What is security intelligence?
Security intelligence is a continuous process that keeps a system up to date with the latest security patches and keeps it under surveillance in order to detect attempted intrusions in real time and provide a prompt and effective response.
Which legal framework governs this activity?
Article 7 of Law No 2010/012 of 21 December 2010 states that ANTIC should carry out technology watch and issue alerts and recommendations regarding the security of electronic communications networks and certification.
How does ANTIC ensure its mission of security intelligence?
To fulfil its security intelligence mission, ANTIC has established a Computer Incident Response Team (CIRT), which has two main responsibilities:
- Prevention: CIRT is responsible for taking steps to prevent cyber-attacks;
- Incident Response: In case of an attack or incident, CIRT promptly intervenes to clear the attack and identify the attacker.
What are the main functions of CIRT?
The main functions of CIRT are as follows:
1. Surveillance of national cyberspace critical infrastructure and prompt response to incidents
CIRT identifies national cyberspace critical infrastructure and installs special technical devices that permit it to be notified in real time in case of an incident. Once notified, CIRT provides an effective prompt response which consists of blocking the attack, correcting the vulnerability exploited, and identifying and locating the attacker.
2. Issuance of security alerts and bulletins
In order to prevent cyber-attacks, CIRT regularly issues security alerts and bulletins about vulnerabilities inherent in some systems and software as well as recommendations to correct them. These security bulletins are intended for IT officials and the general public, who must implement the formulated recommendations in order to protect their systems.
3. Cybersecurity awareness
The disturbing factor in the evolution of cybercriminality is that Internet users are not sufficiently aware of the subject. As such, CIRT is striving to raise cybersecurity awareness among users and IT officials. This awareness is raised through the publication of Internet security guides (for parents, children, and enterprises), brochures and magazines, radio and television programmes as well as the organisation of seminars and forums.
4. Assistance to users and companies in dealing with security incidents
CIRT centralises and processes requests for assistance related to cybercriminality. As such, it has a phone number (242 099 164) and an e-mail address through which individuals and businesses can inform it of any incident related to computer security.
Moreover, it should be noted that according to Article 7 of Decree No 2012/1643/PM, any private or public agency is required to notify ANTIC about any computer security incident affecting its network.
5. Development of a reference framework for the security of information systems
In order to avoid disorganised management of information systems’ security, it is imperative to set standards. These standards define the organisational and technical measures to be taken to ensure the security of information systems. They are intended for enterprises, administrations and even consumers.
So far, CIRT has developed a set of standards including the security policy of public administrations, the guide to secure websites, and the standard architecture of public administrative information systems.
6. Investigations related to cybercriminality
Laws No 2010/012 and 2010/013 of 21 December 2010 have filled the legal vacuum that existed in the area of cybercriminality. Therefore, cybercriminals can now be subjected to criminal prosecution and penalties.
Within the framework of investigations related to cybercrime, law enforcement and judicial authorities may seek technical expertise from CIRT, including the acquisition and analysis of digital evidence. The collaboration between CIRT and law enforcement authorities is prescribed by Article 52 of Law No 2010/012.
7. Gathering of cybercrime statistics
To follow up the evolution of cybercriminality in Cameroon, CIRT has developed a system of managing statistics related to cybercriminality. With this system, CIRT categorises cybercrimes perpetrated in Cameroon in terms of type and geographic location and can follow their evolution over time. This provides CIRT with sufficient data to develop adequate strategies for the fight against cybercriminality.
8. Collaboration with other CIRTs
Cybercriminality is a cross-border phenomenon and as such Cameroon’s CIRT must work with CIRTs of other countries and other international organisations dealing with cybersecurity issues. It is for this reason that CIRT works with organisations such as IMPACT, INTERPOL and AFRICACERT.
1 - What is Information System Security Audit?
Law No. 2010/012 of 21 December 2010 relative to Cybersecurity and Cybercriminality in Cameroon defines security audit as a systematic examination of components and security actors, policies, measures, solutions, procedures and resources used by an organisation to protect its environment and ensure conformity of its Information Systems with laid down standards.
2 - Which legal framework governs this activity?
