
Knowledge Paper on

Cyber and Network Security Framework

Cyber & Network Security Framework 1
© Mahindra Special Services Group. All Rights Reserved
Table of Contents

Foreword (page 3)
Message from the CEO - Mahindra Special Services Group (MSSG) (page 4)
Message from the Secretary General - ASSOCHAM (page 5)
Continuously Rising Security Threats (page 6)
Developing Cyber Security Standards (page 9)
Public-Private Information Sharing & Information Security (page 14)
Privacy & Civil Liberty Protection (page 15)
Protection of Critical Information Infrastructure (page 17)
Recommendations (page 20)
Mahindra Special Services Group – Brief Profile (page 21)
ASSOCHAM – Brief Profile (page 23)

Foreword

The Information Technology revolution has brought a radical change in the way businesses
function across the globe. Businesses that stood on three pillars, viz. people, process and
technology, are compelled to factor in the fourth pillar of security. Security may not be restricted
to safeguarding physical assets but also extends to intangible assets like information, reputation,
brand, intellectual property etc.

The Internet has grown exponentially worldwide. India too has witnessed a significant rise in
Cyberspace activities and usage of the internet, so much so that it has not only become one of the
major IT destinations in the world but has also come to have the third largest number of Internet
users after the USA and China. Such phenomenal growth in access to information and
connectivity has empowered individuals to reach the world, but on the flip side has posed new
challenges to administrators of cyberspace.

Cyberspace has unique characteristics, viz. anonymity and difficulty of provenance, coupled
with enormous potential for damage and mischief. These characteristics add to the
vulnerabilities, making cyber security a major concern across the globe. Cyberspace is being
exploited by criminals to carry out identity theft and financial fraud, conduct espionage, disrupt
critical infrastructures, facilitate terrorist activities, steal corporate information and plant
malicious software (malware) and trojans.

Cyber security continues to be an issue of intense interest to users and governments across
the globe. Cyber security assurance is considered the core strategy. Collaborative efforts
of vendors, customers, policy and law makers will make a substantial difference in addressing
the global cyber security challenge. Further, it is prudent to share knowledge and
understanding of what works and what doesn’t to reduce the risk of people using technology
for purposes never intended.

Securing a country's critical infrastructures requires protecting not only the physical systems but
also the cyber segment of the systems on which they rely. Rivals seeking to harm the
critical infrastructures are driven by different motivations and view cyberspace as a possible
means to achieve effects of much greater impact, such as causing harm to people or
widespread economic damage.

This report from the MSSG Fraud Risk Management Team gives an insight into developing
cyber security standards, information sharing and security framework, data privacy issues and
critical information infrastructure security, thereby giving the reader some basic understanding
about the present status and recommendations.

MSSG – Fraud Risk Management Team

Message from the CEO - Mahindra Special Services Group (MSSG)

“While Cyberspace is a source of great opportunity, cyber security has become a major concern.
BRICS countries should take the lead in preserving Cyberspace as a global common good.”

Shri Narendra Modi, while addressing the summit of the five-nation grouping BRICS
(Brazil-Russia-India-China-South Africa) at Fortaleza in Brazil, July 15, 2014 [1]

In today's world, information technology has drastically transformed the global economy and
connected people and markets in ways beyond what was ever imagined. Present-day
communication devices have made dramatic changes in the way we live and transact
business.

With the increasing use of information technology enabled services such as e-governance, online
business and electronic transactions, the protection of personal and sensitive data has assumed
paramount importance. The economic growth of any nation, its security, whether internal or
external, and its competitiveness depend on how well its cyberspace is secured and protected.

Cyberspace fundamentally is not as complex as we think it to be; what makes it complex is its
nature, i.e., Cyberspace is borderless, going beyond jurisdiction, and actions in
cyberspace can sometimes be anonymous. These features are being exploited by adversaries,
or so to say cyber criminals, for committing crime.

Cyber security threats pose one of the most serious economic and national security challenges,
and the threats in cyberspace are serious from the point of view of governments as
well as corporates. Nevertheless, if they are addressed effectively, then cyberspace will surely
go a long way in significantly contributing to economic growth, empowerment and a secured
Digital India.

