Draft SA CyberSecurity Policy released for comment

I am excited as both the chairman of the Information Security Group of Africa & as a citizen of this country, to witness the first green shoots of our government taking information security and the escalating scourge of eCrime seriously!

The Department of Communications has just released a draft policy on cyber security for comment. Please read the policy (only 16 pages) & provide your feedback.

Download the draft policy here

An extract from the policy reads as follows: “…a partnership between business, government & civil society. Unless these spheres of society work together, South Africa’s efforts to ensure a secured cyberspace will be severely compromised!”

Kudos to minister Siphiwe Nyanda and the authors of the policy for highlighting this important point! Let’s, however, not re-invent the wheel. As a community of security professionals, ISG Africa, established 5 years ago as a non-profit organisation focused on creating awareness & highlighting key risks facing our country, has much to build on, namely:

  • A community of over 3500 professionals across business, government & civil society (spot the link)
  • An established site focussed on ecrime awareness – www.ecrime.org.za
  • The first batch of experts about to be trained on CSIRT / incident management – 35 confirmed bookings to date including seats donated to SAPS / ISG CSIRT staff
  • Established local partnerships within law enforcement / legal circles / content providers / security companies / press & media agencies
  • Established relationships internationally – the FBI / the European Network and Information Security Agency (ENISA) / Trans-European Research and Education Networking Association (TERENA)

With this in mind, let us utilise what we already have in place & see how together we can fast-track the key implementation steps highlighted in the draft policy. We look forward to working with the DOC & other stakeholders to secure SA cyberspace.

Regards

Craig Rosewarne

(ISG Africa Chairman)


Comments

  1. Security_Sangoma

    Anon feedback received from security folk at banks / gov depts:

    Main Concern – that it be implemented speedily and given high enough mandate in government to make it effective in implementation. Most developed countries in the world have given this serious attention recently, and they are already miles ahead of us.
    Second Concern – that we will first have to face a major cyber attack before the urgent need for a coordinated, national response and structures are agreed and implemented.
    I support the initiative, and can only add that the focus will also be to identify, assess and protect Critical Communication Infrastructures – which are not only held by public entities (which will be covered by the Government CSIRT in terms of assessment and monitoring), but the private sector as well (specifically banking). Hence the focus in the cyber security policy on public and private sectors working together, and the focus on a national CSIRT to oversee public and private sector incidents relating to critical communication infrastructures and cyber incidents.
    I believe ISGA is perfectly positioned to play a major role in the DOC’s vision, thanks to the CSIRT training and eCrime initiatives. We should put in every effort to ensure that it succeeds.
    Moreover, groups such as the ISG should be recognised for their efforts with this and could be engaged by the minister for their in-depth knowledge, passion for IT security and willingness to commit time and resources to this mission.
    Frankly, it would be ideal if the big corporates would participate through membership of ISG Africa, rather than independently.

  2. Security_Sangoma

    Quotable mentions:

    (Iain Campbell – ISG CSIRT lead)
    A good analogy would be along the lines of road safety. How many people would drive at 60 if there was no speed limit?
    In SA there is currently no “speed limit” for cybersecurity. More importantly, because there are no standards/regulations, many people who are aware that they have a problem do not know how to address it, aka “who you gonna call?”. This policy goes a long way to address these issues by making it crystal clear who is ultimately responsible (i.e. the DoC), and by enabling the private sector to assist in setting relevant standards.
    Ultimately you want to avoid a situation where a bank is getting their “exhaust repaired at the side of the road”.
    At the end of the day policy needs to have two elements in order to be successful:
    1. Legal teeth to ensure compliance (it can be argued whether the likes of King 3 goes far enough)
    2. Ability to execute, which should be possible via PPP as recommended
    (Dominic White – SensePost security consultant)
    This will hopefully not only become a paper-based exercise (similar to the FISMA exercise in the USA) but allow us to track a “scoreboard” of tangible actions / deliverables. It is also vital to ensure that breach disclosures are covered.

  3.

    The International Society of Cyber Security Professionals provided their input, and we look forward to working with the leadership to institutionalize the framework.

    Joey Hernandez
    iSCSP.org
