11 - 13 August, Dar es Salaam, Tanzania

CYBER DEFENCE EAST AFRICA SUMMIT 2015

conference report

In collaboration with

Cyber Security Strategy to Protect an

Interconnected World

Cyber Defence East Africa Summit 2015 was the 3rd annual business focused multi-stakeholder knowledge sharing and

networking platform, organised by NRD EA in collaboration with TCRA, which aimed to address cyber security issues and brought

together the Government, the ICT Industry and Academia in efforts to create a better and more secure digital environment

for the states, governments, businesses and citizens.

Foreword

Key Facts & Figures

Participants

Speakers. Strategic sessions

Speakers. Technology sessions

Sponsors

Exhibition zone

NRD group in East Africa

Content

4

5

6

8

11

16

20

40

� �

�

Sebastian Marondo

CEO NRD East Africa

Head of the Organising Committee

Cyber Defence East Africa 2015

Cyber Defence East Africa Summit 2015

conference organisers would like to take this

opportunity to express their gratitude to the

government of United Republic of Tanzania,

esteemed Sponsors, Partners, Distinguished

guests and all participants for making this

event possible and for contributing to cyber

security awareness in Tanzania.

Gartner’s top 10 strategy technology trends

for 2015 cover three themes: the merging

of the real and virtual worlds, the advent of

intelligence everywhere, and the technology

impact of the digital business shift. Despite

of the many benefits, such sophistication

and interconnectedness of the technology

environment also introduce complex security

challenges. In 2015, major data breaches have

hit the headlines worldwide, elevating cyber

security practices to de facto national security

concerns and highlighting increased need

for skilled security professionals and service

providers.

During the Summit, international cybersecurity

experts, thought-leaders, policy-makers, and

technology vendors shared their views on

current cyber security landscape and trends.

Some of their observations and suggestions

are highlighted in this report.

Let us work on securing

digital environment

together!

Foreword from the Organisers

Key Facts & Figures

22 TOPICS

Participants from the EAC, e-Government Agency, TCRA, TRA, NAO, TASAF, PPF, MOF, TTCL, TANESCO, BOT, NMB Plc, Twiga Bancorp, University of Dar es Salaam, and others -

4 7 organisations

105 PARTICIPANTS

of participants indicated they would like to attend the conference again next year

11 participants had participated in previous CDEA conferences

91PERCENT

CDEA 2016

Speakers from TCRA, TRA, Ministry of Communication, Science and Technology, the Institute of Finance Management, tzNIC, Fortinet, BAIP, Cyberoam, ETRONIKA, NRD CS, IBM, NRD EA as well as independent consultants

17 SPEAKERS

Topics include Handling of Computer Security Incidents in the Country, The cyber law and

economy, Protecting critical

Advanced Penetration Testing, Cybersecurity workforce management and many others

www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no� www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no �

ParticipantsThe echoe from the lips of the participants and local news headlines

Lax IT Managers Face Sanctions. The Daily News

“good and relevant to the current situation in Tanzania”

“the topics were well selected and relevant; and the next summit should target CEOs”

“the topics were very interesting and I have learnt a lot; there should be more cyber security workshops to create more awareness”

“the summit was very interesting; and there should be more days for the training in the next summit”

www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no� www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no �

�

STRATEGIC SESSIONS

Opening speech by Hon Ambassdor Ombeni Sefue, the Chief Secretary of State

In the opening speech read on his behalf by the Chief Executive Officer of e-Government Agency, Dr Jabiri Bakari, the chief secretary stressed the need for IT managers to be professional.

“It is very important for every one of

us to be aware of the consequences of

poorly designed or poorly implemented

cyber-security systems, which create

opportunities for data theft and

compromise organisational function.”

“The government will continue to enact

and enforce strong laws which fairly

protect online users and transactions

involved while ensuring that such laws

do not inadvertently stifle innovation

or proscribe legitimate conduct.“

“In collaboration with private sector

the government will encourage the

promotion of cyber security awareness

across all its stakeholders. We will

continue improving competency of our

people in reacting and fighting against

the cyber incidents to be able to protect

the country’s critical IT infrastructure”.

Keynote speech by Dr Ally Y. Simba, Director General Tanzania Communications Regulatory Authority

“The internet is too complex; the

technologies have become too

sophisticated and threats have become

massive with different motivations.

This calls for coordinated approach for

protection of our infrastructure and

information from cyber threats and to

combat cybercrime in the country.”

Speakersand main discussions

The loss of trust and confidence undermines the benefits of ICT as an enabler of global

social and economic development. As our physical and digital worlds overlap, there is an

increased need to address the related challenges of ensuring security, human rights, rule

of law, good governance and economic development,” stressed Hon Amb. Ombeni Sefue.

The cyber law and its effect on Tanzanian digital economy by Josephat Mkizungo, Senior State Attorney

“Categorisation of offences in the

Cybercrime Act No 14 of 2015:

I. Offences against confidentiality,

integrity and availability,

II. Computer related offences

III. Content related offences

IV. Offences related to infringement of

copyright and related rights.”

“Procedure:

Powers to search and seize,

Disclosure of data,

Expedited preservation,

Disclosure and collection of traffic/

content data,”

“Service providers are not obliged

to monitor the traffic they are just a

conduit pipe but if it comes to their

•

•

•

•

knowledge of any criminal activity they

are obliged to report.”

Handling of Computer Security Incidents in the Country by Connie Francis, TZ-CERT

“TZ-CERT was inaugurated on 14th

May 2015 and is mandated to:

coordinate responses to cyber

security incidents at the national

level and;

collaborate with regional and

International entities involved

with the management of cyber

security incidents.

“TZ-CERT is now providing:

Incident response,

Security alerts & announcements

to community through the portal

and subscribed members,

Advisories for vulnerability and

security threats,

•

•

•

•

•

Information Security Awareness,

Technical capacity building.”

“Planned TZ-CERT services:

Penetration Testing,

Malware Analysis,

Intrusion Detection,

On-site Incident response.”

“Cyber security incidents’ statistics

up to August 2015:

185 Malware Samples Collected

424382 Network Attacks recorded

23 Network attacks from Tanzania

4836 Website attacks

384 Web attacks from Tanzania

20 Compromised websites

1950 SSL Related Vulnerabilities

1050 Critical Open Services (IPMI,

Open SNMP, Open Resolvers (Open

Recursive DNS Server), Open MS-SQL,

Netbios)

900 BotNets.”

•

•

•

•

•

•

www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no� www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no �

10

Protecting critical infrastructure, effective DRP & BCP by Kenneth Wakati, Tanzania Revenue Authority

“Key Questions to Ask:

In the case of disasters how will the

leaders communicate with each

other? What are the protocols

and procedures? How and where

they will find up-to-date contact

list? Where they should convene

(initial and back-up locations)?

Which business processes are

considered critical and need to be

restored first?

What is the environment impact?

What about the security systems

or controls in place?

What would result from complete

or partial destruction of key

buildings and the records they

contain?

How will business operate in the

case of long term absence of

systems?”

•

•

•

•

•

•

The role of the executive in the ever - changing information security landscape by David Sawe, TechEquity Ltd.

“Intentional Information Security

culture can be created by deploying:

Awareness Campaigns,

Cross-functional Teams,

Management Commitment,

...through which to:

align Information Security directly

against Business Objectives,

adopt a holistic risk-based

approach to Information Security,

create balance among

Organisation-People-Process-

Technology,

encourage diverse security

strategies to converge (physical +

data),

seek new information about

the continuously changing

landscape.”

•

•

•

•

•

•

•

•

Online Child Protection in Tanzania: Issues that Matter by Dr. Jim James Yonazi, Faculty of Computing and Information Systems, Center for ICT Research and Innovations (CIRI)

“Key categories of Child Online

Protection:

Behavioral Harm,

Unwanted Content,

Online Oppression,

Strangers offline.”

Managing security projects – security shouldn’t be an after-thought by Mike Shamku, Oaknet Business

“The spending is going up – but success

rates have remained the same, across

board, including IT Security Projects.”

“Only two in five organizations believe

they have adequate risk management

•

•

•

•

in place to support the organization.

Only half believe they have adequate

risk management relative to project-

and program-related decisions.”

“The essential practices are simply

that:

Security is approached as a part of

the company’s risk management

strategy,

A holistic approach is adopted

towards security administration,

Projects are delivered along best

practice by professionals with the

right experience and leadership

capabilities,

The right decisions are taken at

critical stages of the Project.”

