PRESENTATION DURING NEW STAFF INDUCTION ON THE INFORMATION TECHNOLOGY (IT) DEPARTMENT BY: MICHAEL K....

Post on 17-Jan-2018


PRESENTATION DURING NEW STAFF INDUCTION ON THE INFORMATION TECHNOLOGY (IT) DEPARTMENT

BY: MICHAEL K. KATUNDU, Director, Information Technology (IT)

Mandate of the IT Department

1. Align Information Technology (IT) systems to the Authority’s Strategy

2. Facilitate the development of the Electronic Commerce (E-Commerce) framework in Kenya

3. Conduct technical Research and Development (R&D) on new and emerging technologies and trends

ALIGN INFORMATION TECHNOLOGY (IT) SYSTEMS TO THE AUTHORITY’S STRATEGY

Align the Information Technology (IT) systems to the Authority’s Strategy

• Automation of the Authority’s systems and processes
• Management of the Authority’s IT systems
• Awareness creation and capacity building on IT issues (Internal and Regulatory)
• Advise on IT issues (Internal and Regulatory)

FACILITATE THE DEVELOPMENT OF THE ELECTRONIC COMMERCE (E-COMMERCE) FRAMEWORK IN KENYA

Overview of Kenya’s National Cybersecurity Framework

VISION 2030

ICT Sector Policy

Kenya Information & Communications Act of 1998

National Cybersecurity Strategy

National Computer Incident Response Team/Co-ordination Centre (National KE-CIRT/CC)

National Public Key Infrastructure (NPKI)

Facilitate the development of the Electronic Commerce (E-Commerce) framework in Kenya

2.1. Coordination of the implementation of the national Cybersecurity framework

2.2. Coordination of the implementation of a framework for the administration and management of the dot KE country code Top Level Domain (ccTLD)

Coordination of the implementation of the national Cybersecurity framework (Cont’d)

ii. Types of Cybersecurity incidents
• Hate messages propagated through the Internet/Computer
• Distributed Denial of Service (DDOS)
• Phishing
• Website Defacement
• Espionage

The National Computer Incident Response Team - Coordination Centre (National KE-CIRT/CC)

“Enhancing Internet Security in Kenya”

Implementation of the national Cybersecurity framework (Cont’d)

The National Computer Incident Response Team-Coordination Centre (National KE-CIRT/CC)

• The Authority implemented the National KE-CIRT/CC in Oct. 2012 with the technical support of the ITU
• The Authority is currently liaising with the ITU to upgrade the services of the National KE-CIRT/CC

The functions of the National KE-CIRT/CC are to:

a) Coordinate technical response to cybersecurity incidents in Kenya in collaboration with the national, regional and international cybersecurity actors;

The functions of the National KE-CIRT/CC (Cont’d):

b) To create awareness and build capacity on Cybersecurity in Kenya

The National KE-CIRT/CC operates as follows:

i. Users report cybersecurity incidents to the National KE-CIRT/CC (via the website, email, telephone, a letter or by visiting)

ii. The National KE-CIRT/CC conducts technical analysis

iii. Respond to the cybersecurity incidents

iv. Escalation of the cybersecurity incidents of criminal nature to the law enforcement (for investigation and possible prosecution)

v. Providing Network Early Warning information (advisories) to stakeholders

Summary of the Functions of the National KE-CIRT/CC

• Implement National Cybersecurity Policies, Laws & Regulations
• Cybersecurity Awareness & Capacity Building at the National Level
• Technical Co-ordination & Response to Cybersecurity Incidents
• Early Warning & Technical Advisories
• Collect, collate and disseminate national statistics on cybersecurity incidents
• Development & Implementation of a National Public Key Infrastructure (NPKI)
• Research & Development (R&D) on Cybersecurity
• Establish Collaboration (National, Regional & International) on Cybersecurity

National KE-CIRT/CC Collaboration (Stakeholders)

• National Police Service (NPS)
• National Intelligence Service (NIS)
• Kenya Defence Forces (KDF)
• Directorate of Public Prosecutions (DPP)
• Mobile Telecom Operators & ISPs
• Financial Institutions
• Academia
• National, Regional & International CIRTs

The National Public Key Infrastructure (NPKI)

“Enhancing Internet Security in Kenya”

The National PKI

Anonymity on the Internet drives the tendency towards abuse.

