Part II: ADMINISTRATION AND MANAGEMENT OF THE COMMITTEE
Section 6. Responsibilities of the Committee.
Section 6(1)(a) issue prompt and timely advice to the Government on cybersecurity strategies relating to various technologies and sectors;
Section 6(1)(b) undertake advocacy and create public awareness of cybersecurity matters;
Section 6(1)(c) receive and approve reports from the Cybersecurity Operations Centres;
Section 6(1)(d) in collaboration with relevant agencies, formulate Information Security Standards;
Section 6(1)(e) approve the identification and designation of critical information infrastructure...
Section 7. Conduct of business of the Committee.
The conduct of business of the Committee shall be in the manner provided under the First Schedule of these Regulations.
Section 8. Role of the Secretariat.
issue notices of meetings to the Committee members including organizing for the venue and time for the meetings;
Part III: CYBERSECURITY OPERATIONS CENTRES
Section 9. Cybersecurity Operations Centres.
Section 9(1) Pursuant to section 6(1)(f) and (g), the Committee shall coordinate the collection and analysis of cyber threats through collaboration and cooperation with the Cybersecurity Operations Centres specified under paragraph (2).
Section 9(2)(a) National Cybersecurity Operations Centre;
Section 9(2)(b) Sector Cybersecurity Operations Centres; and
Section 9(2)(c) Critical Information Infrastructure Cybersecurity Operations Centres.
Section 9(3)(a) real time event monitoring, analysis, log collection and aggregation;
Section 9(3)(b) an alert system;
Section 9(3)(c) cybersecurity specialists organized to prevent, detect, analyse and respond to threats...
Section 10. National Cybersecurity Operations Centre.
Section 10(1) A National Cybersecurity Operations Centre shall be the national focal point for monitoring, detecting, preventing, responding to, investigating and attributing cyber threats, computer and cybercrimes in Kenya.
Section 10(2)(a) have visibility of threats and incidents that occur in Sector Cybersecurity Operations Centres and Critical Information Infrastructure Cybersecurity Operations Centres;
Section 10(2)(b) have the capability to perform the functions of a Sector Cybersecurity Operations Centre and Critical Information Infrastructure Cybersecurity Operations Centre...
Section 11. Sector Cybersecurity Operations Centres.
Section 11(1)(a) the Regulator of the specific Sector as set out in the Second Schedule in which the critical information infrastructure is domiciled; or
Section 11(1)(b) where applicable, the relevant Ministry where the critical information infrastructure is domiciled, shall be deemed the Sector Cybersecurity Operations Centre.
Section 11(2) A Sector Cybersecurity Operations Centre shall be responsible for monitoring, detecting, preventing, responding to and investigating cyber threats that are specific to its respective Sector.
Section 11(3)(a) collaborate, through information and threat intel...
Section 12. Critical Information Infrastructure Cybersecurity Operations Centre.
Section 12(1) A Critical Information Infrastructure Cybersecurity Operations Centre shall be responsible for monitoring, detecting, preventing, responding to and investigating cyber threats in a Critical Information Infrastructure.
Section 12(2)(a) provide real-time information on cyber threats and incidents to the National Cybersecurity Operations Centre and Sector Cybersecurity Operations Centre;
Section 12(2)(b) collaborate with the relevant agencies, on cyber threat surveillance...
Section 13. Outsourced capabilities.
Section 13(1) An owner of a critical information infrastructure who intends to outsource services from an external service provider shall, in writing, notify the Committee prior to outsourcing.
Section 13(2) The owner of a critical information infrastructure shall enter into a written agreement with the external service provider and shall ensure that the outsourced capabilities do not confidentiality, integrity and the availability of the critical information infrastructure.
Section 13(3) Despite paragraphs (1) and (2), the owner of a critical information infrastructure...
Section 14. Monthly briefs and compliance reports.
Section 14(1)(a) monthly briefs of cybersecurity compliance status to the Committee through the Director; and
Section 14(1)(b) annual compliance reports as envisaged under section 13(1) of the Act.