Domain Name System Security by Eng. Abibu R. Ntahigiye, Manager, tzNIC

“DNS by design did not consider

security (Uses UDP Protocol).”

“DNSSEC – DNS SECurity

A mechanism that adds Security

feature to the DNS.

It uses Cryptography technology

(digital signatures).

Ends up with a Chain of Trust

amongst DNS players.

Finally results in Integrity

and Authenticity of the DNS

responses.”

“.tz registry is DNSSEC ready since 2013. It was the 3rd registry in Africa to deploy DNSSEC.”

•

•

•

•

•

•

•

•

Advanced Threat Prevention by Fortinet MAM for East Africa Imran Chaudhrey

“Landscape in 2014 (source: Verizon

Breach Report 2015):

There were nearly 80,000 security

incidents with 2,122 confirmed

data breaches reported,

700 million records were lost,

representing about $400M of

financial loss to organizations to

improve cyber security.”

•

•

“Fortinet Advantage – SECURE:

Large global threat research team

located around the world,

Discovers new threats and

delivers protective services across

a rich array of in-house security

technologies,

Updates are delivered instantly,

24x365,

Independently validated as highly

effective versus today’s threats.

FortiGuard Labs Threat Research.”

•

•

•

•

“Security is no longer a luxury it’s a necessity”

TECHNOLOGY SESSIONS

www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no10 www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no 11

Resilience of Critical IT Infrastructure is such attribute which is related with capabilities to cope with any type of external impact. This attribute is also closely connected with other attributes: flexibility, fault tolerance, automated functions recovery. …architecture, processes, testing… “ , Nerijus Sarnas, BAIP

Critical IT infrastructure services and solutions to ensure system resilience. CIMF methodology by Nerijus Sarnas, BAIP Systems’ integration group manager

“If IT infrastructure design and

technology selection are IT architect’s

responsibilities, implementation and

support is on IT administrator’s

duties, processes implementation is IT

manager’s responsibility, then...

... for General Manager it is enough to

know that his Critical IT infrastructure

is resilient and will cope with every

external impact...”

“Critical Infrastructure Maintenance

Framework (CIMF):

Processes: ISO 9000, ISO 20000,

ITIL,

People: Certifications, Experience

Tools: for monitoring, for

management,

Regular activities: testing, training”.

Missing Links of Security by Samson Ogada, Presales Manager at Cyberoam Kenya

“Studies show that 20% Users account

for 80% of Threats. Cyberoam has

introduced a unique capability – User

Threat Quotient (UTQ) – to help IT

security managers identify users posing

security risks with ease. Available on

Cyberoam’s Next-Generation Firewall

and UTM appliances, UTQ harnesses

•

•

•

•

information derived out of user’s web

traffic to determine risky users that

pose security and /or legal risks”.

“The User Threat Quotient helps

CSOs/ IT security managers by:

Spotting risky users based on their

web behavior at a glance without

manual efforts;

Removing complexity in analyzing

terabytes of logs to identify

suspicious or risk-prone user

behavior;

Eliminating the need for SMBs to

invest in separate SIEM tools to

spot risky users;

Enabling investigation into the

spread of risk within the network;

Facilitating corrective actions to

fine-tune user policies.”

•

•

•

•

•

BANKTRON – smart e-banking solution for a modern financial institution by Kestutis Gardziulis, CEO & Co-Founder of ETRONIKA

“BANKTRON is omnichannel online

banking platform which enables bank

clients to reach bank services over

internet anytime, anywhere and using

all modern devices”.

“BANKTRON Security is based on:

User rights and roles,

Two factor authentication:

PIN/TAN,

SMS,

E-signature integration with

PKI and wireless PKI,

VASCO DigiPass and RSA

SecurID support,

Advanced session management:

Unsuccessful login attempts,

IP blacklist,

Automatic disconnection,

Security interceptor,

Encrypted communication,

Encrypted user information,

Transaction and user logs,

Advanced Fraud Prevention.”

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

Effective cyber security strategy to protect digital business environment by Ben Mann, Program Director IBM

“Why Rethink Your Cyber Security Strategy Now?

Your business could be the next

headline:

Every business is a target,

Criminals are relentless, patient

and ingenious,

Assume your perimeter is already

breached,

Security is now a boardroom issue:

Your Board and CEO demand a

strategy,

Security teams can be blind to the

business risk,

You cannot do this alone,

Vulnerabilities expose your critical

data:

Criminals want your “crown

jewels”,

Users are no longer behind a rigid

perimeter,

Applications are the weak link,

Innovations transform IT security:

•

•

•

•

•

•

•

•

•

New technologies present new

security challenges,

New technologies present

opportunities to take fresh

approaches.”

“Four Vital Elements of your Security

Strategy:

Optimize your security program.

Use experts to modernize security,

reduce complexity and lower costs

Stop advanced threats. Use

analytics and insights for smarter

and more integrated defense

Protect your critical assets. Use

context-aware controls to prevent

unauthorized access and data loss

Safeguard cloud and mobile. Use

IT transformation to build a new

and stronger security posture”.

“Leaders must fight Complacency

culture and its myths:

Your company is not infected. (It is.)

Whatever you’ve done is enough. (It

is not.)

There’s a silver bullet to protect you.

(There’s not).

You need to put your company in

lock-down. (You don’t.)”

•

•

1.

2.

3.

4.

•

•

•

•

www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no1� www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no 1�

1�

Detecting, blocking and analysing digital media to create a safer society. Netclean Whitebox demonstration by Dr Vilius Benetis, CEO NRD CS

A NetClean designed system for

ISPs

Designed by ISPs for ISPs,

designed to block access to

websites containing abusive

images.

Flexible

Configuration possible to

use any URL blocking list

containing child sexual abuse

images.

Exact blocking

Blocks only the portion of the

site that needs to be blocked.

Nothing else.

Cost effective

The setup requires little

hardware which makes

license-, installation-, and

Maintenance cost low.

Easy installation & management

The system requires minor or

no changes in the ISP core due

to the use BGP. Easy overview

through SNMP traps.

Dynamic reporting

Dynamic, flexible traffic

reports.

No proxying

All non-blocked traffic is

passed unaltered.

Scalability

The WhiteBox is router based

which makes it extremely

redundant and scalable.

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

Advanced persistent threat (APT): how do you identify a stealth attacker before he strikes? by Darius Dulskas, cybersecurity consultant at NRD EA

“APT characteristics:

Targeted: APTs target specific

organizations with the purpose of

stealing specific data or causing

specific damage.

Persistent: APTs play out in

multiple phases over a long period

of time.

Evasive: APTs are systematically

designed to evade the traditional

security products that most

organizations have relied on for

years.

Complex: APTs apply a complex

mix of attack methods targeting

multiple vulnerabilities identified

within the organization.”

•

•

•

•

Introduction to Ethical Hacking. Penetration testing concept and techniques by Martynas Buozis, head of NRD CIRT

“Attacks are always ongoing:

https://www.fireeye.com/cyber-

map/threat-map.html

http://map.norsecorp.com/

https://cybermap.kaspersky.com/

http://www.digitalattackmap.com/

•

•

•

•

“Because of the Internet and the ISPs people can now easily access child abuse content. That was not possible before the Internet.” Dr Vilius Benetis, CEO NRD CS

“Methods of pentesting:

Black box

No prior information about

infrastructure. Classical

approach –just give company

name.

This method simulates a

process for a real hacker.

Grey box

Limited knowledge about

infrastructure.

Mostly used for internal

penetration testing.

White box

Complete knowledge about

infrastructure.

Process to simulate company’s

employees.”

Advanced Penetration Testing by Martynas Buozis, head of NRD CIRT

“Passive information gathering:

Tools (whois, dig, nslookup),

External sources (http://who.is;

http://www.kloth.net/services;

https://archive.org/web/; https://

www.ssllabs.com/ssltest/; http://

www.netcraft.com/; www.google.

com),

Consider using anonymous proxies

and TOR browser”.

Active information gathering:

Nmap (Port scanning: -sT, -sS, -sU;

OS detection: -O; Version detection:

-sV; Hide your scan with decoy: -D),

Telnet / NC to collect banners

(OpenSSL for SSL protected

services),

wget/ curl for web,

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

Vulnerability scanning tools

(Nessus, Qualys, Acunetix,

OpenVAS).”

