Importance of accreditation, licensure for Cybersecurity practitioners, providers
With Ghana's digitisation agenda and the establishment of the Cyber Security Authority has come a firm commitment and assurance from the government to promote Information and Communication Technology (ICT) and secure the country's ICT infrastructure.
A highlight of developments since the Authority's establishment is the government's willingness to push Ghana from its current third position in the Africa cybersecurity ranking to first position by 2023.
Enforcing the cybersecurity law, formulating the cybersecurity licensure framework, forcibly implementing the licensure of cybersecurity solutions and products and, lastly, issuing accreditation for cybersecurity professionals and practitioners are the major bridges the government will have to cross if it wants to achieve this feat.
Since the inception of the Act, the keenest anticipation among most people in the sector has centred on accreditation for cybersecurity professionals and practitioners and the licensure of cybersecurity solutions and products.
Even though the specifics of the accreditation and licensure are not yet spelt out, it is worth stating the advantages they give to professionals, practitioners and the industry, and what they mean going forward.
Act 1038 establishes the Cyber Security Authority to regulate cybersecurity activities in the country, promote the development of cybersecurity in the country and provide for related matters.
A major inclusion in the Act is the Critical Information Infrastructure (CII) directive. The CII directive aligns with the strategic imperatives of our National Cybersecurity Policy and Strategy which seeks to build a resilient digital ecosystem, secure digital infrastructure, develop national capacity, deter cybercrime and strengthen cooperation.
The underlying objective of this directive is to establish baseline cybersecurity requirements for all designated CII owners; to establish the requirements and procedures for incident response, including mechanisms for the reporting of cybersecurity incidents by designated CII owners; and to establish the procedures for audit and compliance pursuant to section 38 of the Cybersecurity Act, 2020 (Act 1038).
Critical infrastructure and sensitive data should be handled by qualified and competent practitioners or authorised companies. Qualified and competent means persons who are truly certified and are equipped with the required technical skills and knowledge in the field. Authorised companies must have met all the requirements needed to provide the solution or sell the product.
A sound approach to validating and verifying this qualification and authorisation is the issuance of licences and accreditation.
It is for this reason that the government seeks to build a framework or scheme that will serve this purpose.
This means that practitioners and organisations, by virtue of the accreditation and licence, are bound to a code of conduct and ethics of practice, which will ensure some sanity in the industry and protect the interests of practitioners, organisations and their clients.
Business owners or managers can therefore have some level of confidence in the persons securing or handling their infrastructure.
Furthermore, this will promote cybersecurity awareness in the country, lead to the establishment of more cybersecurity training institutions or certification bodies, challenge institutions to improve their solutions, training and curricula to fit the needs of industry, and ultimately promote research and development programmes aimed at streamlining and improving information security governance, risk and compliance.
The writer is a researcher in ICTs