Section 14(2) The briefs and reports referred to under paragraph (1) shall include information on cyber risks, threats and incidents experienced by the respective Cybersecurity Operations Centres.
Section 15. Monitoring and inspection of the Cybersecurity Operations Centres.
Subject to section 13(3) of the Act, the Director shall, in collaboration with the relevant sector Regulator and on an annual basis, monitor and inspect any Cybersecurity Operations Centre to ensure compliance with the Act and these Regulations.
Section 16. Technical support to Cybersecurity Operations Centres.
Where there is an imminent threat in the nature of a cyber-attack that may result in a computer and cybercrime to any Cybersecurity Operations Centre, the Director may, upon request, inquire or provide the requisite technical or non-technical support to the Cybersecurity Operations Centre.
Section 17. Risk assessment and evaluation of Cybersecurity Operations Centres.
Section 17(1) An owner of a critical information infrastructure shall, on an annual basis, conduct a cyber-risk assessment and business impact analysis for all relevant activities including products, services, business functions and processes.
Section 17(2) Despite paragraph (1), every owner of critical information infrastructure shall undertake a risk assessment within twelve months from the date of commencement of these Regulations.
Section 17(3)(a) identify potential internal and external threats including single points of failure that may cause disruption to critical activities;
Section 17(3)(b) assess and prioritize potential risks and evaluate potential threats based on their operational impact and probability of occurrence;
Section 17(3)(c) select required controls to manage identified risks;
Section 17(3)(d) information technology disaster recovery plan;
Section 17(3)(d)(i) information technology disaster recovery plan;
Section 17(3)(d)(ii) crisis management plan;
Section 17(3)(d)(iii) business continuity plan; ...
Part IV: CRITICAL INFORMATION INFRASTRUCTURE
Section 18. Designation of critical infrastructure.
Section 18(1)(a) identify the system being designated as a critical information infrastructure;
Section 18(1)(b) identify the owner of a critical information infrastructure;
Section 18(1)(c) inform the owner of critical information infrastructure of his responsibilities under the Act and these Regulations; and
Section 18(1)(d) provide the owner of critical information infrastructure with particulars of the requirement to designate a chief information security officer to provide the req...
Section 19. Notice to owner on designation.
Section 19(1) The Director shall, within seven days of designating a critical information infrastructure, notify the owner in writing as contemplated under section 9(3) of the Act.
Section 19(2) The notice to the owner under paragraph (1) shall specify reasons for the designation of the system as a critical information infrastructure.
Section 20. Directives upon designation.
Section 20(1) The Director shall, within thirty days of issuing the notice under regulation 19, issue directives contemplated under section 9(4) of the Act to the owner of critical information infrastructure.
Section 20(2)(a) conduct annual risk assessment;
Section 20(2)(b) develop incident response plans;
Section 20(2)(c) implement suitable security measures; and
Section 20(2)(d) ensure personnel are adequately trained in security best practices.
Section 21. Failure to implement directives.
Section 21(1) The Director shall, upon expiry of the timelines where the owner has failed to implement the directives, issue a notice to show cause to the owner of critical information infrastructure.
Section 21(2) The Director may, upon providing the owner of a critical information infrastructure with the opportunity to be heard in accordance with the Fair Administrative Action Act (Cap. 7L), enter into an implementation plan with the owner of the critical information infrastructure...
Section 22. Gazettement of critical information infrastructure.
Section 22(1)(a) the Committee shall, in consultation with the owner of a critical information infrastructure, and within seven days of identifying a critical information infrastructure, submit its recommendations for gazettement to the National Security Council; or
Section 22(1)(b) the owner may apply to the Committee for gazettement of the critical infrastructure in accordance with the procedure outlined in these Regulations.
Section 22(2) In identifying a critical information infrastructure, the Committee shall be guided by the criteria set out under section 9(2) of the Act...
Section 23. Application by owner of critical information infrastructure.
Section 23(1) An owner of a critical information infrastructure may, in writing, apply to the Director to declare a system as a critical information infrastructure in accordance with the Act and these Regulations.