“On the Internet, nobody knows who really is on the other end”

The ICT Sector Policy of 2006 and the Kenya Information and Communications Act of 1998 mandate the Communications Authority of Kenya (CA) to license entities to provide Electronic Certification Service Provider (E-CSP) services.

E-CSP entities issue digital certificates (virtual identities) to Internet users to enable them to carry out safe and secure electronic transactions.

The Ministry of ICT, in collaboration with the Communications Authority of Kenya (CA) and the ICT Authority (ICTA), has implemented the National Public Key Infrastructure (NPKI).

The NPKI comprises two parts:

• The Root Certification Authority (RCA): A function of the Communications Authority of Kenya (CA), used as a regulatory tool in the licensing of Electronic Certification Service Providers (E-CSPs). The RCA accredits (endorses) the E-CSPs so that the digital certificates they issue are recognized by the law at the national level.

• The Government-owned E-CSP: ICT Authority (ICTA) will be licensed to operate the government-owned E-CSP to issue digital certificates (virtual identities) to Internet users using government services. This will be the first E-CSP licensee for the Communications Authority of Kenya (CA).

REAL WORLD vs. CYBERSPACE

Identification:
• Real world: National Identity (ID) Card bearing an individual’s photo and fingerprint is used for identification.
• Cyberspace: A Digital Certificate (virtual identity) bearing an individual’s public key is used for identification.

Authentication:
• Real world: A re-usable hand signature or signature-seal is used for authentication.
• Cyberspace: A digital signature (virtual signature), using an asymmetric encryption method, is used for authentication. The signature is unique for each e-transaction. For example, if a document is changed, the digital signature also changes.

The National Public Key Infrastructure (NPKI)

Root Certification Authority (RCA):
• Technical Standards Development
• Awareness Creation & Capacity Building
• Licensing & Accreditation of E-CSPs
• International Co-operation

Government-owned E-CSP:
• Issue Digital Certificates

Private-owned E-CSPs:
• Issue Digital Certificates

Key: E-CSP: Electronic Certification Service Provider licensed by the Communications Authority of Kenya (CA) to issue Digital Certificates (Internet IDs).

The National PKI: Root Certification Authority (RCA) (diagram labels)

• User Environment For Electronic Signatures
• Legal and Policy Issue
• Technical Specifications
• Accredit Certificate Authorities
• International Cooperation
• Issue and manage E-CSP certificate; Audit E-CSP
• Develop and standardize
• Research and development
• Public awareness and Capacity Building
• Support for mutual recognition

The National PKI: Government-owned E-CSP (diagram labels)

• Auditing Unit
• Registration Authorities
• Directory Services
• Subscribers
• Generate & issue certificates
• Storage and management of Certificate revocation lists
• Act as agents of Certificate Authorities
• Logs, History and Integrity Checks

Benefits of an NPKI

• Ability to digitally sign electronic data and information to ensure integrity of the data and non-repudiation

• Ability to encrypt electronic data and information to ensure confidentiality.

Implementation of a framework for the management of the dot KE country code Top Level Domain (ccTLD)

i. What is a Domain Name System (DNS)?
A system that maps IP addresses to EASY-TO-REMEMBER Domain Names (CA.GO.KE). Includes ccTLDs (country identity) and gTLDs (generic).

ii. What is a ccTLD?
A country code Top-Level Domain; it acts as an Internet Identity for a country or territory. Examples are: dot KE (Kenya), dot TZ (Tanzania), dot UK (United Kingdom), dot US (USA).

iii. Licensing framework for dot KE ccTLD
• Kenya Network Information Centre (KENIC) started in 2002 under facilitation by CA
• The Law (KICA) requires that dot KE Registry and Registrars are licensed
• The Licensing framework is awaiting final approval by the Board

CONDUCT TECHNICAL RESEARCH AND DEVELOPMENT (R&D) ON NEW AND EMERGING TECHNOLOGIES AND TRENDS

Structure of the IT Department

• Director, Information Technology (IT)
• Assistant Director, Information Systems (IS)
• Manager, Systems Development & Administration (SDA)
• Assistant Director, E-Commerce (EC)