**Report Title · Web viewSuch a vulnerability disclosure framework would address disclosure of...


Cybersecurity Capacity Review of the Republic of Mozambique

© Commonwealth Telecommunications Organisation P a g e | 1

This is the Cybersecurity Maturity Review Report for Mozambique prepared by the Commonwealth Telecommunications Organisation for the Government of Mozambique. This Report is a Deliverable Report in a technical assistance project that is funded by the Foreign and Commonwealth Office (FCO), United Kingdom, and calls on the CTO team to assist the Republic of Mozambique develop a National Cybersecurity Strategy (NCS) for Mozambique


Table of Contents

1 INTRODUCTION

2 OVERVIEW OF THE CYBERSECURITY CAPACITY MATURITY MODEL (CMM)

3 DIMENSION 1: CYBERSECURITY POLICY AND STRATEGY
3.1 Brief Descriptions of Dimension 1 Factors
3.2 Results and Recommendations

4 DIMENSION 2: CYBER CULTURE AND SOCIETY
4.1 Brief Descriptions of Dimension 2 Factors
4.2 Results and Recommendations

5 DIMENSION 3: CYBERSECURITY EDUCATION, TRAINING AND SKILLS
5.1 Brief Descriptions of Dimension 3 Factors
5.2 Results and Recommendations

6 DIMENSION 4: LEGAL AND REGULATORY FRAMEWORKS
6.1 Brief Descriptions of Dimension 4 Factors
6.2 Results and Recommendations

7 DIMENSION 5: STANDARDS, ORGANISATIONS AND TECHNOLOGIES
7.1 Brief Descriptions of Dimension 1 Factors
7.2 Results and Recommendations

APPENDIX I: CYBERSECURITY CAPACITY MATURITY MODEL (CMM) QUESTIONNAIRE


1 Introduction

This is a Cybersecurity Maturity Review Report for Mozambique prepared by the Commonwealth Telecommunications Organisation (CTO) as part of a technical assistance project funded by the Foreign and Commonwealth Office (FCO), United Kingdom, with in-kind support from the Government of the Republic of Mozambique. The objective of the project was to assist the Government of Mozambique with the development of a National Cybersecurity Strategy (NCS) that will enable Mozambique’s approach to ensuring a safe and secure cyberspace its citizens can use to enhance productiveness and wellness in their lives.

The CTO team, supported by the national host team from the Instituto Nacional das Comunicações de Moçambique (INCM) conducted a review of the cybersecurity capacity maturity of the Republic of Mozambique with the purpose of determining the current cybersecurity posture of Mozambique, and highlighting a series of challenges and opportunities that the country would seek to address in its National Cybersecurity Strategy (NCS).

This Review included consultations, held from 22 - 26 August 2016, with a wide range of stakeholders from across Mozambique’s ICT/Cybersecurity ecosystem, including the Central Bank of Mozambique, the Ministry of Interior (responsible for the police forces, immigration, etc.), the Ministry of Science, Technology and Vocational Training, and CEDSIF. The Cybersecurity Capacity Maturity Model (CMM) developed by the University of Oxford’s Oxford Martin School was used to undertake these consultations. The CMM examines the maturity of a nation across five unique and key dimensions, namely: Policy & Strategy; Culture & Society; Education, Training & Skills; Legal & Regulatory Frameworks; and Standards, Organisations, & Technologies. This Cybersecurity Maturity report aims to describe Mozambique’s current maturity level across each of the five Dimensions considered in the CMM. The rest of the document is organized as follows:

Chapter 2 provides an overview of the CMM and describes the different stages of maturity considered by the CMM.

Chapters 3 - 7 provide descriptions of the current maturity levels and situation of Mozambique when specific factors are considered across the five dimensions of the CMM. These Chapters also provide some recommendations on how the maturity or posture of Mozambique can be enhanced across these specific factors.


Appendix I provides the CMM tool that was used to undertake consultations in Mozambique.


