Chapter 10

Bahrain Government Information Security Framework:

CyberTrust Program

ABSTRACT

Information technology is perceived as an important enabler for government entities to accomplish their goals. The proliferation of electronic government services that can provide value for citizens and residents has pushed governments all over the world to adopt and deploy these services. However, governments have realized that it is critical to build proper defenses to protect their information. Implementing information security by using international or national information security frameworks helps organizations ensure the safeguarding of information assets. This chapter reviews useful information security frameworks. It also presents a proposed information security framework implemented in the Government of Bahrain, called the CyberTrust Program. This framework was developed based on best practices and on local resources and culture.

INTRODUCTION

Information is an important asset for all organizations in achieving their goals, and information technology has become a major driving force in many organizations in making their functions run smoothly and faster. Consequently, protecting information is perceived as a critical function that needs to be successfully accomplished and needs devotion from all of the organization’s members.

Information security is vital to all organizations that use information technology to protect their information and conduct their business. Whitman and Mattord define information security as “the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information” (Whitman and Mattord, 2017). Additionally, Merkow and Breithaupt define information security as “the process of protecting the confidentiality, integrity, and availability (CIA) of data from accidental or intentional misuse” (Merkow and Breithaupt, 2014).

When implementing information security, organizations and enterprises have the opportunity to follow proven standards or frameworks that include guidelines and best practices to be followed in order to successfully achieve information security. Two examples of these standards/frameworks are the United States National Institute of Standards and Technology (NIST) Special Publication 800-53r5 and the International Organization for Standardization (ISO) 27001:2013 standard.

These standards define certain information security controls to be implemented in multiple areas within the organization in order to protect information assets. These controls fall into three categories: preventive, detective, and responsive. Preventive controls work to stop a threat from materializing in the first place; if a threat nonetheless occurs, it is the responsibility of detective controls to detect and identify it. Finally, responding to the threat is the duty of responsive controls.

The controls affect three areas within the organization: people, technology and process. People within the organization should be given enough knowledge to interact correctly with technology, which minimizes threats caused by human errors and mistakes. Technology itself should be designed with certain controls that contribute to protecting information. Finally, processes or procedures should be followed by each person in the organization. Procedures, when written clearly and followed by everybody, further help in avoiding human errors.

The Kingdom of Bahrain has recognized the importance of information technology in its endeavor to achieve a better life for all citizens and residents in the Kingdom of Bahrain, within the principles of vision 2030, based on sustainability, competitiveness, and fairness. The Kingdom of Bahrain has witnessed substantial progress in the information technology sector to the extent that the provision of services and exchanging, storing, and using information electronically has become a fundamental means of work at all government entities. Therefore, it is imperative to uphold the confidentiality, integrity, and availability of government information for gaining the confidence of its constituents.

Therefore, it was necessary to develop a framework aimed at assuring that information security in all government entities is conducted in a uniform manner while still appreciating the differences between their environments. As such, the Information and eGovernment Authority (IGA) has designed a new framework titled ‘Cyber Trust Programme’ (CTP), which enables government entities within the kingdom to improve information security assurance, to have a unified, methodical approach to information security, and to determine the information security maturity of the respective entities.

The CTP is designed to provide an information security framework of a competitive nature, which endeavours to raise the level of information security through governance and the support of human and technology elements, resulting in a continuously trusted electronic environment for the government.

The research questions directing the Chapter are:

The Chapter aims at realizing the following objectives:

The Chapter will be a source of insight for information security researchers and officers in higher learning institutions and organizations. Its findings will help increase the implementation of security controls and help measure how those controls are implemented in government organizations.

RELATED WORK

Nowadays, there are several different types of information security frameworks, some issued by national and international organizations and others issued by professional organizations. This section reviews the literature previously published on information security frameworks. In addition, this review focuses on some well-known frameworks used to implement information security within organizations: International Organization for Standardization (ISO) 27001:2013, National Institute of Standards and Technology (NIST), COBIT, and the Critical Security Controls (CSC).

ISO 27001:2013: The International Organization for Standardization (ISO) developed and published ISO 27001 (formally known as ISO/IEC 27001:2013), which provides a checklist of controls for an information security management system (ISMS). An ISMS is a structure of policies and procedures that handles information security risks and can be customized to the organization’s needs.