Section 23(2)(a) be in Form CMCA 1 set out in the Third Schedule;
Section 23(2)(b) a copy of the establishment documents;
Section 23(2)(b)(i) a copy of the establishment documents;
Section 23(2)(b)(ii) particulars of the operators of the critical information infrastructure...
Section 24. Consideration of application for declaration of critical information infrastructure.
Section 24(2)(a) within seven days by notice in the Gazette designate the system as critical information infrastructure; and
Section 24(2)(b) notify the applicant, in writing, of the designation.
Section 24(3) Where the Director declines the application for designating a system as a critical information infrastructure, the Director...
Section 25. Register of critical information infrastructure.
Section 25(1) The Director shall keep and maintain an up-to-date Register of critical information infrastructure designated under the Act and these Regulations.
Section 25(2) An owner of a critical information infrastructure shall furnish the Director, within twenty-one days from the date of designation of the critical information infrastructure...
Section 26. Changes to critical information infrastructure.
Section 26(1) In this regulation, "significant change" means a new system, integration or modification whose new functionalities may compromise the confidentiality, integrity and availability of the critical service.
Section 26(2) An owner of a critical information infrastructure shall not make any significant changes to the design, configuration, security or operations of a critical information infrastructure without prior notification to the Director.
Section 26(3) The notification contemplated under paragraph (2) shall be in Form CMCA 2 set out in the Third Schedule and shall...
Section 27. Change of ownership.
Section 27(1) Where there is an intention to change the ownership of an owner of critical information infrastructure, the owner of a critical information infrastructure shall, within seven days prior to the change, notify the Director in Form CMCA 2 set out in the Third Schedule.
Section 27(2) For the avoidance of doubt, the owner of a critical information infrastructure shall provide the particulars specified under regulation 23.
Section 27(3) Where the new owner of a critical information infrastructure...
Section 28. Localisation of critical information.
Section 28(1) An owner of a critical information infrastructure shall ensure that the infrastructure on which critical information is domiciled is located in Kenya.
Section 28(2) Without prejudice to paragraph (1), an owner of a critical information infrastructure who intends to have critical information located outside Kenya shall apply to the Committee in Form CMCA 3 set out in the Third Schedule.
Section 28(3) The Committee shall consider the application submitted under paragraph (2), verify that it meets the security standards provided under the Act and these Regulations, and communicate its decision within thirty days of receipt of the notification.
Section 28(4)(a) the security measures and safeguards being applied to the critical informatio...
Section 29. Obligations of owners.
Section 29(1) Upon receipt of the notice and directives under regulations 20 and 21, the owner of a critical information infrastructure shall implement the directives within the time specified in the notice issued by the Director.
Section 29(2)(a) the physical security of the hardware and other details of the critical infrastructure where the critical information infrastructure system is located;
Section 29(2)(b) limitation of access to the critical information infrastructure...
Section 30. Capacity building by owners of critical information infrastructure.
Section 30(1)(a) formulate their respective administrative instruments or standard operating procedures, which may include best practices and a code of ethics for adherence by users or operators of the Critical Information Infrastructure; and
Section 30(1)(b) to promote awareness of relevant laws, regulations, codes of practice, policies, standards, guidelines and procedures;
Section 30(1)(b)(i) to promote awareness of relevant laws, regulations, codes of practice, policies, standards, guidelines and procedures;
Section 30(1)(b)(ii) provide regular and timely communication covering general cybersecurity awareness messages and prevailing cybersecurity threats, impacts and mitigations; and
Section 30(1)(b)(iii) guide individual behaviour an...
Section 31. Baseline security for critical information infrastructure.
Section 31(1)(a) be reviewed, at least annually, consistent with identified risks and threats affecting the specific critical information infrastructure sector;
Section 31(1)(a)(i) be reviewed, at least annually, consistent with identified risks and threats affecting the specific critical information infrastructure sector;
Section 31(1)(a)(ii) address data protection concerns of the designated critical information infrastructure, consistent with the provisions of the Data Protection Act (Cap. 411C);
Section 31(1)(b) implement and comply with the directives issued under...
