CSA commences licensing, accreditation of Cybersecurity Service Providers
The Cyber Security Authority (CSA) has commenced the licensing of Cybersecurity Service Providers (CSPs) and accreditation of Cybersecurity Establishments (CEs) and Cybersecurity Professionals (CPs).
This is pursuant to the Cybersecurity Act, 2020 (Act 1038), sections 4(k), 49, 50, 51, 57 and 59.
A statement issued and signed by the CSA said the purpose of the regime was to ensure regulatory compliance with the Cybersecurity Act, 2020 (Act 1038) and to certify that CSPs, CEs and CPs offered their services in accordance with approved standards and procedures in line with domestic requirements and industry best practices.
It said given the critical role Cybersecurity Establishments such as digital forensic laboratories and managed cybersecurity services played in securing Ghana’s digital ecosystem, it was imperative that processes and technology used by such establishments were in line with international best practices and standards adopted by the Authority.
The statement said it had, therefore, become essential that the Authority, in line with Section 59(3) of Act 1038, took the necessary measures such as licensing CSPs and accrediting CEs and CPs to ensure that recognised standards had been met.
It said the regulatory process started with the licensing of existing and new CSPs, which would subsequently be followed by the accreditation of CEs and CPs.
The statement said the CSA would license CSPs and accredit CPs with requisite expertise in Vulnerability Assessment and Penetration Testing, Digital Forensics Services, Managed Cybersecurity Services, Cybersecurity Governance, Risk and Compliance.
It said accreditation of Cybersecurity Establishments would focus on Digital Forensics Facility and Managed Cybersecurity Service Facility.
The statement said under the regime, existing CSPs that were already engaged in the business of providing cybersecurity services would be given six months (from March 1 to September 30, 2023) to apply for a licence.
It said a CSP that failed to obtain a licence within the period would have to cease operation until a licence was obtained from the Authority.
The statement said it had become necessary that the industry was regulated to control cybersecurity risks and protect the interests and safety of the Public, Children, Businesses, and Government.
It said with the increasing rate of cybercrimes, CSPs, CEs and CPs had become critical components for mitigating cybersecurity threats and vulnerabilities within Ghana’s fast-developing digital ecosystem in line with the Cybersecurity Act, 2020 (Act 1038).
The statement said cybersecurity services by the nature of their operations were intrusive, and as a result, CSPs, CEs and CPs always gained access to clients’ critical information assets, thereby gaining knowledge of existing vulnerabilities and sensitive information, which could be potentially abused or exploited.
“It is also possible to have CSPs, CEs, and CPs who may not be competent or who may employ substandard processes in their offerings to the detriment of Ghana’s digital ecosystem. In addition, some businesses or government agencies lack the capability of ascertaining the credibility or qualification of CSPs, CEs or CPs, especially since there is no repository of licensed and accredited CSPs, CEs or CPs.”
“This process is to ensure that the targeted entities have the requisite skillset and competence and meet the established standards for offering sufficient protection of the computer systems and networks in the country’s digital ecosystem.”
The statement said CSA would ensure that qualified professionals with the appropriate certification provided cybersecurity services to support a secure and resilient digital ecosystem, and consequently give recognition to the cybersecurity profession as a critical profession to support and sustain the current digital transformation agenda.
It said national security considerations were driving regulations in the sector to ensure only qualified persons and institutions in good standing undertook those critical services.
The statement said Government, through the CSA, regulated the sector by providing a licensing framework in accordance with Sections 49 to 59 of Act 1038 to guarantee that CSPs, CEs and CPs attained a higher level of compliance with Act 1038 and standards in line with international best practices.
It said that was to provide assurance to the public and other key stakeholders that the cybersecurity services they procured from the industry were effective.
The statement said Section 57 of Act 1038 mandated the CSA to establish a mechanism to accredit cybersecurity professionals and such an accreditation process provided recognition to accredited cybersecurity professionals, who had proven demonstrable competence in their cybersecurity domain.
It said Section 59 of Act 1038 further mandated the CSA to enforce cybersecurity standards and monitor compliance by the public and private sectors including Cybersecurity Establishments or institutions.
The statement said CSPs who engaged in the business of providing cybersecurity services without the requisite licence after September 30, 2023, shall be in contravention of the Cybersecurity Act, 2020 (Act 1038) and shall be liable to pay administrative penalties.
However, a CSP who applied for a licence by September 30 may continue to provide its service until a decision on the application had been made by the Cyber Security Authority.
It said a licence or accreditation granted was valid for two years from the date of issuance as provided for in Section 53(1) of Act 1038.
“Further information on the licensing and accreditation process is available at www.csa.gov.gh. Queries on the process may be sent to firstname.lastname@example.org.”