An organization that has achieved ISO 27001 certification has defined its risks, evaluated the consequences and set controls to minimize any breaches; it has guaranteed that information is precise and can only be modified by authorized users, and has protected its information from getting into unauthorized hands. Certification also increases the credibility and security of systems and information, and improves business resilience and management processes.

The National Institute of Standards and Technology (NIST): The National Institute of Standards and Technology (NIST) was founded in 1901. Currently, NIST is part of the United States Department of Commerce. There are six research laboratories within NIST, one of which is the Information Technology Laboratory (ITL). ITL publishes valuable reports and guidelines; among these are the NIST Special Publication (SP) 800-series and 1800-series.

The SP 800 series contains the output of ITL research as guidelines in the information security field to be applied in various organizations. The SP 1800 series, on the other hand, focuses on information security practices and guidelines (Santos, 2019). Of special interest is NIST SP 800-53, which is a large set of information security controls. The controls span 17 areas within the information security field (Calder, 2018).

COBIT: COBIT stands for Control Objectives for Information and related Technology. COBIT was first released in 1996. Erik Guldentops is recognized as the ‘grandfather of COBIT’, while Gary Hardy is recognized as the ‘father of COBIT’ (CSC, 2019). The first release of COBIT was intended to be used by IT auditors. With the release of COBIT 3 in 2000, the focus evolved from IT audit to IT governance. The current version of COBIT is COBIT 5, which was released in 2012.

COBIT is released by both ITGI (IT Governance Institute) and ISACA (Information Systems Audit and Control Association). ISACA claims that COBIT 5 is “based on more than 80 frameworks and standards” (Harmer, 2014). ISACA uses the term Governance of Enterprise IT (GEIT) to describe the focus of COBIT 5, stating that it is “the only business framework for the governance and management of enterprise IT” (COBIT, 2019).

COBIT 5 is designed to achieve five principles: 1) Meeting stakeholder needs, 2) Covering the enterprise end-to-end, 3) Applying a single integrated framework, 4) Enabling a holistic approach, and 5) Separating governance from management. COBIT 5 also declares the need for seven categories of enablers: 1) Principles, policies and frameworks, 2) Processes, 3) Organizational structures, 4) Culture, ethics, and behavior, 5) Information, 6) Services, infrastructure, and applications, and 7) People, skills, and competencies (Harmer, 2014).

Critical Security Controls (CSC): The Center for Internet Security (CIS) is a non-profit organization that works together with a global IT community to protect organizations against cyber threats (CSC, 2019). CIS selected the most critical controls that help organizations effectively defend their systems and networks in a prioritized manner, providing a list of 20 fundamental security controls that improve the cyber security of organizations with the fewest control implementations (Virtue & Rainey, 2015). The CSC is a framework that provides safeguards for IT security based on two main factors: actual attacks and effective defenses against them (Jasper, 2017).

BEFORE IMPLEMENTING CYBER TRUST PROGRAM

The Information and eGovernment Authority (IGA) in Bahrain encountered several challenges in the implementation of policies, procedures and technical controls related to information security across government entities. Most of the government entities were primarily dedicated to the development of information systems and to the tasks, services and availability related to those systems, without taking into consideration the implementation of information security controls, as these controls were considered unaffordable and likely to delay the delivery of services. This led to a lack of cooperation in a significant number of government entities, and the IGA encountered difficulties in reaching the level of security that needed to be achieved.

Consequently, a large number of government systems were exposed to vulnerabilities and risks that led to the disruption of electronic services during that period. It was noticed that:

The CyberTrust Program was provided as a government framework that solves the challenges mentioned earlier and raises the level of information security through governance, by the application of security controls (policies, systems, and awareness of government employees of information security risks). The program is mandatory for all government entities, as it assists them in developing information security within a scalable mechanism and with clear standards.

PROPOSED SOLUTION

The CTP supports the process of designing and providing government services in a secure manner, in addition to educating users and training cadres, through establishing three graduated levels of effective standards, based on which government entities are classified according to their achievement and implementation of the standards for each level. The CTP gradually raises the level and maturity of information security at government entities through carefully planned stages, which directly serves IGA’s national strategic goals in managing information security within the Government of Bahrain. In addition, government entities have previously carried out various initiatives to improve information security, including the implementation of international standards and/or various controls to safeguard information and the wider IT infrastructure. The CTP recognizes these initiatives by incorporating their activities within the maturity framework. Various other actions have also been incorporated into the framework to enable wider coverage of the activities that safeguard government entities. The figure below shows the three levels of maturity within the CyberTrust Programme.

