The testing and implementation of standards is recommended as a means of understanding and engaging in the standards development process.
Good Practice: Create a Standards Awareness Website
The creation of an internet standards awareness website is identified as a good practice. The website would provide a free and public service that raises awareness of standards and promotes their use and deployment. Using simple, non-technical language, it would provide:
– Comprehensible supporting documentation on internet standards;
– Arguments and pitfalls regarding internet standards deployment;
– Real-time checks for standards compliance.
Internet.nl is a portal and test tool, and a good example of the establishment of a national multistakeholder collaboration to promote security-related internet standards. The portal allows users to test whether their website, email, and internet connection use modern and reliable internet standards.
ISOC's Open Standards Everywhere (OSE) has focused on encouraging web server administrators and operators to deploy the latest open standards and protocols. The OSE uses the Internet.nl portal to check websites’ support for modern internet standards, including IPv6, DNSSEC, HTTPS, and security options. ISOC informs, educates, collaborates, and leads by example to support web server and website administrators with the deployment of the latest open standards.
Good practice: Lead by example
Leading by example is a good practice identified by the GFCE in the use of security-related standards. Governments can lead by example by:
– Implementing security-related and other standards in existing systems and networks and through procurement processes.
– Promoting the use of internet standards and good practices in agencies’ infrastructure.
– Ensuring appropriate allocation of resources, including staff and budget, for implementing and configuring the standards.
– Embedding standards requirements for ICT products in procurement procedures and policies.
– Adopting internet standards in their strategic ICT plans.
– Developing roadmaps outlining tactical and operational implementation activities and stakeholder responsibilities.
Case Study: The ICT Standards in Government
ICT Authority Kenya’s broad mandate entails enforcing the ICT standards in government and enhancing the supervision of its electronic communication.
The Authority has published, and enforces compliance with, standards in Government Enterprise Architecture, Cloud Computing, Data Centre, Electronic Records and Data Management, End-User Equipment, ICT Human Capital & Workforce Development, Information Security, IT Governance, ICT Networks, Systems & Applications.
Case Study: The ITU Regional Group for Africa standard implementation
At the last meeting of ITU-T SG17 ‘Security’ (virtual, 24 August – 3 September 2021), Africa (Kenya, Ghana and Senegal) had two contributions referring to Recommendation X.1060: Framework for the creation and operation of a cyber defence centre (CDC). Those were:
– C1098: Implementation of Cybersecurity Defence Centre Framework X.1060: This contribution initiated a request to Q3/17 to draft a Supplement to Recommendation X.1060 in order to assist Member States in implementing the Recommendation. This request should be added to the Q3/17 Work Programme, and if necessary, a New Work Item in this area should be established.
– C1099: Proposed Survey ‘Assessment Cyber Defence Centres in Africa’: The survey and the results arising from it are expected to enhance the capacity and effectiveness of the CDCs in Africa through the sharing of best practices in the provision of services, as well as provide an opportunity for networking and capacity development.
The participation of members of the Regional Group for Africa in the implementation of the Recommendation resulted in an understanding of the standardisation process, stakeholder engagement, and the publishing of a questionnaire intended to assess, plan, and enhance cybersecurity services in the CDCs in Africa.
International standards are often adopted by countries or regions to become national or regional standards. Compliance with standards would generally be made mandatory by way of regulations, maintained by a national or regional authority.
The use of standards could be mandatory or voluntary, depending on the regulatory requirements in a country or jurisdiction. Ideally, governments should want entities to voluntarily comply with standards’ requirements. It is, however, recommended that public and private entities with a legal obligation to report security issues implement standards through regulation. The use of standards by these entities would empower them to identify the most appropriate standard and influence subsequent updates to, or proposals for, new standards, reducing the risk of sanctions, lawsuits, or arrest for non-compliance.
Good Practice: Provision of economic and regulatory incentives to stimulate the adoption of Internet standards.
Economic and regulatory incentives to stimulate the adoption of internet standards may include:
– Tax reductions for companies introducing IPv6 in South Korea
– Tax deductions on the cost of purchasing IPv6 equipment (routers, switches)
– Logos and certifications for IPv6-enabled devices applied in Japan and South Korea
– A subscription fee discount for DNSSEC-signed domains by country-code accredited registrars and registries
– Internet registries’ discount campaigns for DNSSEC-signed domain registration: AFNIC (France), EURid (Europe, .eu registry), NORID (Norway) and SIDN (The Netherlands)
– SIDN ‘registrar scorecard’ programme to stimulate DNSSEC and IPv6
Reflection point
Governments have a significant role to play in the promotion and the use of standards. Using your country as an example, what economic and policy incentives should the government consider?