2 Overview of the Cybersecurity Capacity Maturity Model (CMM)

Stakeholders from a range of sectors including government institutions & ministries, telecommunications service providers and ISPs, and Academia participated in a series of sessions designed to discuss the current cybersecurity posture of Mozambique, and begin the process of developing Mozambique’s NCS. Discussions on the current cybersecurity posture of Mozambique were based on the Oxford Martin’s Cybersecurity Capacity Maturity Model (CMM) which defines the five distinct Dimensions of Cybersecurity Maturity.

The following Table lists the five dimensions of the CMM, and the factors which constitute these Dimensions:

Table 1 - CMM Dimensions and Constituent Factors

Dimension, followed by the Constituent Factors of Each Dimension:

Dimension 1 – Cybersecurity Policy and Strategy
D1-1: Documented or Official National Cybersecurity Strategy
D1-2: Incident Response
D1-3: Critical National Infrastructure (CNI) Protection
D1-4: Crisis Management
D1-5: Cyber Defence Consideration
D1-6: Digital Redundancy

Dimension 2 – Cyber Culture and Society
D2-1: Cybersecurity Mind-set
D2-2: Cybersecurity Awareness
D2-3: Confidence and Trust on the Internet
D2-4: Privacy Online

Dimension 3 – Cybersecurity Education, Training and Skills
D3-1: National Availability of Cyber Education and Training
D3-2: National Development of Cyber Security Education
D3-3: Training and Educational Initiatives within the Public and Private Sector
D3-4: Corporate Governance, Knowledge and Standards

Dimension 4 – Legal and Regulatory Frameworks
D4-1: Cybersecurity Legal Frameworks
D4-2: Legal Investigation
D4-3: Responsible Reporting

Dimension 5 – Standards, Organisations and Technologies
D5-1: Adherence to Standards
D5-2: National Infrastructure Resilience
D5-3: Cybersecurity Marketplace

These Dimensions and their constituent factors address a wide range of key issues critical to a nation ensuring a secure cyberspace and include: government policies, legislative structures, social awareness of cyber issues, etc, and span five key stages of maturity.

These five stages are described below according to increasing levels of maturity:

Start-up: This stage refers to the situation or context where there is no or minimal cybersecurity development. Initial discussions regarding cybersecurity might have occurred but concrete actions are yet to be taken. There is no or very little observable evidence at this stage.

Formative: Some activity or actions might have been formulated and might have commenced but they may be poorly defined, disorganised, ad-hoc or just very new. Evidence of activity or actions can be clearly demonstrated.

Established: The elements of the approach or sub-factor have been established, are in place, and are working. However, there is no comprehensive consideration of the relative allocation of resources though the approach or sub-factor is functional and defined.

Strategic: At this stage, choices or decisions have been made about what aspects of the factor are important, and which are less important for the specific nation or organisation. What this means is these choices or decisions on this factor have been made depending on the specific circumstances of that nation or organisation.

Dynamic: This is the most mature stage where clear mechanisms have been established to change strategy depending on the existing circumstances or situation of the nation such as changes to the prevailing threat environment, changes to priority areas of concern, etc. Nations or organisations at this stage have developed methods for changing strategies in stride. Quick decision-making, reallocation of resources and constant monitoring of the changing environment are characteristics of this stage.


3 Dimension 1: Cybersecurity Policy and Strategy

This chapter of this report presents the results of the maturity review of Mozambique for each factor of the “Cybersecurity Policy and Strategy” Dimension and describes a series of recommendations that should enhance Mozambique’s maturity in this Dimension.

3.1 Brief Descriptions of Dimension 1 Factors

Dimension 1 seeks to examine the best ways of resisting and recovering from cyber incidents through the use of effective national cybersecurity policy and strategy. The following factors represent different aspects of this Dimension.

D1-1: Documented or Official National Cybersecurity Strategy. A comprehensive national cybersecurity strategy provides a cohesive and coordinated approach of how a nation (including various agencies and industries working together) ensures a secure cyberspace. Among other things, this factor investigates whether the nation has decided where and how cybersecurity is prioritized with respect to the national agenda, whether the nation has determined areas of responsibility and mandates of key cybersecurity actors, and whether the nation has allocated resources to address emerging and existing cybersecurity issues.

