BOSNA IHERCEGOVINA EOCHA l,t XEPqETOBItHA

I'I I NISTA RSTI/o KO III U N I KAC IJ,.I I P ROM ET,4 M H H I|CT) PCT 80 I(OMY H II K.4 ILIIJ,1 II TPA II(: NOPT1

BOSNIAANO HERZEGOVINA
MINISTRY OF COMMUNICATIONS AND TRANSPORT

Broj : 0 1 -07- I 4-2 -4042-5 I 18

Sarajevo, 12.10.2018. godine

BOSNA I HERCEGOVINA
Driavna agencija za istrage i za5titu (SIPA),
Nikole Tesle 59,
71123 IstoEno Sarajevo

Predmet: Poziv za ucesie na radnom sastanku u organizaciji svjetske Banke, Global cyber
Security Capacity Centre (GCSCC) sa Oxford Univerziteta i Ministarstva komunikacija i
prometa Bosne i Hercegovine, dostavlja se

PoStovani,

Ministarstvo komunikacija i prometa Bosne i Hercegovine u saradnji sa Svjetskom bankom i

Global cyber Security capacrty centre (GCSCC) sa oxford univerziteta Vas poziva da
udestvujete na radnom sasranku koji 6e se odrzati 23.lo.2olg. godine sa podetkom u 12:00 sati u
zgradi Parlamenta Bosne i Hercegovine na prvom spratu (Sala t/l).
Radni sastanak, na kojem 6e glavnu rijeC imati eksperti sa Oxford Univerziteta iz oblasti cyber-
i
sigurnosti, ima za cilj procjenu zrelosti sposobnosti cyber-sigumosnih kapaciteta Bosne i
Hercegovine kroz pet dimenzija:

r Politika i strategija cyber-sigumosti;

o Cyber-kultura i druStvo;
o Edukacrja, obuka i vje5tine o cyber-sigumosti;
r Pravni i regulatomi okvir;
o Standardi, organizacija i tehnologije iz oblasti cyber-sigumosti;

Na ovaj nadin, kroz dobivene rezurtate u vidu izvjestaja za svaki aspekt, izwsit 6e
se procjena
cyber-sigurnosnih kapaciteta, te utwditi preporuke koje 6e omoguditi Bosni Hercegovini
da
unaprijedi svoje kapacitete po pitanju cyber-sigumosti.

Zbog svega gore navedenog i,.u.etno je znalajno vale prisustvo na ovom radnom sastanku,
kako
bi se izvrSita Sto bolja procjena cyber-sigumosnih kapaciteta u Bosni i Hercegovini.

Trg Bosnc i Hercegovine lrv, 71000 Sanj eyo,t l:. +387 31284 :,5O, fax:
_ fia7 33 284 i/5l
Tpr Bocue r XepuemBxHe l/tv, 7100O Capajero, rer: +387 33 2W
lSit, quX", *ltl lt ZU lSl
http://www.mkt.gov. ba
 BOSNA IHERCEGOVINA sOCHA 1,1 XEPqETOBI.lHA
T1 I N ISTA RSTYO KOM U NI KAC 1.1A 1 PR)M ETA ,II I1 H IICTA PCT N A:O MI' H U KA UII J A II TPA H ( II0 Pfl

BOSNIAAND HERZEGOVINA
MINISTRY OF COMMUNICATIONS AND TMNSPORT

Troskove prevoza i smjestaja snose sami ucesnici, a zajednidki rudak i osvjezenje snose
organizatori sastanka. Radni jezik sastanka je engleski, dok 6e Ministarstvo komunikacija i
prometa osigurati sluibenog prevodioca.

U prilogu ovog poziva nalaze se dnevni red radnog sastanka kao i katak opis same
Cybersecurity Capacity Maturity (CMM) metodologije.

Molimo vas da vase prisustvo potwdite najkasnije do 19.10.201g. godine putem e-mail adrese:
danko. luoi@mkt.gov. ba.

S poStovanjem,

Prilog: Dnevni red radnog sastanka (na engleskom jeziku)

Cybersecurity Capacity Maturity Deployment Information (na engleskom jeziku)

Dostaviti:
- Naslovu,
- 02,03,07,
- ala.