Mobile device and cloud forensics by Dr Vilius Benetis, CEO NRD CS

“According to Cellebrite 2015 Trends

Survey:

95% of forensic specialists say

that mobile devices are their most

important data source;

44% of public sector users of

mobile forensic technology extract

data outside of the lab;

According to LexisNexis Survey:

8 out of 10 Law enforcement

professionals use social media as a

tool for investigations”.

“Cellebrite’s market leading and award

winning UFED Series enables physical

extraction, decoding, analysis and

reporting of data from the widest range

of mobile phones, portable GPS devices,

tablets, memory cards and phones

manufactured with Chinese chipsets.”

Preventing expensive data leaks and unnecessary staff costs. Safetica by Dr Vilius Benetis, CEO NRD CS

“78% of companies have already had a

data leak caused by an internal source. “

(Source: Ponemon Institute)

“50% of employees take sensitive data

with them when leaving a job.

•

•

•

•

80% of these plan to use this data

in their new job” (Source: Ponemon

Institute)

“96% of data breaches come from

within an organization.” (Source: SANS

Institute).

“Safetica DLP (Data Loss Prevention)

- complete protection against human

failure + risk prediction + activity

management.”

Cybersecurity workforce management by Dr Vilius Benetis, CEO NRD CS

“Workforce planning itself can become

a security enabler. This requires a clear

linkage between workforce planning

and prioritized action for securing the

enterprise”.

“Contrasted with highly-professionalized

and regulated fields such as medicine,

law, and accounting, the cybersecurity

profession remains a milieu of functions

spread across myriad roles with murky

definitions and limited ability to predict

performance”.

Cybersecurity Workforce Handbook:

A Practical Guide to Managing Your

Workforce, Council on Cybersecurity,

October 2014.

US model: http://csrc.nist.gov/nice/

EU model: http://ecompetences.eu/

•

www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no1� www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no 1�

Sponsorsand exhibition zone

BAIP BAIP is a critical IT infrastructure company providing information systems’ resilience and

mobility services for the largest corporate IT users and public sector organisations. BAIP

holds certifications and competencies with worldwide recognized technological partners in

the fields of critical IT infrastructure, printing solutions and solutions for users. Company

is acknowledged as a strategic IT infrastructure architect, specialised in large scope local

and international projects and helping organisations to ensure their business continuity

processes.

www.baip.lt

FortinetFortinet is a global leader and innovator in Network Security. Our mission is to deliver the

most innovative, highest performing network security platform to secure and simplify your

IT infrastructure. We are a provider of network security appliances and security subscription

services for carriers, data centers, enterprises, distributed offices and MSSPs. Because of

constant innovation of our custom ASICs, hardware systems, network software, management

capabilities and security research, we have a large, rapidly growing and highly satisfied

customer base, including the majority of the Fortune Global 100, and we continue to set the

pace in the Network Security market. Our market position and solution effectiveness has

been widely validated by industry analysts, independent testing labs, business organizations,

and the media worldwide. Our broad product line of complementary solutions goes beyond

Network Security to help secure the extended enterprise.

www.fortinet.com

Platinum sponsors

ETRONIKAETRONIKA is NRD group’s company, specialised in e-banking and m-signature solutions.

ETRONIKA develops complex and innovative solutions for finance and online business,

integrating advanced and secure technologies across various electronic channels. ETRONIKA

was one of the first in the world to implement the commercial mobile electronic signature

solution, which is used by Lithuanian Centre of Registers and mobile operators. Company

develops and implements modern omnichannel electronic banking solutions, which received

numerous international awards. ETRONIKA for two years in a row has been selected as one

of the most innovative and disruptive European companies in the financial technology sector

by FinTech50.

www.etronika.com

Cyberoam TechnologiesCyberoam Technologies, a Sophos Company, is a global Network Security appliances provider,

offering future-ready security solutions to physical and virtual networks in organizations with

its Next-Generation Firewalls (NGFWs) and Unified Threat Management (UTM) appliances.

The virtual and hardware Cyberoam Central Console appliances offer Centralized Security

Management options to organizations, while Cyberoam iView allows intelligent logging and

reporting with one-of-their-kind, in-depth reports. Cyberoam is accredited with prestigious

global standards and certifications like EAL4+, CheckMark UTM Level 5 Certification, ICSA

Labs, IPv6 Gold logo, and is a member of the Virtual Private Network Consortium.

www.cyberoam.com

Gold sponsors

www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no1� www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no 1�

RAHARAHA is Tanzania’s leading Internet Service Provider. For over 17 years company has been

providing fast, reliable, high tech and most importantly value driven connectivity to homes,

businesses and organizations.

www.raha.com

Connectivity sponsor

Safetica TechnologiesSafetica Technologies is a leading force in protecting companies against human factor failures

accidental and malicious actions by company insiders. The company’s flagship product is

Safetica, a Data Loss Prevention suite which secures companies from expensive data leaks and

unnecessary staff costs. Safetica Technologies’ partner network is built on AV distributors and

experienced system integrators. Safetica Technologies products and support are currently

available in more than 50 countries on 5 continents.

www.safetica.com

National Microfinance Bank Plc (NMB) NMB is one of the largest commercial banks in Tanzania, providing banking services to

individuals, small to medium sized corporate clients, as well as large businesses. It was

established under the National Microfinance Bank Limited Incorporation Act of 1997, following

the break-up of the old National Bank of Commerce, by an Act of parliament. Three new

entities were created at the time, namely: NBC Holding Limited, National Bank of Commerce

(1997) Limited and National Microfinance Bank Limited.

www.nmbtz.com

Silver sponsors

www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no1� www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no 1�

TCRA ProfileINTRODUCTIONThe Tanzania Communications

Regulatory Authority (TCRA) is a

quasi independent Government

body responsible for regulating the

Communications and Broadcasting

sectors in Tanzania. It was established

under the Tanzania Communications

Regulatory Act No.12 of 2003 to regulate

the electronic communications, and

Postal services, and management of

the national frequency spectrum in

the United Republic of Tanzania. The

Authority became operational on 1st

November 2003 and effectively took

over the functions of the now defunct

Tanzania Communications Commission

(TTC) and Tanzania Broadcasting

Commission (TBC) respectively.

OUR VISION“To be a world-class Communications

Regulator creating a level playing

field among Communication

Service Providers, and promoting

environmentally friendly, accessible and

affordable services to consumers.”

OUR MISSION“To develop an effective and efficient

communications regulatory framework,

promote efficiency among the

Communications Services Providers,

and protect consumer interests

with an objective of contributing to

socio-economic and technological

development in the United Republic of

Tanzania.”

STRATEGIC GOALTo enhance the welfare of Tanzanians

through effective and efficient

regulatory framework that ensures

universal access to communications.

STRATEGIC OBJECTIVESTo enhance TCRA capacity, Staff

competences in regulation,

research and related fields;

•

To promote efficient, reliable

and affordable communications

infrastructure and applications;

To promote efficient

communication services and

increase access to ICTs in

underserved and un-served areas;

To protect interests of consumers

and enhance awareness of their

rights and obligations;

To monitor performance of

regulated services and enforce

compliance to legislations,

regulations and standards; and

To coordinate implementation of

regional and international sector

commitments.

QUALITY MANAGEMENT SYSTEM:

TCRA is ISO 9001: 2008 Certified

•

•

•

•

•

Exhibition zonePresented technologies, services & solutions

QUALITY POLICYTanzania Communications Regulatory

Authority (TCRA) is committed to

enhancing the welfare of Tanzanians

through provision of effective and

efficient regulatory services that ensures

Universal Access to Communication

Services, through Quality Management

System in all processes needed in our

areas of jurisdiction. TCRA continuously

improves and reviews her Quality

objectives regularly and communicates

the policy within the organization.

QUALITY OBJECTIVESTo maintain an effective Quality

Management System complying

with International Standard ISO

9001:2008;

To achieve and maintain a level of

quality which enhances the TCRA

reputation with stakeholders;

To ensure compliance with

relevant statutory and regulatory

requirements;

To endeavour, at all times to

maximize stakeholder satisfaction

with our services.

The quality objectives are measurable

and reviewed against performance goals

at each Management review meeting.

CORE VALUESTCRA has a set of core values as outlined

below:

•

•

•

•

Professionalism;

Respect;

Empowerment;

Innovation;

Integrity;

Accountability;

Teamwork;

Objectivity;

Efficiency;

Nondiscrimination.