D1-2: Incident Response. Considering that not all cyber incidents can be prevented, it is imperative that nations identify which events constitute national level threats, and develop a coordinated and effective approach to responding to these national level events. This factor seeks to determine or evaluate the nation’s ability to identify national level incidents, events or threats in a systematic manner, as well as the nation’s ability to organize and coordinate effective incident response.

D1-3: Critical National Infrastructure (CNI) Protection. It is critical that nations identify CNI assets and take proper steps to protect them. This factor evaluates the nation’s ability to both identify CNI and protect CNI. This would include identification of CNI assets, risks associated with CNI, response planning and protection, collaboration between or with CNI owners, etc.

D1-4: Crisis Management. Planning and evaluating crisis management applications ensures that stakeholders are capable of dealing with real world scenarios when it comes to cybersecurity. This factor seeks to understand the extent to which the various stakeholders within a nation are able to undertake crisis management and develop structured and measurable findings that would provide the basis of recommendations to policy makers and other stakeholders as well as inform budgetary allocations.

D1-5: Cyber Defence Consideration. This factor assesses whether a nation has the capacity to develop and implement a cyber defence strategy that would address all those threats to national security. Key considerations of this factor include the level of coordination between stakeholders during responses to attacks on military IT systems, and whether there is a designated cyber defence unit or organization for the nation.

D1-6: Digital Redundancy. Developing backup coordination links between emergency responders that do not rely on digital communications networks is critical for scenarios when electronic communications are disabled, and for enhancing cyber policy and strategy. This factor assesses the nation’s ability to plan or deploy redundancy communications among stakeholders.

3.2 Results and Recommendations

The table below details the specific results of Mozambique’s maturity across each factor of Dimension 1, and specific recommendations on how to enhance Mozambique’s capacity for each specific factor.


D1-1: Documented or Official National Cybersecurity Strategy

Stage of Maturity: Start Up - Formative

Brief Description:

Presently, there is no official or formal National Cybersecurity Strategy which describes the national approach to addressing cybersecurity related issues and threats in Mozambique.

Furthermore, though the Ministry of Transport and Communications, and the INCM oversee and regulate the communications sector of Mozambique respectively, there is no formally designated overarching agency or government institution that oversees or coordinates cybersecurity across Mozambique.

However, the process of developing a National Cybersecurity strategy has commenced, with key stakeholder/working groups already established and currently taking part in a series of consultations to develop the NCS for Mozambique.

Recommendations to enhance Cybersecurity in Mozambique:

Finalise and adopt the National Cybersecurity Strategy for Mozambique which would set out Mozambique’s Vision and Strategic Objectives with respect to Cybersecurity. The Strategy should provide details on the implementation framework such as the identification of a national institution to oversee implementation and Implementation Log Frames which would detail a coordinated cyber programme for the nation.

D1-2: Incident Response

Stage of Maturity: Start Up

Brief Description:

In Mozambique at present, there is no overarching entity which is responsible for cyber security incident response. Indeed, Mozambique does not have a national Computer Emergency Response Team (CERT). Moreover, there is no evidence to suggest that a national budget for cybersecurity incident response exists.

Consequently, there is a lack of effective and coordinated response to, and management of, incidents across Mozambique. The absence of a national CERT in Mozambique has also resulted in the lack of identification and categorization of national level incidents in a central registry for incidents, especially as there is no regulation in force that calls for the mandatory reporting of cyber incidents.

However, efforts are currently ongoing to establish a national CERT for Mozambique. The private sector and government are currently working together with support from the ITU to establish a national CERT for Mozambique. Part of these efforts includes the identification and consultation of private sector organizations critical to national cybersecurity, though no formal coordination and information sharing mechanisms have been established. Consequently, information sharing and coordination across the private sector and the government occurs in an ad hoc manner.

Recommendations to enhance Cybersecurity in Mozambique:

Establish the requisite legal and regulatory frameworks needed for the creation of, and operationalisation of a National CERT

Expedite the operationalisation of a national CERT with clear processes, defined roles and responsibilities

Develop a national incident reporting, information sharing and coordination mechanisms to address reporting of incidents and coordination in incident response

D1-3: Critical National Infrastructure (CNI) Protection

Stage of Maturity: Start Up

Brief Description:

There is no formal or official categorization of Mozambique’s Critical National Infrastructure or vulnerabilities though most stakeholders seem to have some understanding of what such a categorization would entail, and this includes: the telecommunications sector, the banking sector, Government IT Systems, utilities like power, water, etc.

