Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 EDITION
Executive Summary

The world’s economies continue to develop with an ever-increasing dependence on technology. If we do not ensure that cybersecurity capacity exists across the entirety of cyberspace, we will inevitably create cyber-ghettos. In such environments, cyber-harm may become prevalent and cyber-attacks can easily be launched. The ability of countries to respond and grow capacity in the face of changing threats – be they due to trends in technology use, the socio-political climate, or evolution of the threat-actor ecosystem – has never been more important.

The Cybersecurity Capacity Maturity Model for Nations (CMM) helps nations understand what works, what does not work and why, across all areas of cybersecurity capacity. This is important so that governments and enterprises can adopt policies and make investments that have the potential to significantly enhance safety and security in cyberspace, while also respecting human rights, such as privacy and freedom of expression.

Since 2015, the Global Cyber Security Capacity Centre (GCSCC, Capacity Centre) has actively promoted the CMM across sectors, to drive conversation around cybersecurity capacity and to help improve global technology. The resulting adoption of the CMM by various key international stakeholders, and the completion of more than 120 CMM reviews in more than 85 countries around the world, demonstrates the positive impact of the research, supports government self-assessments and informs the development of industry tools and resources.

Prompted by the changing threat landscape and corresponding cybersecurity practice, the GCSCC has led a revision of the CMM, the first to be carried out since the 2016 edition was issued. To produce this 2021 edition, the Capacity Centre undertook a global collaborative exercise aimed at extracting and synthesising the community’s latest knowledge. The GCSCC developed change proposals based on lessons learned from CMM deployments, and undertook a series of online and offline consultations with experts, to validate the findings and discuss the changes. Those who were consulted included the GCSCC Expert Advisory Panel, strategic, regional and implementation partners of the GCSCC, and other experts from academia, international and regional organisations, governments, the private sector, and civil society. Based on their input, indicators for each Aspect have been identified, designed, refined, and validated.

Actors around the world, ranging from individuals to nation states, need to ensure that cyberspace and the systems dependent on it are resilient to increasing attacks. The CMM 2021 Edition and its deployment will continue to contribute towards efforts to achieve this resilience, not only by gaining a more profound understanding of international cybersecurity capacity, but also by increasing effective investment into cybersecurity capacity based on a rigorous analysis of data collected from the deployment of the model. Critical gaps in all areas of international cybersecurity will be identified and filled with scalable and effective countermeasures, in co-operation with international partners from the global cybersecurity community.

The enhancement of the CMM is not intended to be a static exercise; a continuous process of refinement will be maintained to ensure the CMM remains applicable to all national contexts and reflects the global state of cybersecurity capacity maturity. However, this evolution will continue to be a considered exercise, stimulated by evidence and practice.
Contents

Executive Summary 2
A National Cybersecurity Assessment with the CMM 4
The Dimensions of National Cybersecurity Capacity 5
The Structure of the CMM 7
Dimension 1: Cybersecurity Policy and Strategy 9
D 1.1: National Cybersecurity Strategy 12
D 1.2: Incident Response and Crisis Management 14
D 1.3: Critical Infrastructure (CI) Protection 16
D 1.4: Cybersecurity in Defence and National Security 17
Dimension 2: Cybersecurity Culture and Society 19
D 2.1: Cybersecurity Mindset 22
D 2.2: Trust and Confidence in Online Services 23
D 2.3: User Understanding of Personal Information Protection Online 26
D 2.4: Reporting Mechanisms 27
D 2.5: Media and Online Platforms 28
Dimension 3: Building Cybersecurity Knowledge and Capabilities 29
D 3.1: Building Cybersecurity Awareness 32
D 3.2: Cybersecurity Education 34
D 3.3: Cybersecurity Professional Training 36
D 3.4: Cybersecurity Research and Innovation 37
Dimension 4: Legal and Regulatory Frameworks 38
D 4.1: Legal and Regulatory Provisions 41
D 4.2: Related Legislative Frameworks 43
D 4.3: Legal and Regulatory Capability and Capacity 45
D 4.4: Formal and Informal Co-operation Frameworks to Combat Cybercrime 47
Dimension 5: Standards and Technologies 48
D 5.1: Adherence to Standards 51
D 5.2: Security Controls 53
D 5.3: Software Quality 55
D 5.4: Communications and Internet Infrastructure Resilience 56
D 5.5: Cybersecurity Marketplace 57
D 5.6: Responsible Disclosure 59
Evolution of the CMM 60
Acknowledgements 61
About the GCSCC 62
A National Cybersecurity Assessment with the CMM

The CMM review of a country involves data-gathering by a team of researchers who carry out in-country stakeholder consultation and desk research. The output is an evidence-based report which:

• benchmarks the maturity of a country’s cybersecurity capacity;
• details a pragmatic set of actions to contribute to the advancement of cybersecurity capacity maturity gaps; and
• identifies priorities for investment and future capacity-building, based on a country’s specific needs.

