<div>Dear all </div>
<div>The UK data protection provides a good benchmark with regards to data protection and privacy. </div>
<div> </div>
<div>The act requires all organisations which handle personal information to comply with the following eight principles, which make sure that personal information is:</div>
<ul>
<li>Fairly and lawfully processed
<li>Processed for limited purposes
<li>Adequate, relevant and not excessive
<li>Accurate and up to date
<li>Not kept for longer than is necessary
<li>Processed in line with your rights
<li>Secure
<li>Not transferred to other countries without adequate protection </li></li></li></li></li></li></li></li></ul>
<div>Data protection guide UK: <a href="http://www.ico.gov.uk/Home/for_organisations/data_protection_guide.aspx">http://www.ico.gov.uk/Home/for_organisations/data_protection_guide.aspx</a></div>
<div> </div>
<div>Kind regards</div>
<div>Mwende</div>
<div>
<p class="MsoNormal" style="MARGIN: 0cm 0cm 0pt; TEXT-ALIGN: justify; mso-layout-grid-align: none"><i style="mso-bidi-font-style: normal"><span lang="EN-US"><font size="3"><font face="Times New Roman">Disclaimer: Views expressed here are the author’s own</font></font></span></i></p>
</div>
<div> </div>
<div class="gmail_quote">On Tue, May 5, 2009 at 10:57 AM, John Walubengo <span dir="ltr"><<a href="mailto:jwalu@yahoo.com">jwalu@yahoo.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"><br>My take and just to drive Mwende's Challenge on how ready are we - I just googled afew kenya sites that have gone online. With intention to spread caution rather than fear, I have put some questions below each site.<br>
<br>Banking:<br><a href="https://s2b.standardchartered.com/ssoapp/login.jsp" target="_blank">https://s2b.standardchartered.com/ssoapp/login.jsp</a><br>Qtn: How sure are you that the site you are engaging in is actually what it claims to be and not a hoax operating from someone's internet laptop in Mogadishu or Bungoma?<br>
<br>Customs Services:<br><a href="https://forodha.kra.go.ke/" target="_blank">https://forodha.kra.go.ke/</a><br>Qtn: This is the KRA eCustoms site. I still dont know WHY i cannot access it using my Firefox browser, though it works with Microsoft Explorer. In Security terms, this is known as discriminatory NON-AVAILABILITY of services.<br>
<br>Utilities:<br><a href="http://www.posta.co.ke/" target="_blank">http://www.posta.co.ke/</a><br>Qtn: This site seems to have gone home with the MD! Was trying to get their postapay service. Question is what guarantees do we have that as government services get online - they do stay online?<br>
<br>Education:<br><a href="http://www.elearning.strathmore.edu/login/index.php" target="_blank">http://www.elearning.strathmore.edu/login/index.php</a><br>Qtn: Possibly the busiest educational site in sub-saharan africa. Question is, how sure are you that the assignment posted by the student was not done by the neighbor?<br>
<br>walu.<br>nb: Oh I 4got, Wash, plse check out Evans claim that KICTAnet passwords are in clear text. Otherwise I could log as the PS Ndemo and declare myself the newly appointed (coalition?) Government Cyber-Security Advisor!<br>
<br>--- On Tue, 5/5/09, Evans Kahuthu <<a href="mailto:ifani.kinos@gmail.com">ifani.kinos@gmail.com</a>> wrote:<br><br>> From: Evans Kahuthu <<a href="mailto:ifani.kinos@gmail.com">ifani.kinos@gmail.com</a>><br>
> Subject: Re: [kictanet] IG Discussion 2009, Day 7 of 10 - Data and Infrastructure Security<br>> To: <a href="mailto:jwalu@yahoo.com">jwalu@yahoo.com</a><br>> Cc: "KICTAnet ICT Policy Discussions" <<a href="mailto:kictanet@lists.kictanet.or.ke">kictanet@lists.kictanet.or.ke</a>><br>
> Date: Tuesday, May 5, 2009, 7:58 AM<br>
<div>
<div></div>
<div class="h5">> Good Morning,<br>> Mwende, further to your point regarding having not<br>> experienced critical<br>> security threat, it is important for end users and<br>> information owners to<br>> understand that just because they have not been<br>
> compromised, it does not<br>> necessarily mean that they are secure since this in<br>> security context<br>> is "Security by Obscurity".<br>> It is important to understand that hackers write code with<br>
> certain<br>> parameters of the target and thus when they execute such<br>> programs only<br>> applications that meet this criteria are compromised and<br>> thus the probabiity<br>> of them being victims is very slim.<br>
> In addition, before organisations can go on a spending<br>> spree on security<br>> programs, applications and human resource it is worthwhile<br>> for them to know<br>> that "Insiders" pose the greatest security threat<br>
> to their Information. With<br>> this in mind, there is need for internal Access Control<br>> mechanism to be<br>> implemented to help eliminate this threat.<br>><br>> As far as our current level of preparedness goes, a random<br>
> analysis of<br>> existing web applications, networks and hosting companies,<br>> its evident that<br>> we have a lot of work ahead of us.<br>> Case in point:<br>> 1. Recent "war drives" around Nairobi city center<br>