Section 32. Designation of the Chief Information Security Officer.
Section 32(1) An owner of critical information infrastructure shall designate or appoint a Chief Information Security Officer on such terms and conditions as the owner may determine.
Section 32(2) Without prejudice to paragraph (1), owners of critical information infrastructure may jointly appoint a single Chief Information Security Officer, provided that the officer is accessible by each owner.
Section 32(3)(a) cybersecurity matters in the organization in which the critical i...
Section 33
CRITICAL INFORMATION INFRASTRUCTURE - 33. Qualifications of the Chief Information Security Officer.
Part IV: CRITICAL INFORMATION INFRASTRUCTURE Section 33. Qualifications of the Chief Information Security Officer.
Section holds a master’s degree in information security, computer science, information technology or a related field;
Section 34
CRITICAL INFORMATION INFRASTRUCTURE - 34. Mandatory requirements.
Part IV: CRITICAL INFORMATION INFRASTRUCTURE Section 34. Mandatory requirements.
Section 34(1) An owner of a critical information infrastructure shall, within six months from the date of commencement of these Regulations, formulate, review and update on an annual basis organizational policies, procedures and codes of practice to ensure the protection, preservation and management of the critical information infrastructure.
Section 34(2)(a) the storage and archiving procedures;
Section 34(2)(b) sharing of critical information infrastructure system ("the digital or physical components that comprise a critical information infrastructure;") or data within the organization;
Section 34(2)(b)(i) sharing of critical information infrastruc...
Section 35
CRITICAL INFORMATION INFRASTRUCTURE - 35. Mandatory requirements for licenced operators of international or national internet gateways.
Part IV: CRITICAL INFORMATION INFRASTRUCTURE Section 35. Mandatory requirements for licenced operators of international or national internet gateways.
Section 35(1) Pursuant to section 6(1)(f) of the Act ("the Computer Misuse and Cybercrimes Act;"), and upon the commencement of these Regulations, the Committee shall require a licensed operator of an international or the national internet gateway ("the internet gateway owned and operated by the Government of Kenya;") to comply with the cybersecurity standards provided under these Regulations.
Section 35(2) A licensed operator of an international or the national gateway shall, upon request by the Committee, submit a safety standards compliance report within thirty days of such request.
Section 35(3) In the event there is any internet traffic congestion or suspicious activity, the operator of an international or the national internet gateway shall immediately report to the Committee concerning the connection status of t...
Section 36
CRITICAL INFORMATION INFRASTRUCTURE - 36. Integration of critical information infrastructure.
Part IV: CRITICAL INFORMATION INFRASTRUCTURE Section 36. Integration of critical information infrastructure.
Section 36(1) An operator of critical information infrastructure shall integrate or permit the integration of the critical information infrastructure with any other information infrastructure where such integration has satisfied the required safety standards, including the safeguards specified under paragraph (2).
Section 36(2)(a) the security of the critical information infrastructure is not compromised;
Section 36(2)(b) the third-party information infrastructure has adequate safeguards or measures; and
Section 36(2)(c) access to the critical information infrastructure...
Section 37
CRITICAL INFORMATION INFRASTRUCTURE - 37. Protection and preservation of premises and surrounding areas.
Part IV: CRITICAL INFORMATION INFRASTRUCTURE Section 37. Protection and preservation of premises and surrounding areas.
Section 37(1) An owner of critical information infrastructure shall implement appropriate safeguards and measures to ensure the security of the premises ("the building and the area surrounding the building in which a critical information infrastructure is situated;") and surrounding areas in which a critical information infrastructure is situated.
Section 37(2)(a) systems being maintained in a secure place and preventing unauthorized access to such systems, considering the nature of the database activity and the sensitivity of the information therein;
Section 37(2)(b) where applicable, sufficient cooling mechanisms to prevent overheating of equipment;
Section 37(2)(c) backup equipment to prevent or mitigate the effect of a fluctuation of an electric load;
Section 37(2)(d) taking such actions or measures to monitor and document the entry to and exit from sites in...
Section 38
CRITICAL INFORMATION INFRASTRUCTURE - 38. Access to information infrastructure.
