B SECURE Scheme

Cyber Security – Maltese Landscape

A survey conducted amongst Maltese businesses in the last quarter of 2018 shows that 40% of the respondents were directly affected by a cyber security incident, with the attack vectors ranging from fraudulent emails or scam calls to the unwitting installation of malicious software or ransomware. Unsurprisingly, 83% of the large organisations that participated in the survey confirmed that they were a victim of at least one cyber security incident. The more moving parts an organisation has, the more susceptible it becomes. Hence, given the size of large organisations, their attack surface is bigger because of the larger number of people that they employ and/or transact with, which results in a larger number of transactions and communication channels. On the other hand, small firms were the most affected type of enterprise among Micro, Small and Medium-sized Enterprises, accounting for 46% of the total number of respondents affected in this group. In the light of this, most of the respondents (75% of SMEs and 83% of large organisations) agreed on the importance of undertaking a cyber risk assessment of their digital assets to ensure cyberattack readiness.

Unfortunately, the question to ask when it comes to cyberattacks is not whether we will be targeted but rather when we will be hit and what will be the consequences.

Government Initiative supporting the Business Industry

There are various initiatives organisations can take to limit the frequency and also the repercussions of cyberattacks. These measures range from basic cyber security principles, which can be implemented easily and have an immediate effect, to long-term checks on systems by specialists in the security field, and above all cyber security awareness.

In its commitment towards enhancing cyber security on a national level, MITA in collaboration with the Parliamentary Secretary for Financial Services, Digital Economy and Innovation has embarked on a project to promote and strengthen cyber security preparedness in the private sector through the B SECURE Scheme which was announced by Hon. Silvio Schembri on 13th June during an event held at the Chamber of Commerce.

Through the B SECURE Scheme, the private industry can apply for assistance in assessing the posture of their digital assets against the latest cyber security threats and also to further the education of their employees through training being offered, giving participants the possibility to earn certifications recognised world-wide in the cyber security domain. Registration will open on the 23rd October 2019 during the Cyber Security Summit, with services being offered throughout year 2020.

The ultimate objective of this Scheme is to instil a cyber security culture within the local private sector irrespective of the size of the business. It is a golden opportunity for businesses to evaluate, plan and enhance their cyber security posture, because cyber security is everyone’s responsibility. Ultimately, it will place Malta in a better position when it comes to cyber security preparedness. Understandably, this will not be attained through a one-time exercise, but the Scheme would serve as the basis for further strengthening.


  • This Scheme offers three services intended to enhance the cyber security posture of the entity partaking in the Scheme:
    • Cyber Security Training for Executives and Industry Professionals
    • Penetration Testing
    • Vulnerability Assessment
  • An entity can apply for any of the three services.
  • Services offered to Scheme beneficiaries shall be free.
  • The Maltese Government has commissioned Acronis International GmbH or their representatives as the sole technical partner responsible for the delivery of the above-mentioned services.
  • The definition of the services offered by the Scheme varies depending on the category of the applicant entity. The Scheme follows the categories below:
    • Microenterprise is defined as an enterprise which employs fewer than 10 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million – as per Recommendation 2003/361/EC of 6th May 2003.
    • Small enterprise is defined as an enterprise which employs fewer than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 10 million – as per Recommendation 2003/361/EC of 6th May 2003.
    • Medium-sized enterprise is defined as an enterprise which employs fewer than 250 persons and which has an annual turnover not exceeding EUR 50 million, and/or an annual balance sheet total not exceeding EUR 43 million – as per Recommendation 2003/361/EC of 6th May 2003.
    • Large enterprises are those that do not qualify as micro/small/medium enterprises – as per Recommendation 2003/361/EC of 6th May 2003.
  • This Scheme opens on 23rd October 2019 and closes on 24th November 2019. Registration for the Scheme services shall be made solely through the Cyber Security Malta website.
  • The applications received will be evaluated and ranked according to defined selection criteria, by an Elected Scheme Board.
  • The Maltese Government shall have the right to make any amendments to this Scheme or to publish clarifications to the Scheme by the publication of such amendments and/or clarifications on the Cyber Security Malta website.
  • Information gathered as part of the Scheme will be kept for audit purposes, specifically until 31st December 2020, irrespective of whether the entity benefits from the Scheme or not, such that should a beneficiary entity drop out, the Elected Scheme Board will offer the services to the next entity in line.

