Regime to license cyber security operators starts March 1
THE Cyber Security Authority (CSA) has completed processes towards the introduction of a mandatory licensing regime for cyber security service providers.
It forms part of a strategy to sanitise the country’s cybersecurity space.
From March 1 this year, the CSA will start licensing and accrediting existing and new cybersecurity service providers (CSPs), cybersecurity establishments (CEs) and cybersecurity professionals (CPs).
This is pursuant to the Cybersecurity Act, 2020 (Act 1038), which mandates the authority to regulate the industry.
A release issued by the authority in Accra on Tuesday after a cyber security forum stated that the regime was expected to ensure regulatory compliance, so as to certify that CSPs, CEs and CPs offered their services in accordance with approved standards and procedures in line with domestic requirements and industry best practices.
For a start, the CSA will license cybersecurity service providers in five key areas, namely: vulnerability assessment and penetration testing (VAPT), digital forensics services, managed cybersecurity services, cybersecurity governance, risk and compliance (GRC), and cybersecurity training.
Cybersecurity professionals who have the relevant qualifications, demonstrable competence and industry experience shall also be accredited in the above areas as part of the regulations.
Accreditation of cybersecurity establishments will apply to digital forensics facilities and managed cybersecurity service facilities operating in the country.
According to the release, prior to the promulgation of the Cybersecurity Act and the establishment of the CSA, no government institution had the mandate to regulate cybersecurity service providers, cybersecurity establishments and cybersecurity professionals.
That meant the sector was generally not regulated.
It has become necessary for the CSA to regulate the industry in order to control cybersecurity risks and to protect the interests and safety of the public, children, businesses and government.
With the increasing rate of cybercrimes, CSPs, CEs and CPs have become critical components for mitigating cybersecurity threats and vulnerabilities within Ghana’s fast-developing digital ecosystem in line with Act 1038.
Cybersecurity services are, by their nature, sensitive and intrusive. Cybersecurity service providers, cybersecurity establishments and cybersecurity professionals normally gain access to clients’ critical information assets, thereby gaining knowledge of existing vulnerabilities and sensitive information, which could potentially be abused or exploited.
It is also possible to have CSPs, CEs, and CPs that may not be competent or that may employ substandard processes to the detriment of Ghana’s digital ecosystem.
In addition, some businesses or government agencies lack the capability to ascertain the credibility or qualification of CSPs, CEs or CPs, especially since there is no repository of licensed and accredited CSPs, CEs or CPs.
Furthermore, national security considerations are driving regulations in the sector to ensure that only persons and institutions that are qualified and in good standing undertake these critical services.
The statement noted that the government, through the CSA, regulated the sector by providing a licensing framework in accordance with Sections 49 to 59 of Act 1038 to ensure that CSPs, CEs and CPs attained a higher level of compliance with Act 1038 and standards in line with international best practices.
This was to provide assurance to the public and other key stakeholders that the cybersecurity services they procured from industry would help secure their assets and processes.
Section 57 of Act 1038 mandated the CSA to establish a mechanism to accredit cybersecurity professionals.
Such an accreditation process provided recognition to accredited cybersecurity professionals who had demonstrated competence in their specific cybersecurity profession.
Section 59 of Act 1038 further mandated the CSA to enforce cybersecurity standards and monitor compliance by public and private sectors, including cybersecurity establishments or institutions.