Part IV: CRITICAL INFORMATION INFRASTRUCTURE Section 38. Access to information infrastructure.
Section 38(1) An owner of a critical information infrastructure shall develop a system of security clearance levels for personnel and third parties authorized to access a critical information infrastructure.
Section 38(2) An owner of a critical information infrastructure shall restrict, and ensure adequate measures are in place to monitor, permitted access to critical information infrastructure...
Section 39
CRITICAL INFORMATION INFRASTRUCTURE - 39. Virtual access to critical information infrastructure.
Part IV: CRITICAL INFORMATION INFRASTRUCTURE Section 39. Virtual access to critical information infrastructure.
Section 39(1) Regulation 38 shall, with necessary modifications, apply to any person who seeks virtual access to a critical information infrastructure.
Section 39(2)(a) apply the principle of least privilege ("an information security model that restricts access to the specific data, resources and applications required to undertake a task to a specific user or entity;") in granting access to critical information infrastructure systems;
Section 39(2)(b) implement a security logging and monitoring system to capture logs from critical information infrastructure...
Section 40
CRITICAL INFORMATION INFRASTRUCTURE - 40. Register of persons accessing critical information infrastructure.
Part IV: CRITICAL INFORMATION INFRASTRUCTURE Section 40. Register of persons accessing critical information infrastructure.
Section 40(2)(a) the identification particulars of the person granted access to a critical information infrastructure, including their nationality;
Section 40(2)(b) the reason for accessing the critical information infrastructure;
Section 40(2)(c) the duration of the authorization and the restrictions applicable to the authorized access to the critical information infrastructure;
Section 40(2)(d) any archived data on the critical information infrastructure...
Section 41
CRITICAL INFORMATION INFRASTRUCTURE - 41. Storage and archiving of critical data of information.
Part IV: CRITICAL INFORMATION INFRASTRUCTURE Section 41. Storage and archiving of critical data of information.
Section 41(1) An owner of a critical information infrastructure may, where a critical information infrastructure system or data is no longer immediately required for use, place the information in an archive for storage purposes.
Section 41(2) Where a critical information infrastructure system or data has been stored in an archive, the adequate security standards, policies, procedures and codes of practice that apply to critical information i...
Section 42
CRITICAL INFORMATION INFRASTRUCTURE - 42. Disaster recovery of critical information infrastructure.
Part IV: CRITICAL INFORMATION INFRASTRUCTURE Section 42. Disaster recovery of critical information infrastructure.
Section 42(1) An owner of a critical information infrastructure shall establish a disaster recovery and backup site, which may be distinct from each other and located in a different location from the main location of the critical information infrastructure.
Section 42(2)(a) is stored in a format that permits the retrieval of the information and restoration of a critical information infrastructure system and data in the event of a compromise or destruction of the infrastructure;
Section 42(2)(b) retains the backup copy of the data...
Section 43
CRITICAL INFORMATION INFRASTRUCTURE - 43. Transfer of critical information infrastructure.
Part IV: CRITICAL INFORMATION INFRASTRUCTURE Section 43. Transfer of critical information infrastructure.
Section 43(1) An owner of a critical information infrastructure shall, where he intends to transfer part or the whole of the critical information infrastructure, notify the Director ("the Director of the National Computer and Cybercrimes Co-ordination Committee appointed under section 7 of the Act;") in writing.
Section 43(2) An owner of a critical information infrastructure who contravenes paragraph (1) commits an offence chargeable under section 20 of the Act.
Section 44
CRITICAL INFORMATION INFRASTRUCTURE - 44. Requirements for an auditor.
Part IV: CRITICAL INFORMATION INFRASTRUCTURE Section 44. Requirements for an auditor.
Section 44(1) The Director shall appoint or designate such number of auditors as may be necessary, who shall be responsible for carrying out audits of a critical information infrastructure as provided under section 13 of the Act.