Scheme Partners

Technical Partner

Acronis International GmbH has provided risk assessments and consultancy services on complex infrastructures within different countries, including ones with which Malta is collaborating within this domain. Acronis International GmbH is a global player in cyber security and a protection advisor for governments and corporations world-wide, including Singapore, Switzerland and the United States. Acronis International GmbH is a company known to set the standard for cyber protection through its solutions. Founded in Singapore in 2003, it is trusted by more than 5 million consumers and 500,000 businesses worldwide, including 79 of the top 100 most valuable brands.

Malta stands to benefit from having local businesses receive consultancy and risk assessments similar to those which their counterparts obtain, and such commonality and equivalency in methodology will be beneficial for Malta when discussing and assessing cyber security posture and any areas of improvement, vigilance or concern with respective international counterparts. Acronis International GmbH is also renowned for organising important conferences, attracting cyber security professionals from around the globe.

Supporting Partner

Please read these terms and conditions carefully. These terms and conditions (the “Agreement”/”Scheme Agreement”) constitute a binding contract between the selected entity (hereinafter referred to as the “Beneficiary”) and the Parliamentary Secretary for Financial Services, Digital Economy and Innovation (hereinafter referred to as the “Administrator”) for participation in the Scheme. In participating the Beneficiary agrees to be bound by the terms and conditions of this Agreement dated 27th September 2019.

  1. Definitions
  • “Administrator” means the Parliamentary Secretary for Financial Services, Digital Economy and Innovation;
  • “Beneficiary/Beneficiaries” means the entity selected to benefit from the Scheme by the Elected Scheme Board;
  • “Entity” means a Natural or Legal Person established in Malta, or providing a Service in or from Malta;
  • “Elected Scheme Board” (hereinafter referred to as the ‘Board’) means the Board assessing applications, selecting beneficiaries to participate in the Scheme and receiving appeals connected to the Scheme;
  • “Scheme” means the “B SECURE” Scheme;
  • “Third Party/Parties” means the Organization/s providing services in connection with the Scheme, including the execution of information security risk assessments and delivery of training courses;
  • “Term” means the period during which the Agreement is effective, subject to termination in accordance with these Terms and Conditions.
  2. Subject of Agreement:
  • The Agreement governs participation of the Beneficiary in the Scheme operated by the Administrator and delineates the roles of the parties throughout the term of the Agreement;
  • The Beneficiary shall participate in the Scheme in accordance with the terms and conditions set out in this Agreement. The Scheme shall not be used for any other purpose without the prior written agreement of the Administrator;
  • The Agreement does not govern the relationship between the Beneficiary and Third Parties providing services in connection with the Scheme. The Administrator shall not form part of the business and/or contractual relationship between the Beneficiary and the Administrator, save as expressly stated herein.
  3. Rights and duties:

3.1 The Beneficiary

  • Undertakes to comply with the requirements specified in the call for applications and the terms specified in this Agreement, including any dates communicated to it;
  • Agrees to collaborate with Third Parties identified by the Administrator for the purpose of the Services and provide the necessary feedback, as required for the provision of the Service;
  • Acknowledges that the rectification of any vulnerabilities and gaps identified through the course of the Services and the implementation of any recommendations provided are outside the scope of the Scheme. It is recommended that the Beneficiary enters into a direct agreement with a Cyber Security Service provider of its choice at its sole expense to implement the recommended rectifications;
  • The Beneficiary acknowledges that any outcome of the services involving security assessments is limited to the point in time of examination of the entity’s security status and that the services do not constitute any form of representation, warranty or guarantee that the entity’s systems are secure from every form of attack. The entity understands and acknowledges that not all anomalies/intrusions may be detected through the assessment.

