6. How to develop a critical infrastructure and critical information infrastructure protection policy

The GFCE-MERIDIAN good practice guide, referencing EC 2008, defines Critical Information Infrastructure Protection (CIIP) as: ‘All activities aimed at ensuring the functionality, continuity and integrity of CII in order to deter, mitigate and neutralise a threat, risk or vulnerability or minimise the impact of an incident.’

CIIP is a vital element of cyber security and is included as a component of the national cyber security strategy. A country may consider developing a CIIP policy to establish coherence and coordination of the activities, resources and initiatives necessary to secure critical infrastructure from natural disasters and cyber-related incidents.

A national policy for the protection of the CI and CII is guided by a set of principles determined by the government and influenced by international and regional conventions, standards, and best practices. The objective of the policy is to establish a national framework for the harmonisation and coordination of critical infrastructure protection.

The Internet Infrastructure Guidelines for Africa recommend that policymakers use four essential principles as a guide in developing strategies and policies for Internet infrastructure security. These principles are:

  1. Awareness: An understanding of security risks and their impact on the Internet infrastructure ecosystem.
  2. Responsibility: Stakeholder accountability and understanding of potential impacts of one’s actions, or inactions.
  3. Cooperation: Dialogue to encourage cooperation and collective responsibility among all stakeholders.
  4. Fundamental rights and Internet properties: Adherence to transparency and non-infringement on the fundamental properties of the internet: voluntary collaboration, open standards, reusable technological building blocks, integrity, permission-free innovation, and global reach.

Good practice: G8 Principles for Protecting Critical Information Infrastructures

G8 Principles for Protecting Critical Information Infrastructures include national, regional, and international coordination and collaboration, information sharing, identification of interdependencies, determination of stakeholders’ roles and responsibilities, enhancement of capabilities, adequate legal provision, research and development, and application of internationally certified standards.

The basic steps of developing and maintaining a current CIIP policy are:  

Step 1. Make the CIIP a national priority: The effectiveness of a CIIP policy is improved if it is embedded in the National Risk Profile (NRP) and National Cybersecurity Strategy and implemented by a committee with high-ranking multisectoral stakeholder representation.

Step 2. Identification of critical information infrastructure: Critical infrastructure can be identified by using the four methodological stepping stones inspired by the European Critical Infrastructure Directive (EC2008). The four stepping stones are:

  1. Apply sector-specific criteria;
  2. Assess criticality;
  3. Assess dependencies;
  4. Apply cross-cutting criteria.
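The four stepping stones can be turned into a repeatable screening of an asset inventory. The script below is an added example written for this lesson, not part of the GFCE-MERIDIAN guide or the EC 2008 directive; the sector thresholds, the three impact dimensions used as cross-cutting criteria, the threshold value and the sample assets are all constructed assumptions. It also generalises the third stepping stone slightly: an asset that something critical depends on inherits that dependent's criticality, so an inconspicuous supplier (here a DNS operator) is not overlooked.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    sector: str
    metrics: dict               # sector-specific measurements and impact estimates
    depends_on: list = field(default_factory=list)  # names of assets this one needs


# Stepping stone 1: sector-specific criteria (hypothetical thresholds, chosen for illustration)
SECTOR_CRITERIA = {
    "energy": lambda m: m.get("customers_served", 0) >= 100_000,
    "telecom": lambda m: m.get("subscribers", 0) >= 250_000,
    "finance": lambda m: m.get("daily_transactions", 0) >= 1_000_000,
    "water": lambda m: m.get("population_served", 0) >= 50_000,
}

# Stepping stone 4: cross-cutting criteria. Each impact dimension is scored 0-3 by the
# assessor; an asset whose summed (effective) score reaches this value counts as critical.
IMPACT_DIMENSIONS = ("casualty_impact", "economic_impact", "public_impact")
CROSS_CUTTING_THRESHOLD = 4


def passes_sector_criteria(asset):
    """Stepping stone 1: does the asset exceed its sector's size/relevance threshold?"""
    check = SECTOR_CRITERIA.get(asset.sector)
    return bool(check and check(asset.metrics))


def own_score(asset):
    """Stepping stone 2: criticality of the asset considered in isolation."""
    return sum(asset.metrics.get(dim, 0) for dim in IMPACT_DIMENSIONS)


def effective_scores(assets):
    """Stepping stone 3: propagate criticality against the dependency direction.

    If A depends on B, losing B also loses A, so B's effective score is raised to at
    least A's. The fixpoint loop copes with dependency cycles and chains of any length.
    """
    scores = {a.name: own_score(a) for a in assets}
    changed = True
    while changed:
        changed = False
        for a in assets:
            for supplier in a.depends_on:
                if scores[a.name] > scores[supplier]:
                    scores[supplier] = scores[a.name]
                    changed = True
    return scores


def identify_critical(assets):
    """Apply all four stepping stones; return (name, effective score) sorted by score."""
    scores = effective_scores(assets)
    critical = [
        (a.name, scores[a.name])
        for a in assets
        if passes_sector_criteria(a) and scores[a.name] >= CROSS_CUTTING_THRESHOLD
    ]
    return sorted(critical, key=lambda item: (-item[1], item[0]))


# Constructed sample inventory (not real operators).
SAMPLE_ASSETS = [
    Asset("power_grid", "energy",
          {"customers_served": 2_000_000, "casualty_impact": 3, "economic_impact": 3, "public_impact": 3}),
    Asset("telecom_core", "telecom",
          {"subscribers": 5_000_000, "casualty_impact": 1, "economic_impact": 2, "public_impact": 2},
          depends_on=["power_grid"]),
    Asset("payment_switch", "finance",
          {"daily_transactions": 5_000_000, "casualty_impact": 0, "economic_impact": 3, "public_impact": 2},
          depends_on=["telecom_core", "dns_operator", "power_grid"]),
    # Low impact on its own, but the payment switch cannot run without it.
    Asset("dns_operator", "telecom",
          {"subscribers": 300_000, "casualty_impact": 0, "economic_impact": 1, "public_impact": 1},
          depends_on=["power_grid"]),
    # Fails the water-sector threshold, so it is screened out at stepping stone 1.
    Asset("small_water", "water",
          {"population_served": 10_000, "casualty_impact": 1, "economic_impact": 0, "public_impact": 1},
          depends_on=["power_grid"]),
]

if __name__ == "__main__":
    for name, score in identify_critical(SAMPLE_ASSETS):
        print(f"{name:15s} effective criticality {score}")
```

Running it lists power_grid (9) followed by dns_operator, payment_switch and telecom_core (5 each): the DNS operator would have scored only 2 on its own and been dropped, which is the reason the guide places the dependency assessment before the cross-cutting criteria rather than after.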

Step 3. Development of a critical information infrastructure protection policy including: 

  • A risk-based approach (in comparison to an ad-hoc approach); see lesson 4
  • Embedding of CII(P) in national crisis management; see lesson 7
  • Support for networking and information sharing; protection of critical infrastructure relies on reliable, secure, and efficient communication among various stakeholders.

Good practice: Adopt a multi-agency approach and start information sharing

Governments should adopt a multi-agency approach to address the risk and complexity associated with CIIP at the strategic, tactical, operational and technical levels.

Regular meetings of stakeholders selected based on their legal mandate, ownership and operation of critical infrastructure should be considered. These stakeholders include government ministries and agencies, national security, defence and police, the national Computer Security Emergency Response Team and private sector owners and operators of critical infrastructure.

Other networking and information sharing good practices are:

  1. Stimulate the sharing of cybersecurity-related information;
  2. Establish clear roles in CIIP in sharing initiatives;
  3. Be informed about information sharing standards;
  4. Take note of the guide to cyber threat information sharing;
  5. The buddying system;
  6. Various organisational forms of public-private partnerships for CIP/CIIP;
  7. Cyber security council at the national level;
  8. Traffic Light Protocol (TLP).

Source: Chapter 7 of the GFCE-MERIDIAN good practice guide on Critical Information Infrastructure Protection for governmental policy-makers.

Step 4. Monitoring and continuous improvement: The successful implementation of the policy depends on periodic monitoring and evaluation (M&E). Monitoring involves the tracking of the proposed interventions, initiatives, and resources against the expected policy outcomes, while evaluation involves the determination of the value of the policy implementation and achievements. The M&E results are shared with stakeholders and feedback is provided to enhance future initiatives.
