The Cyber Security Authority (CSA) has announced the commencement of the process of licensing Cybersecurity Service Providers (CSPs), accreditation of Cybersecurity Establishments (CEs) and Cybersecurity Professionals (CPs).
This is in pursuant to the Cybersecurity Act, 2020 (Act 1038), sections 4(k), 49, 50, 51, 57 and 59, which mandates the Authority to regulate the above activities.
The intent of the regime is to ensure regulatory compliance with the Cybersecurity Act, 2020 (Act 1038) and to certify that CSPs, CEs and CPs offer their services in accordance with approved standards and procedures in line with domestic requirements and industry best practices.
The licensing and accreditation regime will take effect from March 1, 2023, and will apply to existing and new CSPs, CEs and CPs. For a start, CSA will license Cybersecurity Service Providers in five key areas, namely; Vulnerability Assessment and Penetration Testing (VAPT), Digital Forensics Services, Managed Cybersecurity Services, Cybersecurity Governance, Risk and Compliance (GRC) and Cybersecurity Training. Cybersecurity professionals who have the relevant qualifications, demonstrable competence and industry experience shall also be accredited in the above areas as part of the regulations.
Accreditation of Cybersecurity Establishments will apply to Digital Forensics facilities and Managed Cybersecurity Service facilities operating in the country.
Background on the Licensing and Accreditation Regime.
Prior to the promulgation of the Cybersecurity Act, 2020 (Act 1038) and the establishment of the Cyber Security Authority (CSA), no government institution had the mandate to regulate cybersecurity service providers (CSP), cybersecurity establishments (CEs) and cybersecurity professionals (CPs) and the sector was generally not regulated.
It has become necessary that the industry is regulated by the CSA, to control cybersecurity risks and to protect the interests and safety of the Public, Children, Businesses, and Government. With the increasing rate of cybercrimes, CSPs, CEs and CPs have become critical components for mitigating cybersecurity threats and vulnerabilities within Ghana’s fast-developing digital ecosystem in line with the Cybersecurity Act, 2020 (Act 1038).
Cybersecurity services by its nature, are sensitive and intrusive. Cybersecurity service providers (CSPs), Cybersecurity Establishments (CEs) and Cybersecurity Professionals (CPs) normally gain access to clients’ critical information assets thereby gaining knowledge of existing vulnerabilities and sensitive information, which could be potentially abused or exploited. It is also possible to have CSPs, CEs, and CPs who may not be competent or who may employ substandard processes to the detriment of Ghana’s digital ecosystem. In addition, some businesses or government agencies lack the capability of ascertaining the credibility or qualification of CSPs, CEs or CPs especially since there is no repository of licensed and accredited CSPs, CEs or CPs.
Furthermore, national security considerations are driving regulations in the sector to ensure only persons and institutions which are qualified and in good standing undertake these critical services. The Government, through the CSA, regulates the sector by providing a licensing framework in accordance with Sections 49 to 59 of Act 1038 to ensure that CSPs, CEs and CPs attain a higher level of compliance with Act 1038 and standards in line with international best practices.
This is to provide assurance to the public and other key stakeholders that the cybersecurity services they procure from industry will support in securing their assets and processes.
Section 57 of Act 1038 mandates the CSA to establish a mechanism to accredit cybersecurity professionals. Such an accreditation process provides recognition to accredited cybersecurity professionals, who have proven demonstrable competence in their specific cybersecurity profession.
Section 59 of Act 1038 further mandates the CSA to enforce cybersecurity standards and monitor compliance by public and private sectors including cybersecurity establishments or institutions.
Latest Stories
-
MTN FA Cup: Bofoakwa Tano beat Dreams FC to set up final against Nsoatreman
2 hours -
3 policemen interdicted over Adugyama voters registration disturbance
2 hours -
Police cautions against violations at voter registration centre
4 hours -
Limited registration: Collins Dauda arrested over Kuokuom disturbance
5 hours -
Ibrahim Sadiq scores and assists as AZ Alkmaar beat GA Eagles in Eredivisie
5 hours -
Disregard fake post about Mahama’s absence at Asantehene’s birthday – Aide
6 hours -
Elect a competent leader, ignore tribal and religious sentiments – Dan Botwe to Ghanaians
6 hours -
Inaki Williams scores 100th Athletic Club goal in draw with Osasuna
6 hours -
I’ve announced my arrival in the best league in the world – Mohammed Kudus
7 hours -
Don’t believe every story you see about me – Safo Newman
7 hours -
Richard Ahiagbah refutes claims of causing chaos at voters’ registration centre
9 hours -
Andre Ayew hits 200-game mark in Ligue 1
10 hours -
Franklin Cudjoe lauds Afari Gyan’s pragmatic leadership during his tenure as EC boss
10 hours -
Israel orders more evacuations as Rafah fighting intensifies
11 hours -
Connielove Dzodzegbe: The childless mother
13 hours