BOSNA IHERCEGOVINA EOCHA 14 XEPqETOBItHA

MI N ISTA RSTI'O KOM UN I KAC'1JA I PROM ETA M II H'ICTA PCTBO KOMY H II KA UL,I,U A T PA H( IIOPTA

BOSNIA AND HERZEGOVINA

MINISTRY OF COMLIUNICATIONS AND TRANSPORT

Broj : 0 I -07-14-2 -4042-5 I 18

Sarajevo, I 2. 1 0.201 8. godine

BOSNA I HERCEGOVINA BOSNA I HERCEGOVINA

Federalna uprava policije, Ministarstvo pravde,
Mehmeda Spahe br. 7, Trg BiH 1,
71000 Sarajevo Sarajevo 71000

BOSNAI HERCEGOVINA BOSNA I HERCEGOVINA

Ministarstvo unutralnjih poslova TuZila5tvo Bosne i Hercegovine
Republike Srpske, Kraljice Jelene 88,
Trg Republike Srpske br.l, Sarajevo 71000
78000 Banja Luka

Predmet: Poziv za udeSie na radnom sastanku u organizaciji Svjetske Banke,

Global Cyber
Security Capaciry Centre (GCSCC) sa Oxford Unierziteta i Ministarswa
komunikacija i
prometa Bosne i Hercegovine, dos tavlja se

PoStovani,

Ministarstvo komunikacija i prometa Bosne i Hercegovine u saradnji

sa Svjetskom bankom i
Global cyber Security capacity cenhe (GCSCC) sa oxford Univerziteta
vas poziva da
uiestwjete na radnom sastanku koji ie se odrzati 23.10.201g. godine
sa pocetkom u li:00 sati u
zgradi Parlamenta Bosne i Hercegovine na prvom spratu (Sala
l/l).
Radni sastanak, na kojem 6e glavnu rijei imati eksperti sa oxford
Univerzitera iz oblasti cyber-
i
sigumosti, ima za cilj procjenu zelosti sposobnosti cyber-sigumosnih
kapaciteta Bosne i
Hercegovine kroz pet dimenzija:

o Politika i strategija cyber-sigumosti;

o Cyber-kultura i druStvo;
. Edukacrjq obuka i vje5tine o cyber_sigumosti;
o Pravni i regulatorni okvir;
o Standardi, organizacija i tehnologije iz oblasti cyber_sigumosti;

Na ovaj nadin, kroz dobivene rezultate u vidu izvjestaja

za svaki aspekt, izvrsit ie se procjena
cyber-sigumosnih kapaciteta, te utvrdili preporuke kole
ie omoguiiti Bosni Hercegovini da
unaprijedi svoje kapacitete po pitanju cyber_sigumosti.
Zbog svega gore navedenog izuzetno je anacajno vase prisustvo
na ovom radnom sastanku, kako
bi se izwlila sto bolja procjena cyber-sigumosnih kupacitet
u Bosni i Hercegovini.

Trg Bosne iHercegorin" tnV, ZTOOO@

_
Tpr EocH€rr
xep(eroanne t/tv, 71000 C-ap
4."o, nn, iitiil-iw'is-ri, fi", *rtz r: zu tsr
htttr://www.rnkl.goy.ba
 BOSNA IHERCEGOVINA 6OCHA I XEPLlErOB]tHA
MINISTARSTYO KOT4UNIKACIJA I PROM ETA M14HIICTA PCTrc K0MyHtlh:AU J,t U TPAHC ItOPTt

BOSNIA AND HERZEGOVINA

MINISTRY OF COMMUNICATIONS AND TMT|SPORT

Troskove prevoza i smjestaja snose sami udesnici, a zajednidki rudak i osvjeienje snose
organizatori saslanka. Radni jezik sastanka je engleski, dok 6e Ministarstvo komunikacija i
prometa osigurati sluZbenog prevodioca.

U prilogu ovog poziva nalaze se dnevni red radnog sastanka kao i kratak opis same
Cybersecurity Capacity Maturity (CMM) metodologije.

Molimo vas da vase prisustvo potvrdite najkasnije do 19.10.2018. godine putem e-mail adrese:
danko. Iupi@mkt.gov. ba.