3.2 The Administrator

  • Shall be entitled to make any amendments or clarifications to the Scheme which shall be published on the Cyber Security Malta website (www.cybersecurity.gov.mt);
  • Shall provide the Beneficiary with the necessary information and assistance in a timely manner, as necessary, throughout the Term of the Agreement;
  • Shall not be obliged to provide assistance to the Beneficiary to implement and/or address the results of the assessment provided by Third Parties during the provision of the Services;
  • Undertakes to adopt a monitoring role as regards the provision of the Services by Third Parties under the Scheme;
  • Shall strive to ensure that services will be performed with all reasonable care, skill and diligence according to generally recognised commercial practices and standards.
  4. Monitoring and reporting
  • The Administrator representatives shall monitor the delivery and success of the Services throughout the Term to ensure that the aims and objectives of the Scheme are being met and that this Agreement is being adhered to;
  • The Beneficiary shall on request, meet the Administrator representatives and provide information, explanations and access to documents and/or records as the Administrator may reasonably require, in order for it to assess the services provided to the Beneficiary.
  5. Acknowledgment and publicity
  • The Beneficiary agrees to participate in and co-operate with promotional activities relating to the Scheme that may be instigated and/or organised by the Administrator;
  • The Administrator may publicly acknowledge the Beneficiary’s involvement in the Scheme as appropriate without prior notice, on the Cyber Security Malta campaign platforms;
  • The Administrator may publicise photos of the Beneficiary or its employees involved in the Scheme, subject to prior written consent of the data subjects;
  • The Beneficiary shall comply with all reasonable requests from the Administrator to facilitate visits, provide reports, statistics, photographs and case studies that will assist the Administrator in its promotional and fundraising activities relating to the Scheme.
  6. Confidentiality
  • Each party shall during the term of this Agreement and thereafter keep secret and confidential all business, technical or commercial information disclosed to it as a result of the Agreement and shall not disclose the same to any person save to the extent necessary to perform its obligations in accordance with the terms of this Agreement or save as expressly authorized in writing by the other party;
  • The obligation of confidentiality contained in this clause shall not apply or shall cease to apply to any business, technical or commercial information which:
    • at the time of its disclosure by the disclosing party is already in the public domain or which subsequently enters the public domain other than by breach of the terms of this Agreement by the receiving party;
    • is already known to the receiving party as evidenced by written records at the time of its disclosure by the disclosing party and was not otherwise acquired by the receiving party from the disclosing party under any obligations of confidence; or
    • is at any time after the date of this Agreement acquired by the receiving party from a third party having the right to disclose the same to the receiving party without breach of the obligations owed by that party to the disclosing party;
  • The provisions of this clause shall survive the termination of the Agreement for any cause whatsoever.
  7. Freedom of information
  • The Beneficiary acknowledges that the Administrator is subject to the requirements of the Freedom of Information Act (Cap. 496 of the Laws of Malta) and that the provisions of the Agreement are without prejudice to the obligations of the Administrator under the said Act, the Code of Practice issued under the same Act and any subordinate legislation made under the Act from time to time and/or any decision issued by the Information and Data Protection Commissioner in relation to such legislation;
  • The Beneficiary shall provide assistance as necessary to enable the Administrator to respond to a request for information within the twenty (20) Working Day time limit established under the Freedom of Information Act for compliance.
  8. Data protection
  • The Beneficiary shall (and shall procure that any of its staff involved in connection with the Scheme) comply with the requirements of the General Data Protection Regulation (Regulation 2016/679) and the Data Protection Act (Cap 586 of the Laws of Malta) and will duly observe all their obligations under such legislation, which arise in connection with the Scheme.
  • The information provided in this section applies to the processing of personal data submitted by applicants (‘Applicants’) in furtherance of their application for the B Secure Scheme (the ‘Scheme’).
  • The Administrator shall process all personal information submitted voluntarily by Applicants throughout the application process in accordance with the provisions of the Data Protection Act (Chapter 586, Laws of Malta) and the General Data Protection Regulation (Regulation (EU) 2016/679), to consider, review and possibly approve participation in the Scheme. Data shall only be processed to the extent, and in such a manner, as is necessary for the assessment of applications.
  • Information submitted during the application process shall be retained until the year 2020, irrespective of whether the Applicant is successful in its application. The Administrator shall ensure that such data shall only be retained for the purpose of identifying the next beneficiary should a successful applicant cease to participate in the Scheme.
  • Personal data referred to above is accessible to the members of the Elected Scheme Board, as identified from time to time, and shall be shared with relevant public authorities and Third Parties connected with the Scheme.
  • The sharing of information relating to successful applications with Third Parties connected with the Scheme shall be regulated by the written agreement entered into between successful candidates and Third Party Service Providers for risk assessment services, and shall thus be effected for the performance of the said contract.
  • Applicants have the right to request access to their personal data held and processed by the Administrator, to request its correction if it is inaccurate and where applicable, to object to the processing of their personal data, to request restriction of processing, to request erasure of their personal data and to request that their personal data is forwarded to a third party.
  • For queries or concerns regarding the Administrator’s processing of personal data, interested Applicants may contact the Administrator on bsecure.ncss@gov.mt. To lodge an official complaint, interested Applicants may contact the Office for the Information and Data Protection Commissioner, Malta.
  9. Limitation of liability
  • The Administrator accepts no liability for any consequences, whether direct or indirect, that may come about from the provision of services by Third Parties under the Scheme or from rejection of any application to the Scheme. The Beneficiary shall indemnify and hold harmless the Administrator, its employees, agents, officers or sub-contractors with respect to all claims, demands, actions, costs, expenses, losses, damages and all other liabilities arising from or incurred by reason of the actions and/or omissions of the Beneficiary in relation to the Scheme, the non-fulfillment of obligations of the Beneficiary under this Agreement or its obligations to third parties, including obligations arising pursuant to clause 18 (Third Party Services);
  • The Administrator will not be held responsible, whether directly or indirectly, for any damages it may suffer or any expenses incurred by it pursuant to the Services provided by Third Parties connected with the Scheme. The Beneficiary will not hold the Administrator responsible should the Board not be in a position to offer the Beneficiary all or part of the services, even if the Beneficiary has been successful in its application;
  • Subject to clause 9.1, the Administrator’s liability under this Agreement is limited to the operation of the Scheme under this Agreement.
  10. Warranties

