METHODOLOGY AND CRITERIA FOR THE CYBERSECURITY REPORTS

Similar documents
Cybersecurity governance in Europe. Sokratis K. Katsikas Systems Security Laboratory Dept. of Digital Systems University of Piraeus

ENISA s Position on the NIS Directive

Bradford J. Willke. 19 September 2007

Directive on security of network and information systems (NIS): State of Play

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

Cybersecurity Overview

Regulating Cyber: the UK s plans for the NIS Directive

Directive on Security of Network and Information Systems

CERT.LV activities, role in Latvia and globally. Baiba Kaskina, CERT.LV , Sofia, Bulgaria

Enhancing the security of CIIPs in Europe - ENISA s Approach Dimitra Liveri Network and Information Security Expert

Managing Jurisdictional Risks for Public Cloud Services

Network and Information Security Directive

The NIS Directive and Cybersecurity in

Cyber Security Strategic Level Landscape in Poland. Krzysztof Silicki NASK Institute, Poland ENISA MB, EB

NATIONAL CYBER SECURITY STRATEGY. - Version 2.0 -

CONCLUSIONS OF THE WESTERN BALKANS DIGITAL SUMMIT APRIL, SKOPJE

Cyber Security in Europe

BHConsulting. Your trusted cybersecurity partner

TEL2813/IS2820 Security Management

Business Continuity and Disaster Recovery

FIRE REDUCTION STRATEGY. Fire & Emergency Services Authority GOVERNMENT OF SAMOA April 2017

ENISA EU Threat Landscape

The Case for National CSIRTs

Security Management Models And Practices Feb 5, 2008

An Overview of ISO/IEC family of Information Security Management System Standards

Call for Expressions of Interest

Guiding principles on the Global Alliance against child sexual abuse online

RFD. for ICERT ( ) RESULTS-FRAMEWORK DOCUMENT. Department of Information Technology. Results-Framework Document (RFD) for CERT-In ( )

POSITION DESCRIPTION

Cyber Security Strategy

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

National Cyber Security Strategy - Qatar. Michael Lewis, Deputy Director

Securing Europe's Information Society

Cybersecurity Policy in the EU: Security Directive - Security for the data in the cloud

POSITION DESCRIPTION

SAMPLE REPORT. Business Continuity Gap Analysis Report. Prepared for XYZ Business by CSC Business Continuity Services Date: xx/xx/xxxx

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

Memorandum of Agreement

Global Statement of Business Continuity

PIPELINE SECURITY An Overview of TSA Programs

Update on the Key Initiatives Recommended by NTT Data regarding the Agency Cyber Security Framework

ISACA National Cyber Security Conference 8 December 2017, National Bank of Romania

79th OREGON LEGISLATIVE ASSEMBLY Regular Session. Senate Bill 90

Legal and Regulatory Developments for Privacy and Security

Information sharing in the EU policy on NIS & CIIP. Andrea Servida European Commission DG INFSO-A3

THE CYBER SECURITY ENVIRONMENT IN LITHUANIA

CESG:10 Steps to Cyber Security WORKING WITH GOVERNMENT, INDUSTRY AND ACADEMIA TO MANAGE INFORMATION RISK

13967/16 MK/mj 1 DG D 2B

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

The Deloitte-NASCIO Cybersecurity Study Insights from

Fiscal 2015 Activities Review and Plan for Fiscal 2016

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

QCTO CERT 002/15 QCTO Certification Policy Page 2 of 14

Digital government toolkit

COMMISSION RECOMMENDATION. of on Coordinated Response to Large Scale Cybersecurity Incidents and Crises

Developing a National Emergency Telecommunications Plan. The Samoan Experience November 2012

USA HEAD OFFICE 1818 N Street, NW Suite 200 Washington, DC 20036

BHConsulting. Your trusted cybersecurity partner

IQ Level 4 Award in Understanding the External Quality Assurance of Assessment Processes and Practice (QCF) Specification

Global Alliance Against Child Sexual Abuse Online 2014 Reporting Form

The challenges of the NIS directive from the viewpoint of the Vienna Hospital Association

Discussion on MS contribution to the WP2018

ENISA Cooperation in the EU / NIS Directive

New cybersecurity landscape in the EU Sławek Górniak 9. CA-Day, Berlin, 28th November 2017

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Aon Service Corporation Law Global Privacy Office. Aon Client Data Privacy Summary

About Issues in Building the National Strategy for Cybersecurity in Vietnam

Position Description IT Auditor

ROLE DESCRIPTION IT SPECIALIST

NIS-Directive and Smart Grids

Commonwealth Cyber Declaration

BENCHMARKING PPP PROCUREMENT 2017 IN GABON

CERT community. Recognition mechanisms and schemes. November European Union Agency for Network and Information Security.

POSITION DESCRIPTION

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

STANDARDS TO HELP COMPLY WITH EU LEGISLATION. EUROPE HAS WHAT IT TAKES INCLUDING THE WILL?