> reveals that most wireless<br>> networks are unsecured which provides a very convinient<br>> entry point to most<br>> black hat hackers into the business network.<br>> 2. Most of the dynamic web applications have severe<br>
> database security<br>> vulnerabillties. Using default security assesment methods,<br>> it is very easy<br>> to gain access to the underlying database data and<br>> structure.<br>> 3. Though its not considered as a "Critical"<br>
> application, the "KICTANET<br>> database" stores passwords in clear text which is a<br>> violation of the<br>> database Confidentiality rule.<br>><br>> To help protect our infrastructure and data, awareness is<br>
> paramount as this<br>> sets the base on what security should be implemented and<br>> how.<br>> Also important are policies, standards procedures to help<br>> govern the<br>> process.<br>><br>> Evans<br>
><br>> On Mon, May 4, 2009 at 4:52 PM, mwende njiraini<br>> <<a href="mailto:mwende.njiraini@gmail.com">mwende.njiraini@gmail.com</a>>wrote:<br>><br>> > Good morning!<br>> ><br>> > Today we continue our discussions on cybersecurity<br>
> specifically data and<br>> > infrastructure security.<br>> ><br>> ><br>> ><br>> > It now not uncommon to hear about cyber terrorism,<br>> cyber crime, cyber<br>> > attacks, Information Warfare, etc. Recent examples of<br>
> cyber attacks in<br>> > Estonia and Georgia show that the Internet offers an<br>> inexpensive and easy<br>> > weapon of modern warfare.<br>> ><br>> ><br>> ><br>> > Fortunately, we as a country may not have yet<br>
> experienced critical security<br>> > threats possibly because majority of<br>> users/organizations have access to<br>> > ‘less than broadband speeds’ thus providing no<br>> incentive for meaningful<br>
> > exploits. This presents a situation where low usage<br>> and poor connectivity<br>> > has acted as our “security”.<br>> ><br>> ><br>> ><br>> > However, with the growing use of the Internet,<br>
> encouraged by the<br>> > availability broadband connections locally, nationally<br>> (Fibre optic national<br>> > project, operator networks) and internationally<br>> (TEAMS, SEACOM), the number<br>
> > of incidences of online security breaches are set to<br>> increase.<br>> ><br>> ><br>> > Thank you Harry Delano (email 29th April) for raising<br>> the following<br>> > important questions for our discussion today.<br>
> ><br>> > - What is our level of cybersecurity preparedness<br>> (as government,<br>> > operator, service providers, private sector<br>> organizations and educational<br>> > institutions)?<br>
> > - Have we made an assessment of our cybersecurity<br>> preparedness levels,<br>> > to date, particularly with the impending landing of<br>> international submarine<br>> > fibre optic cable?<br>
> > - What is needed to protect our data and<br>> infrastructure from increased<br>> > threats and at what cost?<br>> ><br>> ><br>> ><br>> ><br>> > Regards<br>> > Mwende<br>
> ><br>> > _______________________________________________<br>> > kictanet mailing list<br>> > <a href="mailto:kictanet@lists.kictanet.or.ke">kictanet@lists.kictanet.or.ke</a><br>> > <a href="http://lists.kictanet.or.ke/mailman/listinfo/kictanet" target="_blank">http://lists.kictanet.or.ke/mailman/listinfo/kictanet</a><br>
> ><br>> > This message was sent to: <a href="mailto:ifani.kinos@gmail.com">ifani.kinos@gmail.com</a><br>> > Unsubscribe or change your options at<br>> ><br>> <a href="http://lists.kictanet.or.ke/mailman/options/kictanet/ifani.kinos%40gmail.com" target="_blank">http://lists.kictanet.or.ke/mailman/options/kictanet/ifani.kinos%40gmail.com</a><br>
> ><br>> ><br>> _______________________________________________<br>> kictanet mailing list<br>> <a href="mailto:kictanet@lists.kictanet.or.ke">kictanet@lists.kictanet.or.ke</a><br>> <a href="http://lists.kictanet.or.ke/mailman/listinfo/kictanet" target="_blank">http://lists.kictanet.or.ke/mailman/listinfo/kictanet</a><br>
><br></div></div>> This message was sent to: <a href="mailto:jwalu@yahoo.com">jwalu@yahoo.com</a><br>
<div class="im">> Unsubscribe or change your options at<br></div>> <a href="http://lists.kictanet.or.ke/mailman/options/kictanet/jwalu%40yahoo.com" target="_blank">http://lists.kictanet.or.ke/mailman/options/kictanet/jwalu%40yahoo.com</a><br>
<div class="im"><br><br><br><br>_______________________________________________<br>kictanet mailing list<br><a href="mailto:kictanet@lists.kictanet.or.ke">kictanet@lists.kictanet.or.ke</a><br><a href="http://lists.kictanet.or.ke/mailman/listinfo/kictanet" target="_blank">http://lists.kictanet.or.ke/mailman/listinfo/kictanet</a><br>
<br></div>This message was sent to: <a href="mailto:mwende.njiraini@gmail.com">mwende.njiraini@gmail.com</a><br>Unsubscribe or change your options at <a href="http://lists.kictanet.or.ke/mailman/options/kictanet/mwende.njiraini%40gmail.com" target="_blank">http://lists.kictanet.or.ke/mailman/options/kictanet/mwende.njiraini%40gmail.com</a><br>
</blockquote></div><br>