Name: Salma Ashraf Gaber ID:18190324

1.Why do you need to engage your cybersecurity stakeholders?

If you are new to the idea of taking an enterprise-wide process to

cybersecurity you may question, why is this process is needed. after all,
your organization is probably spending considerable resources to train
and develop cybersecurity specialists. cyber expertise and powerful IT
security tools are indeed critical. unfortunately, your IT security team
.cannot manage this threat alone

Cybersecurity and the public sector.2

To a large extent, only national governments can lead national
cybersecurity efforts that involve all national stakeholders. In addition to
putting in place substantive measures to counter cybersecurity threats,
governments have the central task of establishing, among all
stakeholders, a common awareness and understanding of cybersecurity as
well as a common recognition of each stakeholder's roles and
.responsibilities
Role and responsibility of government 2.1
The role and responsibility of government in cybersecurity is extensive.
Given the vital role of ICTs in the nation, the wide range of threats and
vulnerabilities and the cross-sector nature of cybersecurity, many national
governments assume a variety of roles and shoulder an extensive array or
responsibilities ranging from national level policymaking to citizen level
capacity-building. the cybersecurity roles and responsibilities of
:government can be organized loosely into the following categories
. Policymaking
. Legal Measures
. Organizational Structures
o Institutional organization and coordination; and
.o Incident management and cybersecurity readiness assessment
. Capacity building
. Public-private sector cooperation and industry regulation
Policymaking (and establishing a national cybersecurity 2.1.1
strategy)
Leadership in the area of cybersecurity by national governments is
manifested largely through the government's national policy-making role.
Governmental policymaking in the area of cybersecurity provides, at the
highest level, a common understanding and vision of the problem,
allowing for coordinated national action that would realize national
.cybersecurity objectives
The preparation of a national cybersecurity strategy is an essential first
:step in addressing cybersecurity challenges. Such a statement typically
 highlights the importance of ICTs to the nation (e.g., by providing
information on the role of ICTs in the economy, society and national
security, and the industrial and governmental processes dependent on
.ICTs)
 identifies and evaluates potential risks and threats (e.g., cyber-attacks,
.cybercrime, etc.)
 establishes cybersecurity related objectives (e.g., containment of cyber-
attacks, detection and prosecution of cybercrime, protection of data
.resources, etc.)
 identifies the actions to be taken in order to achieve those objectives
(e.g., establishment of incident response centers, adoption of
cybersecurity standards, building consumer awareness, etc.). and
 sets out the roles and responsibilities of all stakeholders in the process
(including a mechanism for information sharing, cooperation and
.collaboration)

The national cybersecurity strategy can also place cybersecurity efforts

into the context of other national efforts, such as homeland security and
the development of an information society. In many countries, national
cybersecurity strategy is typically promulgated at a high level of
government, often by the head of government, in order to get the buy-in
of all stakeholders. For example, in the case of Brazil, the national
cybersecurity strategy is led from the Office of the President (see Box 1
below). At the same time, however, national cybersecurity policy is
typically developed cooperatively through consultation with all relevant
stakeholders, including other government institutions, industry, academia,
and civil society. In some countries, such policies also integrate state,
local, and community-based approaches that feed into the larger national
.context

Legal Measures 2.1.2

An effective cybersecurity effort requires the establishment, review and,
if necessary, amendment of relevant legal infrastructures that support
modern ICTs. This requires updating of criminal laws, procedures and
policies to address cybersecurity incidents and respond to cybercrime. As
a result, many countries have made amendments in their penal codes, or
are in the process of adopting amendments, taking in consideration
existing international frameworks and recommendations. As a priority,
criminal law, procedures and policy should be reviewed to ensure the
prevention, investigation, and prosecution of all forms of cybercrime. In
addition, legislation that ensures the security of information and
information infrastructures should be introduced. Such legislation
:typically deals with issues that include the following
. Security in electronic communications
. Fraudulent use of computer and computer systems
. Protection of personal data and privacy
 Certification, digital signatures and Public Key Infrastructure (PKI),
.among others
Beyond their enactment, cybersecurity laws must also be effectively
enforced. An effective anti-cybercrime effort will require the
modernization of law-enforcement agencies, the establishment of
dedicated cybercrime units, and the training of prosecutors and judges. As
many instances of cybercrime cuts across borders, participation in
international efforts to respond to cybercrime forms an integral part of the
.national cybercrime prevention effort