Section 44(2)(a) is a citizen of Kenya;
Section 44(2)(b) has a degree from a university recognized in Kenya or equivalent;
Section 44(2)(c) has at least five years of demonstrable professional experience in the protection of critical information infrastructure;
Section 44(2)(d) has demonstrable technical skills, competencies and knowledge on critical information infrastructure...
Section 45
CRITICAL INFORMATION INFRASTRUCTURE - 45. Powers of auditor.
Part IV: CRITICAL INFORMATION INFRASTRUCTURE Section 45. Powers of auditor.
Section enter a premises to monitor and evaluate compliance with the directives issued pursuant to these Regulations, upon giving a thirty-day notice to the owner of a critical information infrastructure as contemplated under section 13(2) of the Act; and
Section 46
CRITICAL INFORMATION INFRASTRUCTURE - 46. Compliance report by owner of critical information infrastructure.
Part IV: CRITICAL INFORMATION INFRASTRUCTURE Section 46. Compliance report by owner of critical information infrastructure.
Section 46(1)(a) demonstrate compliance with the critical infrastructure framework;
Section 46(1)(b) verify compliance with the requirements of the Act and these Regulations;
Section 46(1)(c) assess the adequacy and effectiveness of the safeguards and measures put in place by the owner of a critical information infrastructure to satisfy the requirements of the Act and these Regulations;
Section 46(1)(d) assess whether the owner of a critical information infrastructure has in place and implements the organizational policies, standards and procedures on cybersecurity; and
Section 46(1)(e) identify risks and mitigation measures on a critical information infrastructure...
Section 47
CRITICAL INFORMATION INFRASTRUCTURE - 47. Requirement for audit.
Part IV: CRITICAL INFORMATION INFRASTRUCTURE Section 47. Requirement for audit.
Section 47(1) The Director shall conduct an annual audit, or an audit at any time where there is an imminent threat ("an occurrence that actually jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system;") or an attack on a computer or computer system that may result in a cybercrime as contemplated under section 13(2) of the Act.
Section 47(2)(a) evidence of unauthorized access to the critical information infrastructure;
Section 47(2)(b) credible intelligence from law enforcement agencies indicating a planned cyber-attack targeting the infrastructure;
Section 47(2)(c) unusual network activity suggesting a potential security breach; or...
Section 48
CRITICAL INFORMATION INFRASTRUCTURE - 48. Audit approach.
Part IV: CRITICAL INFORMATION INFRASTRUCTURE Section 48. Audit approach.
Section 48(1) The audit undertaken under these Regulations shall adopt both a compliance-based and a risk-based approach.
Section 48(2) The compliance-based audit approach shall require the auditor ("a person designated or appointed by the Director to conduct a cybersecurity audit of a critical information infrastructure as provided under regulation;") to carry out compliance tests to ascertain the adequacy and effectiveness of the controls applied in the critical information infrastructure in order to comply with the Act and these Regulations.
Section 48(3) The risk-based audit approach shall identify the risks and threats that the critical information infrastructure is susceptible to and ascertain whether the established controls are appropriate to mitigate the identified risks and threats.
Section 49
CRITICAL INFORMATION INFRASTRUCTURE - 49. Content of audit report.
Part IV: CRITICAL INFORMATION INFRASTRUCTURE Section 49. Content of audit report.
Section 49(1)(a) a summary of the audit findings identified during the audit exercise;
Section 49(1)(b) any systemic finding within the critical information infrastructure which may result in a weakness in the design of a critical information infrastructure;
Section 49(1)(c) any recurring finding identified from past audits that reoccurs irrespective of the recommended corrective action having been carried out; and
Section 49(1)(d) recommended good practices in the governance and controls of the critical information infrastructure identified during the audit.
Section 49(2)(a) the appropriateness of the management’s response or proposed actions to the audit finding;...
Section 50
CRITICAL INFORMATION INFRASTRUCTURE - 50. Procedure for submission of audit report.
Part IV: CRITICAL INFORMATION INFRASTRUCTURE Section 50. Procedure for submission of audit report.
Section 50(1) The Auditor shall, within fourteen days of completion of the audit exercise, furnish the Director with an audit report.
Section 50(2) The Director shall table the audit report before the Committee within seven days of receipt thereof.