According to an independent study commissioned by the UK Foreign, Commonwealth and Development Office, the benefits of a CMM review for a country are numerous and include:

• increased cybersecurity awareness and capacity building, and greater collaboration within government;
• networking and collaboration with business and wider society;
• the enhancement of the internal credibility of the cybersecurity agenda within governments;
• help in defining roles and responsibilities within governments;
• providing evidence to increase funding for cybersecurity capacity building; and
• a foundation for country strategy and policy development.

It is important that a country can evidence its achievements in cybersecurity capacity and the CMM identifies what that evidence should be, and what it demonstrates. Such evidence gathering is in itself a multi-stakeholder process, involving a wide range of sources and organisations. Discussions can be important to resolve differences of opinion. Whether such discussions can be effective if done remotely (and online), or will necessitate face-to-face meetings, will depend upon the country undertaking a review.

For more information on the CMM review methodology, process and exemplary CMM reports, visit: https://gcscc.ox.ac.uk/the-cmm
The Dimensions of National Cybersecurity Capacity

The CMM considers cybersecurity to comprise five Dimensions which together constitute the breadth of national capacity that a country requires to be effective in delivering cybersecurity:

1. Developing cybersecurity policy and strategy;
2. Encouraging responsible cybersecurity culture within society;
3. Building cybersecurity knowledge and capabilities;
4. Creating effective legal and regulatory frameworks; and
5. Controlling risks through standards and technologies.

[Figure: the five Dimensions – Dimension 1 Cybersecurity Policy and Strategy; Dimension 2 Cybersecurity Culture and Society; Dimension 3 Building Cybersecurity Knowledge and Capabilities; Dimension 4 Legal and Regulatory Frameworks; Dimension 5 Standards and Technologies]
Dimension 1 Cybersecurity Policy and Strategy explores the country’s capacity to develop and deliver cybersecurity strategy, and to enhance its cybersecurity resilience by improving its incident response, cyber defence and critical infrastructure (CI) protection capacities. This Dimension considers effective strategy and policy in delivering national cybersecurity capability, while maintaining the benefits of a cyberspace vital for government, international business and society in general.

Dimension 2 Cybersecurity Culture and Society reviews important elements of a responsible cybersecurity culture such as the understanding of cyber-related risks in society, the level of trust in Internet services, e-government and e-commerce services, and users’ understanding of personal information protection online. Moreover, this Dimension explores the existence of reporting mechanisms functioning as channels for users to report cybercrime. In addition, this Dimension reviews the role of media and social media in shaping cybersecurity values, attitudes and behaviour.

Dimension 3 Building Cybersecurity Knowledge and Capabilities reviews the availability, quality and uptake of programmes for various groups of stakeholders, including the government, private sector and the population as a whole, and relate to cybersecurity awareness-raising programmes, formal cybersecurity educational programmes, and professional training programmes.

Dimension 4 Legal and Regulatory Frameworks examines the government’s capacity to design and enact national legislation that directly and indirectly relates to cybersecurity, with a particular emphasis placed on the topics of regulatory requirements for cybersecurity, cybercrime-related legislation and related legislation. The capacity to enforce such laws is examined through law enforcement, prosecution, regulatory bodies and court capacities. Moreover, this Dimension observes issues such as formal and informal co-operation frameworks to combat cybercrime.

Dimension 5 Standards and Technologies addresses effective and widespread use of cybersecurity technology to protect individuals, organisations and national infrastructure. This Dimension specifically examines the implementation of cybersecurity standards and good practices, the deployment of processes and controls, and the development of technologies and products in order to reduce cybersecurity risks.

The CMM defines five Stages of maturity for all Dimensions being: start-up, formative, established, strategic, and dynamic. These correspond to the following: initial development of capacity, being established, being world-leading, and able to anticipate and prepare for future cybersecurity needs.

It should be noted that there are relationships between the Dimensions; for example, to be effective in one area of capacity often places requirements on other areas¹. It is also the case that resources are limited and priorities for capacity enhancements such as the understanding of cyber-related risks are likely to require a response which could span multiple Dimensions. Therefore, a benchmarking activity reviews a country against the entire CMM and across all Dimensions, enabling an holistic consideration of national capacity.

¹ For a country to reach an established level of maturity under the Aspect ‘Initiatives by Government’ in Factor 3.1 Building Cybersecurity Awareness, one of the requirements that must be met is that the content of the co-ordinated national cybersecurity awareness-raising programme includes explicit links to national cybersecurity strategy. Similarly, for a country to reach an established level of maturity under the Aspect ‘Administration’ in Factor 3.2 Cybersecurity Education, cybersecurity education priorities resulting from the multi-stakeholder consultation process should be reflected in the national cybersecurity strategy.
The Structure of the CMM

Dimension
The five Dimensions together cover the breadth of national cybersecurity capacity assessed by the CMM. Each Dimension is constituted by a range of Factors, which capture the core capacities required to deliver the Dimension. Together, they represent the different ‘lenses’ through which cybersecurity capacity can be evidenced and analysed.