Organizational Structures 2.1.3

Institutional organization and coordination
The institutional organization and coordination of government institutions
for cybersecurity is a vital element of a successful cybersecurity effort. In
the context of the role and responsibility of government, it typically
involves the organization and coordination of cybersecurity roles and
responsibilities among appropriate government institutions in order to
carry out the actions that are required to meet cybersecurity objectives. A
detailed organization and cooperation framework is essential in order to
avoid institutional gaps in the national cybersecurity effort as well as to
avoid overlaps in responsibilities which can prove just as damaging.
Where overlaps in responsibilities exist, there is often either a tendency
towards passiveness by the institutions concerned, or at the other extreme,
.a potential for the introduction of conflicting regulations and approaches
Universally, a concerted cybersecurity effort at the government level
requires organizing and coordinating the work of multiple authorities and
government departments, who often have different mandates and
perspectives on the problem. As such, the delegation of roles and
responsibilities among government institutions is a delicate one and, in
many cases, it is undertaken by a government institution with a high-level
mandate, such as the cabinet or the presidential office, as is the case with
the National Infrastructure Security Co-ordination Centre (NISCC) in the
United Kingdom or the Department of Homeland Security in the United
States. Such high-level oversight is often necessary to efficiently settle
potential conflicts where overlaps in institutional jurisdiction and
.responsibilities exist
In practice, the actual delegation of cybersecurity roles and
responsibilities among the different government institutions varies widely
from country to country as such decisions are based on a wide range of
.considerations
Incident management and cybersecurity readiness assessment
The capability to detect, to investigate and analyze, and to respond to
cyber-threats and attacks is an indispensable component of cybersecurity.
In this respect, computer incident response teams (CIRTs) in various
forms have been established by a wide range of groups (e.g., operators,
businesses, universities, etc.) at the national and international level.
CIRTs vary dramatically in the services they provide and the constituents
they serve. Some have national responsibility while most belong to
private organizations and are established to fulfill specific functions,
depending on their situation. A key function that all CIRTs share is the
ability to provide
timely information about the latest threats and )1(
.assistance in response to incidents when needed )2(
While many CIRTs have been created from the bottom-up, it is generally
acknowledged that it is important for governments to establish an incident
management capability on a national level to prevent, prepare for,
respond to, and recover from cybersecurity incidents. National CIRTs
also typically assume responsibilities for readiness and response to large-
.scale attacks
Such an incident management capability would necessarily extend
beyond the traditional CIRT role to include coordination and
management capabilities in terms of cybersecurity crisis. It would also
make tactical or strategic information available to key stakeholders within
the public and private sectors. Examples of such CIRTs can be found in
Canada (Integrated Treat Assessment Center) and in Switzerland
.(Reporting and Analysis Center for Information Assurance, MELANI)
Given the cross-border nature of cyber threats and attacks, active
participation in international and regional cybersecurity incident
monitoring activities forms a necessary part of the CIRT national effort.
Such activities can include active participation in an international CIRT
organization (e.g., Asia Pacific Computer Emergency Response Team
(APCERT), Forum of Incident Response Security Team (FIRST), etc.) or
international incident management exercises. For example, US-CERT has
organized major international exercises (e.g., “Cyberstorm”, involving
Australia, New Zealand, and Canada), simulating large-scale attacks on
.critical sectors
The conduct of cybersecurity exercises to test readiness and
responsiveness form part of the larger role of government to evaluate and
review the level of cybersecurity preparedness of the nation. Such a role
typically involves the organization and execution of periodic
cybersecurity risk assessments and strategy reviews on both the national
and sector-specific (e.g., financial, manufacturing, retail, etc.) levels. The
result of such cybersecurity assessments can, in turn, lead to a thorough
review of existing cybersecurity-related legislation and regulation as well
as sector specific legislation and regulation, such as financial laws and
.regulation
Capacity Building 2.1.4
Generally, many end-users (including private enterprises, public entities,
and home users) lack the awareness and resources to manage cyber-
security risks adequately. Many information system vulnerabilities exist
.because of a lack of cybersecurity awareness on the part of users
End user outreach efforts, therefore, at the most basic level, entail the
development of a concerted strategy to communicate the importance of
cyber-security and their role across the country. Such a strategy would
identify practical information for dissemination to their target audiences
.and initiatives to ensure the adoption of those practices
Capacity-building in the area of cybersecurity is a necessary complement
to the building of cybersecurity awareness. For a culture of cybersecurity
to be firmly established, the level of cybersecurity competence in general
must be increased. In part, this can be achieved by making basic
cybersecurity-related training more readily available to the public (e.g.,
through interactive websites) and by promoting industry efforts to train
.personnel and to adopt widely accepted security certifications
In addition, governments must encourage academia to provide for the
education of a ready pool of trained cybersecurity professionals to meet
the increasing demands of both the public and the private sector in the
.field