Section 50(3) Upon consideration of the audit report submitted under paragraph (2), the Committee shall issue recommendations, and the Director shall within seven days communicate the recommendations to the owner of the critical information infrastructure.
Section 50(4) The recommendations by the Committee shall form the subject of evaluation by the auditor...
Section 51
CRITICAL INFORMATION INFRASTRUCTURE - 51. National Public Key Infrastructure components.
Part IV: CRITICAL INFORMATION INFRASTRUCTURE Section 51. National Public Key Infrastructure components.
Section 51(1)(a) the Root Certification Authority ("the Certification Authority contained in a National Public Key Infrastructure as provided under regulation;");
Section 51(1)(b) the Certification Authorities;
Section 51(1)(c) the Registration Authorities; and
Section 51(1)(d) the Subscribers.
Section 51(2)(a) be managed by use of a public and private key; and
Section 51(2)(b) be interoperable amongst other systems that support the secure development and use of systems.
Section 51(3) Despite paragraphs (1) and (2), the owners of critical information infrastructure shall use public key infrastructure ("a technical infrastructure comprising a root certification authority and certification authority or an Electronic Certification Service Provider;") controls to safeguard the confidentiality, integrity and availability of the critical information infrastruc...
Section 52
CRITICAL INFORMATION INFRASTRUCTURE - 52. Root Certification Authority.
Part IV: CRITICAL INFORMATION INFRASTRUCTURE Section 52. Root Certification Authority.
Section 52(1)(a) establish and maintain the certificate policy ("a set of rules that indicate the applicability of the certificate practice statement to a particular community or class of applications with common security requirements;") and certificate policy statement for the Root Certification Authority;
Section 52(1)(b) accredit and audit certification authorities;
Section 52(1)(c) issue, renew and revoke licenses to certification authorities;
Section 52(1)(d) regulate country-to-country cross certification and ensure mutual certificate recognition;
Section 52(1)(e) regulate certification authorities;
Section 52(1)(f) report to the Committee at least annually;
Section 52(1)(g) inspect the certification authority infrastructure;
Section 52(1)(h) develop technical requirements for certification authority infrastructure compliance;
Section 52(1)(i) license a...
Section 53
CRITICAL INFORMATION INFRASTRUCTURE - 53. Certification Authority.
Part IV: CRITICAL INFORMATION INFRASTRUCTURE Section 53. Certification Authority.
Section 53(1) A Certification Authority shall utilize a trustworthy system in performing its services and may be either a public body or a private entity.
Section 53(2) A Certification Authority shall generate, manage, issue and distribute public key infrastructure services.
Section 54
CRITICAL INFORMATION INFRASTRUCTURE - 54. Registration Authority.
Part IV: CRITICAL INFORMATION INFRASTRUCTURE Section 54. Registration Authority.
Section 54(1) The Certification Authority may appoint any person or entity as a Registration Authority.
Section 54(2)(a) verify the identity of individuals and organizations before issuing digital certificates;
Section 54(2)(b) act as a trusted third party ("an external entity having a written or implied contractual relationship with the first-party organization and may include service providers, vendors, supply-side partners, demand-side partners, alliances, consortiums and investors;") to ensure the authenticity and validity of the identity information provided;
Section 54(2)(c) verify the identity of individuals before issuing digital signatures;
Section 54(2)(d) identify subscribers;
Section 54(2)(e) register or verify the applicant’s information;
Section 54(2)(f) transmit the certificate request to the Sector Certification Authority;
Section 54(2)(g) validate certificates by the Certification Authority;
Section 54(2)(h) request the revocation, suspension and restoration of certificates; and
Section 54(2)(i) ensure that all aspects of registration services and operations are performed.
Section 55
CRITICAL INFORMATION INFRASTRUCTURE - 55. Subscribers.
Part IV: CRITICAL INFORMATION INFRASTRUCTURE Section 55. Subscribers.
Section A subscriber ("a person that has applied for and been issued with a digital certificate from a Certification Authority;") shall obtain a digital certificate from a Certification Authority.