10.1 The Beneficiary warrants, undertakes and agrees that:

  • it has not committed, nor shall it commit, any act constituting serious misconduct, including fraud, neglect or refusal to continue with the Scheme;
  • it shall at all times comply with all relevant legislation and all applicable codes of practice and other similar codes or recommendations, and shall notify the Administrator immediately of any significant departure from such legislation, codes or recommendations;
  • it has advised the Administrator fully of any conflict of interest of which it is aware regarding the Service as at the date of the Agreement and further undertakes to inform the Administrator as soon as practicable of any conflict of interest regarding the Agreement of which it may become aware during the Term;
  • all information concerning the Beneficiary and/or its members which has been disclosed to the Administrator is to the best of its knowledge and belief, true and accurate;
  • it is not subject to any contractual or other restriction imposed by its own or any other organisation’s rules or regulations or otherwise which may prevent or materially impede it from meeting its obligations in connection with the Scheme;
  • it is not aware of anything in its own affairs, which it has not disclosed to the Administrator or any of the Administrator’s advisers, which might reasonably have influenced the decision of the Board to allow participation on the terms contained in this Agreement.
  11. Consequences of Cancellation

In the event the Beneficiary fails to provide necessary feedback to Third Parties related to risk assessments or fails to reach sufficient attendance to a training course without a valid justification, as applicable, the Beneficiary will be liable to pay the costs for cancelled services as follows:

  • Penetration Test for micro/small/medium entity: €6,400
  • Penetration Test for large entity: €17,000
  • Vulnerability Assessment for micro/small/medium entity: €1,900
  • Vulnerability Assessment for large entity: €5,300
  • Executive Course: €93.75 per day
  • Technical Course: €187.50 per day

  12. Termination

The Administrator may terminate this Agreement by giving the Beneficiary written notice should it be required to do so for any reason or without reason.

The terms, conditions and warranties contained in this Agreement that by their sense and context are intended to survive this Agreement, shall so survive the expiry or termination of this Agreement whichever is the earlier.

  13. Assignment

The Beneficiary may not, without the prior written consent of the Administrator, assign, transfer or in any other way make over to any third party the benefit and/or the burden of this Agreement.

  14. Waiver

No failure or delay by either party to exercise any right or remedy under this Agreement shall be construed as a waiver of any other right or remedy.

  15. Notices

All notices and other communications in relation to this Agreement shall be in writing and shall be deemed to have been duly given if personally delivered, e-mailed, or mailed to the address of the relevant party, to the address referred to in this Agreement.