Warm Regards,

Dinesh Pillai
CEO
Mahindra Special Services Group
Mumbai October 2014

[1] http://mea.gov.in/in-focus-article.htm?23632/Prime+Ministers+statement+in+6th+BRICS+Summit+on+the+Agenda++quotPolitical+Coordination+quotInternational+Governance+amp+Regional+Crisesquot

Message from the Secretary General - ASSOCHAM

The growing use of ICT for administration and in other spheres of our daily
life cannot be ignored. Further, we also cannot ignore the need to secure
the ICT infrastructure used for meeting the social functions.

With the focus on creating Digital India, the threat from cyber attacks and
malware is not only apparent but also very worrisome. There cannot be a
single solution to counter such threats. We need a techno-legal
“Harmonized Law” and international cooperation, as well as cooperation among
States and agencies, to address these challenges.

A good combination of law and technology must be established and then an effort be made to
harmonize the laws of various countries keeping in mind common security standards. In this
respect ASSOCHAM lauds the efforts made by the Ministry of Communications and IT,
Government of India in releasing the National Cyber Security Policy 2013 to ensure a secure
and resilient cyber space for citizens, businesses, and the Government.

We at ASSOCHAM have been discussing and deliberating with the concerned authorities and
stakeholders about the need for security compliance and a legal system for dealing effectively
with internal and external cyber security threats.

ASSOCHAM has been a Member of the National Security Council, Joint Working Group (JWG)
on Public Private Partnership on Cyber Security and we deeply appreciate the efforts made by
the JWG in inviting private industries’ views and suggestions on Cyber Security related issues.

We are confident that the deliberations at the 6th Annual Summit on Cyber & Network Security
with the theme “Cyber 2.0 – Preparing For the Next Level …With Scale, Speed & Skill” will provide
more insight into emerging cyber related challenges and their appropriate solutions for further
securing the cyber space.

ASSOCHAM is committed to creating more awareness about the Cyber related issues and this
Background Paper jointly prepared by Mahindra SSG and ASSOCHAM is a step in that
direction and we congratulate the team for their efforts.

We convey our very best for the success of the 6th Annual Summit on Cyber & Network
Security.

With Best Regards,

D. S. Rawat
Secretary General
ASSOCHAM
New Delhi October 2014

Continuously Rising Security Threats

A rapid increase in the use of computers and the emergence of the Internet, in particular in the
last few decades, has led to the evolution of cyberspace. Cyberspace has become the fifth
domain of human activity. Cyberspace is borderless and anonymous, due to which it becomes
difficult to actually trace the origin of any kind of cyber attack.

Stealing data or information from the computers of business organizations and government
agencies is a big business for criminals, and the scope of the loss to business organizations
and government ranges from damage to reputation, loss of customer trust and financial penalties to
greater competition arising from the stolen data or information.

As the quantity and value of data have increased, so too have the business models and efforts of
criminals and other adversaries who have embraced Cyberspace as a more convenient and
profitable way of carrying out their activities anonymously.

Whether we call them interesting facts, disturbing facts or alarming facts, the reality is that
these are true facts.

• Cybercrimes have cost India a whopping Rs 24,630 crore ($4 billion) in 2013 alone as
criminals used sophisticated means, says a Delhi High Court-commissioned report. "Internet
frauds alone have cost India a whopping $4 billion (about Rs 24,630 crore) in 2013 as
cyber criminals are using more sophisticated means like ransomware and spear-phishing,"
the report said. [2]

• 62,189 cyber security incidents in the first five months of the current calendar year

• 9,174 Indian websites were hacked by groups spread across the world

[2] http://www.business-standard.com/article/current-affairs/cyber-crimes-alone-cost-india-rs-24-630-cr-in-2013-report-114070600170_1.html

• During the years 2011, 2012, 2013 and 2014 (till May), a total of 21,699, 27,605,
28,481 and 9,174 Indian websites respectively were hacked by various hacker groups spread
across the world. In addition, during these years, a total of 13,301, 22,060,
71,780 and 62,189 security incidents respectively were reported to CERT-In.

• These incidents include phishing, scanning, spam, malicious code and website
intrusions.

• These attacks have been observed to originate from the Cyberspace of a number of
countries including the US, Europe, Brazil, Turkey, China, Pakistan, Bangladesh, Algeria
and the UAE.

• The attackers compromise computer systems located in different parts of the world and
use masquerading techniques and hidden servers to hide the identity of the actual
system from which the attacks are launched.

• As per the cyber crime data maintained by National Cyber Records Bureau, a total of
1,791, 2,876 and 4,356 cyber crime cases were registered under Information
Technology Act during the year 2011, 2012 and 2013, respectively, thereby showing an
increasing trend.