S po5tovanjem,

Prilog: Dnevni red radnog sastanka (na engleskom jeziku)

cybersecurity capacity Maturity Deproyment Information (na engleskom jeziku)

Dostaviti:
- Naslovima"
- 02,03,07,
- ala.

Trg Bosnc i Herce8ovine lflV, 71Ofl) Sarajevq tel: +382 33 284 1SO,
_ faxt rj,Al 33 2E4 :/sl
Tpr EocHo a xcpueroBxue |/tv, 7I0oO Cap$eao,rct: +ltt
ll iU ii6,'qi", ,ltt ll zU lSl
http://www.mkt. gov.ba
 Global
Cyber Security
Capacity Gentre

Cybersecurity Capacity Maturity Model

for Nations (CMM)
Review Schedule Template

Host: Ministry of Communications and Transport of Bosnia and Herzegovina

Dates: 23 october
25 october 2018
-
Venue: Parliamentary assembly of Bosnia and Herzegovina (1n floor - conference room 1/1)
TRG BiH 1
71000 Sarajevo
Eosnia and Herzegovina

DAY 1

09.00 - 09.4s Team pre-meeting: Global Cybersecurity Capacity Centre (GCSCC) and host
09.30 - 10.00 Registration (optionol)
09.45 - 10.00 Coffee break
Sesslon 1: Academla, Ovll Society, Intcrnet Gouernance and Mlnistry of
Educatlon
. Faculty of Electrical Engineering - University of Sarajevo
. Faculty of Criminology and Security Studles - University of Sarajevo
o Faculty of Electrical Entineering - University of Banja Luka
. Faculty of Security ftience - University of Banja Luka
10.00 - 11.45
o Faculty of lnformation Technolo8y - University "Dremal Bijedie of Mostar
o Faculty of Mechanical Engineerint and Computing - University of Mostar
o Federal Ministry of Education and Science
. Ministry ofScience and Technology of Republika Srpska
. University TeFlnfo.matic Centre - UTIC
o Asociation of lnformation Technoloties in Bosnia and Herzegovina - BAIT
11.4s - 12.00 Coffee break
Sesslon 2: Crlmlnal Justlco, Law Enfo.cement and Legislators
. Ministry of Security of Bosnia and Her.egovina
. Federal Police Administlirtion
12.00 - 13.4s
. Ministry of the lnte o. ofRepublika Srpska
. Ministry of Justice of Bosnia and Herzetovina
. The Prosecutor's Offlce of Bosnia and Henegovina
13.45 - 14.30 Lunch break
S€rslon 3: I{atlonal Sc.udty Agcncles
14.30 - 16.15 . Mlnistry of Defence of Bosnia and Hezegovlna
. lntelllgence - s€curity Agency of Bosnia and Herzegovina
 . Directorate for Coordination of Police Bodies of Bosnia and Herzegovina
. Ministry of security of Bosnia and Herzegovina
DAY 2

08.30 - 09.00 Registration (optional)

Session 4: CSIRT Team and lT leaders from Government and the Private Scctor
and Cyber Task Force/ Cybe6ecurity Pollcy Review Team
. Ministry of Defence of Bosnia and Herzegovina
. Ministry of Security of Bosnia and Herzegovina
09.00 - 10.45 . Ministry of Communications and Transport of Bosnia and Herzegovina
. oepartment for maintenance and development of electronic business and e-
government system - General Secretariat of the Council of Ministers of BiH
. Communications Regulatory ASency of Bosnia and Hezegovina
. Microsoft BiH
10.45 - 11.00 Coffee break
Session 53 Critlcal ational lnfrastruclure Iand l!
o Communications Regulatory Agency of Bosnia and Hezegovina
o BH Telecom

11.00 _ 12.45
. Eronet
. Mtel
. Central Bank of Bosnia and Herzegovina
. Elektroprenos BiH
. The State Electricity Regulatory Commission of Bosnia and Herzetovina
12.45 - 13.45 lunch break
Sesslon 5: Prlvate Sector and Buslness
. BIT alianse
. Microsoft
13.45 - 15.30
. ICT Association of Foreign Trade Chamber of Bosnia and Herzegovina
. oscE BiH
. Regional Cooperation Council (RCC)

