Professional Documents
Culture Documents
3
Introduction (1/2)
4
Introduction (2/2)
6
NCSecMS Components
NCSecFR
1
ITU ISO 5 Domains
Documents 27002 NCSec Framework 34 Processes
NCSecMM
2
NCSec For each
COBIT V4.1 Maturity Model
Framework Process
NCSecRR
3
National NCSec
Stakeholders Framework
Roles & RACI Chart
Responsibilities by Process
4
ISO ISO
NCSecIG
27003 27001
Implementation PDCA
Guide
7
2.1 – National Cybersecurity
Framework
8
NCSec Framework : 5 Domains
9
NCSec Framework : 34 processes
EM4 IO1 SP1 CC1
Nat Govce NCC AC1 Cyb Strat Coop Multi
GvtLeader
IO4 AC8
AC4 SP4 CC3
Privacy Cyb Culture
EM2 COP CIIP Privat Sect
Ass Prog
NCSec Strategy
SP1
Promulgate & endorse a National Cybersecurity Strategy
Lead Institutions
SP2 Identify a lead institutions for developing a national strategy, and 1 lead institution per stakeholder
category
NCSec Policies
SP3
Identify or define policies of the NCSec strategy
Critical Infrastructures
SP4 Establish & integrate risk management for identifying & prioritizing protective efforts regarding NCSec
(CIIP)
Stakeholders
SP5 Identify the degree of readiness of each stakeholder regarding to the implementation of NCSec strategy &
how stakeholders pursue the NCSec strategy & policies
11
Domain 2: Implementation and Organisation (IO)
PS Process Description
14
Domain 5: Evaluation and Monitoring (EM)
NCSec Observatory
EM1
Set up the NCSec observatory
NCSec Assessment
EM3
Assess and periodically reassess the current state of cybersecurity efforts and develop program priorities
NCSec Governance
EM4
Provide National Cybersecurity Governance
15
2.2 – Maturity Model
16
Maturity Model
PS Process Level 1 Level 2 Level 3 Level 4 Level 5
Description
SP1 Promulgate & Recognition of the NCSec is NCSec is NCSec is under NCSec is under
endorse a National need for a announced & operational for all regular review continuous
Cybersecurity National strategy planned. key activities improvement
Strategy
SP2 Identify a lead Some institutions Lead institutions Lead institutions Lead institutions Lead institutions
institution for have an are announced are operational are under regular are under
developing a national individual cyber- for all key for all key review continuous
strategy, and 1 lead security strategy activities activities improvement
institution per
stakeholder
category
SP3 Identify or define Ad-hoc & Similar & Policies and National best Integrated
policies of the Isolated common procedures are practices are policies &
NCSec strategy approaches to processes defined, applied procedures
policies & announced & documented, &repeatable Transnational
practices planned operational best practice
SP4 Establish & Recognition of the CIIP are Risk management CIIP risk CIIP risk
integrate risk need for risk identified & process is management management
management management planned. Risk approved & process is process evolves
process for process in CIIP management operational for all complete, to automated
identifying & process is CIIP repeatable, and workflow &
prioritizing announced lead to CI best integrated to
protective efforts practices enable
regarding NCSec improvement
(CIIP) 17
2.3 - Roles and Responsibilities
(RACI Chart)
18
RACI Chart / Stakeholders
Min
Tra
Na
Ac
Min
Na
Pri
He
Min
Le
Na
C iv
CS
IC
Cr
Mi
Go
ad
gi s
itic
no
tC
va
tC
ad
tC
de
IRT
il S
ve
of
of
of I
Au
em
te
al
iA
ER
yb
fD
rn
of
yb
Un
oc
Fin
Ed
s
tho
nt
Se
Inf
me
uth
ia
G
ef
Co
T
Au
ion
u
ras
ov
rity
ct
n
un
th
NCSec Strategy t
Promulgate & endorse a
SP1 National I A C C R C C C I I R I I I
Cybersecurity
Strategy
Lead Institutions
Identify a lead institutions
for developing a
SP2 national strategy, I I A C R C C I I R C C C C
and 1 lead institution
per stakeholder
category
NCSec Policies
SP3 Identify or define policies A C R C I C I R I I
of the NCSec
strategy
Critical Infrastructures
Establish & integrate risk
management for
SP4 identifying & A R R C I R C R I
prioritizing protective
efforts regarding
NCSec (CIIP)
19
R = Responsible, A = Accountable, C = Consulted, I = Informed
2.4 – Implementation Guide
20
NCSec Implementation Guide & PDCA
1
Approve
Implementation
2
Define Scope
& Strategy
3
Conduct
National context
Analysis
4
Conduct Risk
Assessment
5
Design
NCSec Management
System
6
Implement
NCSec Management
System
Plan
Establish
NCSecMS
Maintain Implemente
Act & Improve & Operate Do
Monitor 21
& Review
Check
High Level
NCSec Decision Makers Implementation Guide
1
HL Approve HL
Awarness Implementation Commitment
2
HL NCSec NCSec
Commitment Framework Define Scope Strategy
& Strategy
3
NCSec NCSec Nat. Inf Sec
Conduct
Strategy Maturity Model Assessment
National Context
Analysis
4
Nat. Inf Sec NCSec Processes
Conduct Risk Selected
Assessment Framework Assessment
5
NCSec
Processes NCSec Design
Managnt Syst
Selected RACI Chart NCSec Managnt
System
6
ISO Implement NCSec MS
NCSecIG
27001 NCSec Managnt Implemt Prg
System 22
3 – Research Papers
ACM Publication
ECEG 2009
9th European Conference on e-Government
Westminster Business School, University of Westminster, London, UK
29-30 June 2009
Abstract: Security Maturity Model is a systematic approach that replaces traditional security metrics.
There is more than one Security Maturity Model (SMM, COBIT, CERT/CSO, ISM3), and each of
them has only five levels of maturity, providing the blueprint for a complete security program,
telling management the order in which to implement security elements (ISM3 Consortium 2007),
and leading toward the use of best practice standards (e.g., BS 17799). But very few of them are
dedicated to National Cybersecurity.
We propose in this paper a “National CyberSecurity Maturity Model”, that will make it possible to
evaluate the security of a country or a whole region, making thus comparisons between them, and
pointing out its forces and threats.
4 – Morocco Case
26
Morocco ICT Strategic Plan
Objectives:
Set up a National Cybersecurity policy that aims to ensure business trust,
enhance security capabilities, and secure information critical
infrastructures.
Contact Information:
Phone : +212 537 26 86 21/22
Email : t.debbagh@technologies.gov.ma
30