On the 2nd of July 2013, the Indian Government formally approved and published the National Cyber Security Policy (NCSP). The policy had existed as a draft document awaiting formal release for some years. Whether it was the USA’s PRISM program or some other factor that pushed the Government to officially release it, we don’t know. What matters is that this is a big step in the right direction. While the publication of a policy document will not by itself get us to a secure state, it will definitely push us along in the right direction. This article looks at the implications of the NCSP for the private sector.
The NCSP makes all the right noises and states all the right objectives, including aiming to protect citizens’ privacy as well as promoting public-private partnership (PPP) in the area of cyber-security. What will matter most, though, are the follow-up actions the Government takes to aid and facilitate the implementation and adoption of the policy in both public and private sector organizations. One of the key factors that will influence this is the level of regulation that the Policy enforces on various industry segments. While the Indian banking industry is heavily regulated by the Reserve Bank of India in terms of cyber-security, the same can definitely not be said with regard to the other Critical National Infrastructure (CNI) sectors, defined by the Ministry as Defence, Finance, Energy, Transportation and Telecommunications. (It may be noted that information security in the telecom domain is partially addressed by the Department of Telecommunications license amendments issued in 2009.)
As far as the private sector is concerned, the following is of relevance (note the statements in the NCSP are not mandatory other than for entities covered under CNI):
- Senior manager to be appointed as the Chief Information Security Officer (CISO)
- Develop security policies integrated with business plans
- Specific budget to be earmarked for cyber-security initiatives
- Encourage entities to adopt guidelines for procurement of trustworthy ICT products and provide for procurement of indigenously developed security technologies
- Promote adoption of ISO 27001 and other security best practices, especially in risk management processes adopted by Government agencies and CNI
- Encourage secure application development processes based on global best practices
- Create an assessment framework for periodic verification of compliance to the above
- Periodically test and evaluate adequacy and effectiveness of technical and operational security controls
- Encourage use of open standards
- Mandate the periodic audit and evaluation of the information security infrastructure (as part of strengthening the regulatory framework)
- Enable, educate and facilitate awareness of the regulatory framework (where such regulations exist, I presume)
- Sectoral CERTs (Computer Emergency Response Teams) may come into play and function under CERT India as the umbrella organization
- Implement a cyber-crisis management plan (at national, sectoral and entity levels)
- Conduct and facilitate regular cyber-security drills (the CERT-In already does this)
- For organizations that come under CNI, the following are additional points similar to the above, but specified as mandatory:
  - Develop an information security protection plan
  - Implement global best practices, business continuity management, and cyber crisis management
  - Use validated and certified IT products
  - Security audit of critical infrastructure on a periodic basis
  - Certification of all individuals in all security roles (from CISO to operational roles)
  - Secure application development processes
- A 24x7 nodal National Critical Information Infrastructure Protection Center (NCIIPC) will also come into being (I suppose this would be under CERT-In).
The remaining sections deal with promoting research and development in cyber security, reducing IT supply chain risks by creating facilities to test IT products and raising awareness of this subject, fostering the development of human resources in this domain, developing effective public-private partnerships, and enhancing national and global cooperation.
The final two sections of the Policy state that a prioritized approach is to be adopted and that this policy shall be operationalised by way of detailed guidelines and plans at the national, sectoral, state, ministry and entity levels.
In summary, for organizations that have implemented standards such as ISO 27001 (hopefully in earnest), adopted strong application security practices, appointed a qualified CISO, and helped spread awareness throughout the stakeholder community, there is nothing new here that would apply. The point about managing supply-chain risk from IT solutions is very relevant in this day and age, with various back-doors being found in products from some of the most reputed vendors. Currently, in the absence of reliable testing labs, all a private sector organization can do is try to avoid products with blatant back-doors that have been reported, such as this, this, this and this!
However, the most important takeaway is for the whole host of other organizations that come under CNI but have been paying lip-service to information security: the NCSP is a wake-up call to get serious!
K. K. Mookhey (PCI QSA, CISA, CISSP, CISM) is the Founder Director at Network Intelligence (www.niiconsulting.com) as well as the Founder of The Institute of Information Security (www.iisecurity.in). He is an internationally well-regarded expert in the fields of IT governance, information risk management, forensic fraud investigations, compliance, and business continuity. He has more than a decade of experience in this field, having worked with prestigious clients in India such as the top 4 private banks, the top 4 public sector banks, the top 5 IT companies, and some of the largest industrial conglomerates. Internationally, he has done consulting and audit engagements for United Nations organizations, numerous banks and manufacturing firms in the Middle East, as well as various government entities. He has published numerous articles and two books, and has presented at conferences such as Blackhat, OWASP Asia, ISACA, Interop, and Nullcon.