TCRA HAS THE FOLLOWING FUNCTIONS:

To issue, renew and cancel

licenses;

To establish standards for regulated

goods and services;

To establish standards for the

terms and conditions of supply of

the regulated goods and services;

To regulate rates and charges;

To monitor the performance of the

regulated sectors in relation to:

Levels of investment;

Availability, quality and

standards of service;

The cost of services;

The efficiency of production

and distribution of services;

To facilitate the resolutions of

complaints and disputes between

operator vs operator and consumer

vs operator;

To disseminate information about

matters relevant to the functions

of the Authority.

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

In carrying out its functions, the

Authority strives to enhance the

welfare of the Tanzanian society by:

Promoting effective competition

and economic efficiency;

Protecting the interests of

consumers;

Protecting financial viability of

efficient suppliers;

Promoting the availability of

regulated services to all consumers

including low income, rural and

disadvantaged consumers;

Enhancing public knowledge,

awareness and understanding of

the regulated sectors including:

The rights and obligations of

consumers;

The way in which complaints

may be initiated and

resolved;

The duties, functions and

activities of the Authority.

CORPORATE SOCIAL RESPONSIBILITYWith success comes the responsibility

of giving back to our society in a

meaningful and sustainable fashion.

TCRA support efforts of corporate

social investment that aims to improve

lives of Tanzanians through poverty

alleviation and promoting economic

development. The focus is on three

areas, Education, Health and Economic

empowerment. These are in line with

National Development Priorities.

•

•

•

•

•

•

•

•

www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no�0 www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no �1

Anti-malware technology, for example,

can detect and block viruses, botnets,

and even predicted variants of malware

with the use of technology such as

Fortinet’s patented Compact Pattern

Recognition Language (CPRL) with

minimum processing time.

Attacks can also be thwarted by reducing

the attack surface. The fewer points

of entry or potential threat vectors

available to cybercriminals the better,

meaning that carefully controlling

access and implementing VPNs is also

an important aspect of Element 1 and

part of the first line of defense against

targeted attacks. Traffic that can’t be

swiftly dealt with here gets handed off

to Element 2.

ElEmEnt 2 – DEtEct. IDEntIfy PrEvIously unknown thrEats

There are obvious advantages to

addressing threats in Element 1. The

more threats that fall into the known

category, the better. However, unknown

“zero-day” threats and sophisticated

attacks designed to hide themselves

from traditional measures are being

used every day to penetrate high-stakes

targets. Element 2 of the framework

uses advanced threat detection

technologies to examine the

behavior of network traffic, users.

and content more closely in order to

identify novel attacks.

There are a number of new approaches

that can automatically detect previously

unknown threats and create actionable

threat intelligence. Sandboxing, in

particular, allows potentially malicious

software to be handed off to a sheltered

environment so that its full behavior can

be directly observed without affecting

production networks.

Additionally, botnet detection flags

patterns of communication that suggest

command & control activity while client

reputation capabilities flag potentially

compromised endpoints based on

contextual profile.

Though incredibly powerful, this type of

threat detection is resource intensive

and thus reserved for threats that

could not be identified by more efficient

traditional methods. Detection, of

course, is only another element of the

ATP framework. The next handoff deals

decisively with these new threats.

ElEmEnt 3 – mItIgatE. rEsPonD to PotEntIal IncIDEnts

Once potential incidents and new

threats are identified in Element 2,

organizations immediately need to

validate the threat and mitigate any

damage. Users, devices, and/or content

should be quarantined, with automated

and manual systems in place to ensure

the safety of network resources and

organizational data until this occurs.

At the same time, threat detections

trigger another critical handoff:

moving the discovered information

back to the research and development

groups. Tactical protections can be put

in place. Previously unknown threats

now can be analyzed in depth, resulting

in fixes that take all of the security layers

into account, providing the right mix of

upto- date protection for every layer.

At this stage, eliminating redundancy

and creating synergy between different

security technologies is the key to

deploying a high-performing security

solution, where the unknown becomes

known. Of course, the cycle is not

completed until this actionable threat

intelligence is available at the different

enforcement points and shared globally

so that Element 1 is strengthened to

act on the new known. This keeps

cybercriminals at bay not just for one

organization but for all organizations

worldwide.

Executing detection, prevention and

mitigation in the most efficient way

possible (combining Elements 1, 2,

and 3) is essential to maintain high

levels of network performance and

maximize protection.

READ MORE: www.FORTINET.COM

SOPHISTICATED ATTACKS YIELD BIG REWARDS

The past few years have seen many

major brands and large companies

making headlines, not for some

remarkable post-recession economic

recovery or innovative product, but for

massive data breaches. More than 100

million customers had personal and/or

credit card information stolen through

just one of these bold and extended

attacks.

These types of attacks grab the attention

of consumers, lawmakers, and the

media when they manage to breach

very large organizations with dedicated

security teams and extensive

infrastructure designed to keep hackers

at bay. Nobody is immune – smaller

organizations are targets as well, either

as part of a larger coordinated attack

or through a variety of distributed

malware.

thE bottom lInE? It’s tImE for a DEEPEr, morE comPrEhEnsIvE aPProach to cybEr sEcurIty.

A SIMPLE FRAMEWORK FOR COMPLEx THREATS

The Fortinet Advanced Threat Protection

Framework consists of three elements:

Prevent – Act on known threats

and information;

Detect – Identify previously

unknown threats;

Mitigate – Respond to potential

incidents;

This framework is conceptually simple;

it covers a broad set of both advanced

and traditional tools for network,

application and endpoint security,

threat detection, and mitigation. These

tools are powered by strong research

and threat intelligence capabilities that

transform information from a variety of

sources into actionable protection.

Although elements of the framework

(and even technologies within them)

can operate in a vacuum, organizations

will achieve much stronger protection

if they are used together as part of a

holistic security strategy.

ADVANCED THREATS REQUIRE ADVANCED THREAT PROTECTION

There is no “silver bullet” to protect

organizations against the types of

advanced targeted attacks outlined

above. Rapid innovation on the malware

front, frequent zero-day attacks, and

emerging evasion techniques can all

•

•

•

render any single approach ineffective

at preventing tailored intrusion.

Instead, the most effective defense is

founded on a cohesive and extensible

protection framework that extends

from the network core through to the

end user device.

This framework incorporates current

security capabilities, emerging

technologies and a customized learning

mechanism that creates actionable

security intelligence from newly

detected threats.

The latter component is arguably most

critical to staying ahead of the threat

curve.

ElEmEnt 1 – PrEvEnt. act on known thrEats anD InformatIon

Known threats should be blocked

immediately (Element 1 in the

Fortinet Advanced Threat Protection

Framework) whenever possible through

the use of next-generation firewalls,

internal network firewalls, secure email

gateways, endpoint security, and similar

solutions that leverage highly accurate

security technologies. Examples include

anti-malware, web filtering, intrusion

prevention, and more. This is the most

efficient means of screening out

a variety of threats with minimal

impact on network performance.

The Fortinet Advanced Threat Protection Frameworka cohEsIvE aPProach to aDDrEssIng aDvancED targEtED attacks

www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no�� www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no ��

BAIP is a critical IT infrastructure company providing information systems’ resilience and mobility services for largest corporate IT users and public sector organisations.

OUR ExPERTISE LAYS IN OUR SERvICES:

Critical IT infrastructure design,

deployment, development and

maintenance;

Private, hybrid and public cloud

solutions;

Migration of databases and

applications;

Data protection solutions, back-up

and recovery, disaster recovery

planning;

IT software and equipment life cycle

in the organisation management

and supply;

Enterprise mobility management;

Server, workplace support &

maintenance 24/7;

Managed printing services,

CopyPrint;

Warranty and post-warranty

services;

3D printing.

•

•

•

•

•

•

•

•

•

•

Smooth business activity often

depends on a smooth functioning of IT

infrastructure: inoperative applications,

such as financial systems, e-mail or

any other kind of database failure may

cause many problems, lead to financial

loss or even disrupt the activities of

an organization. Properly designed IT

infrastructure ensures necessary system

performance, information security,

uninterruptable operation and reduced

costs of IT equipment acquisition and

usage.

BAIP IT services and solutions for

IT infrastructure and resilience are

designed to respond to the exact needs

and nature of private and public sectors,

scientists and science institutions in

order to fully exploit IT potential.