Trg Bosne i Hercegovine l/IV, Z

_
Tpr Bocae n xepuemlmre l/rv, 710fi) cap
i.i, rir, iiiiit-iu ii6,ffi., rttt tt zu tst
http://www.mkt.gov.ba
 Global
Cyber Security
Capacity Centre

Cybersecurity Capacity Maturity Mode!

for Nations (CMM)
Review Schedule Template

Host: Ministry of Communications and Transport of Bosnia and Herzegovina

Dates: 23 October - 25 October 2018
Venue: Parliamentary assembly of Bosnia and Herzegovina (1" floor - conference room l/1)
TRG BiH 1
71000 Sarajevo
Bosnia and Herzegovina

DAY 1

09.00 - 09.45 Team pre-meeting: Global Cybersecurity Capacity Centre (GCSCC) and host
09.30 - 10.00 Retist.ation /optbnor,,
09.45 - 10.00 Coffee break
Sesslon 1: Academla, Clull Soclety, lnternet Governance and Mlnlstry of
Educ.tlon
. Unive,sity of Sarajevo
o University of Mostar
10.00 - 11.45 . Unive.sity of Banja Luka
. Unive6ity Tel-lnformatlc Crntre - UTIC
. Asociation of lnformation Technologies in Bosnia and Herzegovina
- BAIT
. Fedeial Ministry of Education and Science
. Ministry of Science and Technology of Republika Srpska
11.45 - 12.00 Coffee break
Sesslon 2: Crlmlnal Justlce, taw Enforcemcm and Ltlrlators
. Ministry ofSecurity of Bosnia and Herzegovina
o Federal Police Administration
12.00 - 13.45 . Ministry of the lnterior of Republika Srpska
. Ministry ofjustice of Bosnia and Henegovina
. State lnvestigatlon and Protection Agency
. The Prosecutor's Office of Bosnla and Heazegovina
13.45 - 14.30 Lunch break
S$slon 3: Netlon.! S€curlty Atenclas
. Ministry of Defence of Bosnia and Helzegovina
14.30 - 16.15 . lntelliSence -
Secu;lty Agency of Bosnia and Herzegovina
. Oirectorate for Coordination of police godies of Bosnia and Herregovina
. Ministry of Securlty of Bosnia and Herzegovina
 . State lnvestigation and Protection Agency
DAY 2

08.30 - 09.00 Registration (optional)

Session 4: CSInT Team and 1T leaders from Government and ihe Private SectoT
and Cyber Task Force/ cybe]security Policy Review Team
. Ministry of Defence of Bosnia and Herze8ovina
. Ministry of Security of Bosnia and Herze8ovina
09.00 - 10.45 . Ministry of Communications and Transport of Bosnia and Herzegovina
. Department for maintenance and development of electronic business and e-
tovernment system - General Secretariat of the Council of Ministers of BiH
. Communications Retulatory Agency of Bosnia and Herzegovina
. Microsoft BiH
10.45 - 11.00 Coffee break
Sesslon 5: Crltlcal Natlonal lnfrastructure I and ll
. Communications Regulatory Agency of Bosnia and Herzegovina
. BH Telecom
tl.OO 12.45
_ . Eronet
. Mtel
. Central Bank of Bosnia and Herzegovina
. Elektroprenos BIH
. The State Electricity Regulatory Commission of Bosnia and Herzegovina
12.45 - t3.45 Lunch break
Sesslon 5: Prlvate Sector and Busin6s
. BIT alianse
. Microsoft
13.45 - 15.30
. ICT Association of Foreign Trade Chamber of Bosnia and Herzegovina
. OSCE BiH
. Regional Cooperation Council (RCC)

