Barrack,
Thank you for your input as well. Yes I recall sometime back in 2007 I think, someone approached me and referred me to the KEBS/ISO/IEC body. He asserted they were looking for input in coming up with standards and policies to govern the fast growing IT field. However, that was the last I heard from them. I inquired how I could provide input, but no response has come since then. Whats my point? There is lack of follow through. For all I know, I try and mold existing frameworks (PCI/PA/DSS and ISO 27001) to fit my line of work because from where I stand, there maybe a laxity in actually implementing and executing the whole process. Most importantly, standards which fit our current model eg MMT's which seems to become a world wide phenomenal.
As to the question who should be involved, I believe everyone in the industry should be. From GSM Telco operators(who by the way are hardly considered as a potential entry point for some sophisticated hacks.), to ISP's Software outfits, Banks, Utility companies, you name them. Everyone has a key role to play. However, I know what am stating here isn't revolutionary. Its been preached before, but we have a knack for letting things fall through the cracks.
With the same zeal CBK, CCK, KEBS and any other regulatory body has when enforcing their standards, I believe a dedicated body should be established to research, develop and implement a certain number of realistic standards. Why do I use "realistic"? Running a Penetration Test to ensure your web server complies to what an audit firm claims to be the standard for running web services isnt good by itself. There are a million attack vectors which could cripple our economy when carefully executed. I dont mean to sound like those threat level alerts set to instill fear, but if you have had your ear on the ground for a while now, you will realize there are gaping holes which if someone only took a minute to think through and patch, would save us potential loss. Not just in terms of revenue, but also Intellectual Property-wise, reputation etc.
How about our law enforcement officers? I know the legal framework surrounding electronic wiretaps has been catered for, but are the NSIS/CID well equipped and trained to investigate cyber crime? You could argue the economy cant support the establishment of sophisticated labs etc but ask yourself, if we are aiming for vision 2030 with IT as the key driving force, why should Info Sec be an afterthought? Isnt this the time to build the base and case the joint before determined attackers come calling and catch us flat footed?
-tyrus
On Wed, Jul 6, 2011 at 12:23 PM, Barrack Otieno
<otieno.barrack@gmail.com> wrote:
Many thanks Tyrus, Aki, Peter Karunyu and Steve, you are certainly
switched on and i beleive there is much more you can contribute to
this nation in so far as Cyber Security is concerned, Tyrus you
mention ISO 27001/PCI DSS indeed there is a technical commitee at
Kenya Bureu of standards KEBS/ISO/IEC JTC1 SC27 that develops IS
Security standards, i happen to be a member so are other listers
including Evans Ikua the Chairman of LPA Kenya whom i hope will add
some insights into this discussion, one of the greatest challenges has
been the fact that the local industry has been slow to embrace the
standards which are available at the Kenya Bureu of Standards any
lister can contact me offlist incase you need further details, some of
the standards adapted by the commitee to the Kenyan environment
include KSS 2246:2011 Code of Practice for Business Continuity
Management and Ks 2247:2011 Code of Practice for ICT continutiy
Management. Plans are underway for public Fora to create awareness on
the work the commitee is doing and i hope as many listers will be
available for this. On a positive note i am glad the Police
Commissioner is open to new ideas and i suppose he might have an open
door policy going by recent events, i do hope he will be available for
the Face to Face meeting , on another thread Dr. Ndemo lauded crowd
sourcing which i suppose could be a new strategy for government
departments including Police to source for inputs into their
strategies from the public and private sector in an organised manner,
as we carry on do you think the government is taking sufficient steps
to address Cybercrime? if not what needs to be done other than
awareness, as one lister posed is there need for a national strategy
on cyber security, if so who should be the key players and why?
On Wed, Jul 6, 2011 at 11:08 AM, Solomon Mburu Kamau
<
solo.mburu@gmail.com> wrote:
> Listers,
>
> One of the things we can do as a nation is to have mechanisms that
> will inform the majority of internet users to know what is exactly
> meant by cybersecurity and privacy. There are many situations where
> someone is duped by a flowery email indicating how much they have won
> etc.
> Lack of mass education that points out how and where a person is at
> risk of cyber security is important. It can be done through the media
> and CCK's Chukua Hatua site.
> Education of the mass is critical for ensuring that the public is not
> in anyway duped into getting into some deals which might put them at
> risk.
> Public awareness is a critical element for ensuring there is
> sufficient information which will not let the public loose their money
> through dubious deals.
> _______________________________________________
> Skunkworks mailing list
>
Skunkworks@lists.my.co.ke
>
http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
> ------------
> Skunkworks Rules
>
http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
> ------------
> Other services @
http://my.co.ke
>
Barrack O. Otieno
Afriregister Ltd (Kenya)
www.afriregister.bi, www.afriregister.com
ICANN accredited registrar