BUSINESS CONTINUITY AND DISASTER RECOVERY

Business continuity in IT is

uninterruptable performance of an

organization which is directly related to

IT operation (banks, energy institutions,

telecommunication companies, airports

etc.). Therefore proper operation of

critical IT infrastructure and pursuance

of business continuity plan means

smooth business activity.

In preparing business continuity plans,

our specialists perform analysis, name

the risks and factors which may cause

the downtime. High availability solutions

are applied as a preventive measure,

however in case of an incident disaster

recovery plans are put into action.

The latter recover the business faster,

reduce risk of data and financial loss

and ensure smooth business activity.

Backup and data archiving are means

of confidential and important data

protection from human mistakes, cyber-

attacks and hardware failures. In order

to avoid these problems, the following

tools are used: data replication,

snapshots, data migration to disks,

tapes and tape libraries.

To implement these solutions, special

software and dedicated peripheral

devices are used which ensure planning,

implementation and monitoring of

archiving and copying processes. In

order to achieve maximum data security

redundant data centres are designed

where backup and data archives are

stored to be used in case of an incident

and deliberate or unintended data

destruction.

Critical IT Infrastructure and Resilience Major BAIP projects

IN AFRICA

Reserve Bank of Zimbabwe: Designed

and renewed critical IT infrastructure

of the Central Bank. High standards of

business continuity and security were

met ensuring fast data recovery and

flexible opportunities for the expansion

of back-up data centers.

Central Bank of Burundi: Modernised

data center infrastructure, including

design, deployment in 3 sites: the

main Data Center at the Head Office

in Bujumbura and Disaster Recovery

Centers in branches Ngozi and

Gitega. The new platform supports

the Payment system applications,

the banking information system and

data interchange needs among the

Central Bank of Burundi and external

customers - Government, ministries,

banks, business.

Registrar-General‘s Department and

Government of Mauritius: E-registry

system modernisation, optimisation,

deployment and maintenance services.

The Ministry of Commerce and

Industry of Liberia: Critical IT

infrastructure design and supply.

National Bank of Rwanda: Negotiation

for contract signing concerning solutions

on networking and disaster recovery.

IN THE BALTICS

Swedbank: Internet bank terminals for

customers. The solution, developed on

the hardware and software of HP, DELL

and Microsoft, provides the customer

with a quick, easy and safe use of self-

service portal and access to online

bank account. According to a service

level agreement, terminals are always

available to the user.

SEB bank: MobileIron® Enterprise

mobility management solution for

different OS mobile devices users.

Separates personal and corporate

information.

Bank Finasta: CopyPrint managed

services.

vilnius University: High performance

computing system of 1920 cores,

3,6 TB operational memory, 620 TB

data storage. Devoted for scientific

calculations in medicine, genetics and

astrophysics. Used to analyse consumer

prices and behaviour, to create medical

and other data storage, weather

forecast.

vilnius and Gardin Universities: Cloud

computing and open architecture data

center virtualisation. Effective platform

between two states. Possibility to

aggregate technological resources and

share in different units while managing

organisational IT infrastructure in a

unified manner.

vilnius University: National Open

Access Scientific Information Repository

(MIDAS). Largest in Baltic states, long-

term data storage solution holds up

to 3 petabites. Integrated disc storage

and tape libraries implementing the

best features of both technologies in

hierarchical file system.

DPD, Archive systems: Migration of

data bases and applications. Transfer

data center and business management

application from one organisation or

state to another.

READ MORE WWW.BAIP.LT

www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no�� www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no ��

Secure eCommerce purchases.

Sell and buy shares with non-

repudiation.

Sign online credit and loan

applications.

Sign corporate or financial

transactions.

Access secure eGoverment services

such as tax declarations, tender

applications, permits and voting.

Remotely access health records

provided by health care

institutions.

Conveniently access corporate

networks (VPN).

Sign documents such as PDF files

and email.

Verify anonymously client’s age for

restricted access.

Top-up mobile wallets and other

mobile applications.

And many more.

•

•

•

•

•

•

•

•

•

•

•

ETRONIKA Retail Solution (ERS) ERS automates routine management

operations and processes of retail

network points, and offers various

online services to retailer‘s customers.

HIGHLIGHTS:

Modular based - each module

can be chosen according to the

business’ needs. When there is

demand for an additional module,

it can be easily and quickly

implemented.

Supports retailer’s expansion and

growth plans.

Easily integrates with the company’s

ERP system, business applications

and third-party systems.

•

•

•

Ability to sell virtual electronic

products and services: prepaid

card replenishments, e-tickets

(transport, cinema, events, and

lottery), insurance, leasing etc.

Compatible with new generation

POS hardware. The POS is a touch

screen and supports laser printers,

scanners, a great variety of barcode

scanners.

Reporting system is customised to

meet any specific retailer’s needs.

The automation of routine

management operations and

processes is developed.

Effective communication system

between trade point and head

office: messaging, ability to share

scanned or electronic documents

and reports through POS,

Supports online and offline sales

transactions.

•

•

•

•

•

•

PARTNER PRODUCT SALE IN LESS THAN 25 SECONDS

Functioning Poc window with menu PreconFigured at the back oFFice.

•

SALES PERSON’S WORKPLACE

READ MORE WWW.ETRONIKA.COM

ETRONIKA’s award winning

Omnichannel Online Banking PlatformDIFFERENT CHANNELS - UNIFIED USER

ExPERIENCE. BANKTRON technology

enables you to deliver seamlessly

any financial service through various

devices at any point in time. Created by

using the most advanced technologies

and choosing the most relevant “touch-

points” for financial service delivery,

BANKTRON grants better customer

service through:

1) Simplicity of use,

2) Faster access to information,

3) Accelerated action performance.

SIMPLE. POWERFUL. PERSONAL. FRIENDLY.

BANKTRON IS OMNICHANNEL

PLATFORM SOLUTION THAT

ASSURES:

Unified user experience across all

channels,

Centralized delivery channels

management,

Possibility to retain the existing

legacy system,

Scalable and flexible integration

•

•

•

•

with core and back-office systems.

BANKTRON helps to amaze existing

clients and engage new ones with

entirely new value added features and

wide range of standard functions, such

as:

Offline operation,

Various authentication methods,

Advanced roles, rights,

representations, limits and complex

confirmation of bank operations,

Impressive visual interfaces and

cutting-edge usability, including

responsive design which adopts to

any screen size and resolution.

Mobile ID (Wireless PKI)Mobile signature is an electronic

signature generated by a mobile

phone with special smart SIM card.

Mobile signature is intended to:

Confirm authenticity of the signed

electronic document,

Ensure that transmitted electronic

data is not modified illegally,

Demonstrate and validate identity

of a signature holder.

Application:

Secure online bank login.

•

•

•

•

•

•

•

•

www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no�� www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no ��

robust network security system which

can include a user’s human identity

as part of the firewall rule matching

criteria.

By definition, Cyberoam Layer 8

Technology over its network security

appliances treat user identity the

8th layer or the “human layer” in the

network protocol stack. This allows

administrators to uniquely identify

users, control Internet activity of these

users in the network, and enable policy-

setting and reporting by username.

BENEFITS

Identification of attackers/victims

with username

Instant visibility for administrators

into source of attacks

Controlling who is doing what in

the network

Allowing creation of identity-based

policies

Reporting to track identity-based

usage, problems, intrusions and so

forth.

Integrated security over single

Cyberoam network security appliances

(UTM, NGFW) – The Layer 8 technology

penetrates through each and every

security module of Cyberoam security

•

•

•

•

•

appliances. All security features can be

centrally configured and managed from

a single firewall page with complete ease.

Layer 8 binds these security features to

create a single, consolidated security

unit and enables the administrator to

change security policies dynamically

while accounting for user movement

– joiner, leaver, rise in hierarchy etc.

Adding Speed to security – Due to

the lack of granular identity features,

IT teams often waste time in knowing

source of attacks and attackers in case of

a security incident. Since Layer 8 offers

instant visibility into source of attacks

while identifying victims/attackers

by username, which allows proactive

remediation of security incidents. Thus

adds speed to security.

Security in wi-Fi environments

– Cyberoam secures organizations

in dynamic Wi-Fi environments

where it’s not easy to trace users by

IP addresses alone. It offers strong

user authentication, Internet access

controls and reports with identity-based

approach and offers separate Guest and

Employee network access.