Factor
Within the five Dimensions, Factors describe what it means to possess cybersecurity capacity. These are the essential elements of national capacity, which are then measured for maturity Stage. The complete list of Factors seeks to holistically incorporate all of a nation’s cybersecurity capacity needs. Most Factors are composed of a number of Aspects which structure the Factor’s Indicators into more concise parts (which directly relate to evidence gathering and measurement). However, some Factors that are more limited in scope do not have specific Aspects.

Aspect
Where a Factor possesses multiple components, these are Aspects. Aspects are an organisational method to divide Indicators into smaller clusters that are easier to comprehend. The number of Aspects depends on the themes that emerge in the content of the Factor and the overall complexity of the Factor.

Indicator
Indicators represent the most basic part of CMM’s structure. Each Indicator describes the steps, actions, or building blocks that are indicative of a specific Stage of maturity. To have successfully reached a Stage of maturity, a country will need to convince itself that it can evidence each of the Indicators. In order to elevate a country’s cybersecurity capacity maturity, all of the Indicators within a particular Stage will need to have been fulfilled. Most of these Indicators are binary in nature, i.e., the country can either evidence it has fulfilled the Indicator criteria, or it cannot provide such evidence.

Stage
Stages define the degree to which a country has progressed in relation to a certain Factor or Aspect of cybersecurity capacity. The CMM consists of five distinct Stages of maturity: start-up, formative, established, strategic, dynamic (detailed on page 8). A CMM review will benchmark a country against these Stages, capturing existing cybersecurity capacity, from which a country can improve or decline depending on the actions taken (or inaction). Within each Stage there are a number of Indicators which a country has to fulfil to successfully have reached the Stage.

[Figure: Dimension > Factor > Aspect > Start-up Stage, Formative Stage, Established Stage, Strategic Stage, Dynamic Stage, each Stage comprising its Indicators]
The Stages of National Cybersecurity Capacity

Stages define the degree to which a country has progressed in relation to a certain Factor or Aspect of cybersecurity capacity (see page 7). A CMM review will benchmark a country against these Stages, capturing existing cybersecurity capacity.

Start-up
At this Stage, either no cybersecurity maturity exists, or it is very embryonic in nature. There might be initial discussions about cybersecurity capacity building, but no concrete actions have been taken. There may be an absence of observable evidence at this Stage;

Formative
Some features of the Aspect have begun to grow and be formulated, but may be ad hoc, disorganised, poorly defined or simply new. However, evidence of this activity can be clearly demonstrated;

Established
The Indicators of the Aspect are in place, and evidence shows that they are working. There is not, however, well thought-out consideration of the relative allocation of resources. Little trade-off decision-making has been made concerning the relative investment in the various elements of the Aspect. But the Aspect is functional and defined;

Strategic
Choices have been made about which parts of the Aspect are important, and which are less important for the particular organisation or nation. The strategic Stage reflects the fact that these choices have been made, conditional upon the nation or organisation’s particular circumstances; and

Dynamic
At this Stage, there are clear mechanisms in place to alter national strategy depending on the prevailing circumstances, such as the technology of the threat environment, global conflict, or a significant change in one area of concern (e.g. cybercrime or privacy). There is also evidence of global leadership on cybersecurity issues. Key sectors, at least, have devised methods for changing strategies at any stage during their development. Rapid decision-making, reallocation of resources, and constant attention to the changing environment are features of this Stage.

The CMM allows the benchmarking of current national cybersecurity capacity. Understanding the requirements to achieve higher levels of capacity will directly indicate areas for further investment, and how to evidence such capacity levels. The CMM can also be used to build business cases for investment and expected performance enhancements. Combining a CMM review with national risk assessments, social, and economic strategies can further prioritise which capacity enhancements to make.
Dimension 1: Cybersecurity Policy and Strategy

This Dimension explores the country’s capacity to develop and deliver cybersecurity strategy and enhance its cybersecurity resilience through improving its incident response, cyber defence and critical infrastructure protection capacities. This Dimension considers effective strategy and policy in delivering national cybersecurity capability, while maintaining the benefits of a cyberspace vital for government, international business and society in general.
Factor D 1.1: National Cybersecurity Strategy

Cybersecurity strategy is essential to mainstreaming a cybersecurity agenda across government because it helps prioritise cybersecurity as an important policy area, determines responsibilities and mandates of key cybersecurity government and non-governmental actors, and directs allocation of resources to the emerging and existing cybersecurity issues and priorities.

Aspects
• Strategy Development: this Aspect addresses the development of a national strategy, allocation of implementation authorities across sectors and civil society, and an understanding of national cybersecurity risks and threats which drive capacity building at a national level;
• Content: this Aspect addresses the content of the national cybersecurity strategy and whether it is linked explicitly to national risks, priorities and objectives such as national security, public awareness raising, and mitigation of cybercrime, incident response capability and critical national infrastructure protection;
• Implementation and Review: this Aspect addresses the existence of an over-arching programme for cybersecurity co-ordination, including a departmental owner or co-ordinating body with a consolidated budget; and
• International Engagement: this Aspect explores to what extent the country is aware of the existence of international discussions on cybersecurity policy, and how the international debates on cybersecurity policy and related issues affect the country’s interests and international standing.