• Growing Internet penetration and the rising popularity of online banking have made India a
favourite among cybercriminals, who target online financial transactions using malware;
India ranks third after Japan and the US in the tally of countries most affected by
online banking malware during the April-June quarter of 2014.

However, it is interesting to note that the Government of India has understood the importance of
the public private partnership model to combat cyber threats. The Government has been associating
public and private sector organizations with the projects of its Cyber Security Programme. The Data
Security Council of India (DSCI), set up by NASSCOM, is implementing projects in the area of
Cyber Forensics Training and Awareness creation for Law Enforcement Agencies.

INR 500 crore has been allocated to the Department of Electronics and Information Technology
(DeitY) in the 12th Plan period (2012-17) for the Cyber Security Programme, including Cyber Safety,
Security and Surveillance, Cyber Crime Investigations and Cyber Forensics.

In fact, in the case of K.N. Govindacharya vs Union of India [3], the Delhi High Court directed the
intermediaries, including social networking sites such as Facebook and Orkut, to follow
Sub Rule 11 of the Intermediary Guidelines Rules 2011 and publish the names of their respective
Grievance Officers on their websites along with contact numbers, as well as the mechanism by
which any user or any victim who suffers as a result of access or usage of a computer resource
by any person in violation of rule 3 can notify their complaints against such access or usage.

Further, the Division Bench of the Allahabad High Court (Lucknow Bench) had also issued
directions to ensure that Sub Rule 3(11) of the Information Technology (Intermediary
Guidelines) Rules 2011 is implemented in the country in its letter and spirit.

[3] Writ Petition No 3672/2012

Developing Cyber Security Standards

Cyber security is a complex issue which cuts across domains and national boundaries, making it
difficult to attribute the origin of cyber-attacks. This scenario warrants a strategic and holistic
approach comprising multi-dimensional initiatives and responses. Developing and implementing
cyber security standards is one such initiative. The National Cyber Security Policy by the
Department of Electronics & Information Technology serves this cause.

Keeping in mind the provisions laid down in this policy as the guiding principles the business
houses can design their strategies to combat any situation arising out of cyber crime and cyber
security incidents.

The mission statement of the National Cyber Security Policy, 2013 equally holds good for
business houses and corporates. It states:

Mission:
To protect information and information infrastructure in Cyberspace, build
capabilities to prevent and respond to cyber threats, reduce vulnerabilities and minimize
damage from cyber incidents through a combination of institutional structures,
people, processes, technology and cooperation.

The strategies laid down in the National Cyber Security Policy, which was notified on 2nd July
2013, follow. We at Mahindra SSG have tried to simplify them from the point of view of
business houses and corporates.

1. Creating a secure cyber ecosystem – Cyber security threats are bound to increase
with the emergence of new technologies; therefore it is important for us to be prepared
and have the best security standards and practices in place to detect cyber security
threats and respond to them.

Suffice it to say that it becomes imperative for corporates to give priority to
information security.

It is equally important to develop information security policies duly integrated with the
business plans and implement such policies as per international best practices, keeping in
line with the Indian legal system.

Corporates and government agencies should make their best efforts to establish a mechanism
for sharing information and also for identifying and responding to cyber security incidents in
a timely manner.

In such a scenario, it equally becomes important for business houses and the
government to allocate sufficient budget for implementing cyber security initiatives
and for meeting emergency response needs arising out of cyber incidents. Such allocation
of budget should not be treated and seen as an expense on the balance sheet; rather it
should be treated as one of the important components of doing secured business.

2. Creating an assurance framework – Business houses along with the government should
endeavor to promote adoption of global best practices in cyber security and compliance as per
the Information Technology Act, 2000, the Information Technology (Amendment) Act, 2008 and
their allied rules and regulations.

It is also suggested that all entities (both government and corporate) periodically
test and evaluate the adequacy and effectiveness of the technical and operational
security control measures implemented in their information technology systems and
networks.

The Information Technology (Reasonable Security Practices & Procedures and Sensitive Personal
Data or Information) Rules, 2011 also provide that any industry association or an entity formed
by such association, whose members are self-regulating by following IS/ISO/IEC codes of best
practices for data protection as per the rules, can get its codes of best practices duly approved
and notified by the Central Government for effective implementation.

In my view the reason for such a provision is that there cannot be uniform best
practices for all sectors and domains of business, as threat perceptions are different
for each industry.

3. Encouraging open standards – Until and unless we adopt the practice of following
open standards, it would be difficult for corporate houses and the government to
facilitate interoperability and the exchange of information or data among
different products or services, which have become part and parcel of any business.

4. Strengthening the regulatory framework – With the development and implementation of
technology every day, it is essential that the Indian legal framework on information technology
is periodically reviewed so as to ensure that it is in harmony with international legal
frameworks. Corporate houses and industry associations should always brainstorm on such
issues arising out of cyber security incidents and continuously provide their recommendations
to the government agencies.

Most of the cyber crime and cyber security breaches occur because of ignorance of the
law and regulatory framework, and therefore it is important that corporate houses
make it mandatory in their induction programs that their employees and
vendors are made aware of the law and regulatory framework and its consequences.

5. Creating a mechanism for security threat early warning, vulnerability management and
response to security threats: It is high time that business houses create a Computer
Emergency Response Team (CERT) within their organization, which should be operational 24x7.
The CERT of the business house should set up a mechanism to regularly interact with the Indian
Computer Emergency Response Team (CERT-In), New Delhi, which serves as the national agency
for incident response.

Corporate houses should regularly conduct and facilitate cyber security drills and
exercises. This will help them in assessing their security posture and their
level of emergency preparedness in dealing with cyber security incidents.

6. Promotion of research and development in cyber security: It is important that
business houses give due importance to research and development in the
field of cyber security and accordingly allocate sufficient budget for the same.

The Research and Development program should be undertaken to address all
aspects of development aimed at short term, medium term and long term goals. The
Research & Development programs should also address all aspects including the
development of trustworthy systems, their testing, deployment and maintenance
throughout the life cycle, and include R&D on cutting edge security technologies.

Corporates should collaborate in joint Research & Development projects with
other industry groups and academia in designing and developing frontline
technologies and solution oriented research as per their business requirements.

7. Reducing supply chain risk: "Better late than never" aptly applies to the supply
chain management of any business. In today’s global economy, when we have
merged into a global village and the dependence on the supply chain has increased
dramatically, it is important to build trusted relationships with product vendors,
system vendors and service providers for improving end-to-end supply chain security
visibility.

Organizations should create awareness of the threats, vulnerabilities and legal
consequences and liabilities on breach of security among entities for managing
supply chain risks related to information technology (products, systems or services)
procurement.

8. Human resource development – In today’s business environment, human resources with
cybersecurity knowledge and skills are critical for protecting the digital infrastructure of
any organization. Industries as diverse as retail, telecommunication, insurance, banking and
finance, healthcare, manufacturing and energy all depend on the security and reliability of
cyberspace.

With organizations facing new and dynamic risks, threats, and vulnerabilities
every day, a highly skilled cybersecurity workforce capable of responding to these
challenges is needed. Organizations should establish cyber security training
infrastructure by way of institutional collaboration with academia and cyber security
research centers.

The Human Resource development team should design a strong cyber security
policy for its employees along with the technical and legal teams. A clear mention of
the same should also be reflected in all contracts and appointment letters.

9. Creating cyber security awareness – Organizations should conduct, support
and enable cyber security workshops, seminars and certifications. However, this
should not be a one-time exercise; rather it should be a continued process, because
every day the threat changes with changes in technology.

10. Prioritized approach to implementation and operationalization of the Policy –
Organizations should adopt a prioritized and operational approach to implementing the
cyber security policy so as to address the most critical areas in the first instance.

As per the Standing Committee on Information Technology (2013-14, Fifty Second Report)
dealing with Cyber Crime, Cyber Security and Right to Privacy, the Department of
Electronics and Information Technology (DeitY) has prioritized the following eight
areas:

1. To designate a National nodal agency to coordinate all matters related to cyber security
in the country, with clearly defined roles and responsibilities.
2. To create National level systems, processes and mechanisms to generate the necessary
situational scenario of existing and potential cyber security threats and enable timely
information sharing for proactive, preventive and protective actions by individual entities.
3. To operate a 24X7 National Critical Infrastructure Protection Center (NCIIPC) to
function as the nodal agency for critical information infrastructure protection in the
country.
4. To create infrastructure for conformity assessment and certification of compliance to
cyber security best practices, standards and guidelines (e.g. ISO 27001 ISMS
certification, IS system audits, penetration testing/vulnerability assessment,
application security testing, web security testing).
5. To create and maintain testing infrastructure and facilities for IT security product
evaluation and compliance verification as per global standards and practices: crypto
module evaluation.
6. To create and maintain testing infrastructure and facilities for IT security product
evaluation and compliance verification as per global standards and practices: CC
test/evaluation.
7. To foster education and training programs in both formal and informal sectors to
support the Nation’s cyber security needs and build capacity.
8. To create a conformity assessment framework for periodic verification of compliance to
best practices, standards and guidelines on cyber security.

Suffice it to say that nothing is totally secure today in Cyberspace, but if the above
mentioned suggestions are adopted by organizations, to some extent it will help them in
protecting their information while in process, handling, storage and transit. This will also help
them in safeguarding the privacy of citizens' data and in reducing economic losses due to
cyber crime or data theft.

Last but not least, it is always good to be on the right side of the law, and
therefore in this context it is suggested that all business organizations strictly comply
with the Information Technology Act, its allied rules and regulations, and government
advisories.

Public-Private Information Sharing & Information Security

One of the main objectives of the National Cyber Security Policy, 2013 is to develop effective
public private partnerships and collaborative engagements through technical and operational
cooperation and contribution for enhancing the security of cyberspace.

Also, one of the strategies mentioned in the National Cyber Security Policy, 2013 relates to
developing effective Public Private Partnerships and emphasizes the following.

1. To facilitate collaboration and cooperation among stakeholder entities including the private
sector, in the area of cyber security in general and protection of critical information
infrastructure in particular, for actions related to cyber threats, vulnerabilities, breaches,
potential protective measures, and adoption of best practices.
2. To create models for collaborations and engagement with all relevant stakeholders.
3. To create a think tank for cyber security policy inputs, discussion and deliberations.

Public private partnership is very important to address the issue of cyber security. The primary
challenge faced by both the Government and the business houses is to curb the threat
arising out of cyber security incidents and cyber crime at the earliest, and this cannot be
achieved in isolation by either Government or Industry alone. It requires the collaboration and
coordinated efforts of all the corporates and the government agencies involved in securing the
country’s cyber space.

The business houses should design a mechanism to regularly interact with the government
agencies either directly or through industry associations.

Privacy & Civil Liberty Protection

In the real world it is often said that “Your right to swing your arms ends just where the
other man's nose begins” [4]. But I seriously doubt how well this proverb will stand the test
of time in the virtual world, where privacy can easily be intruded upon without touching
one's nose.

Historically, privacy was almost implicit, because it was hard to find and gather information.
But in the digital world, whether it's digital cameras or satellites or just what you click on,
we need to have more explicit rules - not just for governments but for private companies. [5]

With the proliferation of information technology enabled services such as e-governance,
e-commerce and e-transactions, the protection of personal data and information and the
implementation of security practices and procedures relating to these applications of electronic
communications assumed greater importance, and they were required to be harmonized with the
provisions of the Information Technology Act, 2000; therefore the Information Technology Act,
2000 was accordingly amended by the Information Technology (Amendment) Act, 2008, which was
later notified on 27th October 2009.

The Information Technology Act 2000 contains adequate provisions to deal with various cyber
related offences as well as the protection of the privacy of individuals. The following is a brief
on such provisions in the Act [6]:

• Sections 43 and 66 of the Information Technology Act, 2000 provide penalties and
stringent punishment for hacking of websites.
• Section 43A of the Information Technology Act, 2000 provides compensation to the
affected person for failure to protect data.
• The Information Technology (Reasonable Security Practices and Procedures and
Sensitive Personal Data or Information) Rules, 2011, notified on 11th April, 2013 under
section 43A of the Information Technology Act, define sensitive personal data and
reasonable security practices and procedures. The Rules require a body corporate to
provide a policy for privacy and disclosure of information (Rule 4), obtain the consent of
the user for collection of information (Rule 5), and obtain prior permission from the
provider of information before disclosure of sensitive personal information (Rule 6).
• Section 72 of the Act provides a penalty for breach of confidentiality and privacy.
• Section 72A of the Act provides punishment for disclosure of information in breach of a
lawful contract.

[4] Various permutations of this quote have been attributed to Oliver Wendell Holmes, Jr. (8 March 1841 – 6 March
1935), American jurist, Associate Justice of the Supreme Court of the United States from 1902 to 1932, but it was
actually written by Zechariah Chafee, "Freedom of Speech in Wartime", 32 Harvard Law Review 932, 957 (1919).
Source: http://en.wikiquote.org/wiki/Oliver_Wendell_Holmes,_Jr.
[5] Bill Gates
[6] Standing Committee on Information Technology (2013-14, Fifty Second Report) dealing with Cyber Crime, Cyber
Security and Right to Privacy. February 2014

Further, sections 66C and 72A of the Information Technology Act, 2000 provide for punishment
and penalty for identity theft and breach of confidentiality and privacy respectively.

The Department of Personnel and Training is engaged in evolving legislation to address concerns
of privacy in general in the country. The proposed legislation, together with section 43A of the
Information Technology Act, 2000, is expected to address all concerns of privacy in
cyberspace and in general. [7]

In a move towards safeguarding the privacy of individuals and defining invasion of privacy offences,
the government has proposed to set up a Data Protection Authority (DPA) that will rule on
issues around invasion of privacy and impose penalties on violations. The Authority will
"investigate any data security breach and issue appropriate orders to safeguard security
interests of all affected data subjects in respect of any personal data that has or is likely to have
been compromised by such breach," according to a draft Right to Privacy Bill. [8]

[7] Standing Committee on Information Technology (2013-14, Fifty Second Report) dealing with Cyber Crime, Cyber
Security and Right to Privacy. February 2014
[8] http://articles.economictimes.indiatimes.com/2014-02-18/news/47451233_1_personal-data-privacy-bill-draft-bill

Protection of Critical Information Infrastructure

Many of the critical services that are essential to the well-being of the economy are
increasingly becoming dependent on IT. As such, the Government is making efforts to identify
the core services that need to be protected from electronic attacks and is seeking to work
with the organizations responsible for these systems so that their services are secured in a
way that is proportional to the threat perception.

The primary focus of these efforts is to secure the information resources belonging to
Government as well as those in the critical sectors. The critical sectors include

• Defence,
• Finance,
• Energy,
• Transportation and
• Telecommunications.

Consequently, many in the industry and critical infrastructure organizations have come to
recognize that their continued ability to gain consumer confidence will depend on improved
software development, systems engineering practices and the adoption of strengthened
security models and best practices. [9]

The Information Technology Act, 2000 did not have a provision with respect to Critical Information
Infrastructure, though it had a provision with respect to Protected Systems under Section 70 of
the Act. [10]

However, with the passage of time the need and importance of safeguarding Critical Information
Infrastructure was recognized, and accordingly the Statement of Objects and Reasons of the
Amendment Act 10 of 2009 states as follows.

“The protection of Critical Information Infrastructure is pivotal to national security,
economy, public health and safety, so it becomes necessary to declare such
infrastructure as a protected system so as to restrict its access.”

[9] http://deity.gov.in/content/strategic-approach
[10] Section 70 of the Information Technology Act, 2000:
(1) The appropriate Government may, by notification in the Official Gazette, declare that any
computer, computer system or computer network to be a protected system.
(2) The appropriate Government may, by order in writing, authorize the persons who are
authorized to access protected systems notified under sub-section (1).
(3) Any person who secures access or attempts to secure access to a protected system in
contravention of the provisions of this section shall be punished with imprisonment of either
description for a term which may extend to ten years and shall also be liable to fine.

Accordingly Section 70 of the Information Technology Act, 2000 was amended to include
protection of Critical Information Infrastructure. The Critical Information Infrastructure is
explained as

“The computer resource, the incapacitation or destruction of which, shall have debilitating
impact on national security, economy, public health or safety.”

Section 70 also states that

“Any person who secures access or attempts to secure access to a protected system in
contravention of the provisions of this section shall be punished with imprisonment of either
description for a term which may extend to ten years and shall also be liable to fine.”

On 16th January 2014, Government of India designated the National Critical Information
Infrastructure Protection Centre, Block - III, JNU Campus, New Delhi - 110067, an organization
under the National Technical Research Organization, as national nodal agency in respect of
Critical Information Infrastructure Protection.

Critical Sector means those sectors which are critical to the nation and whose incapacitation or
destruction will have a debilitating impact on national security, economy, public health or safety. [11]

To better understand the importance of protecting Critical Information Infrastructure, let us take an
example. Suppose the electricity supply of the city of Mumbai, considered the financial
capital of India, is disrupted for one full day because someone has managed to break into the
computer systems of the main power grid, has taken total control of the grid, and
demands a hefty sum of money to restore the electricity. In this case, what worries us is not
only the money but the chaos it will create in the city.

One of the prominent examples of a cyber attack on a critical infrastructure is the Stuxnet virus,
which ravaged Iran's Natanz nuclear facility beginning in 2008, disrupting a fifth of Iranian
facilities and setting back Iran’s nuclear plans by almost two years.

To enable organizations to assess their preparedness in dealing with a cyber crisis, CERT-In
conducts cyber security drills of different complexities with various key organizations. So far, 7
drills have been conducted involving more than 110 organizations from the Defence, Space, Atomic
Energy, Telecommunications (ISPs), Finance, Power, Petroleum & Natural Gas, Transportation
(Railways & Civil Aviation) and IT/ITeS/BPO sectors. [12]

[11] The Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Function and Duties) Rules, 2013

While drafting the detailed comprehensive guidelines for protection of Critical Information
Infrastructure, the Government should design a methodology to protect individual privacy and
civil liberties when critical infrastructure organizations conduct cyber security activities. While
processes and existing needs will differ from organization to organization, the guidelines
should assist organizations in incorporating privacy and civil liberties as part of a
comprehensive cyber security program.

The detailed comprehensive guidelines for protection of Critical Information Infrastructure
should enable organizations regardless of size or threat perceptions of cyber security risk.

[12] Standing Committee on Information Technology (2013-14, Fifty Second Report) dealing with Cyber Crime, Cyber Security and Right to Privacy. February 2014

Recommendations

A business will have good security if its corporate culture is correct. That depends on
one thing: tone at the top. There will be no grassroots effort to overwhelm corporate
neglect.
William Malik, Vice President and Research Area Director for Information Security at Gartner

Cyber security requirements are dynamic and change with the threat environment. The threat
landscape needs to be updated regularly to prevent emerging attacks. Collaboration among
various agencies is needed to share information regarding emerging threats and vulnerabilities,
which would help in effective protection against and prevention of cyber attacks.

Some recommendations:
• Organizations should invest in Research and Development (R&D) initiatives; this is
essential for the enhancement of skills and expertise in areas of cyber security.

• Organizations should appoint independent agencies as cyber security auditors to
conduct security audits, vulnerability assessments and penetration testing periodically or
as and when they upgrade their IT infrastructure. CERT-In has empanelled 44 auditors
for the purpose of carrying out cyber security audit related activities.

• Organizations should carry out cyber security mock drills on a periodic
basis to assess the preparedness of their IT infrastructure in dealing with cyber
incidents and the crises arising out of such situations. A cyber security drill is a confidence
building and learning exercise.

• Last but not least, organizations should allocate sufficient budget for cyber security
and consider it a business investment rather than an expense.

Mahindra Special Services Group – Brief Profile

Derisk your business…

Mahindra Special Services Group (MSSG), a strategic business unit under the $15.9 bn Mahindra
group, is a leading Corporate Security Risk Consulting firm that helps organizations reduce risk
and enhance competitive advantage. MSSG protects information assets and minimizes losses
due to an enterprise’s deviations from good governance.
With a core team comprising ex-forces officers and domain experts with decades of experience
in corporate security, MSSG’s risk mitigation advisories have enabled over 150 major corporate
clients to secure their people, assets, information and reputation. The company’s distinctiveness
lies in its ‘People-Centric’ approach, endorsed by clients across scores of implementations.
Headquartered in Mumbai, India, the company has a presence in major cities of India and the
capability to operate out of several global locations.
One of the most defining differentiators of MSSG is its holistic approach towards Corporate
Security. The corporate risk landscape in the world has gone through paradigm shifts, and
MSSG partners with clients to derisk their businesses from the new and emerging forces of risk.
We help our clients mitigate risk in the following manner:
• Assessment of the risk exposure that the organization has in terms of physical, personnel and
information assets.
• Formulating and implementing a de-risking strategy that hardens the organization across
physical locations, technology, processes and personnel (including those who man
them).
• Changing the “People-Culture” and increasing their participation in the Risk Mitigation
Program.
• Providing an ‘embedded’ team that will ensure implementation and sustenance of the
security initiatives.

MSSG Practices

MSSG’s consulting services are categorized under three major heads:

• Information Security Consulting Practice
• Physical Security Consulting
• Fraud Risk Management Practice

All the above mentioned practices have multiple service lines catering to the varied needs of
organizations.
At MSSG we realize that improving security is an ongoing and a structured process. This begins
with creating the right environment for improvement, viz, getting the buy-in of all stakeholders,
establishing return on investments and clear measurability of the success of the initiative.