Boosting productivity – Cyberoam’s

content and application filtering feature

manages indiscriminate Internet surfing

by users through custom policy setting

for users and groups, thereby setting

access limitations based on time

duration and predefined blocked sites

across 82+ categories.

Cyberoam network security appliances

also offer a user, time and role-based

bandwidth management approach

which prevents users from consuming

huge amounts of bandwidth for non-

productive surfing and downloads.

Instant Messaging Controls allow

administrators to control who can chat

with whom over text chat, webcam, file

transfer.

Cyberoam iView logging and reporting

– Cyberoam’s Layer 8 identity-based

reporting, Cyberoam iView, pinpoints

precise network activity for each and

every user. Its dashboard shows all

network attacks on a single screen with

third level drill-down reports (1200+

reports) for investigating the attacks,

and the users behind them.

Regulatory Compliance – Through

Layer 8 identification and controls,

Cyberoam network security appliances

enable enterprises to comply with

regulatory compliance norms such as

HIPAA, CIPA, PCI-DSS, GLBA, etc.

READ MORE: WWW.CYBEROAM.COM

CYBEROAM CORPORATE INTRODUCTION

Visionary Vendor;

Industry leading R&D with 550+

employees globally;

Sales, channel and customer

presence in 125+ countries;

Recognized as a “Network Security

Innovator” by SC Magazine;

Hold Patent for Identity-based

Management;

World’s 1st network security vendor

with ISO 20000:2011 certified

Global Customer Support Services.

•

•

•

•

•

•

CYBEROAM IN TANzANIA

Cyberoam in Tanzania since 2007;

More than 6000 active appliances

we are supporting;

Enterprise and SME customers

across all industries like Banking

Industry, Manufacturing, e-

Government, Hospitals, education

sector etc;

Training in Tanzania (over 300

Engineers trained in 2015);

PoC can be arranged immediately;

New Firmware Available

(Copernicus) Released in October.

•

•

•

•

•

•

Current corporate policies surrounding network security often neglect the most critical and weak security component: the human element. An organization’s overall security is only as strong as its weakest link – the user.

In order to address the concerns of

gaining visibility and controls on user

activity in the network, Cyberoam UTM’s

Layer 8 technology over its network

security appliances (UTM appliances

and Next Generation Firewalls) has

been derived out of the need for a more

Cyberoam Layer 8 TechnologySECURITY BUILT AROUND THE USER’S IDENTITY

www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no�� www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no ��

Cyber security incident response coordination:

In case of an incident, we promptly allocate

a team of cyber specialists that can stop

the cyber-attack, eliminate the harm done

or prevent it from increasing, confidentially

perform forensic incident investigation,

cooperate with law enforcement institutions

and initiate pro-active defence actions.

NRD CS can assist the Client in preparation of

the documents, necessary for initiating the

incident investigation, and consult regarding

further actions.

In case the source of the incident is outside

of the territorial boundaries of the country

that the Client operates in, incident response

and further actions are coordinated with

other national CERTs.

Employee trainings:

Once a month an electronic newsletter that

covers new IT security trends, relevant new

attack technologies and vectors, methods to

avoid them and other relevant information is

distributed among the employees.

Trainings to employees can be arranged

upon request.

* The scope and price of the services is defined based

on the analysis of individual needs of each organisation,

the component parts to be monitored and technologies

to be used. READ MORE: www.NRD.CS

Technology partnerships:

•

•

•

•

•

•

•

Managed Cybersecurity incident detection and response services - NRD CIRT

EVERY ORGANISATION IS RESPONSIBLE FOR ITS OWN CYBER SECURITY

NRD CIRT - private information security

agency. NRD CIRT is member of FIRST

and Trusted Introducer.

NRD CIRT provides services to companies

and organisations that face fraud,

intellectual property theft, industrial

espionage, network compromises,

employee misuse or malware but:

Do not have enough time, human,

technology and information

resources to manage the incident

response effectively;

have no prepared, functional

processes and procedures to

communicate about the incidents

(internally and with external

bodies);

need experienced professionals,

•

•

•

capable of initiation and

implementation of cyber security

incident investigation that

complies to effective laws as well

as proper evidence collection and

preservation.

NRD CIRT services include:

Collection of information in the

component parts, monitoring and

correlation using SIEM and other

technology solutions for ensuring

cyber security:

If the incident is detected,

the Client is informed within

two hours, he is given

recommendations and NRD

assists the Client in incident

response and resolution

coordination.

Websites security scan:

Every two months NRD runs

an automated security scan

•

•

•

•

and risk assessment on

the agreed websites, and

provides recommendations

for improving security.

Infrastructure component

assessment using automated

tools:

Every two months NRD runs

an automated scan and

risk assessment on all IT

infrastructure component

parts, and provides

recommendations for

improving security.

Websites security monitoring:

Agreed websites are being

constantly monitored for the

potentially installed malware.

If malware is found, the Client

is informed within two hours,

and recommendations for

resolution are provided.

•

•

•

•

www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no�0 www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no �1

In order to understand and mitigate

the cyber threats to your digital

assets in the most efficient way, we

propose vulnerability and compliance

assessment services.

Continuous vulnerability assessment

and management is security best

practice – a defensive measure to

protect against today’s threats. It means

in reality identification of security

exposures before potential attackers do.

NRD CS uses top ranked independent

vulnerability’s scanners, among them:

QualysGuard, Tenable Nessus Professional, Acunetix.

These scanners analyse known

vulnerabilities of organization’s digital

assets such as unpatched servers,

applications, insecure software

configuration, and susceptibility to

malware, as well as web applications

vulnerabilities.

According to well-known security

frameworks (Center for Internet Security

20 Critical Security Controls, ISO 27001),

using two independent vulnerability

scanning tools together minimize the

risk that some vulnerabilities will be not

found during an assessment.

Our approach

We use state of the art assessment

tools in combination with proprietary

methodology and security assessment

best practices.

Multiple assessment types can be

performed:

Vulnerability scanning – assessing

systems, networks and applications

for weaknesses;

•

Configuration auditing – ensuring

that IT assets are compliant with

policy and standards;

Compliance checks – auditing

system configurations and content

against standards;

Web application scanning

– discovering web server and

services weaknesses and OWASP

vulnerabilities;

Sensitive data searches – identifying

private information on systems or

in documents;

Control system auditing - assessing

SCADA systems, embedded devices

and ICS applications

WE RECOMMEND USING TwO DIFFERENT SCANNERS: QUALYS GUARD & TENABLE NESSUS PROFESSIONAL – TO MINIMISE THE SECURITY RISK.

•

•

•

•

•

Vulnerability and Compliance Assessment

QualysGuard® Vulnerability

Management (VM) automates the

lifecycle of network auditing and

vulnerability management across the

enterprise, including network discovery

and mapping, asset prioritization,

vulnerability assessment reporting

and remediation tracking according to

business risk.

Driven by the most comprehensive

vulnerability Knowledge Base in

the industry, QualysGuard delivers

continuous protection against the latest

worms and security threats without

the substantial cost, resource and

deployment issues associated with

traditional software. As an on demand

Software-as-a-Service (SaaS) solution,

there is no infrastructure to deploy or

manage, besides dropped virtual or

physical scanner probe, fully instructed

from SaaS.

QualysGuard VM enables small to large

organizations to effectively manage their

vulnerabilities and maintain control over

their network security with centralized

reports, verified remedies, and full

remediation workflow capabilities with

trouble tickets.

Nessus is the industry’s most widely-

deployed vulnerability, configuration,

and compliance scanner. Nessus features

high-speed discovery, configuration

auditing, asset profiling, malware

detection, sensitive data discovery,

patch management integration and

vulnerability analysis. With the world’s

largest continuously-updated library of

vulnerability and configuration checks,

and the support of Tenable’s expert

vulnerability research team, Nessus sets

the standard for speed and accuracy.

1. O N - P R E M I S E IMPLEMENTATION

Services include software acquisition,

installation, first time assessment and

training organization’s staff on making

assessments. Services include Tenable

Nessus and QualysGuard VM software

licences for 1 year and professional

services. With the software licenses

organization’s IT staff will be able to

perform vulnerability assessments

every day or once a week for a year.

Professional services are performed

onsite.

RESULTS

Continuous vulnerability

management in your organization

by using fully configured and

implemented QualysGuard VM and

Tenable Nessus solutions;

Established vulnerability

management procedures within

organization;

Trained staff to use implemented

solutions and procedures;

Prioritized and objective security

•

•

•

•

strengthening efforts within your

organization.