Furthermore, no national institution has been mandated to oversee Mozambique’s CNI. There is also no formal mechanism promoting collaboration between the government and owners of critical assets resulting in little to no interaction between government ministries and owners of critical assets. Therefore response planning isn’t handled in a formal or coordinated manner. Informal procedures for dialogue between the public and private sector may exist, but formal parameters for information sharing are currently lacking. Similarly, though some informal procedures may exist, no formal procedures for information sharing and collaboration amongst CNI operators have been established in Mozambique. For instance, the Central Bank of Mozambique has established procedures of how the financial sector can share information with it, but there is no evidence to suggest that these procedures are specific to cyber incidents.

CNI Operators across Mozambique might have some basic capabilities with respect to risk management, especially on how to detect, identify, protect, respond and recover from cyber threats. However, these capabilities are not harmonized and might vary in quality. In fact, cyber security is generally subsumed into IT and data protection risk and is not recognised more broadly by CNI in Mozambique.

Recommendations to enhance Cybersecurity in Mozambique:

Develop a National CNI and Vulnerability Register

Create a framework for regular vulnerability disclosure

Develop a National Cyber Contingency and Incident Response Plan

Develop national risk management and CNI protection procedures and processes

Undertake regular cyber emergency response drills or exercises

D1-4: Crisis Management

Stage of Maturity: Start Up

Brief Description:

Currently, there is very little evidence to demonstrate that relevant stakeholders within Mozambique understand that crisis management is necessary for national security across Mozambique. Consequently, there is currently no planning for crisis management or very little understanding of crisis management from a cybersecurity perspective.

Similarly, and to date, no evaluation of cybersecurity crisis management protocols has been conducted in Mozambique or has been used to inform the national approach to crisis management.

Recommendations to enhance Cybersecurity in Mozambique:

Develop crisis management measures

Evaluate cyber drills to develop options on how to improve crisis management measures

Participate in international Forums for Cybersecurity Crisis Management

D1-5: Cyber Defence Consideration

Stage of Maturity: Start Up

Brief Description:

In Mozambique, there is currently no National Cyber Defence Policy or Strategy though it is generally accepted that the National Security Policy and/or Defence Strategy of Mozambique might address some issues relating to digital security or information security.

Though the Ministry of Interior currently serves as the de facto central command and control structure on cybersecurity issues for the defence and security forces, there is no official central command and control structure.

It was surmised from consultations with the Ministry of Interior that various national security and defence forces in Mozambique have started to consider cybersecurity issues in their day to day activities and national defence functions.

Similarly, it was also surmised that national armed forces currently have limited capacity with respect to cyber resilience and ability to reduce vulnerabilities of national security interests and defence network infrastructure.

Recommendations to enhance Cybersecurity in Mozambique:

Develop a Cyber defence strategy that details approaches to addressing threats to national security in cyberspace

Establish an official defence central command and control centre for cybersecurity in Mozambique

Improve defence forces’ resilience and responses to vulnerabilities of national security interests and defence network infrastructure.

D1-6: Digital Redundancy

Stage of Maturity: Start up

Brief Description:

At present in Mozambique, there is not much evidence to suggest that emergency response asset priorities and standard operating procedures have been established in the event of a communications disruption. There is also no evidence demonstrating that stakeholders have formally collaborated to identify gaps and overlaps in digital emergency response asset communications and authority links. However, there are indications that service providers have already established redundancy systems and measures thereby offering some degree of digital redundancy in the communications systems that span the country.

Furthermore, current emergency response assets have not been mapped and identified across the nation.

Recommendations to enhance Cybersecurity in Mozambique:

Develop National Contingency plans which identify emergency response asset priorities and standard operating procedures (SOPs)

Map out current emergency response assets

Ensure communication channels are deployed across emergency response functions, geographic areas of responsibility, public and private responders, and command authorities


5 Dimension 2: Cyber Culture and Society

This chapter of this report presents the results of the maturity review of Mozambique for each factor of the “Cyber Culture and Society” Dimension and describes a series of recommendations that should enhance Mozambique’s maturity in this Dimension.