DAY 3

08.30 - 09.00 Registration (optionol)

S$slon 73 Policy Owners ln Gov€rnment Mlnistrles and Letlslatols
o Parliament BiH - lnformatlon Technology S€ctor
. Ministry of Security of Bosnia and Herzegovina
. Ministry of Civil Afhirs of Eosnia and Herze8ovina
o Ministry of Finance / Finance and Treasury of Bosnia and Herzetovina
09.00 _ 1f.00
o Minlstry of Foreign Affairs of Bosnia and Herzegovina
. Ministry of Communications and Transport of Bosnia and Herzegovina
. Ministry of Forei8n Trade and Economic Relations of Eosnia and Herzegovina
. Agency for ldentification Documents, Registers and Data Exchante of Bosnia
and Herzegovina
 . The lnformation Society Agency of Republika Srpska
11.00 - 11.15 Coffee break

11.15 - 11.45 Concluding Session

. lssues for discussion with host
. Discussion on initial reflections and agreement on next steps

17.45 - 12.45 Lunch break

 Global
Cyber Security
Capacity Centre

Deploying the Cybersecurity Capacity Maturity Model

for Nations (CMM)

The Global Cyber Security Capacity Centre (GCSCC) at the University of Oxford is a leading research
centre for effective cybersecurity capacity-building across the world, promoting an increase in the
scale, pace, quality and impact of cybersecurity capacity-building initiatives globally.

Our work is focused on developing a framework for understanding what work, what doesn't work
and why - across all areas of cybersecurity capacity. This is important so that Bovernments and
enterprises can adopt policies and make investments that have the potential to significantly enhance
safety and security in cyberspace, while also respecting core human rights'values and interests, such
as privacy and freedom of expression.

The GCSCC has developed lhe Cybersecurity Capacity Maturity Model for Nations (CMMlr as a model
to facilitate the assessment of the maturity of a countny's cybersecurity capacity. Developed in
consultation with over two hundred international experts drawn from governments, international
or8anisations, academia, public & private sectoB and civil society, the CMM reviews cybersecurity
capacity across five dimensions: Cybersecurity Policy and StrateBy; Cyber Culture and So€iety;
Cybersecurity Education, TraininB and Skills; Legal and Regulatory Frameworks; and Standards,
Or8anisations and Technologies.

D1 D2
cybersecurity Cyber
Policy culture
and Stratety and society

D5
standards, CVbe6Gcurity
OrBanisations, fducation,
and Trainlng and
o4
LcAal and
R.gulatory
Fremcworks

I https://www.sbs.ox.ac.uk/cybersecurity-capacity/content/cybersecurity-capacity-maturity-model-nations-
cmm-0
Each dimension consists of a number of factors that describe what it means to possess cybersecurity
capacity in that dimension; indicate how to enhance maturity. FollowinB an example of Dimension 2.

:u.itv Mindrel

D2
cybcl D2.2 Trust and Conndence on the lnternet
cultu.a
lnd socloty

-t
r I,l
\-

A set of indicators for each aspect of those factors is used to gauge cybersecurity maturity along a
five-staBe spectrum: start-up; formative; established; strategic; and dynamic.

Dynamic o
Strategic o
Establlshed o
Formstiv. O

st.d-up a

OEPIOYIT{G THE CMM

Deploying the CMM involves data-gathering both through in-country stakeholder consultation
(typically over the course of three to four days) and remotely through desk research. lts aim is to
produce an evidence-based report which is submitted to the government in question and will include
recommendations to:
. benchmark the maturity of a countr/s cybersecurity capacity;

. identify possible exposure to risks; and

. identifu priorities for investment and future capacity-building.