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Awareness as a Cyber Security Vulnerability. Jack Whitsitt Team Lead, Cyber Security Awareness and Outreach TSA Office of Information Technology

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

Presentation to the ITU on the Q-CERT Incident Management Team. Ian M Dowdeswell Incident Manager, Q-CERT

EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1,

INDEPENDENT COMMUNICATIONS AUTHORITY OF SOUTH AFRICA(ICASA) CYBERSECURITY PRESENTATION AT SAIGF. 28 th November 2018

Section 1 Metrics: Community Adoption

The emerging EU certification framework: A role for ENISA Dr. Andreas Mitrakas Head of Unit EU Certification Framework Conference Brussels 01/03/18

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

Google Cloud & the General Data Protection Regulation (GDPR)

GLobal Action on CYbercrime (GLACY) Assessing the Threat of Cybercrime in Mauritius

Driving Global Resilience

NERC Staff Organization Chart

Kansas City s Metropolitan Emergency Information System (MEIS)

Measures for implementing quality labelling and certification

European Union Agency for Network and Information Security

Defining Computer Security Incident Response Teams

Reviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED.

CYBER INCIDENT REPORTING GUIDANCE. Industry Reporting Arrangements for Incident Response

Chapter X Security Performance Metrics

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

_isms_27001_fnd_en_sample_set01_v2, Group A

STRATEGIC PLAN VERSION 1.0 JANUARY 31, 2015

Transcription:

METHODOLOGY AND CRITERIA FOR THE CYBERSECURITY REPORTS The cybersecurity maturity has been assessed against 25 criteria across five themes. Each of the criteria are given a Yes, No, Partial, or Not Applicable status. : There is an adopted cybersecurity strategy. adopted cybersecurity strategy. There may or may not be an adopted strategy or policy that addresses cyber or information security in part. LEGAL FOUNDATIONS 1. Is there a national cybersecurity strategy in place? 2. What year was the national cybersecurity strategy adopted? : Partial has not be used as an option for this criteria. Year ( digits) 3. Is there a protection (CIP) strategy or plan in place? : There is an adopted protection strategy in place. adopted protection strategy in place, and there is no meaningfully addresses protection in part. no adopted critical infrastructure protection strategy in place, however there is in place that meaningfully addresses critical infrastructure protection in part.. Is there legislation/policy that requires the written information security plan? written information plan. written information plan, nor has there been a written information plan otherwise adopted. no written information plan. However, a publicly available written information plan has been adopted. 5. Is there legislation/policy that requires an inventory of systems and the classification of data? government, or there is a clear and publicly available standard used by the national government, which clearly defined system. government which clearly defined system, nor does legislation or policy exist that has general information classification practices, or targeted data classification practices that are only applied to a specific type of data. no government which clearly defined system. However, legislation or policy does exist that has general information classification practices, or has targeted data classification practices that are only applied to a specific type of data. www.bsa.org/eucybersecurity 1

. Is there legislation/policy that requires security practices/ requirements to be mapped to risk levels? sensitive information and maps these security practices to risk levels. sensitive information and maps these security practices to risk levels. sensitive information, but it does not map these security practices to risk levels. 7. Is there legislation/policy that requires (at least) an annual cybersecurity audit? government that audit procedure, and requires it be conducted on at least a yearly basis. the audit procedure. There may or may not be related reporting or surveying procedures. the audit procedure, but does not require it be conducted on at least a yearly basis. 8. Is there legislation/policy that requires a public report on cybersecurity capacity for the government? a public report on cybersecurity capacity for the government. the requires a public report on cybersecurity capacity for the government; nor is there legislation that, in prescribing the responsibilities of an agency or individual, addresses a reporting or monitoring procedure for cybersecurity or information security that would address cybersecurity capacity. that, in prescribing the responsibilities of an agency or individual, describes a reporting or monitoring procedure for cybersecurity or information security that would address cybersecurity capacity to a limited extent, but does not require the dedicated cybersecurity capacity report for the government. 9. Is there legislation/policy that requires each agency to have a chief information officer (CIO) or chief security officer (CSO)? each agency to have a chief information officer or chief security officer. that requires each agency to have a chief information officer or chief security officer. There may or may not be chief information officers or chief security officers otherwise appointed by the government. : Partial has not be used as an option for this question. 10. Is there legislation/policy that requires mandatory reporting of cybersecurity incidents? the mandatory reporting of cybersecurity incidents to the relevant authority. the requires the mandatory reporting of cybersecurity incidents to the relevant authority. that requires the mandatory reporting of cybersecurity incidents in certain circumstances, or else requires particular agencies, entities, or individuals to participate in routine incident analysis processes. www.bsa.org/eucybersecurity 2

