<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Draft SA CyberSecurity Policy released for comment</title>
	<atom:link href="http://www.isgafrica.org/blog/?feed=rss2&#038;p=419" rel="self" type="application/rss+xml" />
	<link>http://www.isgafrica.org/blog/?p=419</link>
	<description>The Information Security Group of Africa is a registered non-profit company established in 2005 and is not biased toward any single vendor, technology or company. The Security Sangoma is the Group&#039;s leader &#38; together with his 3000 strong impi are the unofficial cyber-protectors of Africa.</description>
	<lastBuildDate>Thu, 08 Apr 2010 12:04:35 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
	<item>
		<title>By: Joey Hernandez</title>
		<link>http://www.isgafrica.org/blog/?p=419&#038;cpage=1#comment-471</link>
		<dc:creator>Joey Hernandez</dc:creator>
		<pubDate>Thu, 25 Mar 2010 14:20:02 +0000</pubDate>
		<guid isPermaLink="false">http://www.isgafrica.org/blog/?p=419#comment-471</guid>
		<description>The International Society of Cyber Security Professionals provided their input, and we look forward to working with the leadership to institutionalize the framework.

Joey Hernandez
iSCSP.org</description>
		<content:encoded><![CDATA[<p>The International Society of Cyber Security Professionals provided their input, and we look forward to working with the leadership to institutionalize the framework.</p>
<p>Joey Hernandez<br />
iSCSP.org</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Security_Sangoma</title>
		<link>http://www.isgafrica.org/blog/?p=419&#038;cpage=1#comment-431</link>
		<dc:creator>Security_Sangoma</dc:creator>
		<pubDate>Fri, 26 Feb 2010 12:38:53 +0000</pubDate>
		<guid isPermaLink="false">http://www.isgafrica.org/blog/?p=419#comment-431</guid>
		<description>Quotable mentions:

(Iain Campbell – ISG CSIRT lead)
 A good analogy would be along the lines of road safety. How many people would drive at 60 if there was no speed limit?
In SA there is currently no &quot;speed limit&quot; for cybersecurity. More importantly, because there are no standards/regulations many people who are aware that they have a problem do not know how to address it aka &quot;who you gonna call?&quot;. This policy goes a long way to address these issues by making it crystal clear who is ultimately responsible (i.e. the DoC), and by enabling the private sector to assist in setting relevant standards.
Ultimately you want to avoid a situation where a bank is getting their &quot;exhaust repaired at the side of the road&quot;
At the end of the day policy needs to have two elements in order to be successful:
1. Legal teeth to ensure compliance (it can be argued whether the likes of King 3 go far enough)
2. Ability to execute, which should be possible via PPP as recommended 
(Dominic White – Sensepost Security consultant)
This will hopefully not only become a paper-based exercise (similar to the FISMA exercise in the USA) but allow us to track a “scoreboard” of tangible actions / deliverables. It is also vital to ensure that breach disclosures are covered.</description>
		<content:encoded><![CDATA[<p>Quotable mentions:</p>
<p>(Iain Campbell – ISG CSIRT lead)<br />
 A good analogy would be along the lines of road safety. How many people would drive at 60 if there was no speed limit?<br />
In SA there is currently no &#8220;speed limit&#8221; for cybersecurity. More importantly, because there are no standards/regulations many people who are aware that they have a problem do not know how to address it aka &#8220;who you gonna call?&#8221;. This policy goes a long way to address these issues by making it crystal clear who is ultimately responsible (i.e. the DoC), and by enabling the private sector to assist in setting relevant standards.<br />
Ultimately you want to avoid a situation where a bank is getting their &#8220;exhaust repaired at the side of the road&#8221;<br />
At the end of the day policy needs to have two elements in order to be successful:<br />
1. Legal teeth to ensure compliance (it can be argued whether the likes of King 3 go far enough)<br />
2. Ability to execute, which should be possible via PPP as recommended<br />
(Dominic White – Sensepost Security consultant)<br />
This will hopefully not only become a paper-based exercise (similar to the FISMA exercise in the USA) but allow us to track a “scoreboard” of tangible actions / deliverables. It is also vital to ensure that breach disclosures are covered.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Security_Sangoma</title>
		<link>http://www.isgafrica.org/blog/?p=419&#038;cpage=1#comment-430</link>
		<dc:creator>Security_Sangoma</dc:creator>
		<pubDate>Fri, 26 Feb 2010 12:38:24 +0000</pubDate>
		<guid isPermaLink="false">http://www.isgafrica.org/blog/?p=419#comment-430</guid>
		<description>Anon feedback received from security folk at banks / gov depts:

Main Concern - that it be implemented speedily and given high enough mandate in government to make it effective in implementation. Most developed countries in the world have given this serious attention recently, and they are already miles ahead of us.
Second Concern - that we will first have to face a major cyber attack before the urgent need for a coordinated, national response and structures are agreed and implemented.
I support the initiative, and can only add that the focus will also be to identify, assess and protect Critical Communication Infrastructures – which are not only held by public entities (which will be covered by Government CSIRT ito assessment and monitoring), but the private sector as well (specifically banking). Hence the focus in the cyber security policy on public-private sectors working together and the focus on a national CSIRT to oversee public and private sector incidents relating to critical communication infrastructures and cyber incidents.
I believe ISGA is perfectly positioned to play a major role in the DOC's vision, thanks to the CSIRT training and eCrime initiatives. We should put in every effort to ensure that it succeeds.
Moreover, groups such as the ISG should be recognised for its efforts with this and could be engaged by the minister for its in-depth knowledge, passion for IT security and willingness to commit time and resources to this mission.
Frankly, it would be ideal if the big corporates would participate through membership of ISG Africa, rather than independently.</description>
		<content:encoded><![CDATA[<p>Anon feedback received from security folk at banks / gov depts:</p>
<p>Main Concern &#8211; that it be implemented speedily and given high enough mandate in government to make it effective in implementation. Most developed countries in the world have given this serious attention recently, and they are already miles ahead of us.<br />
Second Concern &#8211; that we will first have to face a major cyber attack before the urgent need for a coordinated, national response and structures are agreed and implemented.<br />
I support the initiative, and can only add that the focus will also be to identify, assess and protect Critical Communication Infrastructures – which are not only held by public entities (which will be covered by Government CSIRT ito assessment and monitoring), but the private sector as well (specifically banking). Hence the focus in the cyber security policy on public-private sectors working together and the focus on a national CSIRT to oversee public and private sector incidents relating to critical communication infrastructures and cyber incidents.<br />
I believe ISGA is perfectly positioned to play a major role in the DOC's vision, thanks to the CSIRT training and eCrime initiatives. We should put in every effort to ensure that it succeeds.<br />
Moreover, groups such as the ISG should be recognised for its efforts with this and could be engaged by the minister for its in-depth knowledge, passion for IT security and willingness to commit time and resources to this mission.<br />
Frankly, it would be ideal if the big corporates would participate through membership of ISG Africa, rather than independently.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