Figure 1. Programme maturity level

At the heart of the CTP is the concept of continuous improvement. This is essential for any organization to meet the challenges of changing threats. The CTP was based partly on the frameworks reviewed above and on the experience of IGA in working with the government entities within the Government of Bahrain. The CTP, as is the case with any novel concept or new idea, will be closely monitored and continuously improved.

Over the years, IGA has launched several initiatives to support the government entities in various endeavours. The government entities benefited from these initiatives in areas such as acquiring IT infrastructure, standardization, knowledge sharing, facilitating statistical information databases, and many others.

The CTP is one such initiative, aimed at improving the information security maturity of government entities. The Programme encourages government entities to enhance information security in a competitive way and in a manner that builds a framework consisting of the following:

PROGRAM MISSION AND GOALS

The Mission of the program is to provide an information security framework of a competitive nature, which endeavours to raise the level of information security through governance and the support of human and technology elements, resulting in a continuously trusted electronic environment for the government and leading to regional and global leadership.

The goals of the Cyber Trust Programme are described below:

Encourage government entities to implement initiatives and projects that aim at protecting the IT infrastructure, information, and assets, to implement security policies and procedures, and to benefit from information security services and operations.

Encourage nationals in the government entities to enhance and enrich their capabilities in information security, and on emerging threats and challenges by exposing them to innovative technologies, new developments, providing training, and creating a platform conducive for learning and growth in gearing them to meet the challenges of the future.

Educate the government users in the fundamentals of information security, related threats, and the safeguards to proactively protect users from security incidents and raise overall security readiness.

Support the process of development, acquisition, and dissemination of knowledge in the field of information security through encouraging developmental practices and applications, research, studies and analysis, and through working on providing and disseminating a knowledge base.

Enhance the Kingdom of Bahrain’s position locally, regionally, and internationally in the field of information security, through:

Evaluating information security practices at government entities based on well-defined and clear standards, conditions, and best practices, leading to the achievement of desired goals of information technology.

MATURITY MODEL LEVELS

A maturity level is a well-defined evolutionary plateau that establishes a level of capability for improving the workforce. Each maturity level specifies certain characteristics for processes, with higher maturity levels having more advanced characteristics, and is a step towards achieving a mature process, providing a set of goals which, when satisfied, places an organization at the next level of maturity. It also defines the path a process follows in moving from an immature, ad hoc process to a highly mature process. In this project we define three maturity levels as follows:

Maturity level 1 – Practitioner: This level indicates that a government entity has achieved ‘Practitioner’ level, implementing the basic requirements of the Cyber Trust Programme. The entity has achieved initial maturity with respect to the process, technology, and people requirements associated with information security and is progressing towards the ‘Progressive’ maturity level. Most importantly, this level reflects active efforts by the entity to prevent the overall security situation from deteriorating; the entity is well on its way towards building an information security culture at the organizational level.

Maturity level 2 – Progressive: The ‘Progressive’ level indicates government entities have achieved all requirements of the ‘Practitioner’ level and the ‘Progressive’ level and are progressing towards the ‘Expert’ level. Such entities have implemented an extended set of information security practices leading to an increased confidence level. The entity has reached a high level of maturity of experience, practices, and awareness of information security, and their ability to respond to information security threats and incidents is greatly improved.

Maturity level 3 – Expert: The ‘Expert’ level is the highest level of the Cyber Trust Programme, with entities adhering to a wider range of information security requirements, in addition to the requirements of all previous levels.

Such entities have implemented a comprehensive set of information security practices leading to an increased confidence level.

At ‘Expert’ maturity the organization has reached the highest level of confidence, focused on confidentiality, integrity, and availability of information and systems. The organization takes a leading role in promoting and sharing good information security practices with other government entities and can assist IGA in conducting audits of lower-maturity organizations.

PROGRAM ORGANIZATION

The Programme certifies government entities into maturity levels in accordance with their achievement in information security as per Programme requirements. IGA determines the starting maturity level at the time of enrolment pursuant to an organization’s self-assessment and IGA’s verification. Thereafter, subsequent maturity levels are determined based on audits.

Requirements for each level are organized into three logical groupings: ‘People’, ‘Technology’ and ‘Process’. The requirements for each maturity level are structured and described in the following figure.