5.1 Brief Descriptions of Dimension 2 Factors

Dimension 2 seeks to examine whether networked individuals or stakeholders like business or government are aware of cyber risks, know how to use the Internet safely and securely, and have the time and inclination to take the necessary steps to do so. The following factors represent different aspects of this Dimension.

D2-1: Cybersecurity Mind-set. This factor examines the values, attitudes and practices, including habits, of government, the private sector, and society-at-large in the cyber security ecosystem of the nation.

D2-2: Cybersecurity Awareness. This factor examines the need for awareness raising programmes to raise awareness of cybersecurity, especially with respect to cyber risks and threats, across the nation and across a wide range of target groups of society.

D2-3: Confidence and Trust on the Internet. The level of trust in the internet determines the extent to which stakeholders provide personal data or information online and influences the degree of usage of online services in general. This factor examines the extent of stakeholders’ trust in the use of online services, especially e-commerce and e-government services.

D2-4: Privacy Online. Privacy issues include the sharing of personal data in public and private sector. This factor examines issues relating to the protection of personal data, government agenda with respect to the enactment of relevant laws or regulations, and the level of adherence of national norms with internationally recognised standards.

5.2 Results and Recommendations

The table below details the specific results of Mozambique’s maturity across each factor of Dimension 2, and specific recommendations on how to enhance Mozambique’s capacity for each specific factor.


D2-1: Cybersecurity Mind-set

Stage of Maturity: Start Up - Formative

Brief Description:

When the Cybersecurity mindset across government, private sector and society-at-large in Mozambique is considered, there are indications that some leading agencies from both government institutions and the private sector have begun to place priority on cybersecurity. However, general observations suggest that there is an absence or minimal recognition of a cyber security mind-set within government agencies. Moreover, technical staff within government institutions and the public sector were found to be more informed on the need for cybersecurity when compared to non-technical staff.

Leading firms within the private sector have also started to place priority on a cyber security mind-set by identifying high-risk practices. Similarly, financial and banking sector organizations have also started to recognize the impacts of cyber related issues like online fraud on their businesses.

Likewise, it was observed that society at large is largely unaware of cyber threats and is unable to take proactive steps or cybersecurity measures to increase their cybersecurity despite the ongoing digitization of Mozambique.

Recommendations to enhance Cybersecurity in Mozambique:

Develop and disseminate National Cybersecurity Best Practices to engrain a cybersecurity mindset in public and private sector and allow citizens to develop the necessary skills required to manage their privacy online, and protect themselves from intrusion, interference or unwanted access of information by others

Develop training and awareness programmes to promote a proactive cybersecurity mindset across society-at-large, especially for those special groups like women and children

D2-2: Cybersecurity Awareness

Stage of Maturity: Start Up

Brief Description:

The need for awareness of cyber security threats and vulnerabilities across the private and public sector has just started to emerge across Mozambique though it still hasn’t been formally recognized at the national level. Similarly, there is no coordinated and national cybersecurity awareness raising programme in Mozambique.

Recommendations to enhance Cybersecurity in Mozambique:

Develop a coordinated national awareness raising programme for various target groups, especially the more vulnerable users like children and women

D2-3: Confidence and Trust on the Internet

Stage of Maturity: Start Up - Formative

Brief Description:

Currently, there is still very minimal use of online services across Mozambique. online services has been identified as a concern, with infrastructure operators currently considering measures to promote trust in online services, though these measures have not yet been established or implemented in Mozambique. There is also a lack of awareness of how citizens’ personal data is used by online service providers leading to citizens trusting service providers blindly.

At present, Mozambique continues to promote the deployment and adoption of e-government services across the nation and its range of government e-services continues to grow. As such, the undesirable online practices, and the need for security measures to promote trust in e-services have been recognised and discussed among relevant stakeholders.

Similarly, E-Commerce services offered in Mozambique are minimal with most payments made with cash. However, users and stakeholders are cognisant of the need for security in e-commerce services especially if the internet users in Mozambique are potential e-commerce consumers.

