National ICT Security Master Plan - PowerPoint PPT Presentation

Slides: 28
Provided by: IR0146

Transcript and Presenter's Notes


1
National ICT Security Master Plan
2
National ICT Security Master Plan
3
The Need for a National-level Information
Security Master Plan
4
The Current Situation
  • Opportunity for Harm
  • Main Types of Cyber Threats
  • ICT Security Focused

5
Opportunity for harm
  • by deliberate action
  • by neglect

6
Main Types of Cyber threats
  • Malware
  • Worms
  • Virus
  • Trojan
  • Hackers, Cyber-crime, Cyber-terrorists
  • Users and System Owners
  • People lack ICT security skills, compared to
    IT staff

7
ICT Security Focused
  • Perimeter Protection
  • Internal Data Leaks and Security Breaches
    Protection
  • Find the right mix of processes and technology
    that suit the business or organization mission

8
The Need for ICT Security Master Plan
  • To organize national initiatives to build
    capabilities to protect CII
  • To establish national priorities
  • Public
  • Private
  • Social
  • a 5-year Strategic Roadmap
  • 2 Key thrusts
  • Develop a comprehensive national plan for
    securing the key resources and critical
    infrastructures
  • Provide vigilant surveillance and immediate
    response to threats or attacks on critical
    information systems

9
Addressing Key Security Domains
10
Security Policy and Organization
  • Key Activities
  • Define information security, its overall
    objectives, and scope and importance of security
    to national interests.
  • Formalize security policies, principles,
    standards and compliance requirements of
    particular importance to the nation
  • Define general and specific responsibilities
    for information security management
  • Set up monitoring procedures to ensure
    compliance to the policy
  • Establish disciplinary procedures for security
    violations, as well as methods for granting
    exceptions to policies and standards
  • Establish management procedures to ensure that
    policies, standards, guidelines and procedures
    are duly maintained

11
Security Policy and Organization (2)
  • Refer to International Best Practices
  • Define Management Framework for Implementation
  • Identify Sources of Specialist IS Advice

12
Information Systems and Network Management
  • Components
  • Operating Systems
  • Infrastructure
  • Commercial off-the-shelf products
  • Services
  • User-developed applications
  • Secure management of network
  • Software
  • Platform
  • Implementation standards

13
Authentication and Access Control
  • Access control rules and rights for users
  • Unique identification and authentication
    technique defined
  • Policy on cryptographic techniques deployment

14
Human Resources Security
  • Segmentation
  • Large businesses
  • Public agencies
  • Home users
  • Small businesses
  • Security roles and responsibility defined
  • Awareness, education and training provision

15
Information Security Incident Management
  • Formal event reporting escalation procedures
  • Regular monitoring of systems, alerts and
    vulnerabilities
  • To coordinate response and share information with
    external organizations

16
Business Continuity Management
  • At a national-level
  • Provide risk assessment and business impact
    analysis

17
Key Initiatives to Enhance National ICT Security
18
See Table
19
National Security Policy
  • Adopting ISO17799/27001 ISO27001
  • Plan-Do-Check-Act via an Information Security
    Management System (ISMS)

20
National Cyber Security Operations Analysis
Centre
  • NCSOAC for real-time situation awareness
  • Number of Security Operation (SOC) Centres set up
  • a National-level Cyber-Security Analysis Centre
    (NCSAC) linked to various C-SOCs
  • Crisis management support
  • Coordinating with other public and private sector
    agencies
  • Provide advice on appropriate protective measures
    and countermeasures

21
Computer Emergency Response Team (CERT)
  • Computer Emergency Response Team (CERT)
  • Computer Security Incident Response Team (CSIRT)
  • Computer Incident Advisory Capability (CIAC)

22
CERT
  • (Thai-language slide text lost in extraction; the
    surviving terms are CERT, CSIRT, ThaiCERT and
    CERT/CC)

23
ICT Security Scorecard
  • To measure the effectiveness of information
    security, esp. of the public sector
  • Set benchmark for private sector to follow
  • Refer to ISO17799/ISO27001 in IS domains

24
Others
  • National Electronic Authentication Infrastructure
  • National Cyber Security Awareness Programme
  • National Certification for Information Security
    Professionals
  • Vulnerability Assessment for Critical
    Infrastructure
  • Business Continuity Readiness Assessment
    Framework
  • Certification of Information Products

25
Licensing Requirements
26
To Deploy Security Systems
  • Simple Network Management Protocol Version 3
    (SNMPv3)
  • e-Mail encryption
  • Software Vendors to provide interoperable secure
    products
  • Microsoft's Vista Server
  • Cisco's Security Management, Analysis and
    Response Systems (MARS)
  • Enterprise Technology Trends
  • IP Mobility
  • Collaboration
  • Interoperability
  • To raise the IT security culture, not to change
    how others work
  • People
  • Process
  • Technology

27
To evaluate IS Consultants and Service Providers
  • Experience in implementing ICT security master
    plan for other countries
  • Experience in implementing government projects
  • etc.