Kenya Cyber Security Report 2015
Serianu Cyber Security Framework
Over the years, Serianu has obtained extensive experience working with
different SME and Sub-Saharan Africa-based organisations in an effort
to implement information security programs. Most of these programs
were based on global best practice such as ISO 27001/2, PCI DSS, NIST
and COBIT.

Based on these experiences and industry-wide consultations, we have
noted that while compliance with these security standards is great and
increases an organisation's credibility, it is quite a daunting and
complex task. It requires discipline, proper documentation and
enforcement of policies and procedures, deployment of the right tools
and technology, onboarding of qualified and well-trained information
security professionals and, most importantly, support from top-level
management.

Our experience working with organisations has enabled us to identify
the challenges most African organisations face, especially the
difficulty in determining risk exposure and the return on specific and
general cybersecurity investments. Based on several studies and our
experience, we know that cost is the single biggest barrier to
implementing adequate cybersecurity, particularly for smaller
organisations.

As the 2015 report shows, most SMEs and African-based companies of all
sizes are unable to withstand cyber security attacks. In addition, most
governments and critical infrastructure companies could be at risk from
thousands of connections to smaller players whose implementation of the
Global cybersecurity best practices may not be determinable.

The Serianu Cybersecurity baseline controls Framework identifies 4 core
areas: Cybersecurity Program Governance and Strategy, Vulnerability and
Threat Management, User Provisioning and Access Management, and
Continuous Monitoring and Incident Response. Within these areas it
drills down to a total of 14 categories.

Importantly, it will help small businesses in Sub-Saharan Africa to
identify and prioritize specific risks and steps that can be taken to
address them. It also identifies some of the most relevant threats and
barriers to successful risk management. It is particularly helpful to
small and medium-sized businesses seeking to implement the Global
frameworks (NIST, PCI DSS, ISO 27001 and SANS Controls), breaking down
more complex categories and analysis into 14 controls that simplify
analysis and implementation.

Organisations intending to be compliant with any of the information
security best practices should also be prepared to invest heavily in
time and money. Over Kshs. 50 Million is spent to assess the scope of
the particular standard and in meeting its requirements. All this in an
effort to safeguard an organisation's infrastructure from cybercrime
both internally and externally.