DAY 3

08.30 - 09.00 Registration fopt ono,

S€sslon 7: Pollcy Owners ln Government Mlnlstries and Lctislators
. Parliament BiH - lnformation Technology S€ctor
. Ministry of Security of Bosnia and Herzegovlna
. Ministry o, Civil Affairs of Bosnia and Henegovina
. Ministry of Finance / Finance and Treasury of Bosnia and Her.egovina
09.00 - 11.00 . Ministry of Foreign Affairs of Bosnia and Herzegovina
. Ministry of Communications and Transport of Bosnia and Herzegovina
o Minlstry of Foreign Trade and Economic Relations of Bosnia and Herzegovina
o Agency for ldentification Documentt Registers and Data Exchange of Bosnia
and Herzegovina
. fhe lnformation Society Agency of Republika Srpska
11.00 - 11.15 Coffee break

11.15 - 11.45 Concludlng Sesslon

o lssues for discussion with host
. Discussion on initial reflections and agreement on next steps

7t.45 - 12.45 Lunch break

 Global
Cyber Security
Capacity Centre

Deploying the Cybersecurity Capacity Maturity Model

for Nations (CMM)

The Global Cyber Security Capacity Centre (GCSCC) at the University of Oxford is a leading research
centre for effective cybersecurity capacity-building across the world, promoting an increase in the
scale, pace, quality and impact of cybersecurity capacity-building initiatives globally.

Our work is focused on developing a framework for understanding what works, what doesn't work
and why - across all areas of cybersecurity capacity. This is important so that governments and
enterprises can adopt policies and make investments that have the potentialto significantly enhance
safety and security in cyberspace, while also respecting core human rights'values and interests, such
as privacy and freedom of expression.

The GCSCC has developed the Cybersecurity Capacity Maturity Modelfor Nations (CMM)r as a model
to facilitate the assessment of the malu.ity of a countvs cybersecurity capacity. Developed in
consultation with over two hundred international experts drawn from governments, international
organisations, academia, public & private sectors and civil society, the CMM reviews cybersecurity
capacity across five dimensions: Cybersecurity Policy and Strategy; Cyber Culture and Society;
Cybersecurity Education, Training and Skills; tetal and ReBulatory Frameworks; and Standards,
Organisations and Technologies.

D1 D2
Cybersecurity Cyber
Policy culture
and Stratety and Society

D5
Standaids, Cybcrsccurlty
Ortanlsations, Educalion,
and fraining and
D4 Slllls
Legal and
Re6ulatory
Fremework

I https://www.sbs,ox.ac.uk/cybersecurity-capacity/content/cybersecurity-capacity-maturity-moder-nations-
cmm-0
Each dimension consists of a number of factors that describe what it means to possess cybersecurity
capacity in that dimension; indicate how to enhance maturity. Following an example of Dimension 2.

Ut r Irust ..d Conffd.nc.

o5c

D2
cyb.r D2.2 Trust and Confidence oll the lnt€rnet
Cultur.
!nd so.iGty n8 of P€rsor
Online

/ -\
t
i-_l
A set of indicators for each aspect of those factors is used to gauge cybersecurity maturity along a
five-sta8e spectrum: start-up; formative; established; strategic; and dynamic.

Dynamic

Stratetic o
Establlshed o
Formltiva O

strrt.up a

DEPTOYING THE CMM

Oeploying the CMM involves data-tathering both through in-country stakeholder consultation
(typically over the course of three to four days) and remotefu throuSh desk research. lts aim is to
produce an evidence-based report which is submitted to the government in question and will include
recommendations to:
. benchmark the maturity of a count4y's cyb€rsecurity capacity;

. identiry possible exposure to risks; and

. identiry priorities for investment and future capacity-building.

PROCESS

The starting point of a CMM deployment is the drawing up of an agreement between the GCSCC and
the Host Country represented by a government organisation (for example a ministry or a regulator).
The GCSCC will work closely with the Local Host, who is made up of staff from the government
orBanisation with which the agreement was drawn up, in organisint the CMM review process. The
Local Host is responsible to identify the relevant stakeholders and schedule consultations in
coordination with the GCSCC. The following participants constitute several clusters of stakeholders,
which should be invited to the consultations:

. Universities
Academia, Civil Society . lnternet Society
Groups, and lnternet
. lnternet registrie
Governance
Representatives
. lnternet Governance actors
. Ministry of Education