Recommendations to enhance Cybersecurity in Mozambique:

Promote the deployment of, and awareness of e-government services, highlighting the security measures requirements to promote trust and confidence in e-services

Emphasize or highlight the security requirements or features of e-commerce services to promote trust and confidence

D2-4: Privacy Online

Start Up

Mozambique is currently undertaking various efforts to enhance its posture when it comes to privacy and data protection, and discussions and stakeholder engagement have commenced. There have also been some discussions among private sector leaders regarding privacy issues in the workplace.

At present, Mozambique has commenced the process of reviewing its policy, legal and regulatory frameworks which should result in the development and promulgation of comprehensive legislative frameworks which would address a range of issues currently observed in Mozambique’s ICT sector, including data protection and privacy.

Undertake a gap analysis to identify gaps in the current ICT Security Legal and Regulatory Framework and develop requisite instruments to address gaps, including issues relating to privacy and data protection.


7 Dimension 3: Cybersecurity Education, Training and Skills

This chapter of this report presents the results of the maturity review of Mozambique for each factor of the “Cybersecurity Education, Training and Skills” Dimension and describes a series of recommendations that should enhance Mozambique’s maturity in this Dimension.

7.1 Brief Descriptions of Dimension 3 Factors

Dimension 3 seeks to examine the current state of cyber security training and education across the nation, and identify what needs to be done to improve training and education, hence ensuring better cybersecurity protection now and in the future. The following factors represent different aspects of this Dimension.

D3-1: National Availability of Cybersecurity Education and Training. This factor assesses the nation’s resources and funding allocated or dedicated to ensuring the availability of high quality cybersecurity education and training options in order to ensure a sufficient and sustainable supply of cybersecurity skills to cater to the needs of private and public sector institutions nationwide.

D3-2: National Development of Cyber Security Education. This factor examines the existence and development of cyber security education programmes, high quality university and further education degrees and courses on cyber security across the nation.

D3-3: Training and Educational Initiatives within the Public and Private Sector. Cyber security training programmes and knowledge exchange can enhance employees’ skillsets and promote continuous skill development. This factor examines the development of training and educational initiatives within public and private sector.

D3-4: Corporate Governance, Knowledge and Standards. This factor seeks to evaluate the understanding of private and state-owned companies (notably the highest executive level of senior management) of cybersecurity especially with respect to the risks that companies face, some of the primary methods of attack, and how their company deals with cyber issues.


7.2 Results and Recommendations

The table below details the specific results of Mozambique’s maturity across each factor of Dimension 3, and specific recommendations on how to enhance Mozambique’s capacity for each specific factor.


Constituent Factors

Stage of Maturity

Brief Description

Recommendations to enhance Cybersecurity in Mozambique

D3-1: National Availability of Cyber Education and Training

Start Up

Currently in Mozambique, there is no recognised provider of cyber security education and no recognised accreditation in cyber security education.

Similarly, there are very few cybersecurity training programmes offered across Mozambique, with most training programmes delivered nationally being mainly IT certification programmes like CISCO and not cyber security specifically.

Deploy Cybersecurity Certification programmes in public universities and colleges

Identify training needs, and develop specific programmes and courses to address training needs across Mozambique

D3-2: National Development of Cyber Security Education

Start Up

At present, there are few or no professional cybersecurity instructors in Mozambique and no programmes exist to train instructors in cyber security in Mozambique.

This is consistent with the fact that there is no formal national programme to promote cybersecurity education and training across Mozambique.

Furthermore, discussions on the need for a budget for cybersecurity education and research are just commencing and are in their initial stages.

Develop a national programme to promote cybersecurity education, training and skills development for Mozambique. This programme would include an allocated budget and other resources, training courses, seminars, etc.

Enhance cybersecurity career incentives and opportunities to promote attractiveness of cybersecurity careers and hence attractiveness of cybersecurity training and education

D3-3: Training and Educational Initiatives within the Public and Private Sector

Formative

Cyber security training programmes are not implemented across Mozambique and very few trained IT personnel are designated to support cyber security issues as they occur. Cybersecurity skillsets may exist but are not strategically located and tools are limited.