The security audit activity is governed by:
- Law No. 2010/012 relative to Cybersecurity and Cybercriminality in Cameroon that spells out the legal framework for security audit activities in Articles 7, 13, 14, 32 and 61;
- Decree No. 2012/1643/PM of 14 June 2012 fixing the conditions and modalities of a mandatory audit of Electronic Communications Networks and Information Systems in Cameroon;
- Joint Order No. 00000013/MINPOSTEL/MINFI of 10 May 2013 fixing the amount and payment modalities for fees charged by ANTIC;
- Decision No. 00000094/MINPOSTEL of 30 May 2013 fixing security audit fees for Electronic Communications Networks and Information Systems;
- Decision No 00000122/MINPOSTEL of 27 June 2013 fixing the modalities for the organisation and functioning of the commission responsible for making proposals for the accreditation of persons wishing to practise as expert auditors in the domain of electronic communications networks and information systems security.
3 - Why should we audit?
The main objectives of an audit are to:
- Ensure compliance of Information Systems with defined security standards;
- Identify and assess risks and security vulnerabilities;
- Identify the origins and causes of incidents.
4 - What is to be audited?
The following are to be audited: Government Information Systems and Electronic Communications Networks, Electronic communications service providers such as Internet service providers and telephone operators, and generally companies doing computerised processing of personal data of their clients in the provision of services via Electronic Communications Networks open to the public.
We distinguish in this context, four (04) categories of institutions to be audited:
- Public Administration;
- Public Administration Establishments and Enterprises with public capital;
- Telecommunications Operators and Internet Service Providers;
- Credit and micro-finance institutions.
However, it should be noted that specific applications used in defence and national security are exempted from security audit.
5 - Who audits?
The main actors in the realisation of audit missions are ANTIC and external auditors (legal persons or individuals) who have been accredited by ANTIC.
Their duties are as follows:
5.1 ANTIC’s Role
According to Law No 2010/012 of 21 December 2010, ANTIC’s roles with regard to security audits are to:
- Establish annual security audit plans and communicate them to the agencies concerned;
- Define the technical specifications for auditors;
- Develop a model Terms of Reference (TOR) of an audit operation;
- Develop audit standards;
- Accredit external auditors;
- Audit Public administrations;
- Ensure the regularity of audit missions in government and public institutions;
- Examine the conformity of external auditors’ reports;
- Set deadlines for the realisation of audit missions and define penalties for non-respect of set deadlines;
- Conduct a field verification of the effectiveness of an audit mission after studying the report provided by an external auditor;
- Fix conditions for the rejection of audit mission reports;
- Ensure that the audited organisation implements the recommendations and proposals contained in an audit report.
5.2 The role of external auditors
The duties of external auditors with regard to security audits are as follows:
- Carry out the information system audit of organisations assigned to them by ANTIC and formulate recommendations to address the vulnerabilities identified;
- Ensure post-audit follow-up to accompany the audited organisation in the implementation of the proposed solutions.
6 - What are the different phases of an audit mission?
A security audit mission generally involves four (04) phases:
6.1 The preparatory phase of the audit
It consists of soliciting from organisations to be audited all details, information or documents necessary in carrying out the mission. These documents include among others, security policy, architecture of the information system, information systems users’ manual, organisational chart and reports of previous audits.
6.2 The audit phase
It consists of three components namely:
6.2.i Organisational and physical audit
It consists of:
- Interviewing “key employees” with respect to different procedures in force in the organisation (organisational chart, IT charter, security policy, internal rules, computer equipment acquisition and maintenance procedures, hardware and software configuration procedures, incident management plan in case of an incident and post-incident, application development standards);
- Assessing the conformity of the various documents with laid down procedures;
- Studying the locality and the building housing the organisation (architecture, quality of construction, type of door, type of material).
6.2.ii Technical audit
It consists of carrying out a very detailed logical analysis of the security infrastructure of the information system to be audited. The following are thus assessed by using tools and an audit reference framework (technical files): computers, UPS, routers, IPS, HIDS, NIDS, switches, firewalls, printers, copiers, etc.
6.2.iii Analysis and evaluation of risks
After the organisational, physical and technical security vulnerabilities have been identified, a methodological approach is followed to evaluate the risks they pose to the security of the audited organisation.