. Prosecutors (e.9. inspector general of the police)

Criminal Justice and Law . Ministry of Justice
Enforcement . Judges
. Attorney General's office

. Ministry of Defence
Defence and lntelligence
. National security representatives
Community
. Relevant intelligence ministries (foreign and domestic)
. Ministry of Technology
. Ministry of Education
. Ministry of Finance and Commerce
. Ministry of Foreign Affairs
Government Ministries
. Ministry of Media
. Ministry of Transportation
. Ministry of Health
. Other ministries
tegislators/Policy . Parliamentarians
owners . Special committees members

CSIRT and lT Leaders . Ministerial information security officers

trom Government and . Major information technology companies
the Private S€ctor . National and/or sectoral incident response teams
. Telecommunications sector
. Finance sector
. Energy sector
Critical National
. Water sector
lnfrastructure l+ ll
. Health sector
. Transportation sector
. Other sectors
. Major industries and hi-tech companies
Private Sector and
. Small and medium enterprises (5ME)
Business
. Professional societies
Cyber Task Force for
. Representatives from international organisations (e.g. United Nations
lnternational
Cooperation World Bank), international non-governmental organisations
offi ces,
and relevant embassy partners
 REVIEW REPORT
Once the review has been conducted, a report is produced by the GCSCC which describes the in-
country cybersecurity context, summarises the findings for each factor and aspect, outlines the stages
of cybersecurity capacity maturity and provides recommendations enable the country to enhance its
cybersecurity capacity. After internal approval processes, the draft report is submitted to the Local
Host to elicit feedback.
Once all parties approve the draft report the Local Host will take the lead in the publication process.
Publication approval rests with the Host Country and if this is agreed the Local Host is encouraged to
publish it via an officialgovernment portal or other outlet to.

IMPACT
Actors around the world, ranging from individuals to nation states, need to ensure that cyberspace
and the systems dependent on it are resilient to increasing attacks. The CMM contributes toward
achieving this resilience not only through gaining a more profound understanding of international
cybersecurity capacity, but also by increasing effective investment into cybersecurity capacity based
on a rigorous analysis of data collected throuBh the model implementation. Through the application
of the CMM, critical Baps in all areas of international cybersecurity can be identified and filled with
scalable and effective measures, in cooperation with international partners.

We work with strategic partners such as the Organization of American States, World Banl!
Commonwealth Telecommunications Organisation and the lnternational Telecommunication Union;
and directly with governments. ln totalthe CMM was deployed in more than 60 countries.

FURTHER INFORMATION

Global Cyber Security Capacity Centre https://www.oxfordmartin.ox.ac.uk/cvbersecuritv

Cybersecurity Capacity Maturity Modelfor Nations (CMM) httos://www.sbs.ox.ac.uk/cvbersecuritv-

we encourage allcountries we work with to publish the reports that we produce as an outcome of
the review. These are some examples:
. Cyptus httDs://www.sbs.ox.ac.uk/cvbersecuritv-caoaciw/content/crprus-cvbersecuritv-
caoacitv-review-2017
. Lithuania
capaciW-review-2017
. Kry8yz Republic
cvbersecuritv-caoacitv-review-2017
Senetal
caoacitv
. M"drtrr."r httor,//***..br.or....rk/.vb"r.".rritr-.ro..itv/.ont"nt/r.d"s"r."r_
cvbersecuritv-caoaciW-review-2016
' United Kingdom httos://www.sbs.ox.ac.uk/cvbersecuritv-capacitv/content/cvbersecuritv-
caoacitv-uk
. ReBional study by the OAS: Cybersecurity: Are We Ready in Latin America and the
Caribbean? https://oublications.iadb.orslhandle/11319/7449?locale-
attribute=en&fl sthash.WHigKrBR.douf

CONTACI
Global Cyber Security Capacity Centre
Oxford Martin School, University of Oxford, 34 Broad Street, Oxford OXI 3BD,
Tel: +tl4 (0)1865 287434, Fax: +44 lO)1865 287435
Email: cvbercaoacitv@oxfordmartin.ox.ac.uk