  16. Dispute resolution
  • In the event of any complaint arising between the parties to this Agreement in relation to this Agreement the matter should first be referred to any individual nominated by the Administrator from time to time;
  • In the absence of agreement under the preceding clause, the parties shall refer the disagreement to the Malta Arbitration Centre for a final decision on the matter;
  • In the event of any complaint arising between the Beneficiary and Third Parties providing services under the Scheme, the Beneficiary is to discuss any issues regarding these services directly with the Third Party, and the Administrator shall reasonably endeavour to assist the Beneficiary and the Third Party in reaching a solution. Provided that the Administrator shall not be held responsible if the issues are not resolved.
  17. No partnership or agency

This Agreement shall not create any partnership or joint venture between the Administrator and the Beneficiary, nor any relationship of principal and agent, nor authorise any party to make or enter into any commitments for or on behalf of the other party.

  18. Third Party Services

The Administrator disclaims all liability, including express or implied warranties, whether written or not for any services provided by third parties in connection with the Scheme. The Administrator makes no representation whatsoever as to fitness for a particular purpose in respect of services provided by third parties for the Beneficiary’s intended purpose.

The Beneficiary also acknowledges that the services provided by third parties related to risk assessment services in connection with the Scheme are subject to separate terms and conditions and that, in accepting to avail of the services of the third parties, it agrees to abide by such terms and conditions.

  19. Joint and several liability

Where the Beneficiary is not a company nor an incorporated entity with a distinct legal personality of its own, the individuals who enter into and sign this Agreement on behalf of the Beneficiary shall be jointly and severally liable for the Beneficiary’s obligations and liabilities arising under this Agreement.

  20. Governing law

This Agreement shall be governed by and construed in accordance with the Laws of Malta.

The Scheme offers different training courses, at different levels, for both Executives and Industry Professionals.

  • Training will be held in Malta at MITA Data Centre, Triq Il – Ferrovija, Santa Venera between Monday and Friday between 08:00 and 17:00.
  • All training sessions will be delivered in English.
  • The number of seats an entity is qualified for depends on its category where:
    • Microenterprises are entitled to register a maximum of 1 employee to attend an aggregate of 1 training course being offered;
    • Small enterprises are entitled to register a maximum of 2 employees to attend an aggregate of 2 training courses being offered;
    • Medium-sized enterprises are entitled to register a maximum of 3 employees to attend an aggregate of 3 training courses being offered;
    • Large enterprises are entitled to register a maximum of 5 employees to attend an aggregate of 5 training courses being offered.
  • An entity may decide to assign fewer personnel for training than the number allocated.
  • The same employee can attend different courses but cannot attend a course more than once.

Executives’ Training

| Certification Level | Course Name | Duration | Delivery Dates | Course Fee* |
|---|---|---|---|---|
| Introductory | Security Awareness Training for Executives (SATE) | 1 day | 30 January 2020; 13 February 2020 | €93.75 |
| Advanced | The Certified Information Systems Auditor (CISA) certification | 4 days | 2 – 5 March 2020 | €375 |
| Advanced | The Certified Information Security Manager (CISM) certification | 4 days | Postponed | €375 |

Professionals’ Training

| Certification Level | Course Name | Duration | Delivery Dates | Course Fee* |
|---|---|---|---|---|
| Introductory | Security Awareness Training for Administrators & Security Professionals (SAASP) | 1 day | 29 January 2020; 12 February 2020; 20 February 2020; 06 May 2020; 07 May 2020; 21 May 2020; 24 June 2020; 25 June 2020 | €187.50 |
| Medium | Web Application Protection (WAP) | 3 days | 20 – 22 April 2020; 20 – 22 July 2020 | €562.50 |
| Advanced | The Certificate of Cloud Security Knowledge (CCSK) certification | 3 days | 17 – 19 February 2020; 18 – 20 May 2020 | €562.50 |
| Advanced | The Certified Information Systems Security Professional (CISSP) certification | 5 days | 20 – 24 January 2020; 15 – 19 June 2020 | €937.50 |
* Fees are listed as these are to be referred to when filling in the De Minimis form. The courses offered to scheme beneficiaries shall be free.

Notification Process

  • Once the entity completes the registration for training, an email will be sent to the identified contact person as confirmation that the Elected Scheme Board has received the application for evaluation.
  • The application will be reviewed for eligibility and assessed based on the eligibility criteria and selection criteria published on the Cyber Security Malta website.
  • An email will be sent to the identified contact person by 10th January 2020 confirming whether the application has been fully accepted, partially accepted or rejected. For partially accepted and rejected cases, reasons will be given. Incomplete applications will not be accepted and will be rejected.
  • A Letter of Agreement shall be sent as an attachment as part of the communication which has to be read, signed, scanned and returned to email address bsecure.ncss@gov.mt within four (4) working days from the date when the entity was notified with the approval.
  • Should the Elected Scheme Board not receive the Letter of Agreement within the stipulated timeframe, then the application will be considered as withdrawn by the entity.
  • Should an entity be informed that it will not benefit from the Scheme, then it will have the right to appeal the Elected Scheme Board’s decision by sending a formal complaint on email address bsecure.ncss@gov.mt within four (4) working days from the communication email. The Elected Scheme Board will provide feedback within five (5) working days from the date the appeal is received. The Elected Scheme Board’s decision will be considered as final.
  • Within two (2) weeks prior to the course start date, a notification email will be sent to the contact person stating all relevant details. Coffee and lunch breaks will be provided. The entity is to reply to the email no later than three (3) working days before the course start, confirming whether it will honour the application or not. The entity is to list the name, surname and ID Card / Passport number of the person/s that will attend, if applicable, and the number of booked seats that cannot be honoured, if applicable. If no advice is received within three (3) working days before the course start date, or the entity cannot honour booked seats, then the beneficiary entity may be requested to contribute to the costs incurred for each non-honoured seat.

Employee’s Requirements

  • The employee registered for the training should:
    • have a clean police conduct, and
    • be proficient in English, and
    • not be on a probation period and have been employed with the entity for at least 1 year as at the course start date, and
    • meet the course requirements specified in the course description available from the Cyber Security Malta website, and
    • be available to attend the entire course, unless a valid justification is provided.
  • An identified employee cannot attend the same course more than once.

Attendance to Training

  • Anyone not registered will not be allowed in the training room.
  • Admission to training will be allowed only upon presentation of an identification document at the training location that will be communicated.
  • People who turn up more than 30 minutes after the communicated session start time will not be allowed in the training room, unless the trainer has been notified beforehand or a valid justification is provided.
  • If a person assigned a course does not attend at least 60% of the course, then he/she will be considered as absent from the course and hence the beneficiary entity may be requested to contribute to the costs incurred.
  • A certificate of attendance, covering the scope of the training, will be given to each participant attending at least 90% of the course. A subset of the courses being provided will prepare the applicants to sit for industry certification. Such industry examination and certification are outside the scope of the scheme.

Course Material

  • Specific material delivered during the training will be provided to the participants. Acronis International GmbH holds the intellectual property rights to this material.
  • Participants are expected to bring their own portable computer/device with a browser (Chrome/Edge/Opera) to all sessions.

The Scheme offers 2 types of risk assessments:

  • Vulnerability Assessment
    • Vulnerability assessments will be held remotely and hence the beneficiary entity is only to provide remote access to Acronis International GmbH or their representatives to be able to conduct the assessment within the allocated five (5) days for large sized entities, including the remote assessment of up to 20 External IPs, and two (2) days for micro/small/medium sized entities, including the remote assessment of up to 10 External IPs.
  • Penetration Testing
    • In case of a Penetration Test for large sized entity, the beneficiary entity is to provide both remote and onsite access to Acronis International GmbH or their representatives to be able to conduct the exercise within the allocated fifteen (15) days. On the other hand, a micro/small/medium sized entity is to provide only remote access to Acronis International GmbH or their representatives to be able to conduct the exercise within the allocated seven (7) days.
    • The scope of the Penetration Testing is limited to 3 domains: Network, Wireless and Web Application Penetration Testing, irrespective of whether it is a micro/small/medium/large sized entity.

Vulnerability Assessment is the process of identifying known vulnerabilities in the systems, software and configurations implemented and used within an organisation. Each vulnerability is weighted according to its severity, the complexity of exploiting it and its impact on Confidentiality, Integrity and Availability. Vulnerabilities can include patches or practices which have not been applied, vulnerable, old or outdated software versions, known weaknesses in applications and controls, and others. Vulnerability Assessments should take place within a vulnerability assessment programme and be performed on a regular basis, so that the organisation proactively keeps pace with newly identified vulnerabilities and exploits.

Vulnerability Assessment within the B Secure Scheme will provide deep insights, through security scanning, into security deficiencies in the respective environment and will help to evaluate a system’s vulnerability to specific threats as well as to evolving ones.

Penetration Testing is the act of examining an environment, network or organisation to detect known misconfigurations and lax security measures. Such weaknesses are possible entry points for a malicious attacker targeting the organisation. The outcome of this testing provides an insight into the security posture of the environment being tested, together with suggested remediations for the weaknesses found. Penetration Testing employs multiple methods, varying from phishing and social engineering techniques to technically sophisticated attacks, and can be executed through automated tools as well as manual effort. Regular Penetration Tests should occur throughout the year to assist an organisation in proactively addressing the weaknesses in technologies, hardware and software that are constantly emerging at an alarming rate; they also measure cyber awareness from the human aspect.

Penetration Testing within the B Secure Scheme covers Network & Wireless infrastructures and Web Application solutions.

The process behind a Network Penetration Test is to identify exploitable vulnerabilities and misconfigurations in computer networks, servers or network devices (e.g. switches and routers) before a malicious attacker finds them. Network penetration testing reveals real-world opportunities for attackers to compromise the network in a way that allows unauthorised access to sensitive data or taking control of systems for malicious purposes. A network penetration test provides several benefits, including identifying specific network security flaws present in the environment, validating internal and/or external security controls, discovering exposure on the Internet, understanding the level of risk that the identified vulnerabilities pose to the organisation, mimicking an attacker’s opportunities in your environment through manual testing that simulates current threats, and helping to address and fix the identified network security flaws.

The process behind a Wireless Networks Penetration Test is to identify infrastructure components; identify rogue Access Points, through a site survey for large enterprises and, for micro/small/medium enterprises, through remote access to devices at the location after running a down-sized scan; capture network traffic and perform detailed technical analysis; search for vulnerabilities or misconfigurations; perform packet inspection to break into the wireless network; perform password ‘brute forcing’ and authentication attacks to check the strength of the authentication; simulate malicious attacks as applicable; and create a remediation plan to fix problems and a roadmap to secure the wireless network.

The process behind a Web Application Penetration Test gives the entity visibility into the security vulnerabilities of its websites and portals, including their integrations with the various platforms that are accessible through the portals. Based on testing standards such as OWASP, a Web Application Penetration Test aims to determine security vulnerabilities that could be discovered and exploited by someone with no internal or privileged access to the systems. The testing attempts to identify faulty injection points by submitting malicious inputs, in order to uncover vulnerabilities such as buffer overflows, format string bugs, logic flaws, insecure access control, weak session management and other web application vulnerabilities such as SQL injection, XSS, CSRF and many more. Manual testing is applied to help find flaws that cannot be found using automated tools.

Notification Process

  • Once the entity completes the registration for a risk assessment, an email will be sent to the identified contact person as confirmation that the Elected Scheme Board has received the application for evaluation.
  • The application will be reviewed for eligibility and assessed based on the eligibility criteria and selection criteria published on the Cyber Security Malta website.
  • An email will be sent to the identified contact person by 10th January 2020 confirming whether the services applied for have been either fully accepted, partially accepted or rejected. For partially accepted and rejected cases, reasons and the marks obtained will be given. Incomplete applications will not be accepted and will be rejected.
  • In the case of a successful application, the entity shall be informed via email that it will benefit from the Scheme, indicating the timeframe of the assessment.
  • A Letter of Agreement shall be sent as an attachment as part of the communication which has to be read, signed, scanned and returned to email address bsecure.ncss@gov.mt within four (4) working days from the date when the entity was notified with the approval.
  • The entity will also be entering into a direct contract agreement with Acronis International GmbH or their representatives and such services will be governed solely by this Contract. This agreement has to be read, signed, scanned and returned to email address bsecure.ncss@gov.mt within four (4) working days from the date when the entity was notified with the approval.
  • Should the Elected Scheme Board not receive the Letter of Agreement and Contract within the stipulated timeframe, then the application will be considered as withdrawn by the entity.
  • Should an entity be informed that it will not benefit from the Scheme, then it will have the right to appeal the Elected Scheme Board’s decision by sending a formal complaint on email address bsecure.ncss@gov.mt within four (4) working days from the communication email. The Elected Scheme Board will provide feedback within four (4) working days from the date the appeal is received. The Elected Scheme Board’s decision will be considered as final.
  • A notification email will be sent to the contact person within two (2) weeks prior to the exercise start date, including all relevant details. In view of the scalability of the project, the entity is to abide by the agreed dates, unless a justified written notification is sent to email address bsecure.ncss@gov.mt no later than three (3) working days prior to the commencement date of the assessment. If an entity requests that the exercise be postponed, there is no guarantee that the assessment can be carried out at a later stage. An entity that does not honour the allocated dates without communicating so within the indicated timeframes on email address bsecure.ncss@gov.mt may be requested to contribute to the costs incurred.