PROCESS

The startinB point of a CMM deployment is the drawinB up of an a8reement between the GCSCC and
the Host Country represented by a government organisation (for example a ministry or a regulator).
The GCSCC will work closely with the Local Host, who is made up of staff from the government
organisation with which the agreement was drawn up, in organising the CMM review process. The
l-ocal Host is responsible to identify the relevant stakeholders and schedule consultations in
coordination with the GCSCC. The following participants constitute several clusters of stakeholders,
which should be invited to the consultations:

. Universities
Academia, Civil Society . lnternet Society
Groups, and lnternet . lnternet registrie
Governance
Representatives
. lnternet Governance actors
. Ministry of Education

. Prosecutors (e.9. inspector general of the police)

. Ministry of Justice
. Judges
. Attorney General's office

. Ministry of Defence
Defence and lntelligence . National security representatives
Community
. Relevant intelligence ministries (foreren and
. Ministry of Technology
. Ministry of Education
. Ministry of Finance and Commerce
. Ministry of Foreign Affairs
Government Ministries
. Ministry of Media
. Ministry of Transportation
. Ministry of Health
. Other ministries
Legislators/Policy . Parliamentarians
owners . Special committees members

CSIRT and lT Leaders . Ministerial information security officers

from Government and . Major information technology companies
the Private Sector . National and/or sectoral incident response teams
. Telecommunications sector
. Finance sector
. Enerty sector
Critical National
. Water sector
lnfrastructure l+ ll
. Health sector
. Transportation sector
. Other sectors
. Major industries and hi-tech companies
Private Sector and
. Small and medium enterprises (SME)
Business
. Professional societies
Cyber Task Force . Representatives responsible for
. Representatives from international organisations United Nations
lnternational
offices, World Bank), international non-governme organisations
Cooperation
(NGO), and relevant embassy partners
 REVIEW REPORT
Once the review has been conducted, a report is produced by the GCSCC which describes the in-
country cybersecurity context, summarises the findin8s for each factor and aspect, outlines the stages
of cybersecurity capacity maturity and provides recommendations enable the country to enhance its
cybersecurity capacity. After internal approval processes, the draft report is submitted to the Local
Host to elicit feedback.
Once all parties approve the draft report the Local Host will take the lead in the publication process.
Publication approval rests with the Host Country and if this is agreed the l-ocal Host is encouraged to
publish it via an officialgovernment portal or other outlet to.

IMPACT
Actors around the world, ranging from individuals to nation states, need to ensure that cyberspace
and the systems dependent on it are resilient to increasing attacks. The CMM contributes toward
achievin8 this resilience not only through gaining a more profound understanding of international
cybersecurity capacity, but also by increasing effective investment into cybersecurity capacity based
on a rigorous analysis of data collected through the model implementation. Through the application
of the CMM, critical Eaps in all areas of international cybersecurity can be identified and filled with
scalable and effective measures, in cooperation with international partners.

We work with strategic partners such as the OrBanization of American States, World Bank,
Commonwealth Telecommunications Or8anisation and the lnternational Telecommunication Union;
and directly with governments. ln totalthe CMM was deployed in more than 60 countries.

FURTHER INFORMATION

Global Cyber Security Capacity Centre https://www.oxfordmartin.ox.ac.uk/cvbersecuritv

Cybersecurity Capacity Maturity Modelfor Nations (CMM) httos://www.sbs.ox.ac.uk/cvbersecuritv-

we encourage all countries we work with to publish the reports that we produce as an outcome of
the review. These are some examples:
' cYPrus
caoacitv-review-2017
. Lithuania
caoacitv-review-2017
' Kryty2 RePublic httos://www.sbs.ox.ac.uk/cvbersecuritv-caoacitv/content/kvrqvz-reoublic-
cvbersecu ritv-caoaciW-review-2017
Senegal
caoacitv
' Madatascar httos://www.sbs.ox.ac.uk/o/bersecuritv-caDacitv/content/madaqascar-
cvbersecuritv-capacitv-review-201G
united Kintdom https://www.sbs.ox.ac.uk/cvbersecuritv-caoaciw/content/cvbersecuritv-
caoacitv-uk
. Regional study by the OAS: Cybersecurity: A.e We Ready in Latin America and the
Caribbean? httos://oublications.iadb.orqlhandle/11319/7449?locale-
attribute=en&#sthash.WHi9KrBR.douf

CONTACT
Global Cyber Security Capacity Centre
Oxford Martin School, University of Oxford, 34 Broad Stree! Oxford OXI 3BD,
Tel: +44 (0)1865 287434, Fax: +44 (0)1865 287435
Email: cvbercaoacitv@oxfordmartin.ox.ac.uk