Discussion: Shaping Kenya’s Cybersecurity Ecosystem

Dear Mutheu

The Common Criteria (CC) should be considered and ISO27001 & 27017 & 27018 & 27701.

Then there are some specific ones, like in the networks space, there is the Network Equipment Security Assurance Scheme/Security Assurance Specifications (NESAS/SCAS) and in the cloud space there is the CSA Cloud Controls Matrix (CCM).

There are also others in various domains like payment card standards, health informatics standards etc.

Regards
Adam

From: A Mutheu <[email protected]>
Sent: Friday, 16 August 2024 12:43
To: Kenya’s premier ICT Policy engagement platform <[email protected]>
Cc: Adam Lane <[email protected]>
Subject: Re: [kictanet] Re: Discussion: Shaping Kenya’s Cybersecurity Ecosystem

Dear Adam,
Thanks for your insights. Are there any specific standards, from your experience in the sector, that you think should be considered? If so, do you have suggestions as regards specific international standards that can be studied, and then localized, if deemed relevant?
Stay happy,
Mutheu.

On Thu, Aug 15, 2024 at 12:55 PM Adam Lane via KICTANet <[email protected]> wrote:
Hi David
In my engagements with policy makers I emphasize the need for the government to intentionally identify relevant cybersecurity standards (either international, local or international ones that are localized) and then implement them within government and encourage the rest of the industry in the country to also adopt and implement. These standards are a good benchmark to define “secure” (though one must never accept reaching a standard as the end goal, and must not get complacent) and can be specific to certain areas (such as cloud, telecom networks, software etc.) or be about certain processes and can be tested and certified against. This can grow the cybersecurity ecosystem (labs, certifiers, standards consultants etc.) and support talent training and development as well.

Such standards may not need to be legally required necessarily, but this would be a discussion worth having.

Adam

From: David Indeje via KICTANet <[email protected]>
Sent: Thursday, 15 August 2024 08:38
To: Adam Lane <[email protected]>
Cc: David Indeje <[email protected]>
Subject: [kictanet] Re: Discussion: Shaping Kenya’s Cybersecurity Ecosystem

Dear Listers,

Day 3:

The CMCA has profound implications for businesses, individuals, and the digital economy in Kenya. Its effectiveness in balancing innovation with cybersecurity, addressing emerging technologies, and protecting individual rights is a subject of ongoing debate. Today, we encourage discussion on the challenges and opportunities presented by the CMCA and explore potential solutions to enhance its effectiveness in shaping a secure and vibrant digital future for Kenya.

Section 5: Impact on Businesses and Individuals.

1. How has the CMCA impacted businesses in Kenya in terms of cybersecurity practices and investments?
2. Do you believe the CMCA adequately protects the rights of individuals in the digital space?
3. Have there been any unintended consequences of the CMCA on businesses or individuals?
4. How has the CMCA affected the digital economy in Kenya?

Section 6: An analysis of the effectiveness of the CMCA to embrace emerging technologies and the cyberthreats they pose therein.

1. How does the CMCA balance the need for innovation with cybersecurity?
2. Does the Act create an environment conducive to technological advancement or are there any provisions that stifle innovation?
3. How well does the CMCA address emerging technologies such as artificial intelligence, blockchain, Internet of Things (IoT), quantum computing and cryptocurrency? What can be done to enhance its ability to address these lacunas (if any)?
4. How can the legal framework provided by the CMCA be enhanced to regulate the use of emerging technologies, while protecting individual digital rights?

Section 7: General Questions.

1. Are there any legal uncertainties or ambiguities in the Act that hinder its effectiveness?
2. What are the capacity-building needs of law enforcement and the judiciary in addressing cybercrimes related to emerging technologies?
3. Is the country’s cybersecurity infrastructure sufficiently robust to address the challenges posed by emerging technologies?
4. Any other relevant comment that you may wish to include as regards the CMCA?