11. Does legislation/policy include an appropriate definition for critical infrastructure protection (CIP)? government that includes an appropriate definition for "critical infrastructure protection" or else includes an appropriate definition for "" in the context of critical infrastructure protection. : Partial has not been used as an option the for this criteria. includes an appropriate definition for "critical infrastructure protection," nor does legislation or policy include an appropriate definition for "" in the context of critical infrastructure protection. 12. Are requirements for public and private procurement of cybersecurity solutions based on international accreditation or certification schemes, without additional local requirements? : There is a formal commitment to use international standards and recognise international accreditation and certification schemes. : Local standards or accreditation and certification schemes are in place instead of (or in addition to) international schemes. : There is a team which is recognised by the national government as the national computer team, or else there is a team which represents, or has represented, their country in international computer team associations and at related events. team which is recognised by the national government as the national computer team, nor is there a team which represents, or has represented, their country in international computer team associations and at related events. Not applicable : No standards, certification or accreditation requirements are currently in place. OPERATIONAL ENTITIES 1. Is there a national computer team (CERT) or computer security incident response team (CSIRT)? 2. What year was the computer team (CERT) established? 3. Is there a national competent authority for network and information security (NIS)? a computer emergency response team that satisfies the criteria for "Yes" however, the functioning status or representative authority is unclear. Year ( digits) : There is a government entity, or set of entities, responsible for the management and implementation of security practices. government entity, nor a set of entities, responsible for the management and implementation of security practices. a government entity, or set of entities, with limited responsibility for the management and implementation of security practices for the country in question; or else there is a government entity, or set of entities with responsibility for network practices within a limited jurisdiction; or else in government there is a clear proposal to develop such an entity as described in the criterion for "Yes". www.bsa.org/eucybersecurity 3

. Is there an incident reporting platform for collecting cybersecurity incident data? : There is active platform through which individuals or agencies can report cybersecurity incidents to the relevant government body. This platform may or may not restrict reporting to registered parties. platform through which individuals or agencies can report cybersecurity incidents to the body. : Partial has not been used as an option for this question. 5. Are national cybersecurity exercises conducted? : The national government has The country in question may or may not have participated in a multinational exercise. : The national government has not cybersecurity exercise, nor has the country in question participated in a multinational : The national government has not cybersecurity exercise, but the country in question has participated in a multinational. Is there a national incident management structure (NIMS) for responding to cybersecurity incidents? : A clear hierarchy and management structure to respond to policy or similar. : No clear hierarchy and management structure to respond to policy or similar. Nor do particular relevant agencies have certain reporting requirements in the case of a cybersecurity incident : No clear hierarchy and management structure to respond to policy or similar. However, particular relevant agencies have certain reporting requirements in the case of a cybersecurity incident. PUBLIC-PRIVATE PARTNERSHIPS 1. Is there a defined public-private partnership (PPP) for cybersecurity? : There is a clear, publicly acknowledged, cybersecurity; or else there is a clear, publicly focus. clear, publicly acknowledged, cybersecurity; nor is there a clear, publicly focus; nor are there entities who liaise with the private sector as part of their duties. no clear, publicly acknowledged, publicprivate partnership cybersecurity; nor is there a clear, publicly focus. However, there are entities that liaise with the private sector as part of their duties. 2. Is industry organised (i.e. business or industry cybersecurity councils)? : There is an industryled entity or association cybersecurity. industryled entity or association cybersecurity, nor is there an industry-led body that represents the wider information and communication technology industry industry. : There is no industry-led entity or association cybersecurity, however there is an industry-led body that represents the wider information and communication technology industry industry. www.bsa.org/eucybersecurity

3. Are new s in planning or underway (if so, which focus area)? : There is no operating, however there is a clear commitment,, to establish a cybersecurity dedicated public-private partnership. operating, and there is no clear commitment,, to establish a cybersecurity dedicated public=private partnership. no operating, however there is a commitment,, for government agencies to establish closer links with the private sector. Not Applicable : There is already a cybersecurity dedicated public-private partnership operating. SECTOR-SPECIFIC CYBERSECURITY PLANS 1. Is there a joint public-private sector plan that addresses cybersecurity? : There is policy or legislation, adopted by, which includes a plan that provides a sector-based approach information security; or else there is legislation or policy, adopted by the,. policy or legislation, adopted by, which includes a plan that provides a sector-based approach information security and there is no legislation or policy, adopted by the,. no policy or legislation, government, which includes a plan that provides a sectorbased approach information security and there is no legislation or policy, adopted by the,. However, there is policy or legislation that provides a sectorbased approach information security for one particular sector, or a limited number of sectors. 2. Have sector-specific security priorities been defined? : There is policy, specific sectors. policy, specific sectors. policy, specific sectors. However, as part of a sector based approach, the government has defined the security priorities for those participating in public private sector platforms. 3. Have any sector-specific cybersecurity risk assessments been conducted? : Any number of sector-specific cybersecurity risk assessments have been conducted. : No sector-specific cybersecurity risk assessments have been conducted. : An education strategy has been implemented or a commitment to implementation is available. education strategy or commitment in place. EDUCATION 1. Is there an education strategy to enhance cybersecurity knowledge and increase cybersecurity awareness of the public from a young age? : Some education initiatives are in place, but a formal strategy is missing. Or education is in place, but is not targeting young people. www.bsa.org/eucybersecurity 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback