The Ministry of Electronics and Information Technology notified the Information Technology Implementation Regulation (System of Information Systems and Procedures) of 2018 (hereafter “the Rules”) in May 2018.
The Rules were long awaited, given the global awareness of data and information misuse and of cyber terrorism. They define a framework for so-called “protected systems”, setting out the security practices and safeguards to be implemented for highly confidential data and for data collection centres.
Protected system: Under the Rules, a protected system is any computer, computer system or computer network of an organization that has been notified in the applicable official gazette under section 70 of the Information Act 2000.
Information security steering committee:
The Rules define the Information Security Steering Committee as “a senior management committee of an organization responsible for the continuous improvement of the state of cyber security in protected systems, and for the planning, development and review of corrective actions to mitigate incidents and recover from them.”
Under Rule 3, each organization with a “protected system” must form an Information Security Steering Committee headed by its Executive Director / Director-General or by the Secretary of the organization.
Roles and responsibilities of the committee
Approve all information security policies for the protected system, any significant change to the network configuration that may affect the protected system, and any important change to the protected system or its applications.
Establish a mechanism for the timely reporting of cyber security incidents from the protected system to the Information Security Steering Committee. The Rules define such incidents as adverse events that may harm the confidentiality, integrity or availability of information, systems, services or networks, resulting in unauthorized access, denial of service or disruption, unauthorized use of resources, unauthorized changes to data or information, or threats to the public interest.
Establish a mechanism for sharing all information security and compliance audit results for the protected system with the Information Security Steering Committee.
Nomination of a Chief Information Security Officer (CISO):
“Chief Information Security Officer” means a designated senior management officer, reporting directly to the organization’s Executive Director / Director-General or equivalent, who has knowledge of information security and related matters. The CISO is responsible for the organization’s cyber security efforts and initiatives, including the planning, development, maintenance, review and implementation of its information security policies.
Each organization with a notified “protected system” must nominate a CISO. The roles and responsibilities of the CISO are listed in the Guidelines for the Protection of Critical Information Infrastructure and in the Roles and Responsibilities of the CISO in India, both issued by NCIIPC.
Key responsibilities of the CISO include establishing an ISMS, documenting the network architecture, ensuring the stability, resilience and scalability of systems, performing vulnerability/threat/risk (V/T/R) analysis of the network security architecture, developing a cyber crisis management plan, and arranging internal and external security audits.
Verification of the protected system is repeated every two years.
Organizations with protected systems should set up a C-SOC (cyber security operations centre) and a NOC (network operations centre) to implement preventive and corrective controls against advanced and emerging cyber threats and unauthorized access, and to ensure continuity of network availability.
The Rules also specify the roles and responsibilities of NCIIPC with respect to protected systems.