6.3 Synthesis of recommendations
It begins at the end of the audit phase and consists of realising a synthesis to establish the list of security vulnerabilities (classified according to gravity or impact), evaluating the risks, and drafting a summary of suitable recommendations.
6.4 Post-audit follow-up phase
This follow-up is realised by the auditor (ANTIC or an accredited auditor) and consists of optionally providing to audited organisations, resources for follow-up during the 3 (three) months following the audit. The extent of support may include the review of the effectiveness of the first critical measures implemented and any other action deemed appropriate by the auditor.
7 - How is a security audit mission charged?
Pursuant to Article 4, paragraph 2 of Decree No 2012/1643/PM of June 14, 2012, audit fees are borne by the organisation being audited based on the official scale, the number of auditors in a team and the duration of the mission.
1. What are they?
- What is an IP address? It is a unique identification number assigned to each device or equipment connected to a computer network that uses the Internet Protocol (IP) for communication;
- What is a domain name? It is an identifier having a set of properties that permit computers to communicate through IP addresses;
- Who is the Registrar of “.cm”? Legal person authorised to serve as a registrar of “.cm” domain names;
- What is a LIR (Local Internet Registry)? Legal person authorised to serve as a manager of an IP address.
2. Why regulate domain name and IP address resources?
Domain name and IP address resources are essential elements in computer networks that need to be regulated to ensure equitable sharing for a rational and harmonious use between operators of these networks in order to maintain healthy competition.
The control of these resources also ensures interoperability and functioning of the Internet (and the services it offers) which is a powerful catalyst for economic and social development. The regulation anticipates the need for resources in the evolution of different networks and the entry of new operators in the market.
3. What should be regulated?
The regulation of naming and addressing resources shall include:
- The management of domain names, which permits a unique visual identification of Internet services available on the web;
- The management of IP addresses, which makes it possible to uniquely identify and geographically locate sources of electronic data available on the web;
- Information and communication technologies sectors;
- Electronic communications services;
- Costs.
4. Who controls domain names and IP addresses in Cameroon?
According to Article 96 of Law No 012/2010 of 21 December 2010 on electronic communications and Decree No 2013/0402/PM of 27 February 2013 laying down modalities for the management of naming and addressing resources, ANTIC has been mandated as the regulator of such resources.
5. How does ANTIC regulate domain names and IP addresses?
As the regulator of domain names and IP addresses in Cameroon, and to effectively engage the process of regulation, ANTIC has developed a number of regulatory tools in this area, notably the development of a national strategy for migration from IPv4 to IPv6 Internet Protocol in collaboration with all stakeholders (public sector, private sector and civil society). Regarding domain names, ANTIC is the registrar of “.cm.” The registration of domain names is done by fourteen (14) registrars accredited by ANTIC in conformity with Decree No 0402/2013/PM of 27 February 2013. The registrars are:
- MTN
- RINGO
- NETCOM
- WORLD VOICE
- ICC SOFT
- HTT TELECOM
- CAMTEL
- GRID ENGINEERING
- INET
- INFO_GENIE
- MATRIX TELECOM
- MANYAKA
- CREOLINK
- ISERVICES
Cooperation ties between the National Agency for Information and Communication Technologies, ANTIC, and the Commonwealth Telecommunications Organisation, CTO, have been strengthened following the signing of a partnership agreement between the two institutions on 04 November 2016.
The agreement, signed at ANTIC's Head Office in Yaounde, Cameroon, by the Director General of ANTIC, Dr. Ebot Ebot Enaw, and the Secretary General of CTO, Dr. Shola Taylor, enjoins CTO to deliver capacity building workshops to ANTIC and state IT officials.
The specialised trainings on IT governance and cyber security will sharpen the aptitude of ANTIC's staff and enable them to fortify the security of Cameroon's cyberspace. They will cover nine major domains: IT management/leadership, risk management and business continuity planning, information system security audit, IT governance, forensic investigations, introduction to cyber security, critical information infrastructure protection (CIIP)/cyber security, introduction to Computer Emergency Response Team (CERT) and managing Computer Emergency Response Team (CERT).