According to this research, cybersecurity is best achieved by implementing a suitable set of:
- Cybersecurity governance and management frameworks
- Cybersecurity risk management and assessment frameworks
- Cybersecurity strategies and policy
- Incident management frameworks
- Business continuity and disaster recovery strategies and frameworks
- Various types of controls such as administrative, technical, operational, and physical controls.
- Security procedures, industry standards, guidelines, baselines, and best practices.
- Organizational security structures that should be integrated with the overall organizational structures.
Each of the recommendations stated above is presented below.
A. Cybersecurity governance and management frameworks
A cybersecurity governance framework should focus mainly on the responsibilities and practices to be exercised by an organization's top-level management (board and executive management), with the following main goals: providing strategic direction towards securing the IT systems that support the business functions; ensuring that security objectives are well defined and achieved; making sure that security risks are assessed and managed properly; and validating that enterprise resources are well spent on securing the assets. The cybersecurity governance framework plays a vital role in achieving an organization's security objectives for both current issues and future challenges.
To address current security issues, the researcher recommends that the security governance framework cover the following issues:
If a security policy already exists, it needs periodic review and amendment. If there is no security policy, it is recommended to develop one at national and organizational level. Further recommendations are the implementation of appropriate technological controls; periodic security audits and assessments; and the design and delivery of security awareness and training programs for citizens.
For future cybersecurity challenges, the security governance framework should address the following recommended points: consider emerging threat factors; address the fast-moving technological revolution; continually work on people's attitude towards security to create a cyber-aware workforce; and focus on work-culture transformation.
In general, it is recommended that the cybersecurity governance framework incorporate the following components:
- A cybersecurity risk management and assessment methodology
- A comprehensive cybersecurity strategy that is in line with business and IT objectives
- Appropriate security policies that translate and address each aspect of the security strategy.
- A complete set of security standards through which each security policy is translated into a suitable set of security procedures and guidelines.
- A monitoring mechanism to ensure compliance and the effectiveness of the framework.
- A suitable set of processes to continually evaluate and update the security policies, standards, guidelines, and procedures.
- An effective and efficient organizational security structure.
It is also recommended that the governance framework include the roles, responsibilities, and accountabilities of the various stakeholders, covering the following:
- Designing a SETA (security awareness, training and education) program
- Enhancing research and development programs towards cybersecurity at national and organizational level (in collaboration with universities and centers of excellence)
- Designing an international and regional collaboration framework
- Designing a framework to enhance public-private partnership collaboration.
- Enhancing incident management capabilities.
- Enhancing business continuity and disaster recovery capabilities.
- Enhancing change management capabilities.
To design the outlined security governance framework, the following major tasks are identified and recommended:
- Develop cybersecurity strategies that are relevant to the country.
- Design a cybersecurity policy, which is needed to implement the security strategy effectively.
- Define a mechanism to obtain senior management's commitment.
- Define roles and responsibilities at national and organizational level.
- Establish communication and reporting mechanisms that will support the security governance framework.
- Develop security procedures and guidelines using standards that support the security policy.
- Establish a legal and regulatory framework.
B. Cybersecurity risk management and assessment frameworks
The researcher strongly recommends that every organization perform risk assessment periodically to keep pace with the ever-increasing dimensions of cyber-attacks. As an initial risk management framework recommendation, the following guidelines are proposed; they can be refined according to the organizational context.
- The first step is the formation of a risk assessment team drawn from different departments of the organization, and even at country level.
- Assignment of responsibilities, and creation of awareness and training on the risk management framework.
- A clear understanding of the institution's security setup and readiness is needed.
- Identifying security holes or vulnerabilities (weaknesses in the defense mechanism) is an important step that should be performed intensively.
- Develop a new risk management framework and/or adopt one from international standards according to the context of the country.
- Establish and maintain incident management, disaster recovery, and business continuity programs.
In general, the following three major risk management practices are recommended: 1) design risk assessment methods; 2) propose risk mitigation techniques; and 3) devise mechanisms to periodically evaluate the assessment and mitigation plans and procedures.
C. Security strategies and policies
Once risk assessment has been performed at organizational and national level, an appropriate cybersecurity strategy and policy should be designed according to the risk profile. The following initial security strategy development framework is recommended:
When a cybersecurity strategy is developed at national level, to be refined later at organizational level, the researcher identified the following key areas that should be incorporated in the strategy.
Key cybersecurity strategic areas include:
- Governance framework, to be prepared at national and organizational level.