2. SOFTWARE AS A SERVICE IMPLEMENTATION

Vulnerability configuration and

compliance assessment services

include all required licences and will

be performed by qualified specialists.

This is a one-time service mostly used

by organisations to identify security

situation “as is” and decide on feature

actions. During the assessment,

specialists will perform a scan of the

organization’s IT environment with NRD

CS QualysGuard VM and Tenable Nessus

licenses and will provide a high quality

analysis of Vulnerability assessment

results. Service in most cases is provided

remotely.

RESULTS

Detailed report on identified

and ranked risks in your digital

environment;

Prioritization of actions required to

mitigate identified cyber risks;

Results presentation to top

management.

•

•

•

www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no�� www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no ��

NRD EA team has broad experience

and certifications in implementation of

the ISO 27001, ISO 9001, ISO 20000-1

standards as well as CIS Critical Security

Controls, COBIT 5 and other related

frameworks.

NRD group and cyber security

competence centre experts - NRD CS -

are contributors to COBIT 5 framework

as well as CIS Critical Security Controls.

ISO 20000

ISO 20000 is an international IT standard

that allows companies to demonstrate

excellence and prove best practice in

IT management. The standard ensures

companies can achieve evidence-based

benchmarks to continuously improve

their delivery of IT services. ISO/IEC

20000 was released in 2005 based on

the IT infrastructure library (ITIL®) best

practice framework, and updated in

2011.

ISO 27001

ISO 27001 specifies the requirements for

establishing, implementing, operating,

monitoring, reviewing, maintaining and

improving a documented Information

Security Management System within

the context of the organization’s overall

business risks. It specifies requirements

for the implementation of security

controls customized to the needs

of individual organizations or parts

thereof.

COBIT 5

COBIT 5 is a globally accepted set of tools

for IT governance based on industry

standards and best practices. COBIT 5

provides management guidance and

tools in the following areas:

Strategic alignment of IT with

business goals;

Value delivery of services and new

projects;

Risk management;

Resource management;

Performance measurement.

COBIT 5 allows management to design IT

processes and map the IT-related roles

and responsibilities within an enterprise

to four main process areas following the

•

•

•

•

•

plan, build, run and monitor life cycle.

Within these domains, the management

of IT in an enterprise is organized into

processes with clear ownership and

responsibilities. Measurement tools

enable IT goals to be aligned with

strategic goals of the enterprise.

THE CIS CRITICAL SECURITY CONTROLS

The CIS Critical Security Contols are a

recommended set of actions for cyber

defense that provide specific and

actionable ways to thwart the most

pervasive cyber attacks. Previously

developed as the SANS Institute’s Top 20

Critical Security Controls, the Center for

Internet Security (CIS) now updates and

develops the Controls since its integration

with The Council on CyberSecurity in

2015. New versions of the CIS Controls

are updated and reviewed through an

informal community process including

practitioners from government,

industry, and academia. To learn more

about the CIS Critical Security Controls,

please visit www.CISecurity.org/Critical-

Controls.

ISO 20000/270001, COBIT 5, CIS Critical Security Controls. Implementation and support

Critical IT infrastructure company BAIP

implemented an enterprise mobility

management (EMM) solution in SEB

bank across the Baltics. The EMM

solution allows employees to access and

use company data via e-mail, calendar

in their personal mobile devices in

a quick, convenient and safe mode

while separating corporate data from

personal at the same time.

BAIP implemented an enterprise mobility

management solution in SEB bank

Lithuania, Latvia, and Estonia as well as

agreed on long-term maintenance and

support services.

„While developing information

management, security and resilience

solutions as well as discussing these

issues with our clients we have realised

that corporations are concerned about

the possibilities to separate personal

and corporate information in the mobile

devices, and manage it in a unified

mode. The feeling of insecurity and the

risk of damaging sensitive information

held in mobile devices gives a potential

for the EMM solutions market to grow.

We expect annual 30-50 percent market

growth in the next 4 years. Considering

this trend, we have invested in the

EMM solutions and services with our

partner MobileIron. We are happy as

the solution has met our expectations

and BAIP has implemented its first EMM

projects in SEB bank across the Baltics

as well as a public sector organisation

in Lithuania“, – Gytis Umantas, CEO of

BAIP shared the best practice.

„Now bank‘s employees can access

company’s e-mail, calendar and other

data from their personal mobile devices

– phones or tablets in a safe mode.

It saves time and allows employees

to take prompt decisions when they

are out of office, on a business trip.

The effectiveness of IT unit will be

increased as we can support all

mobile devices simultaneously with

the EMM solution. We chose BAIP to

implement this project as a partner and

company which is enterprise mobility

management solutions certified and

has dedicated professionals“, – says

Jonas Gudmundsson, Operations and IT

manager of SEB bank Baltics.

ABOUT MOBILEIRON

Building a wide ecosystem with its

technological partners and mobile apps

developers, MobileIron with its EMM

solution transformed into mobile first

more than 8 000 companies all over the

world, among them big corporations

from finance, banking and insurance,

healthcare, transport and logistics,

tobacco. Also public organisations.

READ MORE WWW.MOBILEIRON.COM

Enterprise mobility management solution and maintenance In sEb bank across thE baltIcs

www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no�� www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no ��

storages, file sharing, external storage

devices (USB keys, CDs / DVDs), e-

mail attachments, anti-virus software,

connecting new devices to the network.

3. Using the Internet

Online threats, online spam, acceptable

usage of the internet, downloading files

from the Internet, web browser and

its capabilities, online e-mail, online

communications, online data storage,

spyware software, secure online

banking, online anonymity and privacy,

right to be forgotten.

4. Remote access to the

organization’s resources

Working from home, personal

computer, laptop security, mobile

device usage, data encryption tools,

wireless connectivity, security of wireless

connectivity, public wireless Internet

hot-spots, e-mail in the browser, VPN

connection, security of organisations’

values, physical security.

5. Prevention and response

Incident response, online security

solutions, selecting security tools,

standard Windows security tools, anti-

virus and anti-spyware tools, updates,

constant monitoring, newer software

version selection, anonymity online.

* Topics for the IT personnel and IT

security managers cover cyber security

technologies and methodologies (e.g.

CIS Critical Security Controls).

* CEOs and CFOs receive shorter,

individual security trainings.

Trainers – experienced cyber security professionals:

Romualdas Lecickis, NRD CS

Cyber security and IT

governance expert

CISA, CISM, CRISC, CGEIT, PRINCE2

MEMBERSHIP AND ExPERIENCE

Membership director of the ISACA

Lithuanian Chapter;

Established and lead Information

Technology Department at the

National Paying Agency under the

Ministry of Agriculture;

•

•

15 years of experience in the IT

sector.

Šarūnas virbickas, NRD CS

Information security legal adviser

LL.M (Stockholm University, Law

and Information Technology), ACE

(AccessData Certified Examiner)

MEMBERSHIP AND ExPERIENCE

Member of ISACA Lithuanian

Chapter;

Member of Corporate Lawyers

Division of the Lithuanian Lawyers’

Association;

10 years of experience in legal

field;

Previously – Chief specialist at

the Ministry of the Interior of the

Republic of Lithuania, responsible

for drafting of legislation and

coordination of legislative

procedures.

READ MORE: www.NRDCS.LT

•

•

•

•

•

Cyber security trainings are tailored to match the individual needs of each organisation (organisational structure, compliance requirements, etc.).

During the trainings, participants are

introduced to cyber security threats and

practice to respond to them.

Training target groups:

All employees of the organization

IT personnel

IT security managers (CISOs)

Top management of the

organization – CEOs, CFOs, etc.

(individual trainings)

1.

2.

3.

4.

Training groups – up to 20 people.

Length of the course – 1 full day.

During the trainings participants

are given practical tasks and work

in groups.

Participants receive course

completion certificates.

Trainings can be held in various

locations.

Training topics for all employees of the organisation:

Laws, regulations and

information security

methodologies

Information and its values, information

•

•

•

•

•

1.

security principles, information risks

and risk management, personal

responsibility of the user, information

security standards and methodologies

(ISO/IEC 27001/27002, COBIT 5, ITIL, CIS

Critical Security Controls).