Factor D 1.2: Incident Response and Crisis Management

This Factor addresses the capacity of the government to identify and determine characteristics of national level incidents in a systematic way. It also reviews the government’s capacity to organise, co-ordinate, and operationalise incident response, and whether cybersecurity has been integrated into the national crisis management framework.

Aspects
• Identification and Categorisation of Incidents: this Aspect identifies whether internal mechanisms are in place for identifying and categorising incidents;
• Organisation: this Aspect addresses the existence of a mandated central body designated to collect incident information, and its relationship with the public and private sector for national level incident response; and
• Integration of Cyber into National Crisis Management: this Aspect explores to what extent cybersecurity is integrated into the national crisis management framework.
Factor D 1.3: Critical Infrastructure (CI) Protection

This Factor studies the government’s capacity to identify CI assets, the regulatory requirements specific to the cybersecurity of CI, and the implementation of good cybersecurity practice by CI operators.

Aspects
• Identification: this Aspect addresses the existence of a general list of CI assets, sectors and operators, and an audit of CI assets on a regular basis;
• Regulatory Requirements: this Aspect addresses the existence of regulatory requirements specific to the cybersecurity of CI; and
• Operational Practice: this Aspect explores whether CI operators implement recognised industry standards, and the existence of arrangements for collaboration across and within sectors.

Factor D 1.4: Cybersecurity in Defence and National Security

This Factor explores whether the government has the capacity to design and implement a strategy for cybersecurity within national security and defence. It also reviews the level of cybersecurity capability within the national security and defence establishment, and the collaboration arrangements on cybersecurity between civil and defence entities.

Aspects
• Defence Force Cybersecurity Strategy: this Aspect addresses the existence of a strategy for supporting cybersecurity within national security and defence, and whether it is supported by appropriate legal authorities and relevant operational doctrine and rules of engagement;
• Defence Force Cybersecurity Capability: this Aspect reviews the level of cybersecurity capability and organisational structures within the national security establishment; and
• Civil Defence Co-ordination: this Aspect examines the collaboration on cybersecurity between civil and defence entities, and the existence of adequate resources in place.
Factor D 1.1: National Cybersecurity Strategy – Indicators by Aspect and Stage

Aspect: Strategy Development

Start-Up: No national cybersecurity strategy exists, although planning processes for strategy development may have begun. Advice may have been sought from international partners.

Formative: Processes for strategy development have been initiated. An outline/draft national cybersecurity strategy has been articulated. Consultation processes have been agreed for key stakeholder groups, including private sector, civil society and international partners.

Established: A national cybersecurity strategy has been published. An assessment of country-specific national cybersecurity risk has been conducted. The strategy reflects the needs and roles of relevant stakeholders across government (national and sub-national), business and civil society. An implementation programme is in place which covers the scope of the strategy. Mechanisms are in place to enable strategy ‘owners’ to monitor achievement of outcomes, address implementation issues and maintain strategy alignment.

Strategic: Strategy review and renewal processes are in place. Emerging cybersecurity risks are regularly assessed and used to update the strategy and implementation plan. The impact of the strategy on risk and harm reduction is understood and is used to inform funding and priority decisions.

Dynamic: The national cybersecurity strategy and implementation plan are both proactively reviewed to take account of broader strategic developments within the country (political, economic, social, technical, legal and environmental). The country is an acknowledged authority within the international community and is supporting the development of national and global cybersecurity strategies. Cybersecurity considerations are embedded within other relevant national-level strategies and implementation programmes.

Aspect: Content

Start-Up: Various national policies and strategies may exist that refer to cybersecurity, but these are not comprehensive and there is little evidence that these reflect specific national priorities and circumstances.

Formative: Content exists that reflects country-specific priorities and circumstances. Links exist between the strategy (or draft strategy) and priorities such as national security, digital strategy and economic development, but these are generally ad hoc and lack detail. The strategy (or draft strategy) defines the key outcomes against which success can be evaluated.

Established: The content of the national cybersecurity strategy is based on a comprehensive risk assessment that includes explicit links to wider national level economic and political policies and strategies. The content includes actions to raise public and business awareness, mitigate cybercrime, establish incident response capability, promote public-private partnership and protect critical infrastructure and the wider economy.

Strategic: The content takes account of the impact on cybersecurity risk of emerging technologies and their use within critical infrastructure, the wider economy and society. The outcomes defined in the strategy are specific and measurable. Metrics have been defined which enable stakeholders to evaluate the effectiveness of the strategy in reducing harm. Consideration has been given to how the beneficial outcomes of the strategy can be sustained beyond the strategy’s lifetime, including how the maintenance of new capabilities will be financed.

Dynamic: The content takes account of the impact of broader developments on cybersecurity risk (political, economic, social, technical, legal and environmental). The content of the national cybersecurity strategy promotes and encourages bilateral and multilateral co-operation between countries to ensure a secure, resilient and trusted cyberspace. Consideration has been given to how the national cybersecurity strategy might incorporate or support wider online policy objectives such as: child protection; the promotion of Human Rights; the promotion of Equality, Diversity and Inclusion; and managing disinformation.
Aspect: Implementation and Review

Start-Up: No overarching national cybersecurity implementation programme has been developed.

