Based on the outputs of the Arab Cybersecurity Vision elaborated and published in 2021, the work packages of the Arab Cybersecurity Strategy (ACSS) are listed below:


Development of a unifying cybersecurity assessment framework

The objective is to develop a specific version of the NIST Cybersecurity Framework (CSF) that takes into consideration the particular features of the Arab Region.

Supporting research and development in cybersecurity

Research and development is one of the major pillars that is expected to enable the deployment of sovereign solutions across the Arab region. Countries should deploy efforts to provide the appropriate training, facilities, funding schemes, and project management to promote research and development in the area of cybersecurity. Cybersecurity risk management is one of the areas in which consistent research and development effort should be spent. During the last decade, artificial intelligence and machine learning algorithms made their way into critical infrastructures, organizations and information systems. They served mainly to overcome automation issues and to tune more classical functionalities such as intrusion detection, load balancing, and task scheduling. In addition to automation, critical infrastructures opened to external networks, which simplified system control, diagnosis and maintenance thanks to remote access to and analysis of local data. However, as they opened to external networks, critical infrastructures became the prey of hackers and malicious users.

That is, adding new communication interfaces and relying on AI for automating tasks created new threats and accentuated existing vulnerabilities. Indeed, these systems are not only the target of classical information technology attacks such as Denial of Service (DoS), but also of new, sophisticated attacks such as adversarial models crafted to defeat machine learning algorithms, or ransomware that demands colossal amounts of money in exchange for keeping collected data private. As the security of critical infrastructures is mandatory for users' safety, it becomes compulsory to assess and mitigate their risks from the system specification phase through implementation and throughout their lifecycle.

Indeed, risk management serves to identify threats and vulnerabilities, predict their impact on a system architecture, on valuable data and on business (e.g., brand image and clients' trust), and then mitigate them. Risk mitigation includes proposing countermeasures to critical threats, specifying acceptable risks and providing a recovery plan in case a risk is realized. Risks refer to external events that may result in a deviation in a system's behavior, or to security breaches and weaknesses introduced by a system's assets. Risk assessment methods require the definition of attack likelihoods (or probabilities) and impacts (or severities). The impact of an attack refers to its harm and possible damages.

Meanwhile, an attack's probability is computed as the inverse of its potential, i.e., its difficulty: the harder an attack is to realize, the lower its likelihood. In the following sections, we review the objectives of risk management, its components, the major standards for risk assessment and some techniques for attack description and risk computation. Risk management aims at identifying the weaknesses (i.e., vulnerabilities) of a system (or its assets) and the threats that may target this system. Indeed, threats are associated with the exploitation of some vulnerabilities.
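The following is an added example, not part of the ACSS text, showing the risk computation the passage describes: likelihood as the inverse of attack difficulty, risk combined with impact, then ranked and compared against an organizational risk tolerance (the ID.RA-5, ID.RA-6, ID.RM-2 and RS.MI-3 controls listed later). The risk = likelihood x impact combination, the 1..5 scales and the sample threats are assumptions.

```python
"""Risk scoring as the text defines it: likelihood = 1 / difficulty.
Added example; the risk = likelihood * impact formula and the scales are
assumptions, since the ACSS text does not fix a combination rule."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    difficulty: float  # attack potential, > 0: 1 = trivial, 5 = very hard (assumed scale)
    impact: float      # severity of harm, 1..5 (assumed scale)


def likelihood(difficulty: float) -> float:
    """Attack probability as the inverse of its difficulty, as the text defines it."""
    if difficulty <= 0:
        # An attack with zero or negative difficulty is not a meaningful input.
        raise ValueError("difficulty must be positive")
    return 1.0 / difficulty


def risk_score(threat: Threat) -> float:
    """Risk as likelihood x impact (assumption: the page gives no formula)."""
    return likelihood(threat.difficulty) * threat.impact


def assess(threats, tolerance: float):
    """Rank threats by risk and decide the response (ID.RA-6): a risk above the
    organization's tolerance (ID.RM-2) is mitigated, otherwise it is documented
    as an accepted risk (RS.MI-3). Returns (name, risk, decision) tuples,
    highest risk first."""
    rows = []
    for t in threats:
        r = risk_score(t)
        decision = "mitigate" if r > tolerance else "accept"
        rows.append((t.name, round(r, 3), decision))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


# Constructed sample threats for a remotely accessible control system,
# mirroring the attack classes the passage mentions.
SAMPLE_THREATS = [
    Threat("DoS against the remote-access gateway", difficulty=1.0, impact=3.0),
    Threat("Ransomware on the historian server", difficulty=2.0, impact=5.0),
    Threat("Adversarial inputs against the ML anomaly detector", difficulty=4.0, impact=4.0),
    Threat("Physical tampering with a field device", difficulty=5.0, impact=2.0),
]

if __name__ == "__main__":
    for name, r, decision in assess(SAMPLE_THREATS, tolerance=1.5):
        print(f"{r:5.2f}  {decision:8s}  {name}")
```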

Here the word system refers to any kind of organization, company, infrastructure or technology. Risk management objectives are related to the system's objectives and to legal directives. For example, a company can assess the risks associated with one of its products before its manufacturing and then after its production. In this case, risk management will allow the company to identify the threats related to this product and to mitigate harmful ones. It will serve to avoid bad surprises when introducing the product to the market and to differentiate it from other products. It will also reflect the seriousness of the manufacturing company and improve its brand image. Indeed, with no risk management, some companies may risk offering products that do not comply with legal directives, which then results in investment loss.

Promoting training and awareness

In order to cope with the evolution of the technical aspects of cybersecurity, substantial efforts must be spent by countries to conduct advanced training programs. In fact, the scarcity of qualified human resources is among the major obstacles to the enforcement of cybersecurity strategies and policies. The training programs should have the following characteristics:

  1. Wide coverage: Cybersecurity awareness has to be mandatory for all people, from executives to entry-level employees. It is especially applicable to senior-level management, as they are high-value targets with access to sensitive information that attackers find valuable. Top-down buy-in and participation are required for the most successful security awareness and training programs. An integrated strategy is the best way to create an organizational security culture in which effective decisions and best practices in cybersecurity become easy goals for end-users at all levels.
  2. Continuity: Because training tends to be forgotten over time, a security awareness program should be ongoing. Security awareness makes it possible for personnel to understand their role in the organization's information protection. It might mean setting up a curriculum that covers the most common security threats and keeps security fresh in people's minds. Security awareness training should cover social engineering, spear phishing, phishing, and other cyber-attacks. Organizations can set up training programs when onboarding a new employee. Every day is a good time to share mainstream data breach news stories to keep security top of mind and to conduct awareness activities that prepare employees to defend against threats themselves. Set up monthly or quarterly security awareness training meetings to teach new rules and techniques that reduce the enterprise's risk.
  3. Basic coverage: Security awareness training practices must teach personnel fundamental subjects like password security, anti-phishing techniques, spear phishing, and social engineering.
    • Password security: Citizens should be taught the importance of password security and trained in creating strong passwords with at least one special character, and in avoiding writing passwords on post-it notes or sharing them with peers.
    • Phishing attacks: Security awareness practices help citizens detect harmful emails and report malicious ones, which can reduce phishing attacks. Be cautious of emails from unknown sources: emails are used in phishing scams to gain access to systems and cause disruption. Security practices cover topics such as malicious links and attachments. With consistent security awareness training, employees can dramatically improve their understanding of such attacks.
    • Social Engineering: Security awareness practices increase everyone's awareness of risks in the organization, such as employees being manipulated into granting access to others' systems or disclosing confidential information to other organizations. Security awareness training can also assist you in identifying and repairing vulnerabilities in your networks and computer systems. Security awareness practice will then give you and your employees the best chance of avoiding social engineering attacks.
  4. Testing after training: It is essential to have a process to measure the efficiency of training. A quiz is one good way to do this. Quizzes should be administered to obtain baseline measurements and to see what has changed before and after training is implemented. Conducting phishing exercises is another such practice. Citizens who exhibit a significant risk after a phishing test should be given additional, context-sensitive training to address the deficiencies uncovered by the test. Early detection of phishing-related weaknesses is highly important because of the level of damage that cyberattacks built on a successful phishing exploit can cause.
  5. Communication: An enterprise needs to instil security practices. Senior-level management should communicate about risk and security threats with their employees and guide them toward a more secure organization. Regularly communicate the importance and intent of the awareness program. Employees must understand what is going on, why, and what their role is. Focus on content that catches their interest and may have an impact on their private lives. This gives cybersecurity top priority and better prepares personnel to protect themselves and their organizations.

Establishment and development of a national Arab CSIRT (Computer Security Incident Response Team)

Having the ability and capabilities to respond to and manage cyber security incidents is no longer an option in today's world. Governments must have organizations, known as CSIRTs (Cyber Security Incident Response Teams), that can effectively manage and mitigate cyber security incidents, conduct incident analysis, and provide information assurance and situational awareness services. National CSIRT capabilities to detect and systematically handle cyber security incidents also build confidence in the region's private and public digital services. A computer security incident response team, or CSIRT, is a group of IT professionals that provides an organization with services and support surrounding the assessment, management and prevention of cybersecurity-related emergencies, as well as coordination of incident response efforts. A CSIRT is an organized entity with a defined mission, structure, and roles and responsibilities. This definition excludes any ad hoc or informal incident response activity that does not have a defined constituency or documented roles and responsibilities.

  1. Receive an incident report from a constituent. In order to receive an incident report from a CSIRT constituency, the constituency first needs to know the CSIRT exists. Constituents also need to understand what the CSIRT does and how its services are accessed, as well as the service and quality levels it can expect. Thus, the CSIRT needs to have defined its mission and services, announced itself to its constituency and published guidance on how incident services are requested. This includes publishing an incident response policy, processes, procedures, forms and resources necessary to inform and enable constituencies to file incident reports.
  2. Analyze an incident report to validate and understand the incident. Once an incident report has been received, the CSIRT analyzes the report to validate that an incident or other type of activity that falls under the CSIRT mission has indeed occurred. The CSIRT then determines if it understands the report and the incident well enough to create an initial response strategy that fulfills the goals of regaining control and minimizing damage. Part of being able to analyze an incident report and respond efficiently is having staff that can perform a variety of tasks. Members of the CSIRT should have written plans, policies and procedures that document their specific roles and responsibilities.
  3. Provide incident response support. Depending on how the CSIRT is organized and the services offered, a CSIRT may provide incident response support via the following:
    • on-site incident response services delivered directly to the constituent;
    • incident response services delivered over email or the phone; or
    • coordinated incident response services that combine and allocate the efforts of multiple incident response teams across multiple constituents.

Organizations may employ one or more of the three main types of incident response teams: CSIRTs, SOCs and CERTs. Sometimes, these terms are used synonymously, though differences do exist, depending on the organization's use of the term(s).

The most unique of the three is the SOC. This dedicated facility monitors and defends technology and hardware and acts as a command-and-control center for the region. It protects networks, servers, applications and endpoints. A SOC's responsibilities, however, extend beyond that of just incident response.

CSIRT, CERT and the less-often-used computer incident response team (CIRT) are often used interchangeably. In general, CSIRTs, CERTs and CIRTs all handle incident response, though their specific tasks may vary by organization. The terminology used by an organization should be adequately defined, along with the goals, structure and use of resources necessary to properly respond to incidents.

It is important to note that CERT is a registered trademark of Carnegie Mellon University (CMU). Organizations may use the CERT mark after achieving authorization. However, some organizations -- likely unaware it is trademarked -- still use it to define their incident response teams.

The ACSS considers the following success factors for the regional CSIRT initiative:

  • Providing continuous support, rather than ad-hoc interventions
  • Comprehensive understanding of wider cybersecurity context and stakeholders
  • Fostering regional partnerships and regional approaches
  • Remaining politically, technologically, and commercially neutral
  • Thorough stakeholders’ and their drivers’ mapping
  • Multi-stakeholder approach
  • Coordination among various interventions
  • Creating hands-on learning opportunities for beneficiaries

Promoting compliance with international standards

The ACSS will promote the establishment of domestic compliance mechanisms (both enforcement and incentives). These mechanisms should be set in place to prevent, combat, and mitigate actions directed against the confidentiality, integrity, and availability of ICT systems and infrastructures, and threatening computer data, in accordance with the aforementioned legal framework. They should inter alia cover the particularities of response to cyber incidents, criminal investigations, specialized procedures (such as lawful interception of communications), and use of electronic evidence.

Bridging the gap between academic studies and market requirements

Compliance requirements vary and can be imposed by law, regulatory bodies, and even private industry groups such as the Payment Card Industry. Cybersecurity compliance involves meeting various controls (usually enacted by a regulatory authority, law, or industry group) to protect the confidentiality, integrity, and availability of data. Compliance requirements vary by industry and sector, but typically involve using an array of specific organizational processes and technologies to safeguard data. Controls come from a variety of sources including CIS, the NIST Cybersecurity Framework, and ISO 27001. Every industry is operationally different and has different cybersecurity needs. The cybersecurity requirements used to keep hospital patient records confidential are not the same as the regulations for keeping bank customers' personal information secure. In many instances, cybersecurity regulations overlap across industries. Cybersecurity basics like encrypted data storage and transmission, breach response plans, etc. are fairly common across standards, but which systems and operations must be secured, and how, is specific to each standard. Cybersecurity compliance is not just good business policy; for certain industries, it is the law. Industries that regularly deal with sensitive personal information, such as healthcare and finance, are highly regulated.

Enhancing the maturity of institutional and administrative structures

The ACSS will encourage the development of cyber-law-enforcement capacity, including training and education for a range of stakeholders involved in combating cybercrime (e.g., judges, prosecutors, lawyers, law enforcement officials, forensic specialists, financial investigators, and others). Law enforcement should receive specialized training to interpret and apply domestic cybercrime laws (i.e., to translate the law into technical notions and vice versa); to effectively detect, deter, investigate and prosecute cybercrime offenses while respecting human rights; and to effectively collaborate with industry and international law-enforcement entities (e.g., INTERPOL) to tackle cybercrime and to boost cybersecurity. Such training and education should be continuous, cover all relevant criminal justice and security professionals, and be kept continuously up to date with current cyber-related challenges and threats. This element should take into consideration focus area 5 on Capability and Capacity Building and Awareness Raising.

Developing unifying legal measures

The ACSS will encourage the development of domestic cybersecurity and data protection legal frameworks, which refer to actions relevant to the prevention, monitoring, and handling of cyber-related incidents, and any other action that public and private entities should undertake to foster a secure and resilient national cyberspace. In the current absence of an international legal instrument defining the aspects of cybersecurity regulation, each country will have to rely on regional and/or national best practices for establishing its domestic legal framework for cybersecurity. The ACSS will build upon current acts and regulations tackling such aspects, if any, and establish, update, and reform the legal framework for cybersecurity, including but not limited to: information security rules and their applicability to the security of information systems; identification of national critical information infrastructure; establishment of national and sectoral agencies dealing with cybersecurity aspects (i.e., national cybersecurity agencies, national and sectoral CERTs/CSIRTs/CIRTs); certification of cybersecurity organisations, processes, products, and policies; national/state security rules applicable to the security of cyberspace; and other relevant matters. Further, the ACSS will provide guidance on how to deal with common regulatory approaches that concern both cybersecurity and cybercrime (for example, cross-sectoral exchange of information and intelligence sharing mechanisms, reporting and criminal justice statistics, joint response and public-private cooperation, among others).

The ACSS will promote the development of a domestic legal framework that clearly defines what constitutes cybercrime and related criminal offences, and that provides adequate procedural powers for effective investigation and prosecution, as well as adjudication of related cases on the basis of admissible electronic evidence. Most often, this capability takes the form of cybercrime legislation, which can be achieved by enacting specific new laws or amending existing ones (e.g., the penal code, laws regulating banking, telecommunications and other sectors). These laws should specify: substantive criminal offences (offences against or by means of computer systems or data); procedural means to collect electronic evidence (ranging from preservation of the integrity of data to search and seizure, and from production orders to real-time interception of content data); and tools for expedited and effective international cooperation in such cases. In order to establish clear and enforceable cybercrime legislation across borders, countries should try to harmonize their domestic legal frameworks with existing international and regional legal instruments on this matter. The ACSS will also provide guidance on operational aspects of cybercrime investigation and prosecution (e.g., establishment of specialized units, proper digital forensics capacities, standard operating procedures, crime reporting, etc.) that may not be set at the level of primary legislation but could nevertheless be provided as secondary regulations, guidelines, or best practices. The ACSS will also encourage the creation of a process to monitor the implementation and review of legislation and governance mechanisms, identify gaps and overlapping authorities, and clarify and prioritize areas that require modernization (e.g., existing laws such as old telecommunication laws).

Proposed regional security controls

9.1 The NIST Cybersecurity Framework

Based on the programs described in the previous section, a set of cybersecurity controls is compiled in this section to clarify how these programs can be operationally implemented.

  • ID.AM-1: Physical devices and systems within the organization are inventoried
  • ID.AM-2: Software platforms and applications within the organization are inventoried
  • ID.AM-3: Organizational communication and data flows are mapped
  • ID.AM-4: External information systems are catalogued
  • ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
  • ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
  • ID.BE-1: The organization’s role in the supply chain is identified and communicated
  • ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
  • ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
  • ID.BE-4: Dependencies and critical functions for delivery of critical services are established
  • ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)
  • ID.GV-1: Organizational cybersecurity policy is established and communicated
  • ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
  • ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
  • ID.GV-4: Governance and risk management processes address cybersecurity risks
  • ID.RA-1: Asset vulnerabilities are identified and documented
  • ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources
  • ID.RA-3: Threats, both internal and external, are identified and documented
  • ID.RA-4: Potential business impacts and likelihoods are identified
  • ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
  • ID.RA-6: Risk responses are identified and prioritized
  • ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
  • ID.RM-2: Organizational risk tolerance is determined and clearly expressed
  • ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
  • ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
  • ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
  • ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
  • ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
  • ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers
  • PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
  • PR.AC-2: Physical access to assets is managed and protected
  • PR.AC-3: Remote access is managed
  • PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
  • PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)
  • PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
  • PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
  • PR.AT-1: All users are informed and trained
  • PR.AT-2: Privileged users understand their roles and responsibilities
  • PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
  • PR.AT-4: Senior executives understand their roles and responsibilities
  • PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities
  • PR.DS-1: Data-at-rest is protected
  • PR.DS-2: Data-in-transit is protected
  • PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
  • PR.DS-4: Adequate capacity to ensure availability is maintained
  • PR.DS-5: Protections against data leaks are implemented
  • PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
  • PR.DS-7: The development and testing environment(s) are separate from the production environment
  • PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity
  • PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
  • PR.IP-2: A System Development Life Cycle to manage systems is implemented
  • PR.IP-3: Configuration change control processes are in place
  • PR.IP-4: Backups of information are conducted, maintained, and tested
  • PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
  • PR.IP-6: Data is destroyed according to policy
  • PR.IP-7: Protection processes are improved
  • PR.IP-8: Effectiveness of protection technologies is shared
  • PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
  • PR.IP-10: Response and recovery plans are tested
  • PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
  • PR.IP-12: A vulnerability management plan is developed and implemented
  • PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools
  • PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
  • PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
  • PR.PT-2: Removable media is protected and its use restricted according to policy
  • PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
  • PR.PT-4: Communications and control networks are protected
  • PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
  • DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
  • DE.AE-2: Detected events are analyzed to understand attack targets and methods
  • DE.AE-3: Event data are collected and correlated from multiple sources and sensors
  • DE.AE-4: Impact of events is determined
  • DE.AE-5: Incident alert thresholds are established
  • DE.CM-1: The network is monitored to detect potential cybersecurity events
  • DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
  • DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
  • DE.CM-4: Malicious code is detected
  • DE.CM-5: Unauthorized mobile code is detected
  • DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
  • DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
  • DE.CM-8: Vulnerability scans are performed
  • DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
  • DE.DP-2: Detection activities comply with all applicable requirements
  • DE.DP-3: Detection processes are tested
  • DE.DP-4: Event detection information is communicated
  • DE.DP-5: Detection processes are continuously improved
  • RS.CO-1: Personnel know their roles and order of operations when a response is needed
  • RS.CO-2: Incidents are reported consistent with established criteria
  • RS.CO-3: Information is shared consistent with response plans
  • RS.CO-4: Coordination with stakeholders occurs consistent with response plans
  • RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
  • RS.AN-1: Notifications from detection systems are investigated
  • RS.AN-2: The impact of the incident is understood
  • RS.AN-3: Forensics are performed
  • RS.AN-4: Incidents are categorized consistent with response plans
  • RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)
  • RS.MI-1: Incidents are contained
  • RS.MI-2: Incidents are mitigated
  • RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks
  • RS.IM-1: Response plans incorporate lessons learned
  • RS.IM-2: Response strategies are updated
  • RC.RP-1: Recovery plan is executed during or after a cybersecurity incident
  • RC.IM-1: Recovery plans incorporate lessons learned
  • RC.IM-2: Recovery strategies are updated
  • RC.CO-1: Public relations are managed
  • RC.CO-2: Reputation is repaired after an incident
  • RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams

These controls, which conform to the NIST Cybersecurity Framework, should be at the heart of Security Policies (SPs) in order to improve the security and resiliency of national cyberspaces. Such security policies can be driven by various reasons, which depend essentially on the organization's nature and on the context in which it operates. As outlined in this section, SPs can be directed toward a panoply of needs, so fixing a single set of objectives for the SP development process would be very hard. What is useful at this level, however, is to describe a spectrum of potential objectives and show how these can be ranked according to the enterprise's characteristics. The objectives that we consider are listed here. They have been divided into two major categories: business-oriented objectives and regulatory objectives.

  1. Business-oriented objectives: The reasons for developing and implementing SPs should align with the basic organizational objectives. The benefits of having an SP can be either direct or indirect. Some can be easily assessed in monetary terms (e.g., preventing critical assets from being attacked) whereas the others are abstract (e.g., preserving the reputation of the enterprise).
  2. Regulatory objectives: The security measures of the SP are often developed as a regulatory obligation. Organizations that operate in sensitive sectors are particularly concerned with this issue. In the following, we illustrate our reasoning by using two significant examples: banks and certification authorities (CAs). The former category is accountable for the operations it carries out, whereas the latter handles various types of critical information (e.g., key pairs, private user information).

The lifecycle of the security policies that should be deployed to implement the controls of the ACSS should be as follows:

  1. Risk analysis: It includes essentially a mission statement, asset evaluation, and threat assessment. It is worth mentioning that some parts of the SP can be written in this step. In fact, the risk analyst needs some rules to assign a security level to each resource, meaning that the data classification policy should have already been constructed at this level.
  2. Development: This step consists of selecting the security rules that best fit the requirements of the organization. The SP development team must use convenient languages to model and validate the SP. The main characteristic of this step is that it is performed progressively to move from an abstract representation toward a more concrete one.
  3. Approval: It relies on a multidisciplinary committee that validates the security policy. At every layer (i.e., abstraction degree) of the development process, the SP should be validated against (a) the upper layer and (b) the security objectives.
  4. Raising awareness: This ensures that the security policy is accessible to everyone who is authorized to access it. Thus, the SP is published correctly and every user of the secured system must possess the skills that are suitable to his or her responsibilities.
  5. Implementation: It enforces the application of the security policy. During this step, operational and technical controls are put in place. Operational controls are security mechanisms that are essentially implemented and executed by the users themselves, whereas technical controls include the automated security countermeasures.
  6. Reassessment: It guarantees a continuous monitoring of the security policy through scheduled revisions and analyses. This process is essential to practically test the efficiency of the SP because new threats can occur.

With a collection of strategic risk models, the strategic method on which the SP is built can be used to provide meaningful answers to questions such as how much effort is enough to invest in risk assessment, mitigation, or control. This question is critically important because, in practice, exhaustive risk reduction is not feasible due to constraints on resources (e.g., budget, personnel schedules, technology limitations). Even without such constraints, it is frequently impossible to reduce a risk to zero, or even to determine all possible risks for a given system. The best we can strive for is to reduce risk as much as possible within the given resources and uncertainties.

For the sake of efficiency, the ACSS deployment will start with a plan to identify resources that require protection. Resources, from a general perspective, refer to tangible or physical items with associated values. In reality, intangible resources such as company financial information, sensitive documents, and mission-critical services should also be included. Additionally, during the identification process, information such as the equipment’s description and specification, its location, and the individual responsible for it should also be recorded.

Once the resources have been identified, the required degree of protection must be assessed. At this stage, considerations such as the resource’s criticality to the business operation, the available budget, government regulations, corporate requirements, industry standard practices, the possible threats to and vulnerabilities of the resource, and the damage incurred if the resource ceases to operate are reviewed and assessed.

Finally, on the basis of the assessment, rules and procedures are designed and formulated. Their complexity may vary, but ease of deployment should be taken into consideration. Sufficient authentication, records, and logs should be generated for future cross-referencing and tracing.
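The risk-analysis step of the SP lifecycle above (classification rules that assign a security level to each resource) and the identify-then-assess-then-formulate procedure just described can be exercised on a small, constructed inventory. The following Python is an added example and not part of the ACSS or the Knowledge Base it draws on: the classification rules, the 1–5 scales, the multiplicative risk score, the asset names, the mitigation costs and the budget are all assumptions chosen for illustration. It records the description, location and responsible owner of each resource, scores each one from criticality, threat likelihood, vulnerability and damage, and then answers the "how much is enough" question by selecting the set of mitigations that removes the most risk within a fixed budget (a 0/1 knapsack over mitigation costs).

```python
"""Asset identification, classification, risk scoring and budget-limited
mitigation selection. Constructed example; all values are illustrative."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Set, Tuple


class Classification(IntEnum):
    """Security levels from a hypothetical data classification policy."""
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3
    RESTRICTED = 4


def classify(tags: Set[str]) -> Classification:
    """Classification rules written during risk analysis (assumed policy):
    the most sensitive matching rule wins."""
    if tags & {"crypto-keys", "credentials"}:
        return Classification.RESTRICTED
    if tags & {"personal-data", "financial"}:
        return Classification.CONFIDENTIAL
    if "internal-only" in tags:
        return Classification.INTERNAL
    return Classification.PUBLIC


@dataclass
class Asset:
    name: str
    description: str
    location: str
    owner: str                # individual responsible for the resource
    classification: Classification
    criticality: int          # 1..5: importance to business operation
    threat_likelihood: int    # 1..5: chance a threat is realised
    vulnerability: int        # 1..5: how easily a threat can exploit it
    damage: int               # 1..5: impact if the resource ceases to operate

    def risk_score(self) -> int:
        """Exposure (likelihood x vulnerability) times impact, where impact
        is the worst of criticality, damage and classification level."""
        impact = max(self.criticality, self.damage, int(self.classification))
        return self.threat_likelihood * self.vulnerability * impact


@dataclass
class Mitigation:
    asset: str                # name of the asset it protects
    control: str
    cost: int                 # whole budget units (e.g. k$, constructed)
    reduction_pct: int        # share of the asset's risk score it removes


# Constructed inventory: description, location and owner captured at
# identification time, scales assigned during assessment.
INVENTORY: List[Asset] = [
    Asset("hsm-cluster", "PKI signing HSMs", "DC-A rack 12", "PKI team lead",
          classify({"crypto-keys"}), 5, 2, 2, 5),
    Asset("customer-db", "customer records database", "DC-A rack 3",
          "DBA on-call", classify({"personal-data", "financial"}), 4, 4, 3, 4),
    Asset("public-web", "corporate website", "cloud region 1", "web team",
          classify(set()), 3, 5, 3, 2),
    Asset("hr-share", "HR file share", "office NAS", "HR manager",
          classify({"personal-data", "internal-only"}), 2, 3, 4, 2),
]

MITIGATIONS: List[Mitigation] = [
    Mitigation("customer-db", "encryption at rest + segmentation", 40, 50),
    Mitigation("customer-db", "quarterly penetration test", 20, 25),
    Mitigation("public-web", "WAF + patch SLA", 30, 60),
    Mitigation("hr-share", "access review + DLP", 25, 50),
    Mitigation("hsm-cluster", "dual-control procedures", 10, 40),
]


def prioritize(assets: List[Asset]) -> List[Asset]:
    """Resources ranked by risk score, highest first."""
    return sorted(assets, key=lambda a: a.risk_score(), reverse=True)


def select_mitigations(assets: List[Asset], mitigations: List[Mitigation],
                       budget: int) -> Tuple[List[Mitigation], float]:
    """0/1 knapsack: pick mitigations maximising removed risk within budget."""
    risk: Dict[str, int] = {a.name: a.risk_score() for a in assets}
    values = [risk[m.asset] * m.reduction_pct / 100 for m in mitigations]
    n = len(mitigations)
    # best[i][c]: max risk removed using the first i mitigations at cost <= c
    best = [[0.0] * (budget + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        cost, val = mitigations[i - 1].cost, values[i - 1]
        for c in range(budget + 1):
            best[i][c] = best[i - 1][c]
            if cost <= c and best[i - 1][c - cost] + val > best[i][c]:
                best[i][c] = best[i - 1][c - cost] + val
    chosen: List[Mitigation] = []
    c = budget
    for i in range(n, 0, -1):           # walk the table back to recover the set
        if best[i][c] != best[i - 1][c]:
            chosen.append(mitigations[i - 1])
            c -= mitigations[i - 1].cost
    chosen.reverse()
    return chosen, best[n][budget]


if __name__ == "__main__":
    for a in prioritize(INVENTORY):
        print(f"{a.name:12} {a.classification.name:12} risk={a.risk_score()}")
    picked, removed = select_mitigations(INVENTORY, MITIGATIONS, budget=70)
    print("within budget 70, removed risk", removed)
    for m in picked:
        print(f"  {m.asset}: {m.control} (cost {m.cost})")
```

Note that the selection is driven by the risk score, not by the classification alone: the HSM cluster holds the most sensitive data but its low likelihood and vulnerability give it a modest score, so its cheap procedural control is kept while the customer database’s expensive control is dropped in favour of the website and HR share. Changing the scales or the budget and re-running is the cheap way to see where the "enough" line moves.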

9.2 Securing 5G networks

It is also important to mention that, with the advent of 5G networks in the Arab region, new security threats have to be taken into consideration. 5G networks face security challenges and opportunities stemming from the new services they provide, the nature of the architectures and technologies they exploit, as well as the normal requirements for protecting the privacy and data of the end user.

  • In terms of new services, 5G networks empower vertical industries and shall provide better security capabilities for industry applications to meet the security requirements of such industries.
  • In terms of new architectures, new 5G software architectures and network deployment architectures introduce new interfaces and boundaries. The new Service Based Architecture (SBA) and the network slicing architecture shall adapt to new security requirements. In 5G network deployment, the User Plane Function (UPF) of the core network is moved from the central equipment room to Mobile Edge Computing (MEC) sites, introducing new boundaries. The convergence of connectivity and computing also brings new security challenges.
  • In terms of new technologies, cloudification and virtualization technologies are widely used on 5G core networks, bringing security risks to infrastructure resource sharing and virtualization.
  • Businesses are motivated today, more than ever, to ensure they are compliant with regulations such as Egypt Law No. 151 of 2020 and other laws and regulations implemented around the globe. Millions of people have been affected by the sloppy data protection practices which organizations have used in the past.

History shows that the emergence of any new technology is accompanied by challenges, and also that these challenges are overcome through the efforts of all stakeholders. The industry as a whole is working together to address the new security risks faced by 5G services, architectures, and technologies, and to address potential security challenges through globally unified 5G cybersecurity standards, common 5G security concepts and best practices, and an agreed 5G security framework. The GSMA and 3GPP jointly define NESAS (Network Equipment Security Assurance Scheme) and SCAS (Security Assurance Specification) to assess the security of mobile network equipment. The GSMA 5G Cybersecurity Knowledge Base (CKB) proposes the security concept of shared responsibility and proposes baseline security controls that help operators understand and develop their security posture to a foundation (base) level, ensuring that 5G network security is manageable and verifiable. The top-down design principles of the 5G security architecture ensure a systematic, dynamic, and adaptive security framework that enhances cyber resilience continuously.

The GSMA Cybersecurity Knowledge Base comprehensively analyzes the various threats to mobile networks and describes the attack methods and impacts of each threat. Based on the responsibility-sharing model, the document sets out the risk mitigation responsibilities of service providers, mobile network operators, equipment vendors and other stakeholders.

The Knowledge Base facilitates and encourages collaboration to protect networks and services against disruption and unauthorized access, as well as the prevention and mitigation of risks. It adopts a Layered Cyber Security Model for the collaborative ecosystem of cyberspace. This 3-layer security model is widely accepted in the telecom industry, including by 3GPP and 5G PPP.

The GSMA has developed the 5G Cybersecurity Knowledge Base to provide useful guidance on a range of 5G security risks and mitigation measures. In order to put this framework in place, the GSMA has conducted a comprehensive threat analysis involving industry experts from across the ecosystem including MNOs, vendors, service providers, and regulators, as well as collecting input from public sources such as 3GPP, ENISA and NIST.

The objective of the 5G Knowledge Base is to give GSMA members and actors of the 5G industry the guidance and combined knowledge of the 5G ecosystem, in order to increase trust in 5G networks and make the interconnected world as secure as possible. The 5G Knowledge Base provides essential insights for the stakeholders’ risk management strategy as well as guidance covering best practices and risk mitigation measures. This guidance aims to establish 5G digital trust, a trust that can only be based on facts that can be independently verified through compliance with international common standards.

The 5G knowledge base defines security control baselines for mobile network reference implementation, which are classified into Business controls and Technology controls.

Business Controls are controls related to how the overall enterprise manages security. They are not necessarily technical in nature and may involve reporting or communication procedures that are critical to the operator's support of business objectives regarding security. These controls are likely to be understood and managed by the Security Leadership Team (SLT), which will be able to provide an assessment of how these controls will be implemented.

For security capability requirements, NESAS/SCAS is a globally unified security assessment system for 5G network elements that is widely supported in the industry. It was jointly defined by GSMA and 3GPP, the telecom industry’s leading standards-setting organizations. It is also named in the GSMA Cybersecurity Knowledge Base document FS31 BC-010 as the industry-standard assessment programme to assure vendor products. For 5G network elements, it provides the right kind of standards: customized, global, efficient, unified, open, and constantly evolving. That is a benchmark we can all use to make sure that vendors’ network elements are secure.

NESAS defines security requirements and an assessment framework for secure product development and product lifecycle processes, as well as security test cases for the security evaluation of network equipment. NESAS is of value to both operators and vendors; it is intended to be used alongside other mechanisms to ensure a network is secure, in particular an appropriate set of security policies covering the whole lifecycle of a network.

Within the 5G Knowledge Base, GSMA and 3GPP jointly defined the Network Equipment Security Assurance Scheme (NESAS) and developed the Security Assurance Specifications (SCAS) for the evaluation and security audit of mobile network equipment. To create NESAS/SCAS, they consulted major carriers, vendors, regulators, and industry partners around the world.

Cybersecurity assessment mechanisms shall follow globally accepted uniform standards to ensure that their operation is cost-effective and sustainable for the ecosystem. NESAS, jointly defined by the GSMA and 3GPP, is used to assess the security of mobile network equipment. It provides an industry-wide security assurance framework to improve the security level across the mobile industry. NESAS defines the security requirements and assessment framework for secure product development and lifecycle processes, and uses the security test cases in the Security Assurance Specifications (SCAS) defined by 3GPP to assess the security of network equipment. Currently, 3GPP has initiated the security evaluation of multiple 5G network equipment types, and major equipment vendors and operators are actively participating in the formulation of the NESAS standard.