Subject - Cyber Laws & Rights
M. tech. 3rd Sem., ISM.
By: Prashant Kr. Vats,
M.tech., Ph.D.
INDIRA GANDHI DELHI TECHNICAL UNIVERSITY
FOR WOMEN
Cyber Security Standards
Compliance
Introduction
• Technology is woven into everyday life: booking reservations on a
smartphone, checking email, checking in for a flight. Globalization has
added to this a world in which almost everything is interconnected with
everything else.
• Governments, businesses and societies around the world rely more and
more on technology and the Internet in their daily lives. Its benefits are
beyond question, but greater reliance on technology also means greater
exposure to attacks and breaches. Companies are hacked, and millions of
individuals become victims of identity and data theft.
• Governments worldwide are also facing the increasing threats of
cyber-attacks. Successful attacks put prosperity of economies and the
well-being of societies at risk.
• Consequently, governments are putting measures in place in the hope of
building a resilient, healthy and secure cyberspace. Even so, cyber security
continues to dominate headlines for the wrong reasons. In response, a
current trend among governments seeking to protect their critical
infrastructure is to require the implementation of cyber security
standards in their critical sectors.
Objectives
• The objective of these slides is to provide an
overview of the various approaches that
countries are taking with regard to the
implementation of cyber security standards.
• Further, these slides discuss the benefits of
implementing cyber security standards for
organizations as well as for nations as a whole.
Cyber-attacks – A global risk
• As e-business grew, there was no sign that cyber threats and
attacks on organizations worldwide were easing.
• Whether targeted to government entities or private
corporations, the threats from cyber adversaries continue
to grow in scale and sophistication globally.
• Public and private organizations in various sectors
worldwide now openly acknowledge that cyber threats are
one of the most common and high impact risks they face.
• Dealing with cyber threats is becoming a complex challenge
due to the evolving cyber security landscape.
• Organizations today face not only common and known
cyber threats, but new and emerging ones where targeted
and large scale attacks can impact not only the
organizations but may potentially lead to the adverse
impact on nations’ critical infrastructures.
Cyber-attacks on critical sectors
• The 2014 cyber-attack on an American entertainment subsidiary of a
Japanese multimedia conglomerate affected not only the company but the
nation’s security as a whole. Apart from releasing confidential data, the
attackers also sent threatening messages to be acted on if their demands
were not met [1]. The financial sector has also become a regular target.
• A malware attack in South Korea in 2013 disabled some 48,000 personal
computers and servers, disrupting work at banks and television
broadcasters in the country [2].
• In 2012, the Shamoon virus attack on Saudi Arabia’s leading oil and gas
company damaged approximately 30,000 computers, disrupting the flow of
oil and gas to local and international markets [3].
• Global technology companies have had their share of cyber-attacks in
recent years as well. Several were hacked, exposing proprietary
information and sensitive communications that were then used to target
major corporations.
CYBER INCIDENTS REPORTED
Global cost of cybercrime
• From a global standpoint, a recent McAfee publication estimated the annual
cost of cybercrime to the global economy at more than USD 400 billion [8].
• The four largest economies in the world, the United States of America (USA),
China, Japan and Germany, bear the brunt of these losses, with a combined
figure of around USD 200 billion.
• The financial loss on the global economy is only expected to rise as
reliance on technology in the cyberspace increases. Consequently,
governments worldwide are realizing that cyber threats can not only
disrupt critical infrastructure networks, but also potentially escalate to the
level of a national security threat.
• Dealing with cyber threats and attacks is no longer just about being aware
or vigilant – but it’s about being resilient. Governments around the world
are putting measures in place to enhance resiliency in weathering the
cyber threats and attacks.
• Whilst the global community has taken steps to mitigate these threats,
critical infrastructure must remain resilient enough to withstand
cyber-attacks. ‘Resiliency’ has many definitions, but generally it is the
capability to prepare for, protect against, respond to and recover from
threats and hazards.
How do countries or organizations remain resilient?
• The implementation of cyber security standards is by no means a silver bullet for critical
infrastructure protection.
• However, implementing them establishes a set of controls that contribute to better
resiliency.
• Cyber security standards support the capabilities of preparing for, protecting against,
responding to and recovering from cyber-attacks.
• Implementing and complying with cyber security standards allows established principles
and good practice in security management to be applied to improving the security and
resilience of critical infrastructures. Standards commonly drawn on include:
• ISO/IEC 27032:2012 Information technology -- Security techniques – Guidelines for
cyber security
• ISO/IEC 27001 Information technology -- Security techniques -- Information security
management systems – Requirements
• ISO 22301 Societal security -- Business continuity management system Requirements
• ISO/IEC 15408 Information technology -- Security techniques -- Evaluation criteria for
IT security
• ISO/IEC 27035 Information technology -- Security techniques -- Information security
incident management
• ISO/IEC 27005 Information technology -- Security techniques -- Information security
risk management
• FIPS 140: Security Requirements for Cryptographic Modules
• FIPS 186-3: Digital Signature Standard
ISO/IEC 27032:2012 Information technology --
Security techniques – Guidelines for cyber security
• ISO/IEC 27032:2012 provides guidance for improving the state of Cyber
security, drawing out the unique aspects of that activity and its
dependencies on other security domains, in particular:
1. information security,
2. network security,
3. internet security, and
4. critical information infrastructure protection (CIIP).
• It covers the baseline security practices for stakeholders in the
Cyberspace.
• This International Standard provides:
1. an overview of Cyber security,
2. an explanation of the relationship between Cyber security and other
types of security,
3. a definition of stakeholders and a description of their roles in Cyber
security,
4. guidance for addressing common Cyber security issues, and
5. a framework to enable stakeholders to collaborate on resolving Cyber
security issues.
ISO/IEC 27001
INFORMATION SECURITY MANAGEMENT
• When it comes to keeping information assets secure, organizations
can rely on the ISO/IEC 27000 family.
• ISO/IEC 27001 is widely known, providing requirements for an
information security management system (ISMS), though there are
more than a dozen standards in the ISO/IEC 27000 family.
• Using them enables organizations of any kind to manage the
security of assets such as financial information, intellectual
property, employee details or information entrusted by third
parties.
• Like other ISO management system standards, certification to
ISO/IEC 27001 is possible but not obligatory.
• Some organizations choose to implement the standard in order to
benefit from the best practice it contains, while others also seek
certification to reassure customers and clients that the standard’s
requirements have been met.
• ISO does not perform certification.
ISO 22301 Societal security
• ISO 22301 is the Business Continuity Management System standard.
The ISO 22301 BCM standard is designed to ensure that a robust
business continuity management system has been established, and
that internal staff members are fully aware of their role within the
system should an incident occur.
• ISO 22301:2012 specifies requirements to plan, establish, implement,
operate, monitor, review, maintain and continually improve a
documented management system to protect against, reduce the
likelihood of occurrence, prepare for, respond to, and recover from
disruptive incidents when they arise.
• The requirements specified in ISO 22301:2012 are generic and
intended to be applicable to all organizations, or parts thereof,
regardless of type, size and nature of the organization. The extent of
application of these requirements depends on the organization's
operating environment and complexity.
ISO/IEC 15408 IT Security Evaluation
• ISO/IEC 15408-1:2009 establishes the general concepts and principles of IT
security evaluation and specifies the general model of evaluation given by
various parts of ISO/IEC 15408 which in its entirety is meant to be used as the
basis for evaluation of security properties of IT products.
• The Common Criteria for Information Technology Security Evaluation (referred
to as Common Criteria or CC) is an international standard (ISO/IEC 15408)
for computer security certification. It is currently in version 3.1 revision 5.
• The Common Criteria (CC) was developed to facilitate consistent evaluations of
security products and systems. It is an international effort to define an IT
security evaluation methodology whose results are mutually recognized by the
participating nations (under the Common Criteria Recognition Arrangement), so
that a product evaluated in one country need not be re-evaluated in another.
• The key concepts of protection profiles (PP), packages of security requirements
and the topic of conformance are specified and the consequences of
evaluation and evaluation results are described.
• ISO/IEC 15408-1:2009 gives guidelines for the specification of Security Targets
(ST) and provides a description of the organization of components throughout
the model.
ISO/IEC 27035 Security incident management
• ISO/IEC 27035:2011 provides a structured and planned approach to:
1. detect, report and assess information security incidents;
2. respond to and manage information security incidents;
3. detect, assess and manage information security vulnerabilities;
and
4. continuously improve information security and incident
management as a result of managing information security
incidents and vulnerabilities.
• ISO/IEC 27035:2011 provides guidance on information security
incident management for large and medium-sized organizations.
Smaller organizations can use a basic set of documents, processes
and routines described in this International Standard, depending on
their size and type of business in relation to the information
security risk situation.
• It also provides guidance for external organizations providing
information security incident management services.
ISO/IEC 27005 Information security risk management
• Scope of the standard
• The standard ‘provides guidelines for information security risk management’
and ‘supports the general concepts specified in ISO/IEC 27001 and is designed
to assist the satisfactory implementation of information security based on a
risk management approach.’
• It cites ISO/IEC 27000 as a normative (essential) reference, and
mentions ISO/IEC 27001, ISO/IEC 27002 and ISO 31000 in the text. NIST
standards are referenced in the bibliography.
• Content of the standard
• The standard doesn't specify, recommend or even name any specific risk
management method. It does however imply a continual process consisting of
a structured sequence of activities, some of which are iterative:
• Establish the risk management context (e.g. the scope, compliance
obligations, approaches/methods to be used and relevant policies and criteria
such as the organization’s risk tolerance or appetite);
ISO/IEC 27005 Information security risk management
• Quantitatively or qualitatively assess (i.e. identify, analyze and
evaluate) relevant information risks, taking into account the
information assets, threats, existing controls and vulnerabilities
to determine the likelihood of incidents or incident scenarios,
and the predicted business consequences if they were to occur,
to determine a ‘level of risk’;
• Treat (i.e. modify [use information security controls], retain
[accept], avoid and/or share [with third parties]) the risks
appropriately, using those ‘levels of risk’ to prioritize them;
• Keep stakeholders informed throughout the process; and
• Monitor and review risks, risk treatments, obligations and criteria
on an ongoing basis, identifying and responding appropriately to
significant changes.
• Extensive appendices provide additional information, primarily
examples to demonstrate the recommended approach.
FIPS 140: Security Requirements for
Cryptographic Modules
• The 140 series of Federal Information Processing
Standards (FIPS) are U.S. government computer
security standards that specify requirements
for cryptographic modules.
• FIPS 140-2 was issued on 25 May 2001 and remained the
current version for many years. Its successor, FIPS 140-3,
was approved on March 22, 2019 and became effective on
September 22, 2019.
• FIPS 140-3 testing began on September 22, 2020. FIPS 140-2
testing continued for a year after that (new FIPS 140-2
submissions were accepted until September 2021), so the two
standards coexisted for some time, and FIPS 140-2
certificates remain in use until they are moved to the
historical list.
Purpose of FIPS 140
• The National Institute of Standards and Technology (NIST) issues the 140
Publication Series to coordinate the requirements and standards for
cryptographic modules which include both hardware and software components
for use by departments and agencies of the United States federal government.
• FIPS 140 does not purport to provide sufficient conditions to guarantee that a
module conforming to its requirements is secure, still less that a system built
using such modules is secure. The requirements cover not only the cryptographic
modules themselves but also their documentation and (at the highest security
level) some aspects of the comments contained in the source code.
• User agencies desiring to implement cryptographic modules should confirm that
the module they are using is covered by an existing validation certificate. FIPS
140-1 and FIPS 140-2 validation certificates specify the exact module name,
hardware, software, firmware, and/or applet version numbers. For Levels 2 and
higher, the operating platform upon which the validation is applicable is also
listed. A validation covers only the exact version and configuration listed;
a later patch release of the same module is not covered until it is revalidated,
and vendors do not always maintain their baseline validations.
• The Cryptographic Module Validation Program (CMVP) is operated jointly by the
United States Government's National Institute of Standards and
Technology (NIST) Computer Security Division and the Communications Security
Establishment (CSE) of the Government of Canada. The use of validated
cryptographic modules is required by the United States Government for all
unclassified uses of cryptography. The Government of Canada also recommends
the use of FIPS 140 validated cryptographic modules in unclassified applications
of its departments.
FIPS 186-3: Digital Signature Standard
• Name of Standard: Digital Signature Standard (DSS) (FIPS 186-3). This
edition has since been superseded by FIPS 186-4 (2013) and FIPS 186-5 (2023).
• Category of Standard: Computer Security. Subcategory: Cryptography.
• Explanation: This Standard specifies algorithms (DSA, RSA and ECDSA) for
applications requiring a digital signature rather than a written signature.
• Applicability: This Standard is applicable to all Federal departments and
agencies for the protection of sensitive unclassified information that is not
subject to section 2315 of Title 10, United States Code, or section 3502 (2)
of Title 44, United States Code. This Standard shall be used in designing
and implementing public key-based signature systems that Federal
departments and agencies operate or that are operated for them under
contract. The adoption and use of this Standard is available to private and
commercial organizations.
• Applications: A digital signature algorithm allows an entity to authenticate
the integrity of signed data and the identity of the signatory. The recipient
of a signed message can use a digital signature as evidence in
demonstrating to a third party that the signature was, in fact, generated
by the claimed signatory. This is known as non-repudiation, since the
signatory cannot easily repudiate the signature at a later time. A digital
signature algorithm is intended for use in electronic mail, electronic funds
transfer, electronic data interchange, software distribution, data storage,
and other applications that require data integrity assurance and data
origin
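The signing and verification relationship described above, worked through in code. This is an added example written for these slides, not code from NIST or from the Standard: it implements ECDSA (one of the DSS algorithms) over the NIST P-256 curve in pure Python so that every step is visible, and it also shows the failure mode the Standard warns about, reuse of the per-message secret k, which lets anyone holding two signatures recover the private key. The message strings are constructed sample inputs. A production system must use a validated cryptographic library; this code is not constant-time and exists only to demonstrate the mathematics.

```python
"""Added example: ECDSA sign/verify on NIST P-256 (an algorithm in FIPS 186-3),
written for this page, not NIST's or the deck's own code. Pure Python for
readability; not constant-time, so never use it in production."""
import hashlib
import secrets

# NIST P-256 domain parameters (public constants from FIPS 186-3, Appendix D)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def on_curve(point):
    """Check y^2 == x^3 + A*x + B (mod P); None is the point at infinity."""
    if point is None:
        return True
    x, y = point
    return (y * y - (x * x * x + A * x + B)) % P == 0


def _add(p1, p2):
    """Affine point addition with doubling; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, point):
    """Double-and-add scalar multiplication (not constant-time)."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result


def _hash_int(message):
    """e = SHA-256(message) as an integer, reduced mod N (hash and curve are both 256-bit)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def keygen():
    """Private key d in [1, N-1]; public key Q = d*G."""
    d = secrets.randbelow(N - 1) + 1
    return d, _mul(d, G)


def sign(d, message, k=None):
    """Return (r, s). k is normally a fresh secret; passing one is only for the reuse demo."""
    e = _hash_int(message)
    while True:
        k_used = k if k is not None else secrets.randbelow(N - 1) + 1
        r = _mul(k_used, G)[0] % N
        s = pow(k_used, -1, N) * (e + r * d) % N
        if r and s:
            return r, s
        if k is not None:
            raise ValueError("supplied k gives a degenerate signature")


def verify(q, message, sig):
    """Accept iff (e*s^-1)*G + (r*s^-1)*Q has x-coordinate r (mod N)."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    e, w = _hash_int(message), pow(s, -1, N)
    point = _add(_mul(e * w % N, G), _mul(r * w % N, q))
    return point is not None and point[0] % N == r


def recover_private_key(message1, sig1, message2, sig2):
    """Two signatures made with the same k (same r) leak k and therefore d."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("different r values: k was not reused")
    e1, e2 = _hash_int(message1), _hash_int(message2)
    k = (e1 - e2) * pow(s1 - s2, -1, N) % N        # s1 - s2 = k^-1 (e1 - e2)
    return (s1 * k - e1) * pow(r1, -1, N) % N      # s1 = k^-1 (e1 + r d)


def demo():
    """Sign a constructed message, verify it, show tampering fails, then show nonce reuse."""
    d, q = keygen()
    msg = b"transfer 100 to account 42"             # constructed sample message
    sig = sign(d, msg)
    ok = verify(q, msg, sig)
    tampered = verify(q, b"transfer 900 to account 42", sig)
    k = secrets.randbelow(N - 1) + 1                # deliberately reused below (the bug)
    s1, s2 = sign(d, b"msg one", k), sign(d, b"msg two", k)
    leaked = recover_private_key(b"msg one", s1, b"msg two", s2) == d
    return ok, tampered, leaked


if __name__ == "__main__":
    print(demo())
```

The verifier needs only the public key Q, which is why a third party can later be shown that the signature was produced by the holder of d (non-repudiation). The `recover_private_key` step is the reason the Standard requires k to be unique and unpredictable per signature: the curve and hash are sound, yet one repeated k turns two public signatures into the signer's private key.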
“ Some countries implement cyber security
standards through mandatory requirements,
whilst others provide guidelines and
frameworks.”
Cyber security framework under the
IT Act in India
• India enacted the Information Technology Act, 2000 (“IT Act”) on 09 June
2000. The IT Act is based on the UNCITRAL model law on e-commerce.
• The preamble of the IT Act simply indicates that the Act is centered
around affording legal recognition to transactions carried out
electronically. However, the scope of the IT Act goes much beyond its
preamble. It covers multiple areas including data protection and security,
cybercrimes, adjudication of cyber disputes, government mandated
surveillance of digital communication, and intermediary liability.
• The IT Act was last amended in 2008, with subordinate Rules notified under it
in 2011. Despite an unprecedented increase in cyber fraud, data breaches and
general cyber security concerns, the Act itself has not changed in over a
decade. In February 2020, the Ministry of Electronics and Information
Technology (“MeitY”) announced that it would revamp the IT Act with a stronger
focus on a framework for cyber security.
• Emerging technologies, explosion of digital business models and a
substantial increase in the instances of cybercrimes have triggered the
government to take steps to fast track the process of amending the IT Act.
A. Key developments in the cyber
security framework in India-
• 1. The Indian Computer Emergency Response Team-
• On 23 February 2003, the ministry (now MeitY) designated the Indian Computer
Emergency Response Team (“CERT-In”) as the authority to issue
instructions for blocking websites under the IT Act to prevent online
obscenity. In 2009, CERT-In was nominated as the national agency for
responding to cyber security incidents (section 70B of the IT Act,
inserted by the 2008 amendment). CERT-In is currently tasked with the
following functions:
• a. Collecting, analysing and disseminating information on cyber
incidents;
• b. Raising awareness about cyber security among citizens;
• c. Issuing guidelines, advisories, vulnerability notes on information
security practices, procedures, prevention, response and reporting
of cyber incidents. For instance, in December 2019, the CERT-In
issued a vulnerability note on a vulnerability in the Android
operating system called the StrandHogg.
2. Constitution of committee of experts to review the IT Act-
• In 2005, a committee of experts was constituted by the erstwhile Ministry of Communications
and Information Technology to review the IT Act. In their report, the committee proposed to
strengthen the framework for computer based crimes. It also proposed to build a robust
mechanism to deal with data protection and privacy challenges. Accordingly, the following
notable amendments were suggested:
• a. Treatment of computer based crimes– Section 43 of the IT Act provided for compensation in
various cases including unauthorized access to a computer system, data theft and introduction of
viruses into a computer system. Section 66 of the IT Act penalized the offence of hacking a
computer system. The committee suggested replacing section 66 with a new section that
comprehensively dealt with computer based offences. The substituted section 66, which
penalized computer offences done ‘fraudulently’ or ‘dishonestly’, was worded to mirror
section 43 of the then IT Act.
• b. Data protection – To ensure security of data and protection of information from unauthorized
damage, the committee suggested to hold a body corporate processing, dealing or handling
sensitive personal data in a computer resource liable for failure to implement and maintain
reasonable security procedures and measures.
• c. Stringent provisions to deal with cybercrimes– Provisions addressing the issue of child
pornography and video voyeurism with higher degree of punishment were proposed.
• d. Power of interception-Based on the recommendations of Inter-Ministerial Working Group on
Cyber Laws & Cyber Forensics, wide powers of monitoring, interception and decryption of any
information through any computer resource was proposed to be transferred from the Controller
of Certifying Authority to the central government.
• The set of amendments proposed to be introduced by these recommendations paved the way
for the government to consider the issues of data protection and cyber security in its subsequent
attempts to amend the IT Act
3. Recommendations of the standing committee on IT on the IT
(Amendment) Bill 2006-
• Based on the recommendations of the committee of experts, the government introduced the IT
(Amendment) Bill, 2006 (“Amendment Bill”) in December 2006. It was later referred for review to the
standing committee on IT. In its 50th report released in 2007, the standing committee on IT criticized the
government’s approach of amending the existing IT Act, rather than bringing a new and exclusive
legislation for governing information technology. The standing committee on IT highlighted the following
issues in its report:
• a. Specific issues of cybercrime and cyber terrorism– The committee pointed out the inadequacy of the
Amendment Bill to deal with the issues of cybercrime including cyber terrorism. It noted that cyber
terrorism was not defined in the proposed amendments to the IT Act. The committee expressed its
concerns over government’s proposal to introduce penalties that aligned the IT Act with the Indian Penal
Code (“IPC”). The report noted that the IPC was an archaic law and ill equipped to encompass varied
cybercrimes including cyber terrorism. The committee recommended incorporating adequate, stringent,
specific and self-enabling provisions in the IT Act itself to deal effectively with such offences.
• b. Cross border cybercrimes– The committee opined that entering into Mutual Legal Assistance Treaties to
deal with cross border cybercrimes with one country at a time offered a solution in a ‘piecemeal manner’.
Accordingly, the committee recommended that the government must build a roadmap to become a part
of an omnibus international convention on cybercrimes to effectively address this issue.
• c. Child pornography– The committee recommended that the Amendment Bill should have explicit
provisions to deal with child pornography. This would align it with the laws in other advanced countries
and Article 9 of the Council of Europe Convention on Cyber Crimes.
• d. Powers of interception – The committee questioned the rationale of vesting the central government
with the power to issue directions for interception or monitoring of any information through any
computer resource. It noted that since ‘public order’ and ‘police’ are state subjects as per the Constitution
of India, the power to intercept any information should be vested in the state governments. This will also
align the proposed law with the powers of interception given to state governments in the Indian Telegraph
Act, 1885.
• e. Status of the CERT-In– The committee in its report noted that even though CERT-In has been nominated
as the national agency on cyber security, the status of the body has not been defined. Accordingly, the
committee suggested that the agency should be defined as a government body to clarify its status beyond
doubt. Doing so will instill confidence in foreign investors regarding existence of a bona fide legal
framework in the country.
4. The Information Technology (Amendment) Act, 2008-
• In December 2008, Parliament enacted the IT (Amendment) Act 2008 (“Amendment
Act”). The following notable amendments were introduced through the Amendment Act:
• a. Computer related offences– The Amendment Act (section 66A) prohibited transmission of offensive
messages or any information for the purpose of causing annoyance, inconvenience, etc. by
means of a computer resource or communication service. This provision was later
struck down by the Supreme Court of India in the Shreya Singhal case.
• b. Power of interception– Based on the recommendations of the standing committee on IT,
the Amendment Act empowered both the central and state governments to issue directions
for interception/monitoring of any information under section 69. The scope of the
information intercepted was broadened to include its transmission, generation and storage,
as opposed to just transmission in the original provision. The amended section also made
issuance of such interception orders subject to additional safeguards introduced through the
Information Technology (Procedure and Safeguards for Interception, Monitoring and
Decryption of Information) Rules, 2009 (“Interception Rules”).
• c. Critical information infrastructure– The Amendment Act introduced the term ‘critical
information infrastructure’ (“CII”), i.e. a computer resource whose incapacitation or destruction
would have a debilitating impact on national security, the economy, public health or safety.
Further, any computer resource facilitating such CII could be declared a protected system.
Accordingly, the government was empowered to control access to such protected systems, in
addition to prescribing information security practices and procedures for them.
• d. Nodal agency for CII– In January 2014, the National Critical Information Infrastructure
Protection Centre (“NCIIPC”) was designated as the national nodal agency under the
provisions of the Amendment Act. The NCIIPC is responsible for undertaking all measures to
protect CII from unauthorized access, modification, use or disclosure
5. Bill on Intelligence agency reforms-
• In March 2011, the Intelligence Services (Powers and Regulation) Bill,
2011 (“Intelligence Bill”) was introduced as a private members bill by Shri
Manish Tewari. He was a Member of Parliament in the Lok Sabha and
currently a member of the Joint Parliamentary Committee examining the
Draft Personal Data Protection Bill, 2019. The Intelligence Bill proposed to
regulate the functioning of three major Indian Intelligence Agencies-
Research and Analysis Wing (“RAW”), Intelligence Bureau (“IB”) and
National Technical Research Organization (“NTRO”)- by putting in place an
oversight mechanism. The Bill stated that surveillance operations
undertaken by such intelligence agencies infringe the right to privacy of
individuals. To prevent intelligence agencies from misusing their
surveillance powers, it proposed a National Intelligence and Security
Oversight Committee (“NISOC”). The NISOC was empowered to seek any
information that these agencies possessed. Additionally, the Intelligence
Bill provided for a National Intelligence Tribunal to hold these agencies
accountable. The tribunal was empowered to investigate complaints filed
by any person for action taken against her or her property by these
agencies. However, the Intelligence Bill, like most private member bills,
never came up for discussion and ultimately lapsed.
6. National Cyber Security Policy, 2013-
• In July 2013, the erstwhile Ministry of Communication and Information
Technology notified the National Cyber Security Policy (“NCSP”).
• Based on the objectives envisioned in the NCSP 2013, the following
strategies/initiatives were introduced by the Indian government:
• a. Designation of the NCIIPC as the nodal agency to undertake measures
to secure the country’s CII.
• b. Cyber Swachhta Kendra initiative under the CERT-In to combat and
analyse any malicious infections/attacks that damage computer systems.
The initiative is aimed at securing the cyber ecosystem by preventing such
attacks from taking place and cleaning the systems that have already been
infected.
• c. Development of multilateral relationships in the area of cyber security.
In 2016, India partnered with the US for coordinating best practices in
relation to cyber security and exchanging information in real time about
malicious cyberattacks, among other things.
• d. Setting up of the National Cyber Coordination Centre (“NCCC”) to create
situational awareness about cyber security threats and enable timely
information sharing for preventive action by individual entities.
7. Standing committee on IT report on ‘Cyber Crime, Cyber Security and
Right to Privacy’-
• In February 2014, the standing committee on IT made the following recommendations in its
report on cybercrime, security and privacy –
• a. The committee observed that there are 20 different kinds of cybercrimes. Recognizing the
impact of cyber threats on critical sectors (such as power, atomic energy, space, aviation, etc.),
it recommended establishing a national protection centre to protect the CII in the country.
• b. In dealing with issues pertaining to cyber frauds, the government may have to coordinate
with multiple institutions, such as the Reserve Bank of India and the SEBI. Accordingly, the
committee recommended to form a centralized agency to deal with all the cases of
cybercrimes.
• c. The committee noted that multiple agencies including the Ministry of Defence (“MoD”), Ministry
of Home Affairs (“MHA”), IB, NTRO, NCIIPC, etc. are involved in securing the Indian cyberspace.
It also noted that, to minimize overlapping responsibilities between such agencies, the
National Security Council Secretariat (“NSCS”) had been tasked with overseeing compliance with
cyber security policies. However, given the number of agencies involved, this could hinder a
prompt response to cyber threats. Recognizing the need for a collaborative effort between the
government and the industry to address this issue, the committee suggested implementing the
recommendations made by a Joint Working Group (“JWG”) that was set up under the Deputy
National Security Advisor in this regard. The JWG recommended, among other things, putting in
place a permanent mechanism for a Public Private Partnership (“PPP”) on cyber security.
• d. The committee acknowledged that despite the cost advantages in hosting servers outside
India, the accompanying technical and legal security concerns posed to the nation and citizen’s
privacy have to be given due consideration. Accordingly, the committee recommended that
government should take all steps to ensure that as far as possible, the servers should be hosted
locally.
8. Surveillance order issued by MHA–
• In December 2018, the MHA passed an order under the
Interception Rules which authorized 10 security and
intelligence agencies to intercept/monitor/decrypt any
information transmitted, generated, received or stored on
any computer resource.
• These agencies include the IB, Narcotics Control Bureau,
Enforcement Directorate, Central Board of Direct Taxes,
Central Bureau of Investigation and the Delhi Police. The
order was heavily criticized and challenged before the
Supreme Court on the grounds of violating the
fundamental right to privacy, as laid down in
the Puttaswamy case.
• The central government defended the order by claiming
that it was passed to pursue a legitimate state aim.
Furthermore, the government has submitted that authorized
agencies will have to seek the permission of the competent
authority before intercepting any information.
The matter is currently pending before the Supreme Court.
9. National Cyber Security Strategy 2020-
• In another attempt to address the issues
pertaining to cyber threats and data vulnerabilities, the
Indian government has proposed to issue the
National Cyber Security Strategy (“NCSS”) 2020.
• The NCSS aims to examine various facets of cyber
security under three pillars: securing the national
cyberspace; strengthening structures, people,
processes and capabilities; and synergizing resources,
including through cooperation and collaboration.
• The government had sought comments and
suggestions on different aspects of the NCSS by
10th January 2020 and is currently in the process of
framing the policy.
B. Key Issues on cyber security–
• 1. Surveillance and privacy-
• a. The Interception Rules designate the Secretary in the Union Ministry of Home
Affairs/Home Department of a state government (“Home Secretary”) as the
‘competent authority’ for approving data surveillance/monitoring requests under
the IT Act. Additionally, the Interception Rules provide for a review committee to
oversee the directions issued by the competent authority to intercept/monitor
such information. Per the Interception Rules, the review committee is mandated to
meet at least once in two months. Similarly, a committee headed by the chief
secretary reviews directions passed by state governments.
• b. This means that the central government has to approach the Home Secretary
before it issues any directions to intercept/monitor any digital communication.
However, given the large number of interception/monitoring requests made by the
government, it becomes unfeasible for the Home Secretary to objectively assess each
request. Thus, the Home Secretary becomes a mere rubber-stamp authority for
approving government interception requests.
• c. Interestingly, the Srikrishna Committee report mentioned that an application
filed under the RTI Act revealed that the review committee is tasked with reviewing
15,000-18,000 interception orders at every meeting. This unrealistic workload poses a
threat to the safety and security of individuals’ personal data. The committee noted
that surveillance should not be carried out without a degree of transparency that
can pass the Puttaswamy test of necessity, proportionality and due process.
2. Multiplicity of institutions
• The issue of the multiplicity of cyber security agencies was
highlighted by the Standing Committee on IT in its
52nd report. The existence of several institutions tasked with
securing the cyberspace leads to a lack of coordination between
them.
• In 2015, the standing committee on IT in its 17th report
outlined the action taken by the government on the
recommendations of the JWG to deal with the issue of
multiplicity of cyber security agencies.
• The report noted that the government, in July 2014,
had identified the objectives that would promote the
overall cooperative framework for a PPP on cyber
security. However, an action plan for implementing
these recommendations was still being worked out.
• The issue as such appears to be unresolved, with the following agencies
presently dealing with cyber security:
• a. Cyber and Information Security Division, MHA: This division under the MHA is
tasked with handling the matters related to cyber security and cyber-crimes.
• b. CERT-In: CERT-In functions under the aegis of MeitY. Its main functions include
responding to cyber-security incidents and issuing security guidelines, advisories
and alerts.
• c. NCIIPC: It acts as the national nodal agency for the protection of CII in India.
• d. NCCC: It is responsible for creating situational awareness about existing and
potential cyber security threats and enabling timely information sharing for ‘proactive,
preventive and protective’ actions by individual entities.
• e. Indian Cyber Crime Coordination Centre (“I4C”): The I4C scheme consists of
seven components, to be established on a rolling basis by the MHA in 2018-2020,
including a National Cybercrime Threat Analytics Unit, a National Cybercrime Forensic
Laboratory Ecosystem and a National Cyber Research and Innovation Centre.
• f. National Cyber Security Coordinator (“NCSC”): It was formed under the NSCS as
the nodal agency for cyber security. The NCSC coordinates with different agencies at
the national level for cyber security matters.
• g. Defence Cyber Agency: The agency has been established to address the issues
pertaining to military cyber security and cyber warfare. It is governed by the
Defence Intelligence Agency under the MoD.
2. Multiplicity of institutions

Cyber Security Standards Compliance

  • 1.
    Subject - CyberLaws & Rights M. tech. 3rd Sem., ISM. By: Prashant Kr. Vats, M.tech., Ph.D. INDIRA GANDHI DELHI TECHNICAL UNIVERSITY FOR WOMEN
  • 2.
  • 3.
    Introduction • The usageof technology in today’s world is inevitable. Whether it is making reservations on our smart phones, or checking emails, or checking in for flights, usage of technology is present. Further, the globalization phenomenon we see today means we are living in a world where almost everything is interconnected to one another. • Governments, businesses and societies around the world are relying more and more on technology and the Internet in their daily lives. Whilst its benefits cannot be questioned, unfortunately the increase of our reliance on technology implies that we are at higher risk of attack and breaches – cyber-attacks. Companies are being hacked causing millions of individuals to be victims of stolen identity and information. • Governments worldwide are also facing the increasing threats of cyber-attacks. Successful attacks put prosperity of economies and the well-being of societies at risk. • Consequently, governments are putting measures in place in hope of having a resilient, healthy and secure cyberspace. Nonetheless, even with these efforts, cyber security continues to dominate headlines in the wrong way. Responding to this current scenario, current trends of governments protecting their critical infrastructures is the implementation of cyber security standards to their critical sectors.
  • 4.
    Objectives • The objectiveof these slides is to provide an overview of the various approaches that countries are taking with regard to the implementation of cyber security standards. • Further, these slides discusses the benefits of the implementation of cyber security standards to organizations as well as nations as a whole.
  • 5.
    Cyber-attacks – Aglobal risk • As the E-business began to increase online, there were no signs of cyber threats and attacks on organizations worldwide easing. • Whether targeted to government entities or private corporations, the threats from cyber adversaries continue to grow in scale and sophistication globally. • Public and private organizations in various sectors worldwide now openly acknowledge that cyber threats are one of the most common and high impact risks they face. • Dealing with cyber threats is becoming a complex challenge due to the evolving cyber security landscape. • Organizations today face not only common and known cyber threats, but new and emerging ones where targeted and large scale attacks can impact not only the organizations but may potentially lead to the adverse impact on nations’ critical infrastructures.
  • 6.
    Cyber-attacks on criticalsectors • The recent cyber-attack against an American entertainment subsidiary of Japanese multimedia conglomerate in 2014 has not only affected the company, but also the nation’s security as a whole. Apart from releasing confidential data, the hackers had also sent threatening messages if their demands were not met [1]. The Financial sector has also become a regular target. • The malware attack in 2013 in South Korea has resulted in the malfunction of 48,000 personal computers and servers, disrupting work at banks and television broadcasters in the country [2] . • In 2012, a virus attack known as Shamoon on Saudi Arabia’s leading Oil & Gas company had damaged approximately 30,000 computers resulting in the disruption of oil and gas flow to the local and international markets [3 ]. • Global technology companies have had their fair share of experiencing cyber-attacks in recent years as well. These companies were hacked, resulting in exposed proprietary information and sensitive communications that was then used to target major corporations.
  • 7.
  • 8.
    Global cost ofcybercrime • From a global standpoint, a recent publication by McAfee estimated the annual cost of cybercrime to the global economy is more than USD400 billion [8] . • Facing the brunt of these losses are the 4 largest economies in the world; the United States of America (USA), China, Japan, and Germany with an accumulative figure reaching USD200 billion. • The financial loss on the global economy is only expected to rise as reliance on technology in the cyberspace increases. Consequently, governments worldwide are realizing that cyber threats can not only disrupt critical infrastructure networks, but also potentially escalate to the level of a national security threat. • Dealing with cyber threats and attacks is no longer just about being aware or vigilant – but it’s about being resilient. Governments around the world are putting measures in place to enhance resiliency in weathering the cyber threats and attacks. • Whilst the global community have undertaken actions and steps in mitigating these cyber threats, it is important to ensure the critical infrastructure remains resilient to withstand cyber-attacks. The term ‘resiliency’ can have many definitions, but generally it is the capability to prepare, protect, respond and recover from threats and hazards.
  • 9.
    How do countriesor organizations remain resilient? • The implementation of cyber security standards is by no means a silver bullet in critical infrastructure protection. • However, its implementation can establish a set of controls that contribute and build better resiliency. • The cyber security standards may support the capabilities of preparing, protecting, responding and recovering from cyber-attacks. • The implementation and compliance with cyber security standards may enable the principles and better practices in cyber security management be applied in improving the security and resilience of critical infrastructures. • ISO/IEC 27032:2012 Information technology -- Security techniques – Guidelines for cyber security • ISO/IEC 27001 Information technology -- Security techniques -- Information security management systems – Requirements • ISO 22301 Societal security -- Business continuity management system Requirements • ISO/IEC 15408 Information technology -- Security techniques -- Evaluation criteria for IT security • ISO/IEC 27035 Information technology -- Security techniques -- Information security incident management • ISO/IEC 27005 Information technology -- Security techniques -- Information security risk management • FIPS 140-1: Security Requirements for Cryptographic Modules • FIPS 186-3: Digital Signature Standard
  • 10.
    ISO/IEC 27032:2012 Informationtechnology -- Security techniques – Guidelines for cyber security • ISO/IEC 27032:2012 provides guidance for improving the state of Cyber security, drawing out the unique aspects of that activity and its dependencies on other security domains, in particular: 1. information security, 2. network security, 3. internet security, and 4. critical information infrastructure protection (CIIP). • It covers the baseline security practices for stakeholders in the Cyberspace. • This International Standard provides: 1. an overview of Cyber security, 2. an explanation of the relationship between Cyber security and other types of security, 3. a definition of stakeholders and a description of their roles in Cyber security, 4. guidance for addressing common Cyber security issues, and 5. a framework to enable stakeholders to collaborate on resolving Cyber security issues.
  • 11.
    ISO/IEC 27001 INFORMATION SECURITYMANAGEMENT • When it comes to keeping information assets secure, organizations can rely on the ISO/IEC 27000 family. • ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family. • Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties. • Like other ISO management system standards, certification to ISO/IEC 27001 is possible but not obligatory. • Some organizations choose to implement the standard in order to benefit from the best practice it contains while others decide they also want to get certified to reassure customers and clients that its recommendations have been followed. • ISO does not perform certification.
  • 12.
    ISO 22301 Societalsecurity • ISO 22301 is the Business Continuity Management System standard. The ISO 22301 BCM standard is designed to ensure that a robust business continuity management system has been established, and that internal staff members are fully aware of their role within the system should an incident occur. • ISO 22301:2012 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise. • The requirements specified in ISO 22301:2012 are generic and intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature of the organization. The extent of application of these requirements depends on the organization's operating environment and complexity.
  • 13.
    ISO/IEC 15408 ITSecurity Evaluation • ISO/IEC 15408-1:2009 establishes the general concepts and principles of IT security evaluation and specifies the general model of evaluation given by various parts of ISO/IEC 15408 which in its entirety is meant to be used as the basis for evaluation of security properties of IT products. • The Common Criteria for Information Technology Security Evaluation (referred to as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. It is currently in version 3.1 revision 5. • The Common Criteria (CC) was developed to facilitate consistent evaluations of security products and systems. It is an international effort to define an IT Security evaluation methodology, which would receive mutual recognition between customers and vendors throughout the global economy. • ISO/IEC 15408-1:2009 establishes the general concepts and principles of IT security evaluation and specifies the general model of evaluation given by various parts of ISO/IEC 15408 which in its entirety is meant to be used as the basis for evaluation of security properties of IT products. • The key concepts of protection profiles (PP), packages of security requirements and the topic of conformance are specified and the consequences of evaluation and evaluation results are described. • ISO/IEC 15408-1:2009 gives guidelines for the specification of Security Targets (ST) and provides a description of the organization of components throughout the model.
  • 14.
    ISO/IEC 27035 Securityincident management • ISO/IEC 27035:2011 provides a structured and planned approach to: 1. detect, report and assess information security incidents; 2. respond to and manage information security incidents; 3. detect, assess and manage information security vulnerabilities; and 4. continuously improve information security and incident management as a result of managing information security incidents and vulnerabilities. • ISO/IEC 27035:2011 provides guidance on information security incident management for large and medium-sized organizations. Smaller organizations can use a basic set of documents, processes and routines described in this International Standard, depending on their size and type of business in relation to the information security risk situation. • It also provides guidance for external organizations providing information security incident management services.
  • 15.
    ISO/IEC 27005 Informationsecurity risk management • Scope of the standard • The standard ‘provides guidelines for information security risk management’ and ‘supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.’ • It cites ISO/IEC27000 as a normative (essential) standard, and mentions ISO/IEC 27001, ISO/IEC 27002 and ISO 31000 in the content. NIST standards are referenced in the bibliography. • Content of the standard • The standard doesn't specify, recommend or even name any specific risk management method. It does however imply a continual process consisting of a structured sequence of activities, some of which are iterative: • Establish the risk management context (e.g. the scope, compliance obligations, approaches/methods to be used and relevant policies and criteria such as the organization’s risk tolerance or appetite);
  • 16.
    ISO/IEC 27005 Informationsecurity risk management • Quantitatively or qualitatively assess (i.e. identify, analyze and evaluate) relevant information risks, taking into account the information assets, threats, existing controls and vulnerabilities to determine the likelihood of incidents or incident scenarios, and the predicted business consequences if they were to occur, to determine a ‘level of risk’; • Treat (i.e. modify [use information security controls], retain [accept], avoid and/or share [with third parties]) the risks appropriately, using those ‘levels of risk’ to prioritize them; • Keep stakeholders informed throughout the process; and • Monitor and review risks, risk treatments, obligations and criteria on an ongoing basis, identifying and responding appropriately to significant changes. • Extensive appendices provide additional information, primarily examples to demonstrate the recommended approach.
  • 17.
    FIPS 140: SecurityRequirements for Cryptographic Modules • The 140 series of Federal Information Processing Standards (FIPS) are U. S. government computer security standards that specify requirements for cryptography modules. • As of December 2016, the current version of the standard is FIPS 140-2, issued on 25 May 2001. Its successor FIPS 140-3 was approved on March 22, 2019 and will become effective on September 22, 2019. • FIPS 140-3 testing will begin September 22, 2020. After FIPS 140-3 testing begins, FIPS 140-2 testing will continue for at least a year, making the two standards to coexist for some time.
  • 18.
    Purpose of FIPS140 • The National Institute of Standards and Technology (NIST) issues the 140 Publication Series to coordinate the requirements and standards for cryptographic modules which include both hardware and software components for use by departments and agencies of the United States federal government. • FIPS 140 does not purport to provide sufficient conditions to guarantee that a module conforming to its requirements is secure, still less that a system built using such modules is secure. The requirements cover not only the cryptographic modules themselves but also their documentation and (at the highest security level) some aspects of the comments contained in the source code. • User agencies desiring to implement cryptographic modules should confirm that the module they are using is covered by an existing validation certificate. FIPS 140-1 and FIPS 140-2 validation certificates specify the exact module name, hardware, software, firmware, and/or applet version numbers. For Levels 2 and higher, the operating platform upon which the validation is applicable is also listed. Vendors do not always maintain their baseline validations. • The Cryptographic Module Validation Program (CMVP) is operated jointly by the United States Government's National Institute of Standards and Technology (NIST) Computer Security Division and the Communications Security Establishment (CSE) of the Government of Canada. The use of validated cryptographic modules is required by the United States Government for all unclassified uses of cryptography. The Government of Canada also recommends the use of FIPS 140 validated cryptographic modules in unclassified applications of its departments.
  • 19.
    FIPS 186-3: DigitalSignature Standard • Name of Standard: Digital Signature Standard (DSS) (FIPS 186-3). • Category of Standard: Computer Security. Subcategory. Cryptography. • Explanation: This Standard specifies algorithms for applications requiring a digital signature, rather than a written signature. • Applicability: This Standard is applicable to all Federal departments and agencies for the protection of sensitive unclassified information that is not subject to section 2315 of Title 10, United States Code, or section 3502 (2) of Title 44, United States Code. This Standard shall be used in designing and implementing public key-based signature systems that Federal departments and agencies operate or that are operated for them under contract. The adoption and use of this Standard is available to private and commercial organizations. • Applications: A digital signature algorithm allows an entity to authenticate the integrity of signed data and the identity of the signatory. The recipient of a signed message can use a digital signature as evidence in demonstrating to a third party that the signature was, in fact, generated by the claimed signatory. This is known as non-repudiation, since the signatory cannot easily repudiate the signature at a later time. A digital signature algorithm is intended for use in electronic mail, electronic funds transfer, electronic data interchange, software distribution, data storage, and other applications that require data integrity assurance and data origin
  • 20.
    “ Some countriesimplement cyber security standards through mandatory requirements, whilst others provide guidelines and frameworks.”
  • 21.
    Cyber security frameworkunder the IT Act in India • India enacted the Information Technology Act, 2000 (“IT Act”) on 09 June 2000. The IT Act is based on the UNCITRAL model law on e-commerce. • The preamble of the IT Act simply indicates that the Act is centered around affording legal recognition to transactions carried out electronically. However, the scope of the IT Act goes much beyond its preamble. It covers multiple areas including data protection and security, cybercrimes, adjudication of cyber disputes, government mandated surveillance of digital communication, and intermediary liability. • The IT Act was amended last in 2011. Despite an unprecedented increase in cyber frauds, data breaches and general cyber security concerns, no changes have been made in the IT Act in almost 9 years. In February 2020, the Ministry of Electronics and Information Technology (“MeitY”) announced that it will revamp the IT Act with a stronger focus on framework for cyber security. • Emerging technologies, explosion of digital business models and a substantial increase in the instances of cybercrimes have triggered the government to take steps to fast track the process of amending the IT Act.
  • 22.
    A. Key developmentsin the cyber security framework in India- • 1. The Indian Computer Emergency Response Team- • On 23 February 2003, the MeitY designated the Indian Computer Emergency Response Team (“CERT-In”) as the authority to issue instructions for blocking websites under the IT Act to prevent online obscenity. In 2009, CERT-In was later nominated as the national agency to respond to cyber-security incidents. The CERT-In is currently tasked with the following functions: • a. Collecting, analysing and disseminating information on cyber incidents; • b. Raising awareness about cyber security among citizens; • c. Issuing guidelines, advisories, vulnerability notes on information security practices, procedures, prevention, response and reporting of cyber incidents. For instance, in December 2019, the CERT-In issued a vulnerability note on a vulnerability in the Android operating system called the StrandHogg.
  • 23.
    2. Constitution ofcommittee of experts to review the IT Act- • In 2005, a committee of experts was constituted by the erstwhile Ministry of Communications and Information Technology to review the IT Act. In their report, the committee proposed to strengthen the framework for computer based crimes. It also proposed to build a robust mechanism to deal with data protection and privacy challenges. Accordingly, the following notable amendments were suggested: • a. Treatment of computer based crimes– Section 43 of the IT Act provided for compensation in various cases including unauthorized access to a computer system, data theft and introduction of viruses through a computer system. Section 66 of the IT Act penalized the offence of hacking a computer system. The committee suggested to substitute section 66 for a new section that comprehensively dealt with computer based offenses. The substituted section 66, which penalized computer offences done ‘fraudulently’ or ‘dishonestly’ was worded to be in line with the section 43 of the then IT Act. • b. Data protection – To ensure security of data and protection of information from unauthorized damage, the committee suggested to hold a body corporate processing, dealing or handling sensitive personal data in a computer resource liable for failure to implement and maintain reasonable security procedures and measures. • c. Stringent provisions to deal with cybercrimes– Provisions addressing the issue of child pornography and video voyeurism with higher degree of punishment were proposed. • d. Power of interception-Based on the recommendations of Inter-Ministerial Working Group on Cyber Laws & Cyber Forensics, wide powers of monitoring, interception and decryption of any information through any computer resource was proposed to be transferred from the Controller of Certifying Authority to the central government. 
• The set of amendments proposed to be introduced by these recommendations paved the way for the government to consider the issues of data protection and cyber security in its subsequent attempts to amend the IT Act
  • 24.
    3. Recommendations ofthe standing committee on IT on the IT (Amendment) Bill 2006- • Based on the recommendations of the committee of experts, the government introduced the IT (Amendment) Bill, 2006 (“Amendment Bill”) in December 2006. It was later referred for review to the standing committee on IT. In its 50th report released in 2007, the standing committee on IT criticized the government’s approach of amending the existing IT Act, rather than bringing a new and exclusive legislation for governing information technology. The standing committee on IT highlighted the following issues in its report: • a. Specific issues of cybercrime and cyber terrorism– The committee pointed out the inadequacy of the Amendment Bill to deal with the issues of cybercrime including cyber terrorism. It noted that cyber terrorism was not defined in the proposed amendments to the IT Act. The committee expressed its concerns over government’s proposal to introduce penalties that aligned the IT Act with the Indian Penal Code (“IPC”). The report noted that the IPC was an archaic law and ill equipped to encompass varied cybercrimes including cyber terrorism. The committee recommended to incorporate adequate, stringent, specific and self-enabling provisions in the IT Act itself to effectively deal with such offences. • b. Cross border cybercrimes– The committee opined that entering into Mutual Legal Assistance Treaties to deal with cross border cybercrimes with one country at a time offered a solution in a ‘piecemeal manner’. Accordingly, the committee recommended that the government must build a roadmap to become a part of an omnibus international convention on cybercrimes to effectively address this issue. • c. Child pornography– The committee recommended that the Amendment Bill should have explicit provisions to deal with child pornography. This would align it with the laws in other advanced countries and Article 9 of the Council of Europe Convention on Cyber Crimes. • d. 
Powers of interception – The committee questioned the rationale of vesting the central government with the power to issue directions for interception or monitoring of any information through any computer resource. It noted that since ‘public order’ and ‘police’ are state subjects as per the Constitution of India, the power to intercept any information should be vested in the state governments. This will also align the proposed law with the powers of interception given to state governments in the Indian Telegraph Act, 1885. • e. Status of the CERT-In– The committee in its report noted that even though CERT-In has been nominated as the national agency on cyber security, the status of the body has not been defined. Accordingly, the committee suggested that the agency should be defined as a government body to clarify its status beyond doubt. Doing so will instill confidence in foreign investors regarding existence of a bona fide legal framework in the country.
  • 25.
    4. The InformationTechnology (Amendment) Act, 2008- • In December 2008, the Parliament enacted the IT (Amendment) Act 2008[ (“Amendment Act”). The following notable amendments were introduced through the Amendment Act: • a. Computer related offences– The Amendment Act prohibited transmission of offensive messages or any information for the purposes of causing annoyance, inconvenience, etc. by means of a computer resource and communication service. However, this provision was struck down later by the Supreme Court of India in the Shreya Singhal case. • b. Power of interception– Based on the recommendations of the standing committee on IT, the Amendment Act empowered both the central and state governments to issue directions for interception/monitoring of any information under section 69. The scope of the information intercepted was broadened to include its transmission, generation and storage, as opposed to just transmission in the original provision. The amended section also made issuance of such interception orders subject to additional safeguards introduced through the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 (“Interception Rules”). • c. Critical information infrastructure– The Amendment Act introduced the term ‘critical information infrastructure’ (“CII”) i.e.a computer resource whose destruction will have a huge impact on the national security, public health and safety and economy. Further, any computer resource facilitating such CII was designated as a protected system. Accordingly, the government was empowered to exercise control over such protected systems, in addition to prescribing information security practices and procedures for such a system. • d. Nodal agency for CII– In January 2014, the National Critical Information Infrastructure Protection Centre (“NCIIPC”) was designated as the national nodal agency under the provisions of the Amendment Act. 
The NCIIPC is responsible for undertaking all measures to protect CII from unauthorized access, modification, use or disclosure
  • 26.
    5. Bill onIntelligence agency reforms- • In March 2011, the Intelligence Services (Powers and Regulation) Bill, 2011 (“Intelligence Bill”) was introduced as a private members bill by Shri Manish Tewari. He was a Member of Parliament in the Lok Sabha and currently a member of the Joint Parliamentary Committee examining the Draft Personal Data Protection Bill, 2019. The Intelligence Bill proposed to regulate the functioning of three major Indian Intelligence Agencies- Research and Analysis Wing (“RAW”), Intelligence Bureau (“IB”) and National Technical Research Organization (“NTRO”)- by putting in place an oversight mechanism. The Bill stated that surveillance operations undertaken by such intelligence agencies infringe the right to privacy of individuals. To prevent intelligence agencies from misusing their surveillance powers, it proposed a National Intelligence and Security Oversight Committee (“NISOC”). The NISOC was empowered to seek any information that these agencies possessed. Additionally, the Intelligence Bill provided for a National Intelligence Tribunal to hold these agencies accountable. The tribunal was empowered to investigate complaints filed by any person for action taken against her or her property by these agencies. However, the Intelligence Bill, like most private member bills, never came up for discussion and ultimately lapsed.
6. National Cyber Security Policy, 2013-
• In July 2013, the erstwhile Ministry of Communication and Information Technology notified the National Cyber Security Policy (“NCSP”).
• Based on the objectives envisioned in the NCSP 2013, the following strategies/initiatives were introduced by the Indian government:
• a. Designation of the NCIIPC as the nodal agency to undertake measures to secure the country’s CII.
• b. The Cyber Swachhta Kendra initiative under CERT-In, to detect and analyse malicious infections/attacks that damage computer systems. The initiative aims to secure the cyber ecosystem by preventing such attacks and cleaning systems that have already been infected.
• c. Development of multilateral relationships in the area of cyber security. In 2016, India partnered with the US to coordinate best practices in cyber security and to exchange information in real time about malicious cyber attacks, among other things.
• d. Setting up of the National Cyber Coordination Centre (“NCCC”) to create situational awareness about cyber security threats and to enable timely information sharing for preventive action by individual entities.
7. Standing committee on IT report on ‘Cyber Crime, Cyber Security and Right to Privacy’-
• In February 2014, the standing committee on IT made the following recommendations in its report on cybercrime, security and privacy –
• a. The committee observed that there are 20 different kinds of cybercrimes. Recognizing the impact of cyber threats on critical sectors (such as power, atomic energy, space, aviation, etc.), it recommended establishing a national protection centre to protect the CII in the country.
• b. In dealing with issues pertaining to cyber frauds, the government may have to coordinate with multiple institutions, such as the Reserve Bank of India and the SEBI. Accordingly, the committee recommended forming a centralized agency to deal with all cases of cybercrime.
• c. The committee noted that multiple agencies, including the Ministry of Defence (“MoD”), the Ministry of Home Affairs (“MHA”), IB, NTRO, NCIIPC, etc., are involved in securing the Indian cyberspace. It also noted that, to minimize overlapping responsibilities between such agencies, the government had tasked the National Security Council Secretariat (“NSCS”) with overseeing compliance with cyber security policies. However, given the number of agencies involved, this could hinder a timely response to cyber threats. Recognizing the need for a collaborative effort between the government and industry to address this issue, the committee suggested implementing the recommendations made by a Joint Working Group (“JWG”) set up under the Deputy National Security Advisor for this purpose. The JWG recommended, among other things, putting in place a permanent mechanism for a Public Private Partnership (“PPP”) on cyber security.
• d. The committee acknowledged that, despite the cost advantages of hosting servers outside India, the accompanying technical and legal security concerns for the nation and for citizens’ privacy have to be given due consideration. Accordingly, the committee recommended that the government take all steps to ensure that, as far as possible, servers are hosted locally.
8. Surveillance order issued by MHA–
• In December 2018, the MHA passed an order under the Interception Rules authorizing 10 security and intelligence agencies to intercept/monitor/decrypt any information transmitted, generated, received or stored on any computer resource.
• These agencies include the IB, the Narcotics Control Bureau, the Enforcement Directorate, the Central Board of Direct Taxes, the Central Bureau of Investigation and the Delhi Police. The order was heavily criticized and challenged before the Supreme Court on the ground that it violates the fundamental right to privacy, as laid down in the Puttaswamy case.
• The central government defended the order by claiming that it was passed to pursue a legitimate state aim. Furthermore, the government submitted that the authorized agencies will still have to seek the permission of the competent authority before intercepting any information. The matter is currently pending before the Supreme Court.
9. National Cyber Security Strategy 2020-
• In another attempt to address the issues pertaining to cyber threats and data vulnerabilities, the Indian government has proposed to come out with the National Cyber Security Strategy (“NCSS”) 2020.
• The NCSS aims to examine the various facets of cyber security under three pillars- securing the national cyberspace; strengthening structures, people, processes and capabilities; and synergizing resources, including through cooperation and collaboration.
• The government sought comments and suggestions on different aspects of the NCSS by 10th January 2020 and is currently in the process of framing the policy.
B. Key Issues on cyber security–
• 1. Surveillance and privacy-
• a. The Interception Rules designate the Secretary in the Union Ministry of Home Affairs, or the Secretary of the Home Department of a state government (“Home Secretary”), as the ‘competent authority’ for approving surveillance/monitoring requests under the IT Act. Additionally, the Interception Rules provide for a review committee to oversee the directions issued by the competent authority to intercept/monitor such information. Per the Interception Rules, the review committee must meet at least once in two months. Similarly, a committee headed by the chief secretary reviews directions passed by state governments.
• b. This means that the central government has to approach the Home Secretary before it issues any direction to intercept/monitor digital communications. However, given the large number of interception/monitoring requests made by the government, it becomes unfeasible for the Home Secretary to objectively assess each request. In practice, the Home Secretary risks becoming a mere rubber stamp for government interception requests.
• c. Notably, the Srikrishna Committee report mentioned that an application filed under the RTI Act revealed that the review committee has to review 15,000-18,000 interception orders at every meeting. This unrealistic workload poses a threat to the safety and security of individuals’ personal data. The committee noted that surveillance should not be carried out without a degree of transparency that can pass the Puttaswamy test of necessity, proportionality and due process.
2. Multiplicity of institutions
• The issue of multiplicity of cyber security agencies was highlighted by the Standing Committee on IT in its 52nd report. Having several institutions tasked with securing the cyber space leads to a lack of coordination between them.
• In 2015, the standing committee on IT, in its 17th report, outlined the action taken by the government on the recommendations of the JWG to deal with the issue of multiplicity of cyber security agencies.
• The report noted that the government, in July 2014, had identified the objectives that would promote an overall cooperative framework for a PPP on cyber security. However, an action plan for implementing these recommendations was still being worked out.
• The issue as such appears to be unresolved, with the following agencies presently dealing with cyber security:
• a. Cyber and Information Security Division, MHA: This division under the MHA is tasked with handling matters related to cyber security and cyber-crime.
• b. CERT-In: CERT-In functions under the aegis of MeitY. Its main functions include responding to cyber security incidents and issuing security guidelines, advisories and alerts.
• c. NCIIPC: It acts as the national nodal agency for the protection of CII in India.
• d. NCCC: It is responsible for creating situational awareness about existing and potential cyber security threats and for enabling timely information sharing for ‘proactive, preventive and protective’ action by individual entities.
• e. Indian Cyber Crime Coordination Centre (“I4C”): The I4C scheme consists of seven components, to be established on a rolling basis by the MHA during 2018-2020, including a National Cybercrime Threat Analytics Unit, a National Cybercrime Forensic Laboratory Ecosystem and a National Cyber Research and Innovation Centre.
• f. National Cyber Security Coordinator (“NCSC”): It was formed under the NSCS as the nodal agency for cyber security. The NCSC coordinates with different agencies at the national level on cyber security matters.
• g. Defence Cyber Agency: The agency has been established to address issues pertaining to military cyber security and cyber warfare. It is governed by the Defence Intelligence Agency under the MoD.