Formative: A co-ordinated cybersecurity implementation programme is being developed with relevant stakeholders involved, including the private sector and civil society. Actions within the programme have been assigned to specific ‘owners’ but the availability of adequate resources has not yet been confirmed. Mechanisms to review processes are limited or ad hoc.

Established: A detailed implementation plan has been published including actions, responsible entities and resource budgets. The implementation plan involves relevant stakeholders across government and other sectors. A co-ordinating body has been assigned. The body has sufficient authority to ensure that action ‘owners’ are held to account. The resources required to deliver the actions of the programme have been identified and are in place. Budget shortfalls are identified and escalated to the relevant authority. Programme review processes and metrics are in place that allow progress to be measured and risks, issues and dependencies to be escalated to the relevant authority. These processes are adequately funded.

Strategic: Outcome-oriented metrics are being used to monitor the impact that the programme is having on risk reduction (and other relevant strategy goals). There is evidence of these metrics being used to refine action plans. Metrics (both progress and outcome-oriented metrics) are drawn from a wide variety of governmental, non-governmental and international sources. There is independent oversight and/or assurance of the programme.

Dynamic: Mechanisms are in place to make more far-reaching changes to the programme in the event of significant changes in circumstance (political, economic, social, technical, legal and environmental). The programme contributes to the global development of outcome-oriented metrics and their application.
Aspect: International Engagement

Start-Up: There is limited awareness of the principal international debates relating to cybersecurity policy (such as cybersecurity norms, mutual legal assistance, Internet Governance, data sovereignty, data protection). The country may benefit from regional/international operational collaboration networks but does not actively engage.

Formative: The country is aware of the existence of international discussions on cybersecurity policy and related issues. The country may, on occasion, participate in regional or international discussions on matters related to cybersecurity issues, but does not generally play an active role. The country may participate in relevant operational collaboration and policy bodies (such as FIRST*, regional CERT** bodies, the IGF***, or the UN GGE****), but takes mainly a passive role.

Established: An assessment has been made of how the international debates on cybersecurity policy and related issues affect the country’s interests and international standing. Specific engagement objectives have been defined accordingly. Multiple stakeholders have been involved in this process. The country is actively participating in relevant international bodies and forums, either directly or through relevant representative bodies. Their voices are being heard and are having an impact. The country actively contributes to regional/international operational collaboration and policy bodies.

Strategic: The country is actively building international communities of interest around specific cybersecurity policy goals and promoting their adoption. The country makes a major contribution to regional/international operational bodies and is actively involved in building capacity in third-party countries. The country is actively involved in creating new regional/international collaboration mechanisms.

Dynamic: The country is a leading actor in building consensus, fostering inclusivity and shaping the international debates on key cybersecurity policy issues. The country is focused on the future, seeing emerging issues (around new technology or new types of threat), and is initiating new international debates around the key issues.

* Forum of Incident Response and Security Teams
** Computer Emergency Response Team
*** Internet Governance Forum
**** The United Nations Group of Governmental Experts
Factor - D 1.2: Incident Response and Crisis Management

Aspect: Identification and Categorisation of Incidents

Start-Up: No process for identifying and categorising national-level incidents exists. There is no central registry in place but ad-hoc arrangements exist for dealing with the most significant events.

Formative: Some organisations and sectors have internal mechanisms for identifying and categorising incidents within their purview. A process for identifying national-level incidents is under development.

Established: Most major organisations have internal mechanisms for identifying and categorising incidents. A central registry of national-level cybersecurity incidents exists and a process for timely escalation of incidents, from the organisational to the national level, is in place. Individual national incidents are categorised according to severity and resources are allocated accordingly.

Strategic: Insights arising from national-level incidents are routinely analysed in order to establish lessons and inform broader cybersecurity policy and strategy.

Dynamic: The criteria for categorising incidents are sufficiently flexible to cater for rapidly emerging changes in the underlying technological or threat environment. The country is contributing to international best practice in incident identification and categorisation.

Aspect: Organisation

Start-Up: No organisation for national-level cyber incident response exists. A few organisations may have internal cybersecurity response mechanisms in place but co-ordination is minimal. The role of sub-national bodies is unclear. Bilateral co-operation with international partners is limited or ad hoc.

Formative: A national CERT* might exist but lacks sufficient resources and skills. Processes for managing incidents are still in development. Some organisations from public and private sectors have internal cybersecurity response mechanisms in place but co-ordination with the national CERT is ad hoc.

Established: A national body for incident response has been established. It has the resources, skills, documented processes and legal authorities required to address the range of cyber incident scenarios that the country is likely to face (including out-of-hours capability, if appropriate). Relationships and protocols are in place to enable incident management co-ordination between the national body and other elements of the public and private sectors. The role of sub-national bodies in incident response is clear and mechanisms are in place to enable co-ordination between the national and sub-national levels. There is regular sharing of threat and vulnerability information, and operational good practices, between the national body and a wide range of public and private sector organisations, as well as international partners.

