Matunda, Listers,

You are right. Breaches of cyber security need serious attention. The ICT Policy in 2006 summarized the matter as follows:

"Electronic Security: The challenge is for the country to establish an adequate legal framework and capacity to deal with national security, network security, cyber-crime and cyber-terrorism; and to establish mechanisms for international cooperation to combat cross-border crimes. An e-security structure will be developed in collaboration with the relevant institutions."

Since 2006 the situation has become even worse than envisaged at that time due to the increasing use of on-line services and broadband networks.

John Kariuki

On Monday, 21 July 2014, 17:38, Matunda Nyanchama via kictanet <kictanet@lists.kictanet.or.ke> wrote:
On this score, I have made some observations:

- Our people don't take such breaches seriously; I read an attitude of this sort: "it is a small irritant that will come." This is especially so for the public sector but also (to a small extent) the private sector. Indeed, organizations like banks can afford to underwrite huge losses through marginal variation in interest rates.

- There is no concerted effort to develop the needed skills in this area in order to tackle/forestall such problems. With such skills in mind we would design, implement and continually monitor and respond to incidents based on best practices. (Note: there are no guarantees that one won't be hacked, but one can minimize such damage as: reputation, loss/modification of information, etc.)

- We seriously need leadership in this space nationally (both in public and private sectors); if any exists, it is not felt. Such leadership would be evangelistic in nature, pushing for appreciation of such risks and how to deal with them. Such awareness would raise concern (hopefully) and thus assure allocation of commensurate resources (people, money, technology, etc.) to confront the problem. (NB: my experience in North America tells me that this area is very much underfunded, and whatever little funding comes through would be spent on easy-to-acquire stuff like CCTV ... some installed without the requisite processes, skills, etc. for maximum gain (ROI) ...)

- Many technology managers (and many others in management) treat security with obscurity. Keep things obscure and profess security. I once was in a discussion with a senior official in GoK and heard things such as: we cannot disclose what measures we have taken to protect government information because the same can be used by you people to target us! He failed to appreciate that you can still be hacked with the use of known reconnaissance approaches. OK: if you really want help, get some of our top talent, give them security clearance and allow them to build robust systems that assure security.

- A friend recently gave the story of a manager (a protégé of top management) who kept his job, protected by his benefactors, but who many knew wasn't performing. This manager could continually avoid bringing in talent that might help him but which might also expose his failings! Only when the organization was hit and top management embarrassed with loss (material, reputational) did they hire an external consultant whose report exposed the fraud that the manager had perpetuated for years on end! ... Long story short, he was given a soft landing and slowly eased out of the organization. ... Lesson: get the right talent and skills for the job if indeed you are committed to delivering on your mandate.

BTW: we are into consulting and training in this area. I know of bids we have lost (despite presenting the best technical proposals) because of other considerations. Your guess is as good as mine as to why, but don't be surprised to have some "wired/connected" individuals winning security assignments which they can't deliver on; and if they do, the result would be sloppy, and why ... because they engage unskilled people ....

- Finally (for now), the compliance regime is extremely weak! I know a thing or two about the Auditor General's office, and information security skills aren't one of their strengths. The focus on financial audit (recently they reported Kshs 300+ billion unaccounted for) takes all the attention while other aspects go unattended: critical infrastructure protection, ICT specification/acquisition/deployment/management/.../disposal ... all go unattended.

... there is a lot to say; let this suffice for today.

----------------------------------------------------------------------------------------------
Matunda Nyanchama, PhD, CISSP; mnyanchama@aganoconsulting.com
Agano Consulting Inc.; www.aganoconsulting.com; Twitter: nmatunda; Skype: okiambe
----------------------------------------------------------------------------------------------
Manage your ICT risks! We are the experts you need! The trusted partners you deserve!
Call: +1-888-587-1150 (Canada) +254-20-267-0743 (Kenya) or info@aganoconsulting.com
Licensed by Communications Commission of Kenya (CCK)
----------------------------------------------------------------------------------------------
"The best revenge is massive success" - Frank Sinatra
-----------------------------------------------------------------------------------------------
kictanet mailing list
kictanet@lists.kictanet.or.ke
https://lists.kictanet.or.ke/mailman/listinfo/kictanet
Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/ngethe.kariuki2007%40yahoo.co.uk
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.