protection and resilience capabilities against the range of homeland security threats, including accidents, crime, terrorism, pandemic disease, and natural disasters. Members develop initiatives to reduce risk to specific infrastructure sectors as well as across sectors.

The CIPAC framework is designed to encourage and facilitate open dialogue while balancing homeland security mission needs. The sector partnership framework includes sector-specific and cross-sector councils, which facilitate communication and coordination among partners on a wide range of protection and resilience activities. The framework is depicted in Figure 7.


Figure 7: CIPAC Sector Partnership Model

Within CIPAC, Government Coordinating Councils (GCCs) in each sector work with Sector Coordinating Councils (SCCs), which are self-governed entities established by critical infrastructure owners and operators. SCCs are the principal private sector entity for working with the U.S. government to coordinate activities in a given infrastructure sector. Specific membership varies by sector, but includes a broad base of owners, operators, and trade associations. GCCs are the federal government counterparts to the SCCs, and facilitate interagency coordination, planning, and the implementation of government protection and resilience initiatives.

The State, Local, Tribal, and Territorial Government Coordinating Council (SLTTGCC) works closely with GCCs and SCCs across all sectors, and represents non-federal government partners. Members are geographically diverse and offer broad institutional knowledge and expertise from a wide range of professional disciplines. The Regional Consortium Coordinating Council provides a forum to address regional critical infrastructure issues. Members include public, private, and regional organizations that facilitate the collaboration needed to implement the critical infrastructure mission among regional partners.

The Critical Infrastructure and Key Resource (CIKR) Cross-Sector Council comprises the leadership of all SCCs. The council provides senior-level, strategic coordination with federal agencies, disseminates best practices across infrastructure sectors, and advises and participates in national homeland security policy and planning efforts. The Federal Senior Leadership Council (FSLC) coordinates and communicates critical infrastructure risk reduction efforts across the federal government, and is the government counterpart to the CIKR Cross-Sector Council. Members include the Sector-Specific Agencies for each sector — including DHS — and several other federal departments and agencies.

This partnership structure is supported and enhanced by other public-private partnerships at the issue-specific, subnational, and international levels. For example, under the CIPAC framework the Cross-Sector Cyber Security Working Group (CSCSWG) brings government and the private sector together to collaboratively address cyber risk across critical infrastructure sectors. Through the CSCSWG, DHS provides cyber security expertise and guidance to partners and assists them in understanding and mitigating cyber risk and developing effective and appropriate protective measures. This includes conducting formal cross-sector pilots with sector partners to address a range of cyber security risk