MSSG Corporate Offices

Mumbai (Head Office): 5th floor, Times Square, Western Express Highway, Andheri (E), Mumbai - 400 069, India. Ph: +91-22-40903232
New Delhi: 212, Rectangle One, Commercial Complex D4, Saket, New Delhi - 110017, India. Ph: +91-11-41097807
Bangalore: 109, Raheja Chambers, 1st Floor, 12, Museum Road, Bangalore - 560 001, India. Ph: +91-80-65736524

Email: [email protected]
Website: www.mahindrassg.com

ASSOCHAM – Brief Profile

The Knowledge Architect of Corporate India

• Evolution of Value Creator

ASSOCHAM initiated its endeavour of value creation for Indian industry in 1920. Having in
its fold more than 400 Chambers and Trade Associations, and serving more than 4,50,000
members from all over India, it has witnessed upswings as well as upheavals of the Indian
economy, and contributed significantly by playing a catalytic role in shaping up the trade,
commerce and industrial environment of the country.
Today, ASSOCHAM has emerged as the fountainhead of knowledge for Indian industry,
which is all set to redefine the dynamics of growth and development in the technology driven
cyber age of the ‘Knowledge Based Economy’.
ASSOCHAM is seen as a forceful, proactive, forward looking institution equipping itself to
meet the aspirations of corporate India in the new world of business. ASSOCHAM is
working towards creating a conducive environment for Indian business to compete globally.
ASSOCHAM derives its strength from its Promoter Chambers and other Industry/Regional
Chambers/Associations spread all over the country.

• Vision
Empower Indian enterprise by inculcating knowledge that will be the catalyst of growth in the
barrier-less technology driven global market and help them upscale, align and emerge as
formidable players in their respective business segments.

• Mission
As a representative organ of Corporate India, ASSOCHAM articulates the genuine,
legitimate needs and interests of its members. Its mission is to impact the policy and
legislative environment so as to foster balanced economic, industrial and social
development. We believe education, IT, BT, Health, Corporate Social responsibility and
environment to be the critical success factors.

• Members – Our Strength

ASSOCHAM represents the interests of more than 4,50,000 direct and indirect members
across the country. Through its heterogeneous membership, ASSOCHAM combines the
entrepreneurial spirit and business acumen of owners with the management skills and expertise
of professionals to set itself apart as a Chamber with a difference.

Currently, ASSOCHAM has more than 100 National Councils covering the entire gamut of
economic activities in India. It has been especially acknowledged as a significant voice of
Indian industry in the field of Corporate Social Responsibility, Environment & Safety, HR &
Labour Affairs, Corporate Governance, Information Technology, Biotechnology, Telecom,
Banking & Finance, Company Law, Corporate Finance, Economic and International Affairs,
Mergers & Acquisitions, Tourism, Civil Aviation, Infrastructure, Energy & Power, Education,
Legal Reforms, Real Estate and Rural Development, Competency Building & Skill
Development to mention a few.

• Insight into ‘New Business Models’

ASSOCHAM has been a significant contributory factor in the emergence of new-age Indian
corporates, characterized by a new mindset and global ambition for dominating
international business. The Chamber has addressed itself to key areas like India as an
Investment Destination, Achieving International Competitiveness, Promoting International
Trade, Corporate Strategies for Enhancing Stakeholder Value, Government Policies in
Sustaining India’s Development, Infrastructure Development for Enhancing India’s
Competitiveness, Building Indian MNCs, and the Role of the Financial Sector as the Catalyst for India’s
Transformation.
ASSOCHAM derives its strength from the following Promoter Chambers: Bombay
Chamber of Commerce & Industry, Mumbai; Cochin Chambers of Commerce & Industry,
Cochin; Indian Merchant’s Chamber, Mumbai; The Madras Chamber of Commerce and
Industry, Chennai; PHD Chamber of Commerce and Industry, New Delhi.
Together, we can make a significant difference to the burden that our nation carries and
bring in a bright, new tomorrow for our nation.

D. S. Rawat
Secretary General
email: [email protected]

The Associated Chambers of Commerce and Industry of India


ASSOCHAM Corporate Office:
5, Sardar Patel Marg, Chanakyapuri, New Delhi-110 021
Tel: 011-46550555 (Hunting Line) • Fax: 011-23017008, 23017009
Website: www.assocham.org