2. Common principles of computer

security (or Basic computer

security precautions)

Secure work with computer, passwords

and their security, data encryption

tools, identity theft, social engineering,

recognising phishing emails, recognising

malicious applications, e-mails and web

links, secure work with documents,

back-up copies, security of data storage,

new software installation, network data

Cyber Security Trainings for Organisations

www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no�� www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no ��

Infobank Uganda Ltd. is a Ugandan -

Norwegian capital company providing

reliable information on particulars

of Ugandan businesses. Company is

registered and operating in Kampala

and specializes in serving financial

sector. Infobank is setting up an efficient

processes with various registries in

order to be able to access information

stored there quickly and reliably.

Company provides information on

business entities in Uganda based on the

data from Uganda Registration Service

Bureau, Registry of Lands, and other

registries. Though registries in Uganda

currently are paper based, company

provides information to users based

on technological platforms giving them

a modern digital experience. Infobank

provides the state-of-art web interface

that allows searching the company

name in their complete Ugandan

business names database and offers

a possibility to choose their services

conveniently, wherever customers are,

as well as provides options to integrate

information services to existing

customers’ systems.

SERVICES

Infobank Uganda focuses on the

financial sector customers as well as

major corporate customers in other

areas with significant information

needs. Customers are provided with

web interfaces to search for companies

and request information products,

which shall be delivered electronically

and / or as certified documents.

STANDARD INFOBANK UGANDA SEARCH REPORTStandard Search Report on specific

company will provide a digest of

information from specified company

file in URSB. The search document will

specify: date of incorporation, names

of shareholders and shares they are

holding, objective, notice of situation of

registered office, names of directors.

CUSTOMER SPECIFIC SEARCH REPORTCorporate clients who have signed

the contracts with Infobank Uganda

may choose to define contract specific

template adjusted to their specific needs

based on information from multiple

registries.

LIGOMARC ADVANCED DUE DILIGENCE REPORTDetailed joint research product by

Infobank Uganda and Ligomarc

Advocates. Besides collecting

information from company file in

registries, Ligomarc advocates make

a review and inspection of document,

verify information in detail and advise

on trustworthiness of records.

REGISTRAR CERTIFIED COPIES AND ELECTRONIC COPIES OF COMPANY FILE RECORDS

Information distribution services

Integrated One-Stop-Centre solution

Norway Registers Development AS is developing an integrated One-Stop-Centre solution for investor registration and licensing at Uganda Investment Authority.

Norway Registers Development AS signed

a contract with National Information

Technology Authority-Uganda (NITA-U)

to design and implement an integrated

One-Stop-Centre solution for investors,

traders, and entrepreneurs to facilitate

start of business in Uganda.

During the project, a long-term reform

plan will be created and a single

digital platform that will interface with

specific agencies in areas of business

registration, licensing and investment in

Uganda will be developed. Seven Primary

Licensing agencies in accordance with

their mandates are partnering to ensure

efficient service delivery to the private

sector.

The Integrated One-Stop-Centre solution

will automate the current Uganda

Investment Authority’s One-Stop-Centre

processes and will include a dynamic

and transactional web portal. The web

portal will serve as a central source

of information regarding business

operations and will enable investors and

entrepreneurs (local and international)

to apply for business registration,

business licenses, tax registration, and

primary permits required for doing

business in Uganda.

“Uganda demonstrates ambition

to facilitate foreign and domestic

investments by streamlining relevant

processes, reducing red tape and using

ICT. Norway Registers Development

brings extensive experience of high-

impact organizational reforms as well

as deep technological know-how to

assist the country with this challenging

task and develop a long-term, functional

reform plan for improving the business

climate”, commented the managing

director of NRD Rimantas Žylius.

The project involves the most significant

organizations for investors are

stakeholders of the project, namely

Uganda Investment Authority (UIA),

Uganda Registration Services Bureau

(URSB), Kampala Capital City Authority

(KCCA), Uganda Revenue Authority

(URA), Directorate of Citizenship and

Immigration Control (DCIC) under the

Ministry of Internal Affairs, National

Environment Management Authority

(NEMA) and Ministry of Lands, Housing

and Urban Development (MOLHUD).

It is expected that further reform shall

integrate other agencies that register

and issue Secondary licenses for doing

business in Uganda to the One-Stop-

Center solution.

READ MORE: www.NRD.NO

www.Infobank-uganDa.com

www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no�� www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no ��

Through INVL Technology platform,

NRD group cooperates and implements

projects with its competence centers

for IT infrastructure (BAIP) and cyber

security (NRD CS). NRD CS facilitates

NRD group’s mission of creating a

secure digital environment.

NRD in East Africa

With financial support from the

Norwegian Agency for Development

Cooperation (NORAD), NRD AS

has established partnerships with

individuals and companies and

expanded its operations in the East

African Community in 2012.

TANzANIA. In autumn 2012, NRD

AS and a local NGO ISACA Tanzania

Chapter signed a Memorandum of

Understanding on cooperation in the

development and implementation

of consultative Tanzanian National

Cyber security framework. The draft

Framework was presented on the 16th

of January, 2014.

In March 2013, NRD has invested in the

East African region and acquired 70

per cent shares of Tanzanian company

which is now called Norway Registers

Development East Africa Ltd (NRD EA).

Currently, NRD EA has 8 full-time

employees, develops its own portfolio

of services and provides on-site delivery

of NRD group services in East Africa.

NRD EA organises annual cyber

security conferences, supports

Tanzanian companies in the delivery

of information security technologies as

a value added distributor and assists

other organizations investing in East

Africa in the creation, development,

maintenance and security of their

information technology infrastructure.

NRD AS and NRD EA are also

currently participating in Fredskorpset

Norway (FK Norway) financed young

employee Exchange Program. 11

young proffessionals have already

participated in the exchange, and over

200 ICT students in Tanzania have

benefited from seminars, conducted

by FK Norway participants.

UGANDA. NRD AS owns 30 per cent

of Infobank Uganda Limited shares

since March, 2015. NRD group is also

currently developing an integrated

One-Stop-Centre solution for investor

registration and licensing at Uganda

Investment Authority, and partners

with Uganda Technology and

Management University.

Latest NRD group activities in East

Africa also include projects in zanzibar,

Burundi, Rwanda, Mauritius and

zimbabwe.

NRD group acts as a strategic management advisor with local presence and close, personal approach to the client as well as global delivery capacity, international best-practice experience and deep technological know-how.

NRD group in East AfricaBusiness climate improvement and e-governance

NRD group is a brand that

unites companies and competences

needed to promote and execute

successful business environment

improvement reforms in East Africa,

South and South East Asia regions.

NRD group companies represent

a diverse portfolio of services and

products. They act independently

in their home markets but share

competences and resources in complex

international projects, in more than 50

countries worldwide.

NRD group currently consists of a

development consulting company

Norway Registers Development

AS (NRD AS) and its subsidiaries in

Lithuania (NRD, UAB and ETRONIKA,

UAB), Tanzania (NRD East Africa Ltd)

and Uganda (Infobank Uganda Ltd).

NRD group consolidates understanding

of policy making and its dynamics,

tested best practices, experienced legal

team, IT skills and engineering capacity

for building vital economy facilitating

infrastructure.

NRD group is a part of INVL Technology

portfolio, leads its business climate

improvement and e-governance

business line, and supports business

development of other INVL Technology

companies in frontier markets.

www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no�0 www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no �1

Norway Registers Development East Africa Limited (NRD EA) works in the field of security for digital environment as a daughter company of

Norway Registers Development AS.

NRD EA provides on-site delivery of NRD services, supports Tanzanian companies in the delivery of information security technologies as a value

added distributor and assists other organizations investing in East Africa in the creation, development, maintenance and security of their information

technology infrastructure.

Together with NRD CS, NRD EA is responsible for cyber-defense strategy design and implementation services for Government and corporate

institutions. Read more: www.nrd.co.tz

SERVICES:• Information system audit & IT governance;• Trainings;• ICT infrastructure architecture implementation and maintenance;• Cyber defence products and consultations;• Disaster recovery and business continuity solutions;• Supply and distribution of IT &Telecommunications equipment.

www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no�� www.nrd.no n www.nrd.co.tz n www.nrdcs.lt n info@nrd.no ��

Norway Registers Development East Africa Limited

3rd floor, Elite tower, Azikiwe Street,P.O.Box 78533

Dar es Salaam, Tanzania

Web: www.nrd.co.tzPhone: +255 222 110 895

E-mail: info@nrd.no