Deploy international cybersecurity certification programmes as well as continuous professional development courses for cybersecurity professionals


Similarly, there is limited knowledge transfer from trained cyber security employees across the nation. Furthermore, and because of limited training, there is only informal use of existing tools, models, or templates for organizations’ cyber security planning, with no automated data integration.

In addition, there still exist cybersecurity skill gaps across Mozambique and further technical training is required, as evidenced by the lack of data on the exact number of public sector professionals certified under internationally recognized certification programs in cybersecurity like CISSP, CISA, CEH, etc.

D3-4: Corporate Governance, Knowledge and Standards

Formative

In Mozambique at present, there is some understanding of cybersecurity issues at Management or Board Level across different organizations. Management or Boards have some awareness of cyber security issues, but not how they might affect the organization, or what direct threats they might face

Undertake mandatory training of Management or Board Members of different organisations to enhance their understanding of cyber issues and how their organisations address these threats


9 Dimension 4: Legal and Regulatory Frameworks

This chapter of this report presents the results of the maturity review of Mozambique for each factor of the “Legal and Regulatory Frameworks” Dimension and describes a series of recommendations that should enhance Mozambique’s maturity in this Dimension.

9.1 Brief Descriptions of Dimension 4 Factors

Dimension 4 seeks to examine how governments can encourage the development of a secure Internet and online environment using law and regulation. The following factors represent different aspects of this Dimension.

D4-1: Cybersecurity Legal Frameworks. This factor examines the extent to which governments have developed sufficient legal frameworks that enable the development of a secure internet and online environment in the country. Examples of legal frameworks considered here include: legal frameworks on ICT’s, privacy, human rights and data protection, and both substantive and procedural cybercrime law.

D4-2: Legal Investigation. The effective implementation of legal and regulatory frameworks through investigative tools also contributes to improving the cybersecurity posture of a nation. As such, this factor assesses the capacity of the nation to investigate, combat and prosecute cyber incidents, attacks, crimes and cases based on electronic evidence.

D4-3: Responsible Reporting. A responsible disclosure framework not only provides specific guidelines and statements addressing how vulnerabilities will be disclosed, but also enhances the capacity to address the vulnerability and prevent any future damage. This factor seeks to examine if the nation has a functional responsible disclosure framework in force and whether there is sufficient capacity across the private and public sector to fully implement and leverage this framework to address vulnerabilities.

9.2 Results and Recommendations

The table below details the specific results of Mozambique’s maturity across each factor of Dimension 4, and specific recommendations on how to enhance Mozambique’s capacity for each specific factor


Constituent Factors

Stage of Maturity

Brief Description

Recommendations to enhance Cybersecurity in Mozambique

D4-1: Cybersecurity Legal Frameworks

Start Up

Mozambique is currently making efforts to develop legislation or legal frameworks for ICT security, especially as currently there is no promulgated legislation that comprehensively addresses ICT security.

As such, and to ensure any updates to the current ICT legal frameworks of Mozambique address all cyber security related issues, there is a need to assess the requirements to develop various regulatory instruments relating to ICT Security to ensure that there are no gaps, and that the legislative and regulatory frameworks for ICT Security are comprehensive.

Undertake a gap analysis to identify gaps in the current ICT Security Legal and Regulatory Framework and develop requisite instruments to address gaps.

D4-2: Legal Investigation

Start Up - Formative

Evidence suggests that all three key stakeholders actively involved in the detection, investigation and prosecution of cybercrimes in Mozambique have limited capacity when it comes to investigating and prosecuting cybercrimes.

In fact, law enforcement in Mozambique does possess some investigative capacity to investigate computer related crimes, in accordance with domestic law.

Similarly, a limited number of prosecutors have the capacity to build a case based on digital information, but this capacity is largely ad-hoc, un-institutionalised and lacks formal collaboration mechanisms with law enforcement.

Like law enforcement forces and prosecutorial services, and considering that there are no specialized cybercrime courts in Mozambique, judges across the nation have a limited capacity in presiding over cases on cybercrime and involving electronic evidence, and lack formal collaboration mechanisms with law enforcement.