Strategic: The national body undertakes a wide range of engagement activities such as convening communities of interest, running cross-sector exercises and promoting best cybersecurity practices. The national body innovates to provide a range of additional services that improve the country’s ability to prevent, detect, respond and recover from threats. The national body is widely recognised as an authoritative voice on cybersecurity within the country. The effectiveness of the national body in reducing cyber risk and harm is regularly evaluated and benchmarked against international good practice.

Dynamic: The government’s overall cyber operational response is adaptive to changes in the underlying technical and threat environment. The country is contributing to international best practice on how to organise operational responses to cybersecurity threats.

* Computer Emergency Response Team
Factor - D 1.2: Incident Response and Crisis Management

Aspect: Integration of Cybersecurity into National Crisis Management

Start-Up: No framework exists for national-level crisis management. Cybersecurity has not been considered as a potential national-level crisis scenario. Emergency communication capabilities are limited.

Formative: A national crisis management framework is in development and a specific organisation has been allocated responsibility for leading national-level crisis response. Cybersecurity has been recognised as relevant to national crisis management, both as a factor in its own right and as an element of other crisis scenarios. An exercise programme is in development and includes cybersecurity-based scenarios. Emergency communication capabilities are in place but may not be well integrated or lack resilience to cyber disruption.

Established: Cybersecurity is fully integrated into the national crisis management framework and the organisation responsible for crisis management is equipped to deal with a range of cybersecurity-related scenarios. The role of a cyber incident management authority within the crisis management process is well defined and established, and escalation thresholds are fully understood. National crisis management scenarios with cybersecurity components are regularly exercised. Emergency communication systems are regularly tested for cyber resilience against a range of cybersecurity-related scenarios.

Strategic: Lessons learnt from cyber crisis exercises are used to inform both national crisis management policy and the national cybersecurity strategy and implementation plan. International crisis planning and exercising with partners exists and routinely includes cybersecurity as an element. The resilience of emergency communications has been stress-tested against a wide range of potential scenarios.

Dynamic: The country is contributing to the debate on the integration of cyber into national and international crisis management. Emergency communications capabilities are capable of operating beyond the country’s border in order to support third-party countries and global crisis responses.
Factor - D 1.3: Critical Infrastructure (CI) Protection

Aspect: Identification

Start-Up: There may be some appreciation of what constitutes a CI asset, but no formal categorisation of CI assets has been produced.

Formative: A list of general CI assets, sectors and operators has been created. Specific operators have been identified and are aware of their status. Cross-border dependencies have been identified.

Established: The list of CI assets has been formalised and incorporates appropriate public and private sector organisations. Interdependencies between sectors are managed. The list is kept up to date to reflect changes in the country’s circumstances.

Strategic: The list of CI assets is adaptive to a range of strategic shifts in the underlying technical, social and economic environment. Cross-border dependencies are managed.

Dynamic: There is flexibility in the process for identifying CI assets to cater for rapidly emerging changes in the underlying technological or threat environment. The country is actively involved in the identification and prioritisation of global CI assets. Cross-sector and cross-border dependencies are mitigated.

Aspect: Regulatory Requirements

Start-Up: There are no existing regulatory requirements specific to the cybersecurity of CI.

Formative: The need for baseline standards to govern CI assets is acknowledged but these are not explicitly mandated in regulation. Sector regulators do not routinely assess CI operators for compliance.

Established: CI operators are mandated by regulation to meet appropriate cybersecurity standards (either in the form of specific cyber regulation or as part of broader regulatory requirements). Mandatory breach reporting and vulnerability disclosure requirements are in place. Formal processes are in place to evaluate CI operator compliance with regulatory standards and incident and vulnerability disclosure.

Strategic: Novel approaches to regulatory supervision are being developed to improve CI cybersecurity while also facilitating effective and efficient CI service delivery. The country is promoting best practice regulatory approaches at an international level.

Dynamic: Regulatory frameworks are sufficiently flexible to cater for rapidly emerging changes in the underlying technological or threat environment. The country is actively involved in establishing regulatory approaches to assuring global CI.

Aspect: Operational Practice

Start-Up: A few CI operators may be implementing good cybersecurity practices, but this is inconsistent.

Formative: Many CI operators are implementing good cybersecurity practice. There is some self-assessment against recognised industry standards. Some informal arrangements exist for collaboration across and within sectors.

Established: CI operators are consistently implementing recognised industry standards and the effectiveness of their cybersecurity controls is regularly assessed. Mechanisms are in place for operators to share threat and vulnerability information, best practices and lessons learned from incidents and near misses. CI operators participate fully in national incident response and crisis management planning and exercising. Mechanisms are in place for public authorities to provide information and other practical support to CI operators, both pre- and post-incident.

Strategic: There is extensive collaboration among CI operators and with public authorities to develop strategies that enhance collective cybersecurity. The resilience of the critical infrastructure ecosystem as a whole has been assessed against a range of scenarios, and measures are in place to address systemic risks to the economy and society.