Risk Assessment Process

  • A kick-off meeting will be set amongst assigned persons from MITA, Acronis International GmbH or their representatives and the registering entity to define the scope of the assessment.
  • The beneficiary entity is obliged to inform the Scheme by sending an email on bsecure.ncss@gov.mt with immediate effect when encountering any disagreement or concern with Acronis International GmbH or their representatives.
  • The entity is to collaborate with Acronis International GmbH or their representatives to complete the risk assessment. The entity is obliged to provide feedback to Acronis International GmbH or their representatives on any queries that will affect the provision of the assessment within two (2) working days of communication such that timeframes can be honoured. The concerned entity will be disqualified if this does not happen and may be requested to contribute to the costs incurred.
  • Acronis International GmbH or their representatives shall provide a report to the registering entity through the established contact once the Penetration Testing or Vulnerability Assessment is completed. This report will include any vulnerabilities identified and possible mitigation strategies to rectify. This report will be visible only to Acronis International GmbH or their representatives and the respective entity.

The Scheme was opened on the 23rd October during the Cyber Security Summit 2019 and closed on Sunday 24th November.

By submitting the application, the entity confirms that it has filled in the registration form details to the best of its knowledge, it meets the eligibility criteria and agrees to the selection criteria. The Elected Scheme Board reserves the right to confirm any information, submitted by the entity, with the relevant authorities. In case of default, all services will be stopped, and the entity can incur up to a maximum penalty of EUR 1,000 in case false information was provided.

Applicant beneficiary must:

  • use technology to connect to the cyber space to operate its business;
  • provide all information and documents requested in the respective Cyber Security Risk Assessment and/or Cyber Security Training application forms;
  • be eligible for the State Aid;
  • be established in Malta or providing a Service in or from Malta, for at least the last 2 years from the date of application;
  • not fall under any of the grounds listed under Part VI of the Public Procurement Regulations 2016 (Legal Notice 352 of 2016);
  • have available a network infrastructure, a wireless network infrastructure or a web application when applying for Penetration Testing;
  • deploy an external facing host when applying for Vulnerability Assessment;
  • be willing to grant the required visibility and access to Acronis International GmbH or their representatives to be able to conduct the infrastructure security assessment when applying for Penetration Testing and/or Vulnerability Assessment services.

Allocation will be assigned until the Scheme budget is consumed.

Training

The selection criteria are based on the order in which the applications are received.

Penetration Testing

The selection criteria are based on:

  • The different infrastructures the Entity has available;
  • The impact the Entity has on Malta’s economy should it suffer a cyber-attack on its infrastructure;
  • The impact the Entity has on Malta’s reputation should it suffer a cyber-attack on its infrastructure;
  • The impact the Entity has on the Maltese well-being should it suffer a cyber-attack on its infrastructure.

Should there be a tie situation, then ranking will be based on the order in which the applications were received, giving preference to the application that was received first.

Vulnerability Assessment

The selection criteria are based on:

  • The different external hosts the Entity deploys;
  • The impact the Entity has on Malta’s economy should it suffer a cyber-attack on its infrastructure;
  • The impact the Entity has on Malta’s reputation should it suffer a cyber-attack on its infrastructure;
  • The impact the Entity has on the Maltese well-being should it suffer a cyber-attack on its infrastructure.

Should there be a tie situation, then ranking will be based on the order in which the applications were submitted, giving preference to the application that was submitted first.

When will registration open?

On the 23rd October during the Cyber Security Summit.

Can individuals apply for any of the services the Scheme offers?

You have to be a company, self-employed or partnership to be able to apply for any of the services the Scheme offers.