system of security controls
DESCRIPTION
The System of Security Controls for Cyber Security. Veaceslav PUȘCAȘU, E-Government Center, Government of the Republic of Moldova
TRANSCRIPT
The System of Security Controls for Cyber Security
October 3rd, 2013
GOVERNMENT OF THE REPUBLIC OF MOLDOVA
Veaceslav PUȘCAȘU, CISM
E-Government Center / Government CIO
Government of the Republic of Moldova
This presentation is
e-Government Center
• A summary of what was presented and discussed during the training seminars provided by the Estonian e-Governance Academy
• A summary of ideas circulated and discussed during the meetings of the Cyber Security Roadmap focal group, which includes representatives from MA, MTIC, SIS, CTS, CNPDCP, MAI
• A summary of the experience gained by some public institutions in the Republic of Moldova
• A summary of the experience gained by other countries, e.g. Estonia
Cyber Space
Cyber Space - an environment resulting from all types of interactions by means of software, hardware and communication infrastructure.
Cyber Security
Cyber Security - a state of normality reached as a result of applying a set of proactive and reactive measures to ensure confidentiality, integrity, availability, authenticity and non-repudiation of information, resources and services in cyber space.
Cyber Security Threats
Cyber Security in Republic of Moldova
Trends
• Increasing use of electronic services in the public sector, including in interaction with citizens and businesses;
• Increasing use of mobile devices;
• Widespread use of the Internet, including for business purposes;
• Increasing usage of ICT in national critical infrastructure;
• Increasing usage of ICT infrastructure to launch cyber attacks against other nations.
Cyber Security in Republic of Moldova
Threats
• Lack of a common approach for cyber security at the state level;
• Lack of clear organizational structure at both the state and institutional level;
• Lack of qualified people in the field;
• Very low level of awareness of the threats and safeguards in cyberspace;
• Lack of a unique set of measures (system of security baselines/controls) that should be applied according to the criticality of the systems;
• ………
Standards and Technical Regulations
• Government Decision no. 1123 of 14.12.2010 on the approval of the Requirements for ensuring the security of personal data during their processing within personal data information systems;
• Technical regulation. Ensuring the information security of the information infrastructure for public administration authorities, Annex no. 2 to MTIC Order 106 of 20 December 2010.
• SM SR ISO/IEC 27001:2006
Challenges
• Define requirements but lack implementation guidelines;
• Depend on the skills and knowledge of the persons involved in implementation;
• Are mostly based on risk assessment;
• No synchronization between them;
• etc.
System of Cyber Security Controls – Elaboration Process
System of Cyber Security Controls - ToRs
• Adopt an international best practice;
• Mandatory for public authorities;
• Compliant with the current legislative framework;
• Include: physical measures; technical measures; organizational measures;
• Define security classification levels (integrity, confidentiality, availability): Low, Medium, High;
• Free of charge and updated regularly;
• Provide requirements and clear guidance on how to implement them;
Examples: Recommended Security Controls for Federal Information Systems and Organizations (NIST 800-53), BSI (IT-Grundschutz Methodology), ISKE, SANS TOP 20, etc.
Compliance Certification of Authorities
Do not reinvent the wheel. It has already been invented…
• Outsource to private sector
• Define a compliance certification framework taking into consideration:
– International experience – e.g. PCI DSS
– Local experience – e.g. BNM
• Require internationally recognized certifications (e.g. CISA, CISM, CISSP, etc.)
System of Cyber Security Controls – Quick Wins
• Start with some simple things which can be implemented quickly
• Develop and expand to reach a state of “normality”
• Develop a cyber security guide based on the SANS 20 Critical Controls for Cyber Defense
• Encourage public authorities to implement the guide. Identify and fix the issues
• Include this guide as a part of the System of Cyber Security Controls
Summary
• One of the threats to cyber security is the lack of security baselines that should be applied according to the criticality of the systems
• Defining and implementing a System of Cyber Security Controls is a complex task which takes time to do right
• We should start with something simple which can be implemented quickly
• Further we should develop and expand to reach a state of “normality”
Thank you!