[kictanet] EAIGF, Cyber Security and Kenya CIRT-CC

Evans Ikua ikua.evans at gmail.com
Tue Jul 17 18:21:57 EAT 2012


At the ongoing EA IGF at Jacaranda Hotel, Brian Longwe pointed out an
important issue that relates to cyber security. He pointed out that there
needs to be a sort of "cyber security police" organization that
enforces cyber security among users, knowing that users are the biggest
point of weakness when it comes to information security. He is right on.
But looking at it from another perspective, knowing that users include or
belong to organizations, it's important to point out that what Brian was
referring to is called compliance. But one may ask, compliance with what, and
who is there to enforce the compliance across the board?

One question I always ask participants in our information security
trainings is how well they have secured their networks. Very few people are
able to answer this question in a satisfactory manner. The thing is, when
you secure your information assets, what benchmark do you use, and how can
you tell how well you are doing based on that benchmark? That's called
capability maturity.

To tie my argument together, what is required is a framework that lays down the
enforcement of information security within organizations in particular
industries, and even down to individuals. Call it data protection, and
bring in the issue of the data protection legislation that is being worked
on. From my point of view, this data protection bill lacks depth in
specifying this framework which can be used across the industry by all, be
it in the private sector or public sector. If we were to compare this to
the SOX Act or HIPAA, we would find that ours is quite shallow and still
needs a lot of depth so that it can effectively provide this "policing"
framework.

Touching on what CCK informed us regarding the CIRT-CC, I realized that there
is no adequate representation there from the private sector, apart from
TESPOK, which is made up of infrastructure owners. It would be good to include
professional bodies like ISACA, as they do have excellent skills that they
can contribute on a policy level. Another important body missing in action
is the Kenya Bureau of Standards, which is involved on an international
level in making the actual standards that are relied on for information
security.

These are just the comments that I would have made there, but the time was
very limited, so I hope those responsible can take note.

-- 
----------------------------------------------------
Kind Regards,
Evans Ikua,
lanetconsulting.com,
lpi-eastafrica.org,
ict-innovation.fossfa.net,
Skype: @ikuae
Cell: +254-722-955831