Enhance the national capacity to investigate and prosecute cybercrimes by strengthening human resources through training programmes, technological resources, procedures, etc.

Enhance national and international collaboration in the detection, investigation and prosecution of cybercrimes

D4-3: Responsible Reporting

Start Up

Currently, the need for a responsible disclosure policy in public and private sector organisations is not acknowledged across Mozambique. Consequently, no official responsible vulnerability disclosure framework exists in Mozambique.

Such a vulnerability disclosure framework would address disclosure of issues like DDoS attacks, malicious activities, malware and phishing attacks, and would include, among other things, details on a disclosure deadline, scheduled resolution, and an acknowledgement report.

Develop a responsible vulnerability disclosure framework to enable and promote information sharing on vulnerabilities within the public sector and CNI


11 Dimension 5: Standards, Organisations and Technologies

This chapter of this report presents the results of the maturity review of Mozambique for each factor of the “Standards, Organisations and Technologies” Dimension and describes a series of recommendations that should enhance Mozambique’s maturity in this Dimension.

11.1 Brief Descriptions of Dimension 5 Factors

Dimension 5 examines the nation’s best practice in the use of technology and associated business processes, and looks at how to ensure good uptake of products. The following factors represent different aspects of this Dimension.

D5-1: Adherence to Standards. This factor assesses the nation’s ability to design/adapt and implement cybersecurity standards and minimal acceptable practices, by private and public sector, as well as standards on procurement and software development.

D5-2: National Infrastructure Resilience. This factor examines how the nation deploys and manages infrastructure technologies to ensure national resilience.

D5-3: Cybersecurity Marketplace. This factor examines the extent of availability of network and information cyber security technologies and specialist support for deployment across the nation. This factor also examines the extent of availability of cyber insurance as a way of protection against losses resulting from cyber security events.

11.2 Results and Recommendations

The table below details the specific results of Mozambique’s maturity across each factor of Dimension 5, and specific recommendations on how to enhance Mozambique’s capacity for each specific factor


Constituent Factors

Stage of Maturity

Brief Description

Recommendations to enhance Cybersecurity in Mozambique

D5-1: Adherence to Standards

Start Up

At present, information security standards and practices have not been formally identified or implemented through a concerted effort across the nation. Consequently, there is still room for improvement as there is very minimal implementation of standards relating to cybersecurity or information security.

Furthermore, there is no evidence to suggest that public procurement processes in Mozambique take into account or include cybersecurity related standards; at present, national procurement processes across Mozambique tend to focus more on promoting transparency and accountability and do not consider cybersecurity requirements.

Similarly, evidence suggests that there is very little identification of, or take up of software development standards in the public and private sector.

Create a national programme to promote the adaptation and adoption of information security standards across government institutions and CNI in Mozambique

Promote the adoption of ICT security standards in government procurement processes and by SMEs

D5-2: National Infrastructure Resilience

Start Up - Formative

The level of resilience of the internet services infrastructure can be further enhanced across Mozambique, as evidenced by the non-strategic deployment of technology and processes in public and private sectors. In fact, though government services, information and digital content are available online, there is limited availability of technology to support e-commerce and business interaction. No formal or coherent approach has been established to address these issues.

Develop a national programme to enhance internet infrastructure development and resilience.

Develop a national government programme to deploy and manage government technology infrastructure


Furthermore, national infrastructure is managed informally, with no documented processes, roles and responsibilities. Likewise, Mozambique is dependent on unreliable third party markets for cybersecurity related products as few or no technologies are produced domestically and international offerings may be restricted or sold at a premium.

D5-3: Cybersecurity Marketplace

Start Up

Few or no cybersecurity technologies are produced domestically in Mozambique. Similarly, the need for a market in cybercrime insurance has not been identified in Mozambique, which explains the lack of a cybercrime insurance market in Mozambique.

Promote collaboration between, and investment by, the private sector and academia in R&D in cybersecurity technological products and cybercrime insurance products


Appendix I: Cybersecurity Capacity Maturity Model (CMM) Questionnaire


For more information, please contact:
Fargani Tambeayuk
Senior Programme Officer, Technical Support and Consultancy
T. +44 208 600 3808
E. [email protected]