8. Infrastructure security audits and vulnerability assessments

Infrastructure audits and vulnerability assessments, carried out periodically against minimum standards, are critical for the protection of national security. They are an essential component of the national cybersecurity strategy and contribute to the formulation of the National Risk Profile (NRP).

The national cybersecurity strategy should outline the minimum outcome-focused cybersecurity baselines that are relevant across the CI and CII operators, based on international standards and best practices. In determining compliance with national priorities and consistent, interoperable practices, audits and assessments make reference to security baselines.

Resource: Cybersecurity Audit Baseline Requirements India

The Cybersecurity Audit Baseline Requirements for Cyber Information Infrastructure provide a minimum, common, and harmonised baseline criterion for cyber security audits. They provide guidance to auditors and auditees and are mandatorily applicable to owners and regulators of Critical Information Infrastructure.

The cyber security audit baseline is defined as the minimum controls to be audited for the cybersecurity of an organisation, which are grouped into six categories:

  1. Management
  2. Protection
  3. Detection
  4. Response
  5. Recovery
  6. Lessons learnt and improvements

The outcome of the risk assessment is the classification of the organisation as high, medium or low-risk information infrastructure.

Source: National Critical Information Infrastructure Protection Centre (NCIIPC).

Good practice: Defining minimum security baselines

The Guide to Developing a National Cybersecurity Strategy recommends that countries identify and follow good practice elements that support the vision and objectives of the National Cybersecurity Strategy. Defining minimum cybersecurity strategy is one of these good practice elements.

Legislation or regulations should outline the minimum cybersecurity baselines for CI and CII operators. To ensure consistency, better outcomes, greater efficiency and interoperability, security baselines should be outcome-focused and should reference internationally recognized standards and best practices.

The security baselines address:

  • High-level risk management priorities;
  • Specific cybersecurity practices;
  • Identification of cyber risks;
  • Establishment of risk management governance structures;
  • Measures for the protection of data and systems;
  • Monitoring of the digital environment and detection of anomalies/events;
  • Response and recovery from incidents;
  • Procurement requirements.

Case study: Country audits of the CII

Ghana’s Directive for the Protection of Critical Information Infrastructure (CII) establishes audit measures and procedures to ensure compliance pursuant to Section 38 of the Cybersecurity Act, 2020. The audit of a designated CII is carried out by the Cyber Security Authority (CSA) or its authorised auditor reference to submit reports, risk register, and any cybersecurity activities conducted. Planned significant changes in design, configuration, security, or operation of the CII must be approved by the Authority.

The baseline security requirements for designated CII owners are:

  • Policy
  • Technical and organisational measures
  • Incident reporting

Resource: Agence nationale de la sécurité des systèmes d’information (ANSSI) cross-sectoral security rules for CII and CI operators

The French Network and Information Security Agency, Agence nationale de la sécurité des systèmes d’information (ANSSI), has defined cross-sectoral security rules for CII and CI operators, based on operational experience and existing international standards. These rules mostly consist of cyber hygiene measures and fall within 20 categories:

  • Information assurance policies
  • Security accreditation
  • Network mapping
  • Security maintenance
  • Logging good practice
  • Logs correlation and analysis
  • Detection
  • Security incidents handling
  • Security alerts handling
  • Crisis management
  • Identification
  • Authentication
  • Access control and privileges management
  • Administration access control
  • Administration systems
  • Segregation in systems and networks
  • Traffic monitoring and filtering
  • Remote access
  • Systems set up
  • Indicators