- Risk management methods. This strategic area focuses on designing the risk management approach; identifying mechanisms for the management of cyber-risk; developing policies, standards, and regulations; and developing sectoral or organizational risk management profiles.
- Incident management and preparedness plan, composed of: establishment of a contingency plan for crisis management; establishment of incident handling and management capabilities to protect the national cyberspace and digital ecosystem; establishment of Computer Incident Response Teams (CIRTs) with national and organizational responsibility (there is ethio-CERT at national level; however, we recommend that this CIRT be decentralized at least to sectoral level); establishment of public-private partnerships for incident detection and response capabilities; and development of disaster recovery and business continuity plans.
- Securing critical infrastructures
- Capacity development and awareness, which includes research and development towards cybersecurity; creation of a cybersecurity awareness program; creation of training, education and skill development programs; and development and implementation of cybersecurity curricula at elementary school, high school, college and university level.
- Legal and cybercrime framework, which includes development of legal frameworks; establishment and promotion of an agency that will implement the legal framework; establishment of international cooperation against cybercrime; and capacity building for law enforcement agencies.
- Regional and international collaboration: establishment of cooperation and collaboration partnerships with regional and international countries and security agencies.
- Institutional cybersecurity framework, which includes establishment of a national security advisory board and of agencies responsible for cybersecurity at national level.
- Government cybersecurity enhancement program, which includes establishment of a digital ecosystem that is reliable and convenient for e-commerce and e-government, with a national public key infrastructure (PKI); and development of a public-private partnership framework (the partnership can be local and international).
The following additional strategic areas are also identified and recommended as part of the national cybersecurity strategic areas: data protection, privacy, rights, freedom of expression, and information sharing among different stakeholders; security strategies for new emerging technologies such as cloud computing security, security in the internet of things (IoT), and securing huge amounts of data (big data analysis); national data security management and hosting; and development of a regulatory framework for cyber-physical infrastructure such as smart grids, industrial control systems, robotic systems, and medical monitoring.
To implement the aforementioned strategic areas, the researcher recommends the following initial cybersecurity strategy development guidelines, to be refined later according to the nation's context:
- The vision and mission of the organization and the nation should be clearly identified and presented.
- Follow a comprehensive and holistic approach: cybersecurity should be seen from multi-dimensional perspectives and is a cross-sector issue that addresses areas such as law enforcement; national, regional, and international relationships and cooperation; trade negotiation; assuring sustainable economic and social development; …
- Active participation of multiple stakeholders: when the security strategy is developed, multiple stakeholders should participate actively, and the strategy should address their interests and needs along with a definition of roles and responsibilities.
- Consideration of economic and social prosperity: one of the primary goals of a cybersecurity strategy is to create a cyberspace or digital ecosystem that is secure and resilient to any type of cyber threat. If this primary goal is achieved, economic and social prosperity become possible, as does maximizing the application of ICT to sustainable development.
- Addressing fundamental human rights: the strategy should respect all human rights agreed in regional and international law.
- Risk management and resilience: the strategy should be developed in such a way that risk at national and regional level is managed effectively and a resilient environment is created.
- Assignment of resources, roles, and responsibilities: assignment of roles and responsibilities at national and organizational level, and allocation of sufficient human and financial resources for the effective implementation of the strategy.
- Establish a trusted digital ecosystem: the strategy should enable the creation of a cyberspace that businesses and citizens can trust for the efficient delivery of e-commerce, e-government, and digital transactions.
Finally, for the development of the national cybersecurity strategy, the researcher identified the following stakeholders whose involvement and active participation are required: the government of Ethiopia (both the executive and legislative branches); critical infrastructure (CI) owners and operators; the judiciary; law enforcement agencies such as the attorney general and the police; local and international vendors; academia, such as universities; international partners; and citizens, represented through parliament and civil societies.
D. Cybersecurity policy development
Once risk assessment has been conducted at both national and organizational level and a set of strategies has been developed, security policy falls quickly into place. Cybersecurity policy can be determined from the risk assessment results, which will drive the creation of security policy on the following identified and recommended items: change management policy; access management policy; firewall and proxy policy; patch management policy; employee hiring and termination policy; system setup and configuration policy; backup policy; datacenter policy; data encryption policy; email and internet usage policy; etc.
In general, the researcher recommends the following types of policies to be developed and implemented at national and organizational levels: general policy at national level; program policy at organizational level; issue-specific policy; system-specific policy; advisory policy; informative policy; regulatory policy; and procedures, guidelines, standards, and best practices.