Dynamic: The country and its CI operators are contributing to the international debate on global critical infrastructure resilience. Experts from the regulators and CI operators are recognised internationally for their contribution to addressing global infrastructure protection challenges.
Factor - D 1.4: Cybersecurity in Defence and National Security

Aspect: Defence Force Cybersecurity Strategy

Start-Up: The potential impact of cybersecurity on national security and defence may have been considered but has not been formally articulated.

Formative: The potential impact of cybersecurity on national security and defence has been assessed and a strategy for addressing these risks is under development. This analysis includes risks to the ability of the country’s military and other national security assets to operate in a contested cyber environment.

Established: A strategy for cybersecurity for national security and defence has been formally adopted (stand-alone or as part of a wider document). The strategy is supported by appropriate legal authorities and relevant operational doctrine and rules of engagement. These are consistent with international humanitarian law. The dependence of national security and military entities on the cybersecurity of other parts of the critical national infrastructure is understood and is addressed in the defence cybersecurity strategy. Cybersecurity considerations inform other elements of national security and defence strategy, where relevant.

Strategic: Defence strategy includes appropriate considerations of deterrence. The country’s defence and national security establishment (alongside other stakeholders) is actively engaged in the global debate on international humanitarian law and norms of behaviour as they relate to conflict in cyberspace.

Dynamic: Strategy and doctrine are not static but are adaptive to changing capabilities and to the geo-political and technical threat environment. The strategy is designed to promote stability in cyberspace. This includes measures to predict and influence the strategies and actions and reactions of potential allies and adversaries. Declaratory strategy and published doctrine may be part of this.

Aspect: Defence Force Cybersecurity Capability

Start-Up: Specialist cybersecurity capability within the national security establishment is limited.

Formative: Specialist cybersecurity capability requirements are understood, and relevant organisational structures have been defined. Initial steps have been taken to establish these.

Established: Capabilities and organisational structures are in place and have been tested. Resourcing is provided through the national military estimate or equivalent process. Operational doctrine and rules of engagement are fully embedded in training. Specialist intelligence resources are being applied to provide support and are appropriately resourced. Mechanisms to facilitate collaboration with allies are in place and have been tested.

Strategic: Relevant deterrence and defence/resilience capabilities are in place, forming part of the country’s defence cybersecurity strategy. Cybersecurity is embedded in wider operational and command training within the country’s military forces.

Dynamic: Defence cybersecurity capabilities are able to support multilateral responses to shared national security challenges.
Factor - D 1.4: Cybersecurity in Defence and National Security

Aspect: Civil Defence Co-ordination

Start-Up: Collaboration on cybersecurity between civil and defence entities is limited.

Formative: Informal collaboration on cybersecurity between civil and defence entities may exist but has not been formalised. Defence entities have not been formally resourced to undertake this work.

Established: Collaboration on cybersecurity between civil and defence entities exists and has been formalised. Respective roles have been defined within the country’s crisis management procedures. The resources required within the defence and national security community, to support civil and CI authorities, have been formally assessed and assigned. Formal mechanisms are in place to determine military/national security cybersecurity dependencies on civil and CI infrastructure. The ability of civil and CI infrastructure operators to provide these services has been assured.

Strategic: Civil defence collaboration on cybersecurity is built into the strategic planning of both sectors and designed to address a range of future crisis scenarios. Mechanisms are in place that enable defence and the national security community to draw on the skills and capabilities of the broader economy and society (for example, via a formal cyber reserve force).

Dynamic: The country is leading the international debate on best practice in cross-governmental, civil-defence cybersecurity collaboration.
Dimension 2: Cybersecurity Culture and Society

This Dimension reviews important elements of a responsible cybersecurity culture such as the understanding of cyber-related risks in society, the level of trust in Internet services, e-government and e-commerce services, and users’ understanding of personal information protection online. Moreover, this Dimension explores the existence of reporting mechanisms functioning as channels for users to report cybercrime. In addition, this Dimension reviews the role of media and social media in shaping cybersecurity values, attitudes and behaviour.
Factor D 2.1: Cybersecurity Mindset

This Factor evaluates the degree to which cybersecurity is prioritised and embedded in the values, attitudes, and practices of government, the private sector, and users across society at large. A cybersecurity mindset consists of values, attitudes and practices, including habits of individual users, experts, and other actors in the cybersecurity ecosystem, that increase the capacity of users to protect themselves online.

Aspects
• Awareness of Risks: this Aspect examines the level of awareness of cybersecurity risks within the government, private sector and users;
• Priority of Security: this Aspect examines the extent to which the government, private sector and users make cybersecurity a priority; and
• Practices: this Aspect examines whether the government, private sector and users follow safe cybersecurity practices.

Factor D 2.2: Trust and Confidence in Online Services

This Factor reviews critical skills, the management of disinformation, the level of users’ trust and confidence in the use of online services in general, and of e-government and e-commerce services in particular.

