An Approach to Defining the Scope and the Method for Cyber Security Strategy Development · 2016
-
An Approach to defining
the Scope and the Method
for Cyber Security Strategy
Development
Aleksandar Klaic, Ph.D.
Office of the National Security Council,
Croatia
-
Subjects
1. Cyber Space and the Scope of
Strategy
2. A Method for Cyber Security Strategy
Development
3. Cyber Security in Croatia, National
Strategy Drafting Process
-
Cyber Space - Importance
• Internet vs Cyber Space
– Dial-up, Broadband, Cloud SaaS, PaaS, IaaS …
– PSTN, ATM, IP, VoIP, IP TV, Triple Play, …
• Societal necessity
– Citizens
– Business
– Government
• New dimension of our living
-
Virtual Dimension of the Society
• Vision / Final Goal
• . . . to derive huge economic and social value
from a vibrant, resilient and secure cyberspace,
where our actions, guided by our core values of
liberty, fairness, transparency and the rule of
law, enhance prosperity, national security and a
strong society.
• Implementation of the laws and regulations
within the new virtual dimension of the society –
cyber space.
• . . .
-
How to achieve this goal?
• Identification of Societal
Sectors/Subsectors
• Assessment of Sectoral specifics
• Implementation of Organisational
prerequisites
• Assessment of Threat Environment
• Coordination and Management Process
-
Identification of Societal Sectors
• Government, Business, Citizens
– Academic Sector
– Functional areas (Cyber Crime, Cyber Terrorism, Cyber Defence …)
• Communication and Inf. Infrastructure
– Public telecommunications, Gov. infrastructure
– Critical (Information) Infrastructure (CI, CII)
– Sensitive Categories of Information, Critical National
Electronic Registers, …
• e-Services
– e-Government, e-Banking, e-Commerce, …
-
Assessment of Sectoral Specifics
• Sectoral laws & regulations
– Responsible institutions
– Sensitive information & information sharing
• International requirements
– Implemented Initiatives
• Intersectoral and national initiatives
– Coordination, Inf. Sharing, Education, …
-
Organisational Prerequisites
• National Regulatory Authorities (Telecom,
Banking, Data Protection, …) - sectoral
• National CERT/CSIRT – public/national
• NSA, e-Gov, CA… - government/public
• Responsible bodies within CI/CII Sectors
• (Cyber) Crisis Management - government
• Functional areas – responsible bodies
– Cyber: Crime, Terrorism, Defence policy …
-
Threat Environment
• Shared:
– Cyber Space Environment
• Cyber Threats
• Specifics of national infrastructure,
organization, geopolitical situation, …
• Different Exposure to Risk
– Targeted threats
– National specifics (infrastructure, regional
specifics, economy, …)
-
Comprehensive Coordination
and Management Process
• Decision Making level
– Strategic decisions
– Crisis Management decisions
• Policy Planning level
– Harmonisation of sectoral policies
• Necessity of having adequate policies in functional areas
• Operational and technical level
– Security incidents treatment, information sharing
-
Cyber Security Strategy
• How to:
– Identify societal sectors and subsectors
– Assess sectoral specifics
– Plan organisational prerequisites
– Recognize the threat environment
– Establish a comprehensive coordination process
• Scope, Content, Requirements, Organization
-
A Method for Cyber Security
Strategy Development
• Huge scope
• Complex, heterogeneous and mutually
interrelated content
• Requirements drawn from government and
business side of certain sector/subsector
• Coordination and Management rely on
organizations from different sectors
-
Laws & Regulations in Cyber Space
-
The Basic Strategy Elements
• Goals:
– Comprehensive approach, education,
awareness, …
• Societal Sectors:
– Government, Academic, Business, Citizens
• Main principles:
– Proactiveness, subsidiarity, proportionality,
integration, …
-
Cyber Security Areas/Interrelations
• Cyber Security Areas (the main recognized)
– Identifying objectives in order to reach the goals of the
Strategy
– Refer to all of the societal sectors defined, stick to the
main principles
• Interrelations among Cyber Security Areas
(functional requirements)
– Identifying objectives in order to reach the needs of
related Cyber Security Areas
– Refer to all of the societal sectors defined, stick to the
main principles
-
Correlation Between the
Strategy and the Action plan
• Cyber Security Strategy
– Cyber Security Areas/Interrelations
• identified objectives (description)
• Action Plan
– Elaboration of measures for:
• Each cyber security area/interrelation:
– Each identified objective (elaboration)
» Set of measures (one or more)
-
Illustration of the proposed Method
-
Cyber Security in Croatia
• National Information Security Programme,
March 2005
– http://www.cert.hr/sites/default/files/CCERT-
PUBDOC-2005-04-110.pdf (in Croatian)
• Public Telecommunication Threats
Assessment (2010)
• Guideline on the Protection of Security
and Integrity of Networks and Services
– www.nn.hr (NN 109/2012, in Croatian)
-
National Inf. Sec. Programme (2005)
-
National Cyber Security Strategy
Drafting Process in Croatia
• Government Decision, April 2014
• UVN is coordinating and responsible body
• Interdepartmental Committee
– 20+ institutions with their representatives
– 9 specialized Working Groups (30+ institutions)
• Strategy + Action Plan
• Public discussion planned for April 2015
-
National Cyber Security Strategy Drafting
Process in Croatia
-
Action Plan – Identified Measures
• Strategy = Vision
• Vision = 8 General Goals on Strategy Level
• 5 Areas + 4 Interrelations = 35 Objectives
• 35 Objectives = 78 Measures

Chapters         A     B     C     D     E     F     G     H     I
Areas      (9)   CSA1  CSA2  CSA3  CSA4  CSA5  IoA1  IoA2  IoA3  IoA4
Objectives (35)  3     3     2     5     5     5     3     6     3
Measures   (78)  3     8     4     13    5     6     5     6     28

(CSA = Cyber Security Area, IoA = Interrelation of Areas; totals in parentheses are the row sums.)
-
Thank You !
dr. sc. Aleksandar Klaić, dipl.ing.el.
Assistant Director for Information Security
aleksandar.klaic@uvns.hr
aleksandar.klaic@gmail.com
Office of the National Security Council
Croatian NSA/DSA
tel. +385.1.4681 222
fax. +385.1.4686 049
www.uvns.hr