Public-private sector cooperation and industry regulation 2.1.5

A comprehensive national cybersecurity effort requires the establishment
of a coordination and cooperation framework through which all
stakeholders, from both the public and private sector, can collaborate in
the development and refinement of cybersecurity policy and cooperate in
the implementation of cybersecurity operational efforts. Such a
framework would allow governments, businesses, civil society and
individual users to work together to develop and implement measures that
incorporate technical (e.g., standards), procedural (e.g., guidelines,
standards, or mandatory regulations) and personnel (e.g., best practices)
safeguards. Such measures include, for example, promoting government
and industry adoption of international standards related to cybersecurity
(e.g., ISO 27001 on Information Security Management System) and the
.implementation of certification schemes (e.g., Public Key Infrastructure)
Governments in almost all countries have recognized the importance of
public-private sector cooperation in cybersecurity. The development of a
close mutually beneficial relationship facilitates the overall management
of cyber threats and cybersecurity. Realistically, many governments
actively promote cooperation and information-sharing with the private
sector, as large parts of critical infrastructures are owned and operated by
private business. Only by understanding the cybersecurity challenges
facing the private sector can an effective national cybersecurity strategy
and policy be adopted. Cooperation between government and industry is
also essential in the response and recovery phase of cybersecurity
.incidents
The exact approach countries take to achieve public-private sector
cooperation varies based on local conditions and needs. Examples include
government-led task forces, industry-led forums, and joint public-private
initiatives. In countries such as Switzerland, Republic of Korea, the
United Kingdom, and the United States, strong links have already been
established between the private business community and various
.government organizations in the area of cybersecurity
A key challenge presented to governments and industry alike in this
context is the search for a balance between national cybersecurity
requirements and business efficiency imperatives. Satisfying shareholder
interests by maximizing company profits has often led to minimal
security measures on the part of the private sector partly because
businesses tend to view cyber-threats as a tolerable risk. In these
situations, governments have sometimes found it necessary to introduce
measures that compel or encourage the private sector to prioritize
.cybersecurity and to adopt sufficient safeguards
To the extent that government supports science and technology and
research and development (R&D) activities, some of its efforts should be
directed towards cybersecurity and the protection of information
infrastructures. Through partnerships with the private sector and
academia, governments can help shape the development of cybersecurity
related technologies, techniques, standards and processes that further the
.national cybersecurity agenda