An Approach to defining the Scope and the Method for Cyber Security Strategy Development · 2016

Aleksandar Klaic, Ph.D., Office of the National Security Council, Croatia

TRANSCRIPT

  • An Approach to defining the Scope and the Method for Cyber Security Strategy Development

    Aleksandar Klaic, Ph.D.

    Office of the National Security Council, Croatia

  • Subjects

    1. Cyber Space and the Scope of Strategy

    2. A Method for Cyber Security Strategy Development

    3. Cyber Security in Croatia, National Strategy Drafting Process

  • Cyber Space - Importance

    • Internet vs Cyber Space

    – Dial-up, Broadband, Cloud SaaS, PaaS, IaaS …

    – PSTN, ATM, IP, VoIP, IP TV, Triple Play, …

    • Societal necessity

    – Citizens

    – Business

    – Government

    • New dimension of our living

  • Virtual Dimension of the Society

  • Vision / Final Goal

    • . . . to derive huge economic and social value from a vibrant, resilient and secure cyberspace, where our actions, guided by our core values of liberty, fairness, transparency and the rule of law, enhance prosperity, national security and a strong society.

    • Implementation of the laws and regulations within the new virtual dimension of the society – cyber space.

    • . . .

  • How to achieve this goal?

    • Identification of Societal Sectors/Subsectors

    • Assessment of Sectoral specifics

    • Implementation of Organisational prerequisites

    • Assessment of Threat Environment

    • Coordination and Management Process

  • Identification of Societal Sectors

    • Government, Business, Citizens

    – Academic Sector

    – Functional areas (Cyber -Crime, -Terrorism, -Defence …)

    • Communication and Inf. Infrastructure

    – Public telecommunications, Gov. infrastructure

    – Critical (Information) Infrastructure (CI, CII)

    – Sensitive Categories of Information, Critical National Electronic Registers, …

    • e-Services

    – e-Government, e-Banking, e-Commerce, …

  • Assessment of Sectoral Specifics

    • Sectoral laws & regulations

    – Responsible institutions

    – Sensitive information & information sharing

    • International requirements

    – Implemented Initiatives

    • Intersectoral and national initiatives

    – Coordination, Inf. Sharing, Education, …

  • Organisational Prerequisites

    • National Regulatory Authorities (Telecom, Banking, Data Protection, …) - sectoral

    • National CERT/CSIRT – public/national

    • NSA, e-Gov, CA… - government/public

    • Responsible bodies within CI/CII Sectors

    • (Cyber) Crisis Management - government

    • Functional areas – responsible bodies

    – Cyber: Crime, Terrorism, Defence policy …

  • Threat Environment

    • Shared:

    – Cyber Space Environment

    • Cyber Threats

    • Specifics of national infrastructure, organization, geopolitical situation, …

    • Different Exposure to Risk

    – Targeted threats

    – National specifics (infrastructure, regional specifics, economy, …)

  • Comprehensive Coordination and Management Process

    • Decision Making level

    – Strategic decisions

    – Crisis Management decisions

    • Policy Planning level

    – Harmonisation of sectoral policies

    • Necessity of having adequate policies in functional areas

    • Operational and technical level

    – Security incidents treatment, information sharing

  • Cyber Security Strategy

    • The way to:

    – Identify societal sectors and subsectors

    – Assess sectoral specifics

    – Plan organisational prerequisites

    – Recognize the threat environment

    – Establish a comprehensive coordination process

    • Scope, Content, Requirements, Organization

  • A Method for Cyber Security Strategy Development

    • Huge scope

    • Complex, heterogeneous and mutually interrelated content

    • Requirements drawn from government and business side of certain sector/subsector

    • Coordination and Management rely on organizations from different sectors

  • Laws & Regulations in Cyber Space

  • The Basic Strategy Elements

    • Goals:

    – Comprehensive approach, education, awareness, …

    • Societal Sectors:

    – Government, Academic, Business, Citizens

    • Main principles:

    – Proactiveness, subsidiarity, proportionality, integration, …

  • Cyber Security Areas/Interrelations

    • Cyber Security Areas (the main recognized)

    – Identifying objectives in order to reach the goals of the Strategy

    – Refer to all of the societal sectors defined, stick to the main principles

    • Interrelations among Cyber Security Areas (functional requirements)

    – Identifying objectives in order to reach the needs of related Cyber Security Areas

    – Refer to all of the societal sectors defined, stick to the main principles

  • Correlation Between the Strategy and the Action Plan

    • Cyber Security Strategy

    – Cyber Security Areas/Interrelations

    • identified objectives (description)

    • Action Plan

    – Elaboration of measures for:

    • Each cyber security area/interrelation:

    – Each identified objective (elaboration)

    » Set of measures (one or more)

  • Illustration of the proposed Method

  • Cyber Security in Croatia

    • National Information Security Programme, March 2005

    – http://www.cert.hr/sites/default/files/CCERT-PUBDOC-2005-04-110.pdf (in Croatian)

    • Public Telecommunication Threats Assessment (2010)

    • Guideline on the Protection of Security and Integrity of Networks and Services

    – www.nn.hr (NN 109/2012, in Croatian)


  • National Inf. Sec. Programme (2005)

  • National Cyber Security Strategy Drafting Process in Croatia

    • Government Decision, April 2014

    • UVN is coordinating and responsible body

    • Interdepartmental Committee

    – 20+ institutions with their representatives

    – 9 specialized Working Groups (30+ institutions)

    • Strategy + Action Plan

    • Public discussion planned for April 2015

  • National Cyber Security Strategy Drafting Process in Croatia

  • Action Plan – Identified Measures

    • Strategy = Vision

    • Vision = 8 General Goals on Strategy Level

    • 5 Areas + 4 Interrelations = 35 Objectives

    • 35 Objectives = 78 Measures

    Chapter      A     B     C     D     E     F     G     H     I     Total
    Area         CSA1  CSA2  CSA3  CSA4  CSA5  IoA1  IoA2  IoA3  IoA4  9
    Objectives   3     3     2     5     5     5     3     6     3     35
    Measures     3     8     4     13    5     6     5     6     28    78

    (CSA1–CSA5 are the five Cyber Security Areas, IoA1–IoA4 the four Interrelations; the per-chapter objectives and measures sum to the 35 and 78 stated above.)

  • Thank You !

    dr. sc. Aleksandar Klaić, dipl.ing.el. Assistant Director for Information Security

    [email protected]

    [email protected]

    Office of the National Security Council

    Croatian NSA/DSA

    tel. +385.1.4681 222

    fax. +385.1.4686 049

    www.uvns.hr