Figure 2. Programme organization

PARTICIPATION IN THE PROGRAM

Participation in the CTP is obligatory for all government and semi-government entities. A resolution of the Supreme Committee of ICT obliged all such organizations to participate and achieve the lowest level within a set period of time. Private organizations are at liberty to enrol in the Programme at their discretion.

The Programme will extend a wealth of benefits to participating government entities, including:

PROGRAM DETAILS

This section provides a brief overview of the CTP model, presenting a holistic view of the Program lifecycle. Key requirements in the Program are explained in brief. The following figure depicts the overall lifecycle of the Program.

Enrolment: A government entity enrols in the CTP by completing the ‘Cyber Trust Programme Application Form’, which is available at cybersecurity.iga.gov.bh, after signing the agreement.

The Programme is open for any government entity irrespective of its current information security maturity level. Once the application is received, the IGA will assess it and determine the most suitable target maturity level, statement of applicability, and boundary covered within the current scope. The IGA, in collaboration with the applicant, then determines the “Maturity roadmap” for the government entity to reach the highest maturity level from current standing.

The government entity together with the IGA then agrees on the “Implementation Plan” for the scope specified during the enrolment; the performance of the entity shall be measured based on the aforementioned “Implementation Plan”.

The enrolled government entity is allowed one year to achieve the “Practitioner” level at a minimum.

Implementation and Self-Assessment: Government entities enrolled with the CTP must start the implementation based on the agreed implementation plan between the government entity and IGA.

Furthermore, government entities must perform a quarterly Programme self-assessment. The assessment includes all mandatory requirements of lower levels and requirements of the current maturity level of the entity (i.e. an entity in “Progressive” level should assess the requirements for both “Practitioner” level and “Progressive” level).

Objectives of the self-assessment are to:

External Audit: Government entities are required to undergo an annual external audit. The external audit may be carried out directly by the IGA, by a suitably qualified and pre-approved third-party auditing firm, or by a governmental audit team drawn from other government entities. The purpose of the annual audit is to:

Certification and Recognition: IGA awards the certification after the ‘External audit’ process if the entity conforms to the criteria required by the maturity level by substantially attaining its requirements. Certified government entities are granted the right to use branding material of the achieved maturity level.

Certification will remain valid if the entity conforms to the criteria of the Programme requirements pertaining to the respective maturity level. Certification may be suspended, downgraded, or revoked based on audit findings and the actions (or lack thereof) taken by the government entity.

Furthermore, at this stage of the Programme lifecycle there is an annual recognition of those entities that perform exceptionally well during the period under review. Entities are ranked within different groups based on maturity, complexity, the scope of information security, etc. The process of recognition and the granting of honors and awards is governed by terms to be developed by a dedicated evaluation committee.

CONCLUSION

As the usage of electronic services in the Bahrain government increases, the potential for cyber-attacks also rises. Therefore, it is important to raise the level of information security in government entities by using an information security framework. This study focuses on and describes one of the Bahrain government initiatives, the CyberTrust Program, which helps to enhance the level of information security in government entities. The CTP was developed taking into account best practices and local resources, culture and qualifications, and has been implemented in several government entities. This study makes the following recommendations:

REFERENCES

Calder, A. (2018). NIST Cybersecurity Framework – A pocket guide. IT Governance Publishing. doi:10.2307/j.ctv4cbhfx

COBIT. (2019). COBIT’s. Retrieved from http://www.cobitonline.isaca.org

CSC. (2019). Critical Security Controls. Retrieved from https://www.cisecurity.org/about-us/

Harmer, G. (2014). Governance of Enterprise IT based on COBIT®5: A Management Guide. IT Governance Publishing.

ISO/IEC 27001:2013. (2019, June 3). Retrieved from https://www.iso.org/standard/54534.html

Jasper, S. (2017). Strategic Cyber Deterrence: The Active Cyber Defense Option. Rowman & Littlefield.

Merkow, M. S., & Breithaupt, J. (2014). Information Security: Principles and Practices. Pearson.

National Institute of Standards and Technology (NIST). (n.d.). Retrieved from https://www.nist.gov

Santos, O. (2019). Developing Cybersecurity Programs and Policies. Pearson Education.

Virtue, T., & Rainey, I. (2015). HCISPP Study Guide. Syngress/Elsevier.

Whitman, M., & Mattord, J. H. (2017). Principles of Information Security. Cengage Learning.