Re: [Skunkworks] [Security Forum] #KeIGF15 Online Discussions Day Two: Cyber Security and Trust

Concerns.

1. Lack of an enterprise security architecture framework or security program strategy. This is a methodology for addressing security concerns at each and every architecture domain. The existing enterprise architecture and security architecture frameworks are not quite there yet, or are non-existent. The legislative arms of the government fall here too. If the architecture exists, then it is viewed as a panacea and no actioning is needed, e.g. the password policy. It is general knowledge how it should be done, but implementation is shelf-based.

2. Lack of alignment with business, IT, operations and regulatory; therefore, a need to transform the security organization, i.e. placing the security capabilities as a subset of the business reference model to give an understanding of how they fit within the strategy, organizational units, business functions and processes.

3. Legal, regulatory and internal compliance (stakeholder business objectives and investment) conflicts. The increasing number and scope of regulatory requirements can often override business objectives or internal compliance and affect core business capabilities. Security is then viewed as a hindrance.

4. A need for business-outcome-focused and risk-driven security reference architectures. In our enterprise security architecture framework, risk and business objectives are the key drivers for the selection of security controls. As this is a top-down approach, it ensures that all policies and controls are identified and owned.

5. Emerging trends and technologies, such as IoT, cloud, BYOD and mobility, affect data privacy. The challenge is gaining knowledge around the relation to data privacy requirements, threat and vulnerability vectors and business objectives.

Having a proper security program/architecture sanctioned by the stakeholders and, most importantly, the executive management and the government legislation (of course without the evidently greedy governments) will trickle down to every unit and person.
Verizon reports (http://www.verizonenterprise.com/DBIR/2015/) that 96 percent of attacks are not sophisticated and 97 percent are easily avoidable. What blows your mind is that it is due to simple stupidity (my meaning), lax access policies and internal employees.

On Tue, Jul 21, 2015 at 12:00 PM, <skunkworks-request@lists.my.co.ke> wrote:
Message: 3
Date: Tue, 21 Jul 2015 11:53:06 +0300
From: Mwendwa Kivuva <Kivuva@transworldafrica.com>
To: Jared Koyier <jaredkoyier@gmail.com>, "Security Forum All information security discussions in Africa are done here (Hacking, Decryptions, Security management, physical security, Disastor Recovery, Security Assessments etc etc)" <security@lists.my.co.ke>
Cc: Skunkworks forum <skunkworks@lists.my.co.ke>, ISOC Kenya Chapter <isoc@lists.my.co.ke>, KICTAnet ICT Policy Discussions <kictanet@lists.kictanet.or.ke>
Subject: Re: [Skunkworks] [Security Forum] #KeIGF15 Online Discussions Day Two: Cyber Security and Trust
Message-ID: <CAEhPqwpvYfoLXV_siQ1tzndWW_Rrq=E9rSReTOoH7Ou=tdsTHw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
On 21 July 2015 at 11:00, Jared Koyier via Security <security@lists.my.co.ke> wrote:
The biggest question is whether the people responsible for cyber security in government have the resources and technical capacity. A good example is the recent embarrassing Hacking Team exposure, in which one of the officers in the NSIS is captured seeking international help in defacing a simple blog.
Just for the record, here is the email transcript where Kenyan State House operatives were allegedly seeking EXTERNAL help to hack Kenyan websites:
https://www.wikileaks.org/hackingteam/emails/?q=kensi.org&mfrom=&mto=&title=... a
and this is how the Nation reported the story:
http://mobile.nation.co.ke/news/NIS-WikiLeaks-Hacking-Team-Surveillance/-/19...
Of interest is that some time back, a Kenyan government agency was giving orders that all websites should be hosted locally. From the Hacking Team fiasco, we can clearly see why the government wants websites to be hosted locally: so that they can just physically seize the computer box instead of having to employ hackers from Russia to do the dirty job for them.
I am surprised civil society actors have not come out very strongly to question this move of internal hacking by government. After Snowden, we saw how civil society in the US came out very strongly to protest the violation of basic rights by the State. The US government had to apologize for the embarrassing revelations and try to cover its back. Of course, the argument I hear these days is that there is no government that does not do cyber espionage, only that some governments are more adept in their skills than others.
Regards
______________________
Mwendwa Kivuva, Nairobi, Kenya
"There are some men who lift the age they inhabit, till all men walk on higher ground in that lifetime." - Maxwell Anderson
participants (1)
- Hosea Kandie