Aspects
• Digital Literacy and Skills: this Aspect examines whether Internet users critically assess what they see or receive online;
• User Trust and Confidence in Online Search and Information: this Aspect examines whether users trust in the secure use of the Internet based on indicators of website legitimacy;
• Disinformation: this Aspect examines the existence of tools and resources to address online disinformation;
• User Trust in E-government Services: this Aspect examines whether there are government e-services offered, whether trust exists in the secure provision of such services, and if efforts are in place to promote such trust in the application of security measures; and
• User Trust in E-commerce Services: this Aspect examines whether e-commerce services are offered and established in a secure environment and trusted by users.
Factor D 2.3: User Understanding of Personal Information Protection Online

This Factor looks at whether Internet users and stakeholders within the public and private sectors recognise and understand the importance of protecting personal information online, and whether they are sensitive to their privacy rights.

Aspects
• Personal Information Protection Online: (as above)

Factor D 2.4: Reporting Mechanisms

This Factor explores the existence of reporting mechanisms that function as channels for users to report Internet-related crime such as online fraud, cyber-bullying, child abuse online, identity theft, privacy and security breaches, and other incidents.

Aspects
• Reporting Mechanisms: (as above)

Factor D 2.5: Media and Online Platforms

This Factor explores whether cybersecurity is a common subject of discussion across mainstream media, and an issue for broad discussion on social media. Moreover, this Factor looks at the role of media in conveying information about cybersecurity to the public, thus shaping their cybersecurity values, attitudes and online behaviour.

Aspects
• Media and Social Media: (as above)
Factor - D 2.1: Cybersecurity Mindset

Aspect: Awareness of Risks

Start-Up: The government has minimal or no level of awareness of cybersecurity risks. The private sector has minimal or no level of awareness of cybersecurity risks. Users have minimal or no level of awareness of cybersecurity risks.

Formative: Leading government agencies have a minimal level of awareness of cybersecurity risks. Leading private firms have a minimal level of awareness of cybersecurity risks. A limited proportion of Internet users have awareness of cybersecurity risks.

Established: There is widespread awareness of cybersecurity risks within most government agencies. There is widespread awareness of cybersecurity risks within most private firms. A growing number of Internet users within society have awareness of cybersecurity risks.

Strategic: Government agencies across all levels are aware of cybersecurity risks and proactively anticipating new risks. Private sector actors at all levels are fully aware of cybersecurity risks and are anticipating new risks. Users are fully aware of cybersecurity risks and try to anticipate new risks.

Dynamic: Government agencies at all levels are fully aware of cybersecurity risks and use them to update cybersecurity policies and operational practices. Most private sector actors across all levels mitigate cybersecurity risks and use them to update cybersecurity policies and operational practices. Most users identify and anticipate cybersecurity risks and try to adapt their behaviour.

Aspect: Priority of Security

Start-Up: The government has minimal or no recognition of the need to prioritise cybersecurity. Private sector actors have minimal or no recognition of the need to prioritise cybersecurity. Users have minimal or no recognition of the need to prioritise cybersecurity. No surveys or metrics exist to document cybersecurity in government, private sector, or across users.

Formative: Leading government agencies and private firms recognise the need to prioritise cybersecurity. Private firms recognise the need to prioritise cybersecurity. A limited proportion of Internet users recognise the need to prioritise cybersecurity. Surveys and metrics to assess knowledge of cybersecurity within the nation are limited or ad hoc.

Established: Most government agencies at all levels are making cybersecurity a priority. Most private firms at all levels are making cybersecurity a priority. A growing number of Internet users within society make cybersecurity a priority. Surveys and metrics to evaluate knowledge of cybersecurity within the nation are available.

Strategic: Government agencies across all levels routinely prioritise and reassess cybersecurity priorities in response to changing threats to the population. Most private sector actors across all levels routinely prioritise and reassess cybersecurity priorities in response to changing threats to the population. Most users routinely prioritise cybersecurity and seek to take proactive steps to improve cybersecurity. Survey results and metrics are used to refine cybersecurity policies, inform operational practices and IT-related initiatives within the nation.

Dynamic: Government agencies at all levels habitually, as a matter of course, prioritise cybersecurity. Private sector actors at all levels habitually prioritise cybersecurity, as a matter of course. Users habitually prioritise cybersecurity and take steps to improve their security online. Surveys and metrics are routinely conducted and publicised in fields of government, business and industry, and among users.

Aspect: Practices

Start-Up: The government agencies do not follow safe cybersecurity practices. Private sector companies do not follow safe cybersecurity practices. In this country, very few Internet users follow safe cybersecurity practices or take protective measures to ensure their security.

Formative: Leading government agencies follow safe cybersecurity practices. Leading private firms follow safe cybersecurity practices. A limited but growing proportion of Internet users know or follow safe cybersecurity practices.

Established: Most government agencies at all levels follow safe cybersecurity practices. Most private firms at all levels follow safe cybersecurity practices. Most Internet users within this country know and follow safe cybersecurity practices.

Strategic: Government agencies across all levels routinely follow safe cybersecurity practices. Most private sector actors (including SMEs) across all levels routinely follow safe cybersecurity practices. Most users know and routinely follow safe cybersecurity practices.

Dynamic: Government agencies at all levels habitually follow and also develop safe cybersecurity practices. Private sector actors at all levels habitually follow and develop safe cybersecurity practices. Nearly all users know and habitually follow safe cybersecurity practices as a matter of course.