Pr.CCIT(CCA) and Directorates

Action points for each level of the hierarchy. Each entry below gives the Sr. No.; the Officers/Officials in the hierarchy; the Domain of Information Security; the Action points for consideration; the Time period for implementing the action points; and Remarks.
Sr. No. 1: Pr.CCIT / Pr.DGIT / DGIT

Domain: Asset Management
Action points: Steps required to be taken for management of Information Assets in the office:
  1. Identify all the Information Assets of the categories Hardware assets and Software assets and create an Asset Inventory. Officers in whose office the asset is being used, or whoever has been assigned the task of managing work related to that asset, shall identify all the assets and forward the information to the DDO to record them in the Asset Registers.
  2. All the officers shall classify the Information Assets in their offices and put appropriate labels on them.
  3. At the time of change of incumbent, an entry is to be made in the Asset Inventory Register for handing over of the Assets to the successor.
  4. Ensure that portable devices are password protected.
  5. All removable media devices must be scanned for malware, and all unnecessary data removed, before further use.
  6. Take necessary steps to protect Information Assets from physical damage such as fire, moisture and magnetic interference.
  7. Storage media such as pen drives, hard drives, CDs etc. must be disposed of securely and safely when no longer required. Data must be erased before any asset such as media, computer systems and electronic office equipment etc. is transferred or disposed of. The method of destruction followed should be such that nothing can be recovered after destruction (using one of degaussing, physical destruction or data wiping, etc.). Necessary entries should be made in the Media Disposal Register regarding the safe disposal of assets.
  8. In the event exceptions are identified in relation to media disposal activities, an incident report should be raised in accordance with the Information Security Incident Management Procedure.
  9. Take necessary steps to protect media and information assets etc. from unauthorized access during their transportation.
  10. In case of transfer, retirement, suspension, termination or long leave, all Information Assets in the custody of the officer should be handed over to the succeeding incumbent and entries for the same should be made in the Asset Registers.
Time period: Within 15 days from the receipt of Instructions.
Remarks: Details of Information Assets and Asset Registers are provided in Annexure 1.
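The data-wiping option in step 7 is only as good as its verification: the Media Disposal Register entry should be made after the media has been read back and confirmed blank, not after the wiping command merely exits. The following is an added example, not part of these Instructions or of any Annexure, of a single zero-fill pass with an independent read-back check for a regular file or a magnetic block device. The target path is supplied by the caller and the format of the log line for the Register is an assumption.

```shell
#!/bin/sh
# Added example (not from the Instructions): zero-fill a file or magnetic
# block device in place, flush it, then read it back and compare against
# /dev/zero before the media is entered in the Media Disposal Register.
# Usage: wipe_and_verify /dev/sdX      or      wipe_and_verify disk-image.bin
set -u

# Size in bytes of a regular file or a block device.
target_size() {
  if [ -b "$1" ]; then
    blockdev --getsize64 "$1"          # util-linux; block devices only
  else
    wc -c < "$1" | tr -d ' '
  fi
}

# Succeeds only if the first $2 bytes of $1 read back as zeros. The check
# is independent of the write path: it compares the media against /dev/zero
# instead of trusting the exit status of the command that did the writing.
is_zeroed() {
  head -c "$2" /dev/zero | cmp -s "$1" -
}

# One overwrite pass with zeros, written in place (conv=notrunc keeps a
# regular file at its original size instead of re-allocating it), flushed
# to the device, then verified by size and by read-back. Returns 0 only for
# a verified wipe and prints one line for the Media Disposal Register
# (assumed format: UTC timestamp, result, target, size, method).
wipe_and_verify() {
  target="$1"
  size=$(target_size "$target") || return 1
  head -c "$size" /dev/zero | dd of="$target" conv=notrunc 2>/dev/null || return 1
  sync
  if [ "$(target_size "$target")" -eq "$size" ] && is_zeroed "$target" "$size"; then
    printf '%s WIPE-OK target=%s bytes=%s method=overwrite-zero-1pass\n' \
      "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$target" "$size"
    return 0
  fi
  printf '%s WIPE-FAILED target=%s bytes=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$target" "$size" >&2
  return 1
}
```

Run it against the whole device, unmounted, rather than against individual files: on journaling or copy-on-write filesystems an in-place overwrite of a file may leave the old blocks intact elsewhere on disk. A single zero pass is adequate for modern magnetic hard disks, but not for pen drives, SSDs or NVMe devices, where wear-levelling keeps copies in blocks an overwrite never reaches; for those, use the controller's own sanitize command (`hdparm --security-erase` for SATA, `nvme format` with secure-erase for NVMe, or `blkdiscard --secure` where supported) or physical destruction, both of which step 7 already permits. Degaussing works only on magnetic media and leaves a hard disk unusable, so it suits disposal but not transfer of the asset.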
Action points: Follow the Acceptable Usage Policy for the Departmental Assets and educate the subordinate officials (including the contractual employees) of the office in it. Ensure that the officials paste the Do's and Don'ts for use of Information Assets (Annexure 2) at their workstations or at a prominent place in their offices as a constant reminder and reference.
Time period: Within 25 days from the receipt of Instructions.
Remarks: A set of Do's and Don'ts in accordance with the Department's Acceptable Usage Policy is reproduced in Annexure 2.

Domain: Human Resource Security
Action points: Train and educate the subordinate staff regarding the Information Security Policy.
Time period: Within 1 month from the receipt of Instructions for the existing staff, and within 1 week whenever a new staff member joins the office.

Action points: Ensure that Non-Disclosure Agreements are signed by all Contractors/MSPs/sub-contractors/contractual staff working in the office.
Time period: To be implemented within one month of receipt of Instructions.
Remarks: Non-Disclosure Agreements are explained in Annexure 7.

Action points: Ensure that appropriate Background Verification reports of contractual employees are submitted by the Contractors to the DDO for all contractual employees working in the office.
Time period: To be implemented within two months of receipt of Instructions.
Remarks: Background Verification is explained in Annexure 8.

Domain: Physical and Environmental Security
Action points: All electronic office equipment, including fax machines, printers and EPABX, must be physically secured to ensure safety from environmental hazards such as rain, lightning and flood, and physical hazards such as fire.
Time period: Within 25 days from the receipt of Instructions.

Domain: Incident Management
Action points:
  1. Adhere to the Information Security Policies and Procedures.
  2. Report policy violations and information security incidents to the BISO/LISO.
Remarks: Details of Information Security Incidents and the SOP to handle such incidents are provided in Annexure 3.

Sr. No. 2: CCIT

Domain: Asset Management
Action points: Steps required to be taken for management of Information Assets in the office: steps 1 to 10 as listed under Sr. No. 1 above (identification and inventory of hardware and software assets through the DDO; classification and labelling; handover entries on change of incumbent; password protection of portable devices; scanning of removable media; protection from physical damage; secure disposal with Media Disposal Register entries; incident reports on disposal exceptions; protection during transportation; and handover of assets on transfer, retirement, suspension, termination or long leave).
Time period: Within 15 days from the receipt of Instructions.
Remarks: Details of Information Assets and Asset Registers are provided in Annexure 1.

Action points: Follow the Acceptable Usage Policy for the Departmental Assets and educate the subordinate officials (including the contractual employees) of the office in it. Ensure that the officials paste the Do's and Don'ts for use of Information Assets (Annexure 2) at their workstations or at a prominent place in their offices as a constant reminder and reference.
Time period: Within 25 days from the receipt of Instructions.
Remarks: A set of Do's and Don'ts in accordance with the Department's Acceptable Usage Policy is reproduced in Annexure 2.

Domain: Human Resource Security
Action points: Train and educate the subordinate staff regarding the Information Security Policy.
Time period: Within 1 month from the receipt of Instructions for the existing staff, and within 1 week whenever a new staff member joins the office.

Action points: Ensure that Non-Disclosure Agreements are signed by all Contractors/MSPs/sub-contractors/contractual staff working in the office.
Time period: To be implemented within one month of receipt of Instructions.
Remarks: Non-Disclosure Agreements are explained in Annexure 7.

Action points: Ensure that appropriate Background Verification reports of contractual employees are submitted by the Contractors to the DDO for all contractual employees working in the office.
Time period: To be implemented within two months of receipt of Instructions.
Remarks: Background Verification is explained in Annexure 8.

Domain: Physical and Environmental Security
Action points: All electronic office equipment, including fax machines, printers and EPABX, must be physically secured to ensure safety from environmental hazards such as rain, lightning and flood, and physical hazards such as fire.
Time period: Within 25 days from the receipt of Instructions.

Domain: Incident Management
Action points:
  1. Adhere to the Information Security Policies and Procedures.
  2. Report policy violations and information security incidents to the BISO/LISO.
  3. Investigate Information Security Incidents of the nature of Human Resource Security and Asset Management with respect to their office.
  4. Take disciplinary action against the officers/officials responsible for an Information Security Incident.
Remarks: Details of Information Security Incidents and the SOP to handle such incidents are provided in Annexure 3.

Sr. No. 3: Pr.CIT / Pr.DIT / CIT / DIT / ADG

Domain: Asset Management
Action points: Steps required to be taken for management of Information Assets in the office: steps 1 to 10 as listed under Sr. No. 1 above (identification and inventory of hardware and software assets through the DDO; classification and labelling; handover entries on change of incumbent; password protection of portable devices; scanning of removable media; protection from physical damage; secure disposal with Media Disposal Register entries; incident reports on disposal exceptions; protection during transportation; and handover of assets on transfer, retirement, suspension, termination or long leave).
Time period: Within 15 days from the receipt of Instructions.
Remarks: Details of Information Assets and Asset Registers are provided in Annexure 1.

Action points: HoDs (PDIT/PCIT/DIT/CIT) to ensure that the Asset Registers are created by the DDO and that all Hardware and Software Assets are enlisted in the Registers.
Time period: Within 15 days from the receipt of Instructions.
Remarks: Details of Information Assets and Asset Registers are provided in Annexure 1.

Action points: Asset Registers must be reviewed by the HoD (PDIT/PCIT/DIT/CIT) on a half-yearly basis to ensure they are current and up to date. A suitable entry may be made in the Registers indicating the date of review and the observations of the officer.
Time period: Periodically, every six months.

Action points: Follow the Acceptable Usage Policy for the Departmental Assets and educate the subordinate officials (including the contractual employees) of the office in it. Ensure that the officials paste the Do's and Don'ts for use of Information Assets (Annexure 2) at their workstations or at a prominent place in their offices as a constant reminder and reference.
Time period: Within 25 days from the receipt of Instructions.
Remarks: A set of Do's and Don'ts in accordance with the Department's Acceptable Usage Policy is reproduced in Annexure 2.

Domain: Physical and Environmental Security
Action points: All electronic office equipment, including fax machines, printers and EPABX, must be physically secured to ensure safety from environmental hazards such as rain, lightning and flood, and physical hazards such as fire.
Time period: Within 25 days from the receipt of Instructions.

Domain: Human Resource Security
Action points: Train and educate the subordinate staff regarding the Information Security Policy.
Time period: Within 1 month from the receipt of Instructions for the existing staff, and within 1 week whenever a new staff member joins the office.

Action points: Ensure that Non-Disclosure Agreements are signed by all Contractors/MSPs/sub-contractors/contractual staff working under the hierarchy of the HoD.
Time period: To be implemented within one month of receipt of Instructions.
Remarks: Non-Disclosure Agreements are explained in Annexure 7.

Action points: Ensure that appropriate Background Verification reports of contractual employees are submitted by the Contractors to the DDO for all contractual employees working under the hierarchy of the HoD.
Time period: To be implemented within two months of receipt of Instructions.
Remarks: Background Verification is explained in Annexure 8.

Action points: The HoD must ensure that the access rights of all contractors/MSPs/contractual staff to information and information processing facilities are removed upon termination of their contract.
Time period: Within 1 month from the receipt of Instructions.

Domain: Incident Management
Action points:
  1. Adhere to the Information Security Policies and Procedures.
  2. Report policy violations and information security incidents to the BISO/LISO.
  3. Provide monthly reports to the Commissioner (Admn. & TPS) on the status of information security, policy violations and information security incidents.
  4. Investigate Information Security Incidents of the nature of Human Resource Security and Asset Management.
  5. Take disciplinary action against the officers/officials responsible for an Information Security Incident.
Remarks: Details of Information Security Incidents and the SOP to handle such incidents are provided in Annexure 3.

Sr. No. 4: CIT(Admin) cum LISO

Domain: Asset Management
Action points: The LISO shall be responsible for preparing a list of Asset Owners in his jurisdiction. Each Asset Owner shall be given a Code. This code shall form the first 7 characters of the Asset Id, in the following manner:
  (i) The first three letters shall indicate the city where the Asset is present, e.g. MUM for Mumbai or DEL for Delhi.
  (ii) The next four characters shall indicate the Asset Owner's office where the Asset is stationed, e.g. Investigation Unit 10(1) may be indicated by I101, or Jurisdictional Circle-46(1) by J461.
The LISO will have to map all asset owners in his region and shall issue these codes for the reference of all DDOs mapped under him.
Remarks: Details of the Information Assets Nomenclature and Asset Id are provided in Annexure 1.

Domain: Physical and Environmental Security
Action points: Physical Security Perimeter:
  1. All Department areas must be logically divided into different physical zones. Each zone must have an appropriate level of access restriction and access authorization requirements.
  2. Areas containing critical IT equipment or handling sensitive information, such as information received from foreign jurisdictions or information related to an investigation matter, must be designated as High Security Zones. Critical or sensitive information processing facilities must be protected by defined security perimeters, with appropriate security barriers and entry controls.
  3. Server rooms or other areas containing critical IT equipment must be secured using a biometric access control mechanism.
Time period: In case not in place, to be ensured within 2 months of receipt of Instructions.

Action points: Physical Access Control:
  1. For contractual employees: creation of I-cards/access cards at the time of hiring, provisioning of access in the access control system, periodic updating of the allotted cards, and their return or disabling at the time of removal or end of contract.
  2. Visitors' entry into the premises must be restricted by appropriate security validations, such as checking the identity (company ID, driving licence, voter's ID, etc.) of the visitor, random frisking of visitors, checking their belongings and bags, etc.
  3. A confirmation from the visited employee must be taken before allowing a visitor inside the Department premises.
  4. All movement of material going in and out of the premises must be duly authorized and tracked.
Time period: In case not in place, to be ensured within 1 month of receipt of Instructions.
Remarks: To be ensured by the Building In-charge Officer of the concerned building.

Action points: Protecting against External and Environmental Hazards:
  1. The Department's offices must be fitted with appropriate firefighting devices at critical locations in order to arrest fire and to avoid damage to the various resources of the Department. Selected Department employees must know how to use these firefighting devices.
  2. Monitoring of fire sensors, smoke sensors and other fire safety alarms is to be done regularly.
  3. Safety measures such as fire and earthquake evacuation drills must be practised regularly.
  4. Appropriate safety measures must be taken to avoid loss and damage due to water flooding or an inappropriate drainage system within the premises of the Department.
  5. Physical protection against damage from natural or man-made disaster must be designed and applied.
Time period: In case not in place, to be ensured within 2 months of receipt of Instructions.
Remarks: To be ensured by the Building In-charge Officer of the concerned building.

Action points: CCTV surveillance:
  1. There should be CCTV cameras at the entry and exit points of buildings and secure areas.
  2. Entry to the CCTV control room should be restricted.
  3. Monitoring of CCTV should be done by departmental employees.
Time period: In case not in place, to be ensured within 1 month of receipt of Instructions.
Remarks: To be ensured by the Building In-charge Officer of the concerned building.

Domain: Incident Management
Action points:
  1. Provide monthly reports to the LISC on the status of information security, policy violations and information security incidents in the region.
  2. If required, the LISO shall contact authorities outside the Department, such as the police, fire brigade etc., for resolution of Information Security Incidents.
  3. The LISO should send a monthly Incidents report to the CISO with respect to the Information Security Incidents.

Domain: Human Resource Security
Action points:
  1. Ensure that ongoing information security awareness education and training is provided to all employees and users in the region.
  2. Communicate the Information Security Policies and Procedures to all employees in the region.

Action points: Ensure that Non-Disclosure Agreements are signed by all Contractors/MSPs/sub-contractors/contractual staff working in the region.
Time period: To be implemented within one month of receipt of Instructions.
Remarks: Non-Disclosure Agreements are explained in Annexure 7.

Action points: Ensure that appropriate Background Verification reports of contractual employees are submitted by the Contractors to the DDO for all contractual employees working in the region.
Time period: To be implemented within two months of receipt of Instructions.
Remarks: Background Verification is explained in Annexure 8.

Domain: Risk Management
Action points: LISOs to ensure that all identified risks pertaining to their regions are captured in risk registers that are maintained and updated regularly. An indicative list of risks and vulnerabilities is given in Annexure 6.
Time period: A copy of the respective risk register of the region shall be forwarded by the LISO concerned to the CISO on a quarterly basis, in Excel format, by the 15th of the month following the quarter.
Remarks: A sample risk register is also enclosed for reference in Annexure 5.
Sr. No. 5: BISO (Building Information Security Officer)
Note: The BISO will be nominated by the LISO for each building. The BISO will be an officer not below the rank of CIT who is stationed in the building concerned. If there is no officer of the rank of CIT and above in a building, then the senior-most officer posted in the building may be appointed as BISO. The building in-charge of the building will report to the BISO with respect to matters of Information Security, which include physical and environmental security.

Domain: Physical and Environmental Security
Action points:
  1. Ensure that responsibilities related to environmental and physical security in the building are defined and implemented.
  2. Oversee implementation of the Information Security Policies and Procedures related to environmental and physical security in the building.

Domain: Incident Management
Action points:
  1. In case an Information Security Incident is reported or observed, the BISO should conduct an inquiry into the breach and give a preliminary report to the LISO within 24 hours of the incident. The preliminary report should identify the relevant stakeholders who need to be informed of the incident immediately, in order to prevent further data loss.
  2. The BISO should safeguard the area of the incident in such a way that data loss can be minimized.
  3. If the Information Security Incident is of the nature of a cyber security incident, then the BISO shall intimate the AD(Systems)/DD(Systems)/JD(Systems) in the office of the Pr.CCIT(CCA).
  4. The BISO shall ensure that the AD(Systems)/DD(Systems)/JD(Systems) are given full access and cooperation to resolve an issue of cyber security.
  5. If the Information Security Incident is of the nature of a physical or environmental security incident, then the BISO shall intimate the LISO regarding the incident.
  6. If the Information Security Incident is of the nature of a human resource security incident or an asset management security incident, then the BISO shall intimate the HoD (PCIT/PDIT/CIT/DIT/ADG) regarding the incident.
  7. Once an incident is resolved, the BISO shall send a report to the LISO describing the incident and its resolution.
  8. The BISO should send a monthly Incidents report to the LISO with respect to the Information Security Incidents.
Remarks: Details of Information Security Incidents and the SOP to handle such incidents are provided in Annexure 3.

Sr. No. 6: CIT(Audit)

Domain: Information Security Audit
Action points:
  1. Carry out the Information Security Audit using the CIT(Audit) checklists.
  2. Submit the final Audit report to the LISO and the CISO.
  3. Follow up with the LISO to ensure that non-compliances with the Information Security Policy observed during the Audit are rectified.
Remarks: The SOP for carrying out the Information Security Audit is provided in Annexure 4.

Sr. No. 7: Addl.CIT / Addl.DIT / Jt.CIT / Jt.DIT

Domain: Asset Management
Action points: Steps required to be taken for management of Information Assets in the office: steps 1 to 10 as listed under Sr. No. 1 above (identification and inventory of hardware and software assets through the DDO; classification and labelling; handover entries on change of incumbent; password protection of portable devices; scanning of removable media; protection from physical damage; secure disposal with Media Disposal Register entries; incident reports on disposal exceptions; protection during transportation; and handover of assets on transfer, retirement, suspension, termination or long leave).
Time period: Within 15 days from the receipt of Instructions.
Remarks: Details of Information Assets and Asset Registers are provided in Annexure 1.

Action points: Follow the Acceptable Usage Policy for the Departmental Assets and educate the subordinate officials (including the contractual employees) of the office in it. Ensure that the officials paste the Do's and Don'ts for use of Information Assets (Annexure 2) at their workstations or at a prominent place in their offices as a constant reminder and reference.
Time period: Within 25 days from the receipt of Instructions.
Remarks: A set of Do's and Don'ts in accordance with the Department's Acceptable Usage Policy is reproduced in Annexure 2.

Domain: Physical and Environmental Security
Action points: All electronic office equipment, including fax machines, printers and EPABX, must be physically secured to ensure safety from environmental hazards such as rain, lightning and flood, and physical hazards such as fire.
Time period: Within 25 days from the receipt of Instructions.

Domain: Incident Management
Action points:
  1. Adhere to the Information Security Policies and Procedures.
  2. Report policy violations and information security incidents to the higher authorities.
Remarks: Details of Information Security Incidents are provided in Annexure 3.

Domain: Human Resource Security
Action points: Train and educate the subordinate staff regarding the Information Security Policy.
Time period: Within 1 month from the receipt of Instructions for the existing staff, and within 1 week whenever a new staff member joins the office.
Sr. No. 8: AD(Systems) / DD(Systems) / JD(Systems)

Domain: Incident Management
Action points:
  1. In the case of an Information Security Incident of the nature of a cyber security incident, the AD(Systems)/DD(Systems)/JD(Systems) shall identify the affected system and the other systems connected to it which may also have been affected.
  2. The AD(Systems)/DD(Systems)/JD(Systems) shall oversee the resolution of the issue for cyber security incidents. If the resolution requires a software update, formatting or a hardware change, that shall be done by the AMC vendor of the affected system.
  3. The AD(Systems)/DD(Systems)/JD(Systems) shall ensure that resolution happens in accordance with the Information Security Policy.
  4. The AD(Systems)/DD(Systems)/JD(Systems) shall take steps to preserve logs, safeguard evidence, classify the incident and do root cause analysis in accordance with the Information Security Policy for cyber security incidents.
Remarks: The SOP for handling Information Security Incidents is provided in Annexure 3.
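Item 4 above requires logs and evidence to be preserved, and under item 2 the resolution may involve formatting or replacing the affected hardware, after which nothing on the system can be recovered. The following is an added example, not part of these Instructions or of Annexure 3, of collecting the log files of an affected system into an evidence bundle with a hash manifest recorded at collection time, so that whoever later does the root cause analysis can prove nothing was altered after collection. The bundle layout (files/, MANIFEST, RECORD) and the fields of the collection record are assumptions; the collection should be run on the logs before any re-imaging.

```shell
#!/bin/sh
# Added example (not from the Instructions): preserve log files as an
# evidence bundle whose integrity can be re-checked later.
# Usage: hash=$(collect_evidence /var/log /evidence/incident-001)
#        verify_evidence /evidence/incident-001 "$hash"
set -u

# Portable SHA-256 of one file (coreutils sha256sum or BSD/macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# collect_evidence SRC_DIR BUNDLE_DIR
# Copies every file under SRC_DIR into BUNDLE_DIR/files with timestamps and
# permissions preserved, writes MANIFEST (sha256 and relative path, one line
# per file) and a RECORD of when, where and by whom the collection was made,
# then makes the bundle read-only. Prints the hash of MANIFEST, which is the
# value the incident report should quote.
collect_evidence() {
  src="$1"; bundle="$2"
  [ -d "$src" ] || return 1
  mkdir -p "$bundle/files" || return 1
  ( cd "$src" && tar -cf - . ) | ( cd "$bundle/files" && tar -xpf - ) || return 1
  ( cd "$bundle/files" && find . -type f | sort | while read -r f; do
      printf '%s  %s\n' "$(sha256_of "$f")" "${f#./}"
    done ) > "$bundle/MANIFEST"
  printf 'collected_at=%s\nsource=%s\nhost=%s\ncollected_by=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$(uname -n)" "${USER:-unknown}" \
    > "$bundle/RECORD"
  chmod -R a-w "$bundle"
  sha256_of "$bundle/MANIFEST"
}

# verify_evidence BUNDLE_DIR EXPECTED_MANIFEST_HASH
# Fails if the manifest itself was changed, if any listed file no longer
# matches its recorded hash, or if files were added to or removed from the
# bundle after collection.
verify_evidence() {
  bundle="$1"; expected="$2"
  [ "$(sha256_of "$bundle/MANIFEST")" = "$expected" ] || return 1
  n_files=$(cd "$bundle/files" && find . -type f | wc -l | tr -d ' ')
  n_lines=$(wc -l < "$bundle/MANIFEST" | tr -d ' ')
  [ "$n_files" -eq "$n_lines" ] || return 1
  ( cd "$bundle/files" && while read -r hash path; do
      [ "$(sha256_of "$path")" = "$hash" ] || exit 1
    done < ../MANIFEST )
}
```

The manifest hash is the one value worth writing into the incident record and the preliminary report: anyone holding it can detect any change to any file in the bundle, including files added or removed afterwards. Read-only permissions are a convenience against accidental edits, not a control; keep the bundle on media that the affected system cannot write to, and keep the original logs untouched until the AMC vendor's formatting or hardware change has been authorized.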
Sr. No. 9: DCIT / DDIT / ACIT / ADIT / ITO

Domain: Asset Management
Action points: Steps required to be taken for management of Information Assets in the office: steps 1 to 10 as listed under Sr. No. 1 above (identification and inventory of hardware and software assets through the DDO; classification and labelling; handover entries on change of incumbent; password protection of portable devices; scanning of removable media; protection from physical damage; secure disposal with Media Disposal Register entries; incident reports on disposal exceptions; protection during transportation; and handover of assets on transfer, retirement, suspension, termination or long leave).
Time period: Within 15 days from the receipt of Instructions.
Remarks: Details of Information Assets and Asset Registers are provided in Annexure 1.

Action points: Follow the Acceptable Usage Policy for the Departmental Assets and educate the subordinate officials (including the contractual employees) of the office in it. Ensure that the officials paste the Do's and Don'ts for use of Information Assets (Annexure 2) at their workstations or at a prominent place in their offices as a constant reminder and reference.
Time period: Within 25 days from the receipt of Instructions.
Remarks: A set of Do's and Don'ts in accordance with the Department's Acceptable Usage Policy is reproduced in Annexure 2.

Domain: Physical and Environmental Security
Action points: All electronic office equipment, including fax machines, printers and EPABX, must be physically secured to ensure safety from environmental hazards such as rain, lightning and flood, and physical hazards such as fire.
Time period: Within 25 days from the receipt of Instructions.

Domain: Incident Management
Action points:
  1. Adhere to the Information Security Policies and Procedures.
  2. Report policy violations and information security incidents to the higher authorities.
Remarks: Details of Information Security Incidents are provided in Annexure 3.

Domain: Human Resource Security
Action points: Train and educate the subordinate staff regarding the Information Security Policy.
Time period: Within 1 month from the receipt of Instructions for the existing staff, and within 1 week whenever a new staff member joins the office.

10. DDO Physical and All electronic office Within
Environment equipment including faxes, 25 days
al Security printers and EPABX, must from the
be physically secured to receipt of
ensure safety from Instructio
environmental hazards like ns.
rain, lightening, flood etc.
and physical hazards such
as fire.
Access to delivery and To be To be
loading areas: implemen implement
1. Ensuring that no ted ed by the
unauthorised person within DDO with
can enter the one assistance
delivery/ loading month of of security
areas receipt of personnel.
2. Inspection of goods Instructio
received in the ns.
delivery area for
potential threats
3. Entry in separate
registers of items
received for delivery/
dispatch.
Movement of goods/ To be To be
equipment: implemen implement
1. Ensuring that no ted ed by the
unauthorised person within DDO with
can enter/ exit the one assistance
building for month of of security
movement of goods receipt of personnel
2. Examination/ Instructio
verification of goods ns.
with the invoice/
gate-pass
3. Entry in separate
registers of items
incoming/ outgoing.

Human Ensure that Non-Disclosure To be Non-


Resource Agreements are signed by implemen Disclosure
Security all Contractors/MSPs/sub- ted Agreement
contractors/ contractual within s
staffs. one explained
month of in
receipt of Annexure
Instructio 7
ns.

31
Ensure that appropriate To be Backgrou
Background verification implemen nd
reports of Contractual ted verificatio
employees are submitted by within n
Contractors for all two explained
contractual employees. months in
of receipt Annexure
of 8
Instructio
ns.
Asset Management
Action points:
1. Create Asset Registers and enlist all Hardware and Software Assets in the Registers in the prescribed format.
2. Obtain periodic information regarding Information Assets from the officers/officials using these assets and update the Asset Registers accordingly.
3. All computer, communication, security, backup power etc. equipment must be brought under AMC after the initial warranty is over. AMC may be given only to trustworthy vendors after due background verification.
4. Timely renew all necessary licenses of software, anti-virus etc. Ensure that only licensed and valid software is installed.
5. Ensure that contractual employees return the Department's Information Assets in case of transfer or termination of employment.
Time period: Within 25 days from the receipt of Instructions.
Remarks: Details of Information Assets and Asset Registers provided in Annexure 1.

Incident Management
Action points:
1. Adhere to Information Security Policies and Procedures.
2. Report policy violations and information security incidents to higher authorities.
Remarks: Details of Information Security Incidents provided in Annexure 3.
11. ITI/OS/Sr.TA/TA/MTS

Asset Management
Action points: Follow the Acceptable Usage Policy for the use of Departmental Assets.
Remarks: A set of Do's and Don'ts in accordance with the Department's Acceptable Usage Policy is reproduced in Annexure 2. The officials may paste these instructions at their workstations or at a prominent place in their offices for constant reminder and reference.

Human Resource Management
Action points: Do not disclose any information related to the Departmental work to unauthorized persons.

Incident Management
Action points:
1. Adhere to Information Security Policies and Procedures.
2. Report policy violations and information security incidents to higher authorities.
Remarks: Details of Information Security Incidents provided in Annexure 3.
12. Contractual staff

Asset Management
Action points: Follow the Acceptable Usage Policy for the use of Departmental Assets.
Remarks: A set of Do's and Don'ts in accordance with the Department's Acceptable Usage Policy is reproduced in Annexure 2. The staff members may paste these instructions at their workstations or at a prominent place in their offices for constant reminder and reference.

Human Resource Management
Action points: Do not disclose any information related to the Departmental work to unauthorized persons.

Incident Management
Action points:
1. Adhere to Information Security Policies and Procedures.
2. Report policy violations and information security incidents to higher authorities.
Remarks: Details of Information Security Incidents provided in Annexure 3.
13. Security personnel

Physical and Environmental Security
Action points: Access to Visitors:
1. Verification by the Receptionist/Security personnel from the officer whom the visitor intends to meet.
2. Entering details of the visitor in the visitor's register.
3. Issuing a visitor's pass (which the visitor is required to wear during his time in the premises).
4. Retaining electronic devices of the visitor (except on specific permission of the officer).
5. Escorting the visitor to the concerned officer.
6. Returning his gadgets at the time of exit (on his returning the visitor's card).
Time period: To be implemented within one month of receipt of Instructions.

Action points: Access to employees: All officers, officials and contractual staff should display their id-cards to security personnel for entry into the office premises.
Time period: To be implemented within one month of receipt of Instructions.

Action points: Access to Maintenance personnel: Same as in the case of Visitors.
Time period: To be implemented within one month of receipt of Instructions.

Action points: Access to Suppliers: All suppliers to supply items to the DDO. Verification from the DDO and the other process to be the same as in the case of Visitors/Maintenance Personnel.
Time period: To be implemented within one month of receipt of Instructions.
Action points: Access to delivery and loading areas:
1. Ensuring that no unauthorised person can enter the delivery/loading areas.
2. Inspection of goods received in the delivery area for potential threats.
3. Entry in separate registers of items received for delivery/dispatch.
Time period: To be implemented within one month of receipt of Instructions.
Remarks: To be implemented by the DDO with assistance of security personnel.

Action points: Movement of goods/equipment:
1. Ensuring that no unauthorised person can enter/exit the building for movement of goods.
2. Examination/verification of goods against the invoice/gate-pass.
3. Entry in separate registers of items incoming/outgoing.
Time period: To be implemented within one month of receipt of Instructions.
Remarks: To be implemented by the DDO with assistance of security personnel.
Asset Management
Action points:
1. No contractual employee or Departmental employee below the rank of ITO to be allowed to carry any electronic device (except mobile) in and out of the premises without entry in the log register.
2. Incoming material log register to be filled before any media enters ITD premises.
3. Outgoing material log to be maintained when physical media is transported out of ITD premises.
Time period: To be implemented within 15 days of receipt of Instructions.

Incident Management
Action points:
1. Adhere to Information Security Policies and Procedures.
2. Report policy violations and information security incidents to higher authorities.
Remarks: Details of Information Security Incidents provided in Annexure 3.

Annexure-1

A. Information Assets

The CISO Instruction No. 2/2022 Dated: 21-01-2022 defines the term information
asset as follows:
“An information asset is a discrete set of information resources organized for the
collection, processing, maintenance, use, sharing, dissemination, or disposition of
information. Information resources include information and related resources, such as
personnel, equipment, funds and information technology.”
Examples of Information Assets included in the CISO Instruction No. 2/2022 are:
o Information assets: databases and data files, contracts and agreements,
system documentation, research information, user manuals, training material,
operational or support procedures, business continuity plans, fallback
arrangements, audit trails, and archived information;

o Software assets: application software, system software, development tools,
and utilities;
o Hardware assets: computer equipment, communications equipment,
removable media, and other equipment.
The Information Security Guidelines also treat non-IT Assets as Information Assets.
For the sake of simplicity and ease of Information Asset Management, three broad categories of Assets need to be identified, inventoried and handled from various perspectives.
1. Information Technology Hardware Assets: These include:
a. Computer equipment like Desktops, Laptops, Servers etc.
b. Communications equipment like Mobile Phones, Routers etc.
c. Removable media like pen-drives, flash drives, tape-drives, CDs, Portable Hard Drives etc.
d. Other equipment like webcams, scanners, printers, network printers etc.
2. Information Technology Software Assets: These include:
a. Operating Systems like Windows, Mac OS, Linux etc.
b. Departmental Software Systems like ITBA/Efiling/Project Insight etc.
c. Word Processors and Spreadsheets like MS Word and Excel
d. Databases and data files
3. Non-IT Assets: These include:
a. Files/Folders like Assessment Records, Appeal Records, CSR Folders, Administrative Records, Service Books.
b. Reports like Appraisal Reports, Investigation Reports, Reports of Committees and Working Groups etc.
c. Miscellaneous Records: Any other non-IT Assets not falling in the above categories.

Information Assets like Hardware and Software which are procured or maintained by
the DDO shall be recorded in three Asset Registers maintained by the DDO.
Information Assets which are in the nature of files, documents, papers etc. which
belong to any office shall be inventoried and maintained by the concerned
officers/officials.

The primary responsibility of maintenance and upkeep of registers lies with the DDO
under the supervision of the concerned HoD. The DDO will seek the information to be
filled in Asset registers from the concerned officers who are using that particular
Asset.

Type of Information Assets: Information assets, i.e. databases and data files, Office Files, contracts and agreements, system documentation, research information, user manuals, training material, operational or support procedures, business continuity plans, fallback arrangements, audit trails, and archived information
Officer responsible for maintenance and upkeep of Asset Registers: Officer concerned in whose office such documents are maintained

Type of Information Assets: Software assets, i.e. application software, system software, development tools, and utilities
Officer responsible for maintenance and upkeep of Asset Registers: DDO

Type of Information Assets: Hardware assets, i.e. computer equipment, communications equipment, removable media, and other equipment
Officer responsible for maintenance and upkeep of Asset Registers: DDO

B. Formats for Asset Registers (as specified in CISO Instruction No. 2(2022))

These are the three registers which are required to be maintained by DDOs.

Hardware Asset Register (columns): Asset Category | Asset Name | Asset Id | IP Address | Asset Addition Date | Asset Removal Date | Asset Owner | Asset User | Function | Storage location | Asset Criticality | Classification | Controls in Place | Remarks

Software Asset Register (columns): Asset Category | Asset Name | Asset Id | IP Address | Asset Addition Date | Asset Removal Date/License End Date | Asset Owner | Asset User | Storage location | Classification | Controls in Place | Remarks

Media Disposal Register (columns): Sr. No. | Type of Media | Asset Criticality | Quantity | Department | Date of Disposal | Approved by | Remarks

C. Assigning Asset Id to Information Assets

An alphanumeric id of 13 characters (written with hyphens between its parts) shall be assigned to each Information Asset of the nature of Hardware Assets in the following way:

i. The first three letters shall indicate the city where the Asset is present, e.g. MUM for Mumbai or DEL for Delhi. These letter codes for each city shall be decided by the LISO and communicated to all offices in the region.
ii. The next four characters shall indicate the Asset Owner's office where the Asset is stationed, e.g. Investigation Unit 10(1) may be indicated by I101 or Jurisdictional Circle-46(1) by J461. The LISO will have to map all asset owners in his region and shall issue these codes for reference of all Asset Owners mapped under him.
iii. One digit for the classification of the Asset: 0 for Unclassified, 1 for Restricted, 2 for Confidential, 3 for Secret and 4 for Top Secret.
iv. One digit (3, 2 or 1) for the criticality of the Asset as per the criticality guidelines.
v. The last four characters shall be a number indicating the unique serial number of the Information Asset in that particular office.

In this way, a computer system in Chennai Jurisdictional Circle-4(1) may be numbered as CHE-J041-2-3-0123 (Chennai; Circle-4(1); classification 2, Confidential; criticality 3, High; serial 0123). This Asset Id shall be displayed on the Asset for clear identification and prima facie indication of the classification and criticality of the Asset. Prompt action can be taken if an Information Asset is found not to be handled in accordance with its classification or criticality.

The LISO shall be responsible for preparing a list of Asset Owners in his jurisdiction. Each Asset Owner shall be given a Code. This code shall form the first 7 characters of the Asset Id in the following manner:
i. The first three letters shall indicate the city where the Asset is present, e.g. MUM for Mumbai or DEL for Delhi.
ii. The next four characters shall indicate the Asset Owner's office where the Asset is stationed, e.g. Investigation Unit 10(1) may be indicated by I101 or Jurisdictional Circle-46(1) by J461.

The LISO will have to map all asset owners in his region and shall issue these codes for reference of all Asset Owners mapped under him.
D. Guidelines for classification of Information Assets and their labeling and
other security measures
(as specified in CISO Instruction No. 2(2022))

All the Department information must be classified into one of the following categories:-

i. Top Secret: Information, unauthorized disclosure of which could be expected to cause exceptionally grave damage to the national security or national interest. This category is reserved for the Nation's closest secrets and is to be used with great reserve.

Labelling:
- "Top Secret" must appear at the bottom of each page (footer).
- "Top Secret" should be added to the Document Control Table.
- "Top Secret" must also appear on removable media labels.
Security Controls:
- Not for disclosure; restricted to designated High-Level Management of ITD who need to know, and to be stored and transferred in encrypted form.
- Only the information owner shall distribute the information, based on need.
- Encrypt in transit using communication protocols with strong encryption such as SSL/TLS or Internet Protocol Security (IPsec). The Instruction also lists Point to Point Tunneling Protocol (PPTP); PPTP is no longer considered strong encryption and should not be relied on where TLS or IPsec is available.
- Information to be stored on a restricted-access folder/SharePoint/key management server with access logged.
- Where information is stored on portable electronic storage devices or media, that storage must be encrypted.

ii. Secret: Information, unauthorized disclosure of which could be expected to cause serious damage to the national security or national interest, or cause serious embarrassment in its functioning. This classification should be used for highly important information and is the highest classification normally used.

Labelling:
- "Secret" must appear at the bottom of each page (footer).
- "Secret" should be added to the Document Control Table.
- "Secret" must also appear on removable media labels.
Security Controls:
- Encrypt using communication protocols with strong encryption such as SSL/TLS or Internet Protocol Security (IPsec), both within and outside the network. The Instruction also lists Point to Point Tunneling Protocol (PPTP); PPTP is no longer considered strong encryption and should not be relied on where TLS or IPsec is available.
- Hard copy information should be stored in secure areas with access logged.

iii. Confidential: Information, unauthorized disclosure of which could be expected to cause damage to the security of the organisation, or could be prejudicial to the interest of the organisation, or could affect the organisation in its functioning. Most information will, on proper analysis, be classified no higher than Confidential.

Labelling:
- "Confidential" must appear at the bottom of each page (footer).
- "Confidential" should be added to the Document Control Table.
- "Confidential" must also appear on removable media labels.
Security Controls:
- Encryption shall be used for transmission over the Internet.
- Information to be stored on a restricted-access folder/SharePoint/key management server.
- Restriction on read, download, print, write etc.
- Information should be exchanged only on a need basis, after due approval from the Information Owner, with the message marked as 'Confidential' in settings.
- Confidential emails must not be forwarded to personal email accounts (e.g. Gmail, Hotmail etc.).
- Hard copy information should be kept out of public areas (Clear Desk Policy) and stored in secure areas.

iv. Restricted: Information which is essentially meant for official use only and which would not be published or communicated to anyone except for official purposes.

Labelling:
- "Restricted" should appear at the bottom of each page and on removable media labels.
- "Restricted" should be added to the Document Control Table.
Security Controls:
- Information should be exchanged only with members of ITD, the MSP and authorized stakeholders, through official emails only.
- Access only after due approval from the Information Owner.
- Information to be stored on a restricted-access folder/SharePoint.
- Restriction on read, download, print, write, delete etc.
- Permissions to modify limited to authorized users.

v. Unclassified: Information that requires no protection against disclosure, e.g. public releases.

E. Guidelines to determine criticality of Information Assets
(as specified in CISO Instruction No. 2(2022))

The level of importance in terms of Confidentiality, Integrity and Availability must be determined in the asset inventory. The level of protection is assessed for the asset by analysing the Confidentiality, Integrity and Availability (CIA) requirements of the information and assets. The CIA level of the assets is rated on a scale of 1-3, with 1 being minimum impact and 3 being maximum impact. Rating guidelines are as follows:

Confidentiality
Rating 3: Unauthorized disclosure or loss of information, or of assets containing information, that could adversely impact the Department, resulting in identity theft, fraud, financial damages, loss of public confidence, breach of a contract clause, or that may lead to legal action.
Rating 2: Unauthorized disclosure or loss of information and assets could result in operational setbacks.
Rating 1: The information and asset is easily available/accessible by employees and, if disclosed, would have negligible/acceptable financial, operational or legal impact on the organization.

Integrity
Rating 3: Modification of the asset's accuracy and completeness has severe impact.
Rating 2: Modification of the asset's accuracy and completeness has moderate impact.
Rating 1: Modification of the asset's accuracy and completeness has negligible/minor impact.

Availability
Rating 3: Unavailability of the asset would result in very high consequences/severe loss to ITD.
Rating 2: Unavailability of the asset may cause some impact to ITD.
Rating 1: No/insignificant impact if the asset is not available.

Once the asset is rated on the CIA values, the asset is given an Asset Criticality Rating, which is determined on the basis of the Asset Value. The Asset Criticality Rating is calculated as follows:

Sr. No. | Asset Value = max of (C, I, A) | Criticality of the Asset
1. | 3 | High
2. | 2 | Medium
3. | 1 | Low
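The Asset Id scheme of section C and the criticality rating of section E are meant to be applied together: the criticality digit in the Id is the Asset Value, and the label on the asset must agree with the Hardware Asset Register entry of section B. The following Python is an added example, not part of the CISO Instruction, showing how the two rules compose and how a register row can be cross-checked against the Id printed on the asset. The city code CHE and office code J041 are taken from the Instruction's own example; real codes are issued by the LISO, so the function does not hard-code any list of them.

```python
"""Asset Id helpers for the scheme in Annexure-1 C and E (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Annexure-1 C(iii): classification digit of the Asset Id.
CLASSIFICATION = {
    "Unclassified": 0, "Restricted": 1, "Confidential": 2,
    "Secret": 3, "Top Secret": 4,
}
CLASSIFICATION_BY_DIGIT = {d: name for name, d in CLASSIFICATION.items()}

# Annexure-1 E: Asset Value = max(C, I, A) gives the criticality label, and
# the same value is the criticality digit of Annexure-1 C(iv).
CRITICALITY = {3: "High", 2: "Medium", 1: "Low"}

# CCC-OOOO-c-k-NNNN: 13 alphanumerics with hyphens between the parts.
ASSET_ID_RE = re.compile(
    r"^(?P<city>[A-Z]{3})-(?P<office>[A-Z0-9]{4})-"
    r"(?P<cls>[0-4])-(?P<crit>[1-3])-(?P<serial>[0-9]{4})$"
)


def asset_value(c: int, i: int, a: int) -> int:
    """Asset Value is the maximum of the three CIA ratings (each 1..3)."""
    for name, rating in (("C", c), ("I", i), ("A", a)):
        if rating not in (1, 2, 3):
            raise ValueError(f"{name} rating must be 1, 2 or 3, got {rating!r}")
    return max(c, i, a)


def criticality(c: int, i: int, a: int) -> str:
    """Criticality label (High/Medium/Low) for the given CIA ratings."""
    return CRITICALITY[asset_value(c, i, a)]


def make_asset_id(city: str, office: str, classification: str,
                  c: int, i: int, a: int, serial: int) -> str:
    """Assemble an Asset Id from its parts, validating each part first."""
    if not re.fullmatch(r"[A-Z]{3}", city):
        raise ValueError(f"city code must be three capital letters: {city!r}")
    if not re.fullmatch(r"[A-Z0-9]{4}", office):
        raise ValueError(f"office code must be four alphanumerics: {office!r}")
    if classification not in CLASSIFICATION:
        raise ValueError(f"unknown classification: {classification!r}")
    if not 1 <= serial <= 9999:
        raise ValueError(f"serial must fit in four digits: {serial!r}")
    return (f"{city}-{office}-{CLASSIFICATION[classification]}-"
            f"{asset_value(c, i, a)}-{serial:04d}")


@dataclass(frozen=True)
class AssetId:
    city: str
    office: str
    classification: str
    criticality: str
    serial: int


def parse_asset_id(text: str) -> AssetId:
    """Decode an Asset Id as printed on the asset label."""
    m = ASSET_ID_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"not a well-formed Asset Id: {text!r}")
    return AssetId(
        city=m["city"],
        office=m["office"],
        classification=CLASSIFICATION_BY_DIGIT[int(m["cls"])],
        criticality=CRITICALITY[int(m["crit"])],
        serial=int(m["serial"]),
    )


def register_discrepancies(row: dict) -> list[str]:
    """Cross-check a Hardware Asset Register row against its own Asset Id.

    `row` is keyed by the register's column names from Annexure-1 B. Returns
    the mismatches found (empty when label and register agree), which is the
    signal for the "prompt action" that section C calls for.
    """
    try:
        parsed = parse_asset_id(row["Asset Id"])
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if row.get("Classification") != parsed.classification:
        problems.append(f"classification: label says {parsed.classification}, "
                        f"register says {row.get('Classification')}")
    if row.get("Asset Criticality") != parsed.criticality:
        problems.append(f"criticality: label says {parsed.criticality}, "
                        f"register says {row.get('Asset Criticality')}")
    return problems
```

Running `make_asset_id("CHE", "J041", "Confidential", 2, 3, 1, 123)` reproduces the Instruction's example `CHE-J041-2-3-0123`, and `parse_asset_id` on that string recovers Confidential/High/serial 123. A constructed register row that records the same asset as "Medium" is flagged by `register_discrepancies`, as is any Id whose classification or criticality digit is out of range.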

Annexure-2

Do’s and Don’ts for the use of Information Assets of the Income Tax Department
(in accordance with Acceptable Usage Policy circulated vide CISO Instruction No. 2 (2020))

The purpose of this document is to educate the Department’s officers and officials
including the contractual staff in acceptable and unacceptable use of Information and
Information Assets of Income Tax Department. These instructions apply to all officers,
officials, contractors, sub-contractors, contractual staff and their associates having
access to Income Tax Department’s resources.

Do's:

1. Use only approved and licensed commercial software, applications, operating systems, databases and programs (e.g. MS Windows, MS Office and Anti-Virus) for official purposes.
2. Restrict physical access to desktops, laptops and handheld devices to authorized personnel only.
3. Secure the desktop/laptop (screen-lock/log-out) prior to leaving the workstation, to prevent unauthorized access.
4. Ensure IT assets are used for authorized purposes only.
5. Keep eatables away from workstations to avoid accidental spills.
6. Always shut down the workstation properly before leaving it unattended for a long duration or at the end of the working day.
7. In case of loss, damage or theft of an organization asset, immediately inform the supervisory officer about the incident.
8. Hand over assets which are not in use, or which pertain to a separated employee, to the authorized person.
9. Use email and file transfers for official purposes only.
10. Use hard-to-guess passwords.

Don'ts:

1. Do not create, use or distribute copies of software that are not in compliance with the license agreement for the software.
2. Do not use or distribute cracked/pirated/unlicensed versions of software.
3. Do not share passwords/OTPs/RSA Token numbers with anyone except the person authorized to access them.
4. Do not try to install, modify or uninstall any software on your own. If required to do so, seek prior approval and the assistance of authorized personnel.
5. Do not try to fix any malfunctioning of system/network resources on your own. Inform authorized personnel to get it resolved.
6. Do not store any personal data on organization-provided systems.
7. Do not connect personal devices like computers, laptops or smart devices to the organization's network.
8. Do not tamper with network settings and LAN cables/devices in the event of inaccessibility of the organization's network.
9. Do not switch off network devices like network switches, routers, Wi-Fi access points etc.
10. Do not share Wireless Access Point passwords with unauthorized persons.
11. Introduction of malicious code, or intentionally destroying or modifying files on the network, is strictly prohibited.
12. In the event that the user is aware or suspects that his/her system is compromised or affected by malware, he/she should not connect the system to the organization's network.
13. Any personal use of the network for commercial, illegal or unethical purposes is strictly prohibited.
14. Do not transmit confidential information over the internet. If confidential information is required to be transmitted over the internet, the information must be encrypted and approval from the supervisory officer must be obtained for sharing confidential information over the internet.
15. Do not access obscene, pornographic or offensive sites.
16. Playing on-line games/gambling is strictly prohibited.
17. Do not access casual browsing websites or social networking sites.
18. Do not download unnecessary software, songs and videos from the internet.
19. Do not open any email unless you are confident that it is coming from a legitimate source and the communication is expected.
20. Sending/forwarding chain mails and spam mails is prohibited.
21. Abuse, or the use of profane, threatening, racist, sexist or otherwise objectionable language/content in either public or private communication, is strictly prohibited.
22. Do not leave any sensitive information or document lying around in the office.
23. Do not try to access any restricted areas to which you do not have access.
24. Do not copy or send the Department's data to external devices/entities (e-mail, Internet, Pen Drives etc.) if you are not authorized to do so.

Annexure-3

A. Information Security Incident

The Policy defines an Information Security Incident as follows:

“An Incident is defined as the occurrence of any exceptional situation that could
compromise the Confidentiality, Integrity or Availability of Information and
Information Systems of the Income Tax Department. Security weaknesses
(vulnerability in the information system, which could be exploited to compromise the
Confidentiality, Integrity or Availability of the Information and Information system),
software malfunctions (any abnormality or deviation in the functioning of a software
application) and violations of the Department’s security policies and procedures must
also be considered an incident.”

An indicative list of possible Information Security Incidents is as follows (the list is not exhaustive):

Cyber security incidents:
- Malware infection such as virus, ransomware, trojan horse etc.
- Distributed Denial of Service (DDoS) or Denial of Service (DoS) attacks
- Phishing, whaling, social engineering etc.
- Password hacking
- Website defacing
- Bot attacks

Physical security incidents: Not every physical security incident is an Information Security Incident. Only such incidents of physical security which substantially impact the security of Information Assets may be categorized as Information Security Incidents, such as:
- Theft/Dacoity
- Terrorist attack
- Bomb blast
- Unauthorized trespassing
- Unauthorized access to server rooms

Environmental security incidents: Not every environmental security incident is an Information Security Incident. Only such incidents of environmental security which substantially impact the security of Information Assets may be categorized as Information Security Incidents, such as:
- Fire
- Flood
- Lightning
- Short-circuit/electrical malfunction
- Cyclone
- Tsunami
- Landslide
- Building collapse

Human resource security incidents: Any violation of the Information Security Policy with respect to Human Resource Security would constitute an Information Security Incident, such as:
- Hiring contractual staff without background checks and verifications.
- Hiring contractors without getting the Non-Disclosure Agreement signed.
- Breach of confidentiality or non-disclosure agreements.
- Putting officials to handle Information Assets without educating them on Information Security.
- A terminated or transferred individual fails to return the Information Assets of the Department.
- The access rights (both physical and logical) of a terminated or transferred individual are not removed immediately.

Asset management security incidents: Any violation of the Information Security Policy with respect to Asset Management would constitute an Information Security Incident, such as:
- Unauthorized access to classified information.
- Passwords of devices get compromised.
- Use of unauthorized portable media like pen drives, hard disks etc. in the Department's systems.
- Improper disposal of Information Assets.
- Unauthorized access to, or tampering with, media during transportation.
- Removal of Information Assets without permission of the Asset Owner.
- Repair of Information Assets by unauthorized vendors.
B. SOP for handling an Information Security Incident

1. The first person who observes or suspects an Information Security Incident should notify the BISO of the building where the incident has occurred. If the building cannot be ascertained, the LISO may be informed, who shall inquire into the incident and identify and inform the concerned BISO.
2. The BISO should conduct an inquiry into the breach and give a preliminary report to the LISO within 24 hours of the incident, in the prescribed format given in Annexure 3.1. The preliminary report should identify the relevant stakeholders who need to be informed of the incident immediately, to safeguard against further data loss.
3. The BISO should safeguard the area of the incident in such a way that data loss can be minimized.
4. If the Information Security Incident is of the nature of a cyber security incident, then:
a. The BISO shall intimate the AD(Systems)/DD(Systems)/JD(Systems) in the office of the Pr.CCIT(CCA).
b. The AD(Systems)/DD(Systems)/JD(Systems) shall identify the affected system and the other systems connected to it which may also have been affected.
c. The AD(Systems)/DD(Systems)/JD(Systems) shall oversee the resolution of the issue. If the resolution requires a software update/formatting or a hardware change, that shall be done by the AMC vendor of the affected system (the logs and evidence referred to in (e) should be preserved before any formatting or replacement destroys them). The AD(Systems)/DD(Systems)/JD(Systems) shall ensure that resolution happens in accordance with the Information Security Policy.
d. The BISO shall ensure that the AD(Systems)/DD(Systems)/JD(Systems) are given full access and cooperation to resolve the issue.
e. The AD(Systems)/DD(Systems)/JD(Systems) shall take steps to preserve logs, safeguard evidence, classify the incident and carry out root cause analysis in accordance with the Information Security Policy.
f. Once the incident is resolved, the BISO shall send a report to the LISO describing the incident and its resolution.
5. If the Information Security Incident is of the nature of a physical or environmental security incident, then:
a. The BISO shall intimate the LISO regarding the incident.
b. The LISO shall take steps to resolve the incident. If required, the LISO shall contact authorities outside the Department, like the police, fire brigade etc., for resolution.
c. Once the incident is resolved, the BISO shall send a report to the LISO describing the incident and its resolution, in the prescribed format given in Annexure 3.2.
6. If the Information Security Incident is of the nature of a human resource security incident or an asset management security incident, then:
a. The BISO shall intimate the HoD (PCIT/PDIT/CIT/DIT/ADG) or CCIT or DGIT regarding the incident.
b. The HoD or CCIT or DGIT shall investigate the incident and fix responsibility.
c. The HoD or CCIT or DGIT may take disciplinary action against the concerned officer/official if deemed necessary.
d. Once the incident is resolved, the HoD or CCIT or DGIT shall intimate the BISO in the prescribed format given in Annexure 3.2.
e. The BISO shall send a report to the LISO describing the incident and the action taken on it.

C. Monthly Report of the LISC/LISO to CISO with regard to Information Security Incidents

The report carries the following six figures for the month:
1. Number of Information Security Incidents at the beginning of the Month
2. Number of Information Security Incidents during the Month
3. Number of Information Security Incidents at the end of the Month
4. Number of Information Security Incidents for which a Report was sent to the CISO at the beginning of the Month
5. Number of Information Security Incidents for which a Report was sent to the CISO during the Month
6. Number of Information Security Incidents for which a Report is yet to be sent to the CISO

Annexure 3.1

Incident Details (fields):
- Incident No.
- Incident Start Date
- Incident Classification*
- Incident Priority*
- Affected Service
- Number of Employees/User(s) Impacted
- Description
- Status

* As per the scheme given in Annexure 3.3

Annexure 3.2

Incident Reporting Form (fields):
- Incident Report No.
- Date of Reporting
- Incident Classification*
- Date of Incident
- Time of Incident
- Reported By
- Place/Location of Incident
- Description of Incident
- Any Immediate Action Taken
- Permanent Resolution of the Incident
- Root Cause Analysis (if any)
- Recommendation
- Prepared By
- Remarks
- Approved By
- Approval Date

* As per the scheme given in Annexure 3.3

Annexure 3.3

Priority Type (Incident Classification), Definition and Examples:

P1 (Critical)
Definition: System unavailability that will stop, or has the potential to stop, significant parts of the IT operations, which will completely stop all the services of multiple employees; or a service failure that will immediately cause significant security risks and loss of confidentiality or data integrity.
Examples: 1. Exposure of unencrypted, unmasked or insufficiently masked taxpayer confidential or sensitive information into the public domain. 2. Ransomware/DDoS attack.

P2 (High)
Definition: System unavailability that will degrade parts of the IT operation, due to which partial services are unavailable or impacted for multiple employees.
Examples: 1. Compromised privileged account credentials; incident involving Highly Critical assets. 2. Active attack incidents by unknown attackers that impact project servers.

P3 (Average)
Definition: System unavailability that will seriously degrade, or has the potential to seriously degrade, parts of the IT operation and will stop all the services of a single employee.
Examples: 1. Malware incidents that do not fall in a higher severity. 2. Data loss incidents not involving sensitive information. 3. Confirmed phishing campaign that impacts more than a hundred users.

P4 (Low)
Definition: Minor issues with no material impact on operations.
Examples: 1. Virus not cleaned from a single machine. 2. Antivirus signatures not being updated automatically.

Annexure-4

SOP for carrying out Information Security Audit

1. Pre-Audit phase
Action points:
1. The CIT(Audit) gives prior intimation to the LISO for carrying out the Information Security Audit.
2. LISOs provide the necessary information to the CIT(Audit) to carry out the audit, such as the list of offices, the BISOs of such office buildings etc.
3. The CIT(Audit) shall prepare an Audit plan for the entire region delineating a schedule for building-wise and office-wise Information Security Audit.
Time period for implementing action points: 1 week

2. Audit phase
Action points:
1. CsIT(Audit) give prior intimation to the HoDs (PCIT/CIT/ADG etc.) of the offices selected for Audit and request them to direct the officers/officials concerned to furnish the necessary documents to the Audit party.
2. The CIT(Audit) and/or their subordinate officers/officials visit the offices and inspect them on parameters of Information Security in accordance with the Information Security Audit checklists.
Time period for implementing action points: 1 month

3. Post-Audit phase
Action points:
1. The final Audit report to be submitted by the CIT(Audit) to the LISO with a copy marked to the CISO. Time period: 7 days
2. The LISO to follow up on the Audit report of non-compliances and get them rectified in accordance with the Information Security Policy. Time period: 15 days

Annexure-5

Instructions on Risk Management

Purpose

Information Security Risk assessment is aimed at identifying, quantifying and prioritizing information security risks and determining appropriate actions for managing such risks. Risk Assessment will help decide the countermeasures needed to reduce the exposure to information security threats and minimize their impact.

Scope and Applicability

This procedure is applicable to all offices functioning under Principal Chief Commissioners of Income-tax (CCA) in various regions as well as the offices working under the attached directorates of CBDT. ITD employees, contractors, third party staff or any other persons having access to ITD information or information processing facilities shall adhere to this procedure and ensure compliance.

1. The ITD Information Security Policy circulated vide CISO Instruction No. 2
dated 27.11.2020 mandates that Department shall establish and maintain
Information Security Risk Management procedure covering Risk Assessment and
treatment of identified Risks on continual basis.

2. Information Security Risk assessment shall be carried out periodically or in case of a major event/change that impacts the security of Information Assets. All identified risks shall be captured in risk registers (template of risk register is at Annexure-5). The outcome of such Risk assessment shall be reviewed, and corrective / preventive actions shall be taken.

3. Information Security Risk Management shall ensure that:

i. No critical Information and related assets are left out.

ii. Trivial assets are not over-protected and important assets are not under-protected.

iii. Controls selected for risk mitigation are compatible with existing ones, so that they not only complement each other but also produce a synergetic effect.

Risk Assessment Procedure

Information Security Risk Assessment focuses on determining the risks to information security. It provides the methodology and procedures for identifying top threats and analysing and mitigating the impact due to occurrence of the identified threats. Risk Assessment consists of the following activities:

Table 1:

# Activity

1. Risk Identification

2. Risk Analysis

3. Risk Evaluation

4. Risk Treatment

5. Risk Monitoring and Review.

Risk Criteria

Risk criteria are the terms of reference used in deciding on the significance of the risks to be assessed. The terms of reference include, inter alia, associated costs and benefits, legal and statutory requirements and best practices. Risk criteria define the Risk Ratings and the Risk Acceptance criteria for assessment and adequate treatment of the risks.

1. Risk Identification

Risk identification is the process of identifying threats and associated vulnerabilities and determining the potential Impact. It includes the following key activities:

Threat and Vulnerability Identification

A threat is a potential for a source to exploit (accidentally or intentionally) a specific vulnerability. Vulnerability is the susceptibility or weakness of a resource or asset to any negative impact from hazardous events, i.e. a weakness or flaw that enables a threat to attack an asset. Vulnerabilities include weaknesses in physical layout, organization, procedures, personnel, management, hardware, software, information, etc. They may be exploited by a threat which may cause harm or damage to the asset.

A repository of identified threats and vulnerabilities shall be maintained in the Threat and Vulnerability Database, which is a part of the Risk Assessment Template.

Potential Impact and Risk Identification

Risk is a function of threats exploiting vulnerabilities to cause potential impact. Potential Impact is the probable loss of physical assets and the information implications that can follow if the identified vulnerabilities are exploited by the related threats. Thus, threats may exist, but if there are no vulnerabilities, there is no risk. Similarly, even if a vulnerability exists, if no threat exists there is no risk. Hence, it is important to properly identify risks pertaining to identified threats, vulnerabilities and potential impact. It is the responsibility of the LISO to identify risks associated with the loss of confidentiality, integrity and availability of information/assets.

2. Risk Analysis

Risk analysis is the process in which identified risks and existing controls are
evaluated. This process involves various activities listed as follows:

a) Assess and analyse the identified threats, vulnerabilities and potential impact using predefined criteria.

b) Assess the realistic likelihood of the threat. Calculate the risk value.

c) Identify the risk rating according to predefined criteria.

Various criteria used for risk analysis are given as follows:

Vulnerability Rating

The weakness in the system which might be exploited by a threat and the effectiveness
of the control in preventing the vulnerability from being exploited is estimated in this
step. During Risk rating evaluation, more weightage is given to the vulnerability than
likelihood of occurrence. The following matrix shown in Table 2 is used for
determining the scale of Vulnerability rating.

Table 2: Vulnerability Rating

Rating | Value | Ease of Exploitation

1 | Insignificant | The possibility of the vulnerability being exploited is very low (extra controls in place)

2 | Low | The possibility of the vulnerability being exploited is low (sufficient controls in place)

3 | Medium | The vulnerability might be exploited (some controls in place)

4 | High | The vulnerability can be easily exploited (existing controls not adequate)

5 | Very High | The vulnerability can be very easily exploited (no controls in place)

Threat Likelihood

The likelihood with which a threat can exploit vulnerabilities is estimated in this step. The following matrix shown in Table 3 should be used for determining the scale of Threat likelihood:

Table 3: Threat Likelihood

Rating | Likelihood | Description

1 | Rare | The event will only occur in exceptional circumstances or because of a combination of unusual events.

2 | Unlikely | The event may occur at some time but is not likely to occur in the foreseeable future (3-5 years).

3 | Possible | The event may occur within the foreseeable future or medium term (i.e. expected to occur within the next 3 years).

4 | Likely | The event will probably occur in most circumstances (i.e. expected to occur once within 1 year).

5 | Almost Certain | The event will occur in most circumstances (i.e. expected to occur multiple times within 1 year).

Potential Impact Rating

Potential Impact is the damage caused to information security due to exploitation of the vulnerabilities by the threats. The Potential Impact rating is defined based on the probable level of harm that may be caused by threats materializing. The following matrix shown in Table 4 should be used for determining the scale of Potential Impact Rating.

Table 4: Potential Impact Rating

Rating | Impact | Description

1 | Insignificant | Nominal or close to no impact to the process due to disruption; little or no effort required to repair / recover.

2 | Low | Minor impact to the process due to disruption; minimal effort required to repair / recover.

3 | Medium | Moderate impact to the process and reasonable effort required to repair / recover (minor outage).

4 | High | Substantial damage to Department Information Assets (major outage); substantial expenditure of resources required for repair / recovery.

5 | Very High | In addition to substantial expenditure to repair, may lead to permanent shutdown of operations / complete compromise.

Risk Rating

Risk rating is determined based on the risk value. The risk value is the product of the vulnerability rating, the threat likelihood and the potential impact rating. The risk rating also takes into consideration the controls implemented in the environment. The vulnerability value carries more weightage than the threat likelihood. Based on this product, Table 5 shows the risk rating classifications. Refer to Annexure 6 for an indicative list of threats and vulnerabilities.

Risk Value = Vulnerability rating X Potential Impact Rating X Threat Likelihood

Table 5: Risk Rating

Risk Rating | Risk value | Description | Example

High (71-125): These risks will have a huge impact leading to a significant effect on the entire information security environment. Risk treatment needs to be considered with high priority.
Examples: Unauthorized access to confidential taxpayer data; Breach/Loss of Taxpayer Data; Major Service Interruption.

Medium (36-70): These risks will have a considerable amount of impact leading to a major issue on information security.
Example: Unauthorised access/attack due to un-patched software/applications.

Low (16-35): These risks will have some minor amount of impact.
Example: Unauthorised access due to lack of clear desk policy.

Insignificant (1-15): These risks are at notification level and may develop into a negative impact.
Example: Temporary network disruption affecting service/work.

3. Risk Evaluation

Risk should be evaluated by comparing the results of risk analysis and risk
acceptance criteria and prioritized based on risk rating.

4. Risk Treatment

Risk treatment is the process of determining the treatment options for the identified risks and developing an action plan for treatment of these risks. It includes the following key activities:

a) Determine the Risk Treatment Option for all identified risks.

b) Determine/develop the risk treatment controls.

c) Develop the Risk Treatment Plan and follow up on the implementation of Risk Treatment Plans.

Risk Treatment Options

Risk treatment involves identifying the range of options for treating risk, assessing
those options, preparing risk treatment plans and implementing them. The risk
treatment plan should first identify the selected options for the treatment of risks.

The risk treatment options are listed in Table 6 below.

Table 6: Risk Treatment Options

Treatment Option | Description

Mitigate | Chosen action when the risk can be treated by implementing appropriate controls.

Transfer | Chosen action when the risks are treated by hedging the impact to a third party.

Accept | Chosen action when the controls identified to treat the risk are not considered feasible.

Terminate | Chosen action when the risk is avoided by terminating the activities that give rise to the risk.

Risk Acceptance Criteria

Risk acceptance refers to the decision in which identified risk is accepted and normal
procedures are continued with the accepted risk. In such cases, the reasons for
acceptance of the risk shall be documented along with appropriate justifications.

Risk shall be accepted for several reasons including, but not limited to:

a) The potential impact is low and the cost of further protection against the risk is not worthwhile;

b) The likelihood of an incident is low, and the cost of further protection against the risk is greater than the expected loss value; and

The risk acceptance criteria are also decided based on the risk rating. The risk acceptance criteria are shown in Table 7 below:

Table 7: Risk Acceptance Criteria

Risk Rating | Description

High | A corrective action plan to Terminate or Mitigate the risk must be put in place as early as possible. Such risks would be reviewed once in a quarter.

Medium | Corrective actions are needed and a plan to Terminate or Mitigate the risk must be developed to incorporate these actions within a reasonable period. Such risks would be reviewed once in a year.

Low | These risks can be accepted, e.g. risks with risk value <= 35.

Insignificant | These risks can be accepted, e.g. risks with risk value <= 15.
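The following is an added example (not part of these Instructions) that encodes the risk value formula, the Table 5 rating bands and the Table 7 acceptance rules above, and uses them to lint register rows; the rating triples for rows 1, 2, 6 and 8 are copied from the sample risk register later in this annexure, while row 13 and the `RegisterRow`/`lint_register` names are constructed for illustration.

```python
"""Risk scoring and acceptance checks for a Risk Register.

Added example, not part of the original Instructions. It encodes
Risk Value = Vulnerability rating x Potential Impact Rating x Threat Likelihood,
the Table 5 rating bands and the Table 7 acceptance/review rules, then lints
constructed register rows against them.
"""
from dataclasses import dataclass

# Table 5: inclusive risk value bands -> risk rating
RISK_BANDS = (
    (1, 15, "Insignificant"),
    (16, 35, "Low"),
    (36, 70, "Medium"),
    (71, 125, "High"),
)

# Table 7: ratings that may simply be accepted, and review cadence for the others
ACCEPTABLE_RATINGS = frozenset({"Low", "Insignificant"})
REVIEW_CADENCE = {"High": "once in a quarter", "Medium": "once in a year"}

# Table 6 treatment options
TREATMENT_OPTIONS = frozenset({"Mitigate", "Transfer", "Accept", "Terminate"})


def _scale(name, value):
    """Tables 2, 3 and 4 all use an integer scale of 1 (lowest) to 5 (highest)."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return value


def risk_value(vulnerability, impact, likelihood):
    """Risk Value as defined above; the product formula itself weights all three equally."""
    return (_scale("vulnerability", vulnerability)
            * _scale("impact", impact)
            * _scale("likelihood", likelihood))


def risk_rating(value):
    """Map a risk value (1..125) onto the Table 5 rating."""
    for low, high, rating in RISK_BANDS:
        if low <= value <= high:
            return rating
    raise ValueError(f"risk value {value} is outside the 1..125 range")


@dataclass(frozen=True)
class RegisterRow:
    """One row of the register (constructed subset of the template's columns)."""
    sr_no: int
    threat: str
    vulnerability: int      # Table 2 rating
    impact: int             # Table 4 rating
    likelihood: int         # Table 3 rating
    treatment: str          # Table 6 option

    @property
    def value(self):
        return risk_value(self.vulnerability, self.impact, self.likelihood)

    @property
    def rating(self):
        return risk_rating(self.value)

    def acceptable(self):
        """Table 7: only Low and Insignificant risks may be accepted as they are."""
        return self.rating in ACCEPTABLE_RATINGS

    def review_cadence(self):
        return REVIEW_CADENCE.get(self.rating, "no periodic review required")


def lint_register(rows):
    """Return findings for rows whose treatment conflicts with Tables 6 and 7."""
    findings = []
    for row in rows:
        if row.treatment not in TREATMENT_OPTIONS:
            findings.append(f"#{row.sr_no} {row.threat}: unknown treatment option {row.treatment!r}")
        elif row.treatment == "Accept" and not row.acceptable():
            findings.append(
                f"#{row.sr_no} {row.threat}: {row.rating} risk (value {row.value}) cannot simply be "
                f"accepted; a Terminate/Mitigate plan is required, reviewed {row.review_cadence()}")
    return findings


# Constructed rows. Ratings for #1, #2, #6 and #8 follow the sample register in
# this annexure; #13 is invented to show a row that violates Table 7.
SAMPLE_ROWS = (
    RegisterRow(1, "Flooding", 3, 2, 2, "Mitigate"),                      # 12 -> Insignificant
    RegisterRow(2, "Fire / Short Circuit", 3, 3, 3, "Mitigate"),          # 27 -> Low
    RegisterRow(6, "Unauthorized entry", 4, 4, 4, "Mitigate"),            # 64 -> Medium
    RegisterRow(8, "Theft of equipment", 3, 2, 4, "Terminate"),           # 24 -> Low
    RegisterRow(13, "Un-patched application (constructed)", 5, 4, 4, "Accept"),  # 80 -> High
)

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(f"#{row.sr_no:<3}{row.threat:<40}{row.value:>4}  {row.rating:<14}{row.review_cadence()}")
    for finding in lint_register(SAMPLE_ROWS):
        print("FINDING:", finding)
```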

Risk Mitigation Criteria

Risk mitigation is the process of reducing a specific risk (or a set of risks) to an acceptable level by changing the operational environment and/or applying technical or non-technical countermeasures.

Risk Transfer Criteria

Risk transfer involves a decision to share certain risks with external parties. Risk transfer can create new risks or modify existing, identified risks. Therefore, an additional risk assessment followed by risk treatment may be necessary. Transfer can be done by insurance that shall cover the consequences, or by sub-contracting a third party whose role shall be to monitor the information system and take immediate action to stop an attack before it causes a defined level of damage.

Risk Terminate Criteria

Risk can be terminated by taking into consideration various means listed below:

a) Choosing not to undertake the aspect of information security that attracts the risk, such as not providing direct access from the internet;

b) Using alternative methods, such as selecting different hardware or software; or

c) Relocating assets away from known areas of physical risk, such as flood zones.

Risk Communication

Risks must be appropriately communicated to the relevant stakeholders. Risk communication is an activity to achieve greater agreement on how to manage risks by exchanging and/or sharing information about the risks with stakeholders.

Residual Risk

Residual risk is the risk remaining after risk treatment. Efforts will be made to treat the high risks to an acceptable risk value by implementing any of the risk treatment plans. The residual risk shall be accepted as per the risk acceptance criteria defined.

5. Risk Monitoring and Review

Risk monitoring and review process is aimed at providing assurance that risks have been adequately identified and prioritized and that significant risks are well managed by implementing adequate controls. This process helps in determining whether:

▪ Procedures adopted and information gathered for identifying the risks were appropriate, and whether significant risks have been identified;

▪ Mitigation controls put in place are appropriate for the current scenario and lead to reduction of future risk exposure;

▪ Identified risks are closed in a timely manner.

Any of the below may be considered for the re-assessment of risks apart from the
annual review cycle:

a) Changes to the activities/procedures which may affect the originally assessed risk levels, e.g. new vulnerabilities, new threats, change in the decision on the acceptable level of risk;

b) Weak performance of the implemented controls as per the earlier Risk Assessment and Risk Treatment Plan cycle;

c) Increased impact or consequences of assessed threats, vulnerabilities and risks in aggregation resulting in an unacceptable level of risk.

Any of the above can be considered for the re-assessment of the risks apart from the
annual review cycle.

Risk Register Template

Columns of the register (one row per identified risk; rows 1, 2, 3 ... are left blank in the template):

Sr. No. | Threat Category | Threat | Vulnerability | Response Standard | Vulnerability Assessment | Potential Impact | Vulnerability Rating | Potential Impact Rating | Threat Likelihood | Risk value | Risk Rating | Risk Identified date | Existing controls | Risk Treatment Option | Risk Treatment Plan | Risk Owner | Risk Closure Timeline | Actual Risk Closure Timeline | Residual Risk | Remarks

66
Sample filled-out Risk Register for a Pr.CCIT(CCA) region (this sample is only for reference; the risk register for every charge should be prepared after identifying the risks which are specific to that charge).

Columns: Sr. No. | Threat Category | Threat | Vulnerability | Response Standard | Vulnerability Assessment | Potential Impact | Vulnerability Rating | Potential Impact Rating | Threat Likelihood | Risk value | Risk Rating | Risk Identified date | Existing controls | Risk Treatment Option | Risk Treatment Plan | Risk Owner | Risk Closure Timeline | Actual Risk Closure Timeline | Residual Risk | Remarks

The columns Response Standard, Risk Identified date, Risk Closure Timeline, Actual Risk Closure Timeline, Residual Risk and Remarks are blank in the sample and are omitted from the rows below.

Sr. No.: 1
Threat Category: Environmental
Threat: Flooding
Vulnerability: Lack of a proper rain water drainage system and low plinth level of the Building may cause flooding of the ground floor of the office premises in the rainy season, leading to damage to records, systems and electronic devices, and may further lead to power failure/short circuit.
Vulnerability Assessment: Medium
Potential Impact: Damage to property and hindrance to entry of officers/officials into the Building
Vulnerability Rating / Potential Impact Rating / Threat Likelihood: 3 / 2 / 2
Risk value: 12
Risk Rating: Insignificant
Existing controls: Water pumps installed at entry and exit gates in addition to the drainage system in the Building
Risk Treatment Option: Mitigate
Risk Treatment Plan: Additional staff to be deployed at all entry/exit points. Adequate maintenance of the water drainage system be ensured before the rainy season. Pumps installed shall be in working condition, and regular maintenance and a pump operator shall be made available.
Risk Owner: Building In-charge

Sr. No.: 2
Threat Category: Physical
Threat: Fire / Short Circuit
Vulnerability: Systems and equipment used are susceptible to damage by short circuit/voltage fluctuation etc.
Vulnerability Assessment: Medium
Potential Impact: Probable spread of fire/crisis/disruption to all sections of the building, data loss, loss of human lives
Vulnerability Rating / Potential Impact Rating / Threat Likelihood: 3 / 3 / 3
Risk value: 27
Risk Rating: Low
Existing controls: Fire extinguishers and wet risers are in place; adequate fire exits available in the Building; security guards in place.
Risk Treatment Option: Mitigate
Risk Treatment Plan: Fire sensors and a public announcement system shall be installed in the entire Building including rooms. Fire safety drills and awareness of staff be conducted at regular intervals. Fire exits shall be kept open and free from encumbrances.
Risk Owner: Building In-charge

Sr. No.: 3
Threat Category: Environmental
Threat: Lightning
Vulnerability: Systems and equipment in the Building and the structure of the building are susceptible to damage by fire incidents caused by lightning
Vulnerability Assessment: Low
Potential Impact: Damage to property and loss of human life
Vulnerability Rating / Potential Impact Rating / Threat Likelihood: 2 / 1 / 2
Risk value: 4
Risk Rating: Insignificant
Existing controls: Lightning conductors are installed and maintained at the roof of the Building. Adequate fire exits available in the Building.
Risk Treatment Option: Mitigate
Risk Treatment Plan: Regular inspection of the lightning conductors at the roof be conducted and faults noticed shall be repaired immediately. Fire exits shall be kept open and free from encumbrances.
Risk Owner: Building In-charge

Sr. No.: 4
Threat Category: Environmental
Threat: Earthquake
Vulnerability: Systems and equipment in the Building and the structure of the building are susceptible to damage and human life may be at risk
Vulnerability Assessment: Medium
Potential Impact: Damage to property and loss of human life
Vulnerability Rating / Potential Impact Rating / Threat Likelihood: 3 / 3 / 3
Risk value: 27
Risk Rating: Low
Existing controls: Public announcement system, open space and sufficient entry/exit points are in place.
Risk Treatment Option: Mitigate
Risk Treatment Plan: Security guards and earthquake SOPs shall be publicised; mock drills and first aid training shall be ensured. A public announcement system shall be in place covering the entire area of the Building. Provision for adequate entry/exit points and open space shall be made available.
Risk Owner: Building In-charge

Sr. No.: 5
Threat Category: Environmental
Threat: Epidemic
Vulnerability: Human life may be at risk
Vulnerability Assessment: Medium
Potential Impact: Loss of human life
Vulnerability Rating / Potential Impact Rating / Threat Likelihood: 3 / 2 / 2
Risk value: 12
Risk Rating: Insignificant
Existing controls: First aid kit, wheelchair and stretcher are available in the office. Some reputed hospitals are in close vicinity. Proper sanitation measures and mosquito breeding control sprays are done at regular intervals.
Risk Treatment Option: Mitigate
Risk Treatment Plan: Close monitoring of Ministry of Health guidelines regarding the spread of any epidemic in the area. Proper restricting guidelines be followed.
Risk Owner: Building In-charge

Sr. No.: 6
Threat Category: Physical
Threat: Unauthorized entry
Vulnerability: Some common places in the building are allowed to be used for non-departmental events like CAs'/Advocates' general body elections/meetings and publicity campaigns by banks/other such institutions.
Vulnerability Assessment: High
Potential Impact: Probable unauthorised entry during office and non-office hours
Vulnerability Rating / Potential Impact Rating / Threat Likelihood: 4 / 4 / 4
Risk value: 64
Risk Rating: Medium
Existing controls: CCTVs installed in the Building. Entry into the Building restricted through valid identity cards and visitor's pass. Security guards in place.
Risk Treatment Option: Mitigate
Risk Treatment Plan: Regular CCTV monitoring is in place. Additional staff to be deployed at all entry/exit points. Entry and exit points to be minimised during such events.
Risk Owner: Building In-charge

Sr. No.: 8
Threat Category: Physical
Threat: Theft of equipment
Vulnerability: Bags of private and contractual staff are not checked on a daily basis
Vulnerability Assessment: High
Potential Impact: Loss of assets; confidential data contained in the equipment/system may be at risk
Vulnerability Rating / Potential Impact Rating / Threat Likelihood: 3 / 2 / 4
Risk value: 24
Risk Rating: Low
Existing controls: 24x7 security guard on duty. Gate pass is mandatory to take out any equipment/system.
Risk Treatment Option: Terminate
Risk Treatment Plan: Additional secure doors be installed; effective CCTV monitoring be ensured. Biometric access control gates shall be installed.
Risk Owner: Building In-charge

Sr. No.: 9
Threat Category: Physical
Threat: Sharing of Building premises with other organizations/institutions
Vulnerability: Any person authorized to visit another department may have unauthorised access to the office
Vulnerability Assessment: High
Potential Impact: Probable unauthorised entry during office and non-office hours
Vulnerability Rating / Potential Impact Rating / Threat Likelihood: 4 / 4 / 4
Risk value: 64
Risk Rating: Medium
Existing controls: CCTVs installed in the Building. Entry into the Building restricted through valid identity cards and visitor's pass. Security guards in place.
Risk Treatment Option: Mitigate
Risk Treatment Plan: Regular CCTV monitoring is in place. Additional staff to be deployed at all entry/exit points.
Risk Owner: Building In-charge

Sr. No.: 10
Threat Category: Physical
Threat: Terrorist attack
Vulnerability: Human life and property may be at risk
Vulnerability Assessment: Low
Potential Impact: Loss of human life and assets
Vulnerability Rating / Potential Impact Rating / Threat Likelihood: 2 / 1 / 3
Risk value: 6
Risk Rating: Insignificant
Existing controls: CCTVs installed in the Building. Entry into the Building restricted through valid identity cards and visitor's pass. Security guards in place.
Risk Treatment Option: Mitigate
Risk Treatment Plan: Regular CCTV monitoring is in place. Armed security guards to be deployed at all entry/exit points.
Risk Owner: Building In-charge

Sr. No.: 11
Threat Category: Physical
Threat: Old building
Vulnerability: Any weak structure may fall and cause damage to human life and assets
Vulnerability Assessment: Medium
Potential Impact: Loss of human lives and property/assets
Vulnerability Rating / Potential Impact Rating / Threat Likelihood: 3 / 3 / 3
Risk value: 27
Risk Rating: Low
Existing controls: Regular maintenance and inspection of the building is ensured through an external specialized agency. The necessary approvals and budgetary allocations are ensured for major repairs.
Risk Treatment Option: Mitigate
Risk Treatment Plan: Regular monitoring and inspection of the Building be ensured. Timely minor repair and maintenance work be performed. Major repair works be identified and performed as per prevailing rules and regulations.
Risk Owner: Building In-charge

Sr. No.: 12
Threat Category: Physical
Threat: Strike by employees
Vulnerability: Employees may go on strike on the call of their associations
Vulnerability Assessment: Medium
Potential Impact: Loss to property/assets and delay in office work
Vulnerability Rating / Potential Impact Rating / Threat Likelihood: 3 / 3 / 3
Risk value: 27
Risk Rating: Low
Existing controls: Regular meetings are arranged with the representatives of the employees' associations. CCTVs installed in the Building. Security guards in place.
Risk Treatment Option: Mitigate
Risk Treatment Plan: Proper CCTV monitoring be ensured. Awareness campaign regarding relevant conduct rules be arranged. Regular meetings be arranged with the employees' associations and their valid grievances be addressed as per prevailing rules. Security guards in place.
Risk Owner: Building In-charge

Annexure-6

List of potential threats and vulnerabilities

Lists of Threats

A threat is a potential for a source to exploit (accidentally or intentionally) a specific vulnerability. A threat can also be defined as any incident that could negatively affect the confidentiality, integrity or availability of an asset. Following is a tentative list of threats that an organisation may encounter. This further needs to be augmented based on the actual situation in the organisation.

Threats | Indicative Risk rating (1 low - 5 high)

▪ Breach of contractual relations 5
▪ Breach of legislation 5
▪ Damage caused by a third party 4
▪ Destruction of records 5
▪ Eavesdropping 2
▪ Employees going on strike 3
▪ Equipment malfunction 3
▪ Failure of communication links 4
▪ Falsification of records 5
▪ Fraud from a cyber criminal 4
▪ Fraud from an internal party 5
▪ Improper disclosure of passwords 3
▪ Improper disclosure of sensitive information 4
▪ Industrial espionage 5
▪ Interruption of business processes 4
▪ Loss of support services 2
▪ Malicious code 2
▪ Misuse of information systems 3
▪ Natural or man-made disaster 4
▪ Phishing scams 3
▪ DDOS attack 3
▪ Ransomware attack 3
▪ Power failure 1
▪ Sensitive data being compromised 5
▪ Terrorism threat in the immediate vicinity or affecting nearby transport and logistics 2
▪ Theft of equipment 3
▪ Theft of sensitive data 5
▪ Unauthorised access to the information system 3
▪ Unauthorised access to the network 3
▪ Unauthorised changes of records 4
▪ Unauthorised physical access 2
▪ Unauthorised use of copyright material 4

Lists of Vulnerabilities
Vulnerability is an organisational flaw that can be exploited by a threat to destroy, damage or compromise an asset. It is the susceptibility or weakness of a resource or asset to any negative impact from hazardous events, i.e., a weakness or flaw that enables a threat to attack an asset. Following is a tentative list of vulnerabilities that an organisation may encounter. This further needs to be augmented based on the actual situation in the organisation.

Vulnerability | Indicative Risk rating (1 low - 5 high)

▪ Employees not receiving adequate training 3
▪ Equipment not being replaced when it is no longer fit for purpose 2
▪ Hard drives being disposed of without sensitive data having been deleted 4
▪ Improper cabling security and management 2
▪ Improper change management 2
▪ Improper internal audit 3
▪ Improper network management 3
▪ Improper validation of the processed data 2
▪ Inadequate or irregular system backups 3
▪ Inadequate physical security controls 3
▪ Insufficient processes or technologies to prevent malicious files from being downloaded 4
▪ Insufficient processes or technologies to prevent sensitive data from being copied 4
▪ Insufficient software testing 3
▪ Insufficient processes or technologies to prevent users from downloading unapproved software 3
▪ Inadequate protection of cryptographic keys 3
▪ Lack of systems for identification and authentication 2
▪ No procedure for removing access rights upon termination of employment 3
▪ No protection for mobile equipment 3
▪ Passwords not being changed from default settings 4
▪ Passwords not being strong enough 3
▪ Poor or non-existent access control policy 4
▪ Poor or non-existent clean desk and clear screen policy 3
▪ Poor or non-existent internal documentation 2
▪ Poor staff morale and potential for malicious action 4
▪ Premises vulnerable to flooding, fire or other disruptive event 4
▪ Sensitive data not being properly classified 4
▪ Staff duties not being properly segregated 2
▪ Staff not receiving security awareness training 3
▪ User rights not reviewed regularly 3
▪ Unprotected public networks 3
▪ Water or heat damage to equipment 2
▪ Non-updating of anti-virus 3
▪ Expired fire extinguisher 4
▪ Expired fire alarm 4
▪ Expired fire safety certificate 2
▪ Non-signing of Non-Disclosure Agreement by employees/contractors 3
▪ No police verification of contractors/employees 3

Annexure-7

Non-Disclosure Agreement/ Confidentiality Agreements

The HoD or DDO should ensure that all Contractors/MSPs/sub-contractors/contractual staff sign appropriate confidentiality agreements/non-disclosure obligations to protect confidential and sensitive information of the Department. They are required not to disclose organizational information derived as a result of their access to the Department's Information Systems to unauthorized parties. The Non-Disclosure Agreement should clearly outline the confidential information that the contractor will have access to and the consequences of any unauthorized disclosure and misuse of that information. A template of a Confidentiality Agreement is reproduced here. It may be modified (if necessary) as per the requirements of the concerned office.

Confidentiality Agreement Template

1. This Declaration (“Declaration”) is entered into as of the day of signing, by ____________ _______________ (“Receiving Party”)

2. WHEREAS, it is anticipated that the receiving party may get access to confidential
information with respect to their engagement with ___________________________________
________ ___________________________________________________(“Disclosing Party”) for
the purpose of _______________________________________________ (“Purpose”).

3. For the purpose of this Declaration "Confidential Information" shall mean any and
all information and data, including but not limited to any kind of any product, service,
process, invention, improvement or development carried on or used, discoveries, ideas,
concepts, know-how (whether patentable or copyrightable or not), research,
development, designs, specifications, drawings, blueprints, tracings, diagrams,
models, samples, flow charts, computer programs, algorithms, marketing plans or
techniques, budgets, costs, profits, prices, discounts, mark-ups, strategies, tenders
and any price sensitive information, whether or not labelled as “Confidential
Information” and disclosed in connection with the Purpose, irrespective of the medium
in which such information or data is embedded. Confidential Information shall include
any copies, abstracts, reports, work products or any derivatives made or derived there
from.

4. All Confidential Information disclosed pursuant to this Declaration:

a. shall be used exclusively for the Purpose of this Declaration, and the
receiving party shall be permitted to use Confidential Information disclosed only
for such sole Purpose and for no other purpose, unless otherwise expressly
agreed to in writing by disclosing party;

b. shall not be distributed, disclosed, or disseminated in any way or form by the
receiving party to anyone except parties who have the reasonable need to know
the Confidential Information and who are bound to confidentiality by their
employment agreement;

c. shall not be disclosed to any other third party without the prior written
approval from disclosing party;

d. shall not be used for personal purposes or for the benefit of anyone other than the disclosing party;

e. shall not be used to make abridged versions, copies, summaries or extracts in any form, nor shall any Confidential Information be removed from the place of business unless authorized by the disclosing party.

5. It is understood that no license or right of use or any other right in respect of the
Confidential Information is granted or conveyed by this Declaration. The disclosure of
Confidential Information and materials shall not result in any obligation to grant the
receiving party any such rights therein.

6. Receiving party agrees that it shall treat Confidential Information disclosed under
this Declaration as strictly confidential perpetually.

7. All Confidential Information disclosed pursuant to this Declaration shall either be returned to the disclosing party or be destroyed upon cessation of the engagement.

8. In the event of a breach or threatened breach of this Declaration by the Receiving Party or anyone acting on its behalf, without prejudice to other rights and remedies which the disclosing party may have in this regard, the disclosing party shall be entitled to seek any equitable relief, specific performance or any such applicable relief from any court of competent jurisdiction.

9. This Declaration shall be governed by laws of India.

10. If any term, clause or provision of this Declaration shall be judged to be invalid for
any reason whatsoever, such invalidity shall not affect the validity or operation of any
other term, clause or provision of this Declaration and such invalid term clause or
provision shall be deemed to have been deleted from this Declaration.

11. The provisions of this Declaration may not be modified, amended, nor waived,
except by a written instrument duly executed by the Parties hereto. The requirement
of written form can only be waived in writing.

I agree to have read and abide by the above Declaration.

NAME:

ID.:

SIGNATURE

EXECUTED AT _________ THIS ____DAY OF _____

Annexure-8

SOP for verification of contractor/ contractual staff

(As specified in CISO instruction No. 2 dated 27.11.2020)

A “Contractor” is a person or firm that undertakes a contract to provide materials or labor to perform a service or do a job. The term is used interchangeably with MSP (Managed Service Provider). An SOP related to deployment of contractors/MSPs/contractual staff in the Department has been prepared in accordance with the CISO instructions. The SOP may be modified and finalized keeping in view local conditions and requirements.

A. Terms and conditions of the Contract with Contractor/MSP:

1. The HoD (PCIT/ PDIT/ CIT/ DIT) or DDO should ensure that a formal contract is entered into between the Department and all third parties providing service to the Department or using the Department's information systems. The services to be provided by the outsourced party must be covered by a strong Service Level Agreement (‘SLA’) that takes into consideration expected levels of service, security, monitoring, contingency and other stipulations as appropriate.
2. In the Contract the HoD or the DDO should ensure that following clauses have
been kept:
a. clause regarding subcontractors that all contractors must be required to
provide information to the Department about related subcontractors and
obtain the Department’s permission for the subcontracting, prior to
initiation of work by the subcontractor.
b. clause regarding responsibilities towards information security: all
contractors/MSPs/ contractual staffs must sign and agree with the
terms and conditions of their contract. These terms and conditions must
include the responsibilities towards Information Security.
3. The above clauses may be added to the existing contracts by making the
necessary addendums.
4. The HoD should ensure that the Security controls and service levels, associated
reports and records of contract/third party service providers should be
independently assessed, reviewed and monitored.

B. Background check:

A background check must be performed for all contractors/MSPs/subcontractors. The concerned HoD or DDO should conduct a thorough background check to ensure that the contractor has a clean record and is trustworthy. The background check of the Contractor must include verification of the following aspects:

a) Identity

b) Address
c) Criminal Records
d) Employment History
e) Promoters History
f) ITR/PAN
g) CIBIL score
h) Reputation: 360-degree profiling
i) Experience
j) Feedback/Reference from past and current clients
k) Reference from 2 credible persons.

A report in this regard, after due verification, must be kept in the records of the HoD
or the DDO concerned.

Contactor/MSP would be responsible for Background check of all the contractual staff
that are being deployed in the Department through the contractor/MSP. The
Background check of the staff would include:

a) Identity
b) Address
c) Criminal Records
d) Employment History/ Experience
e) Aadhaar
f) Education
g) Reference from 02 credible persons

Background check report of the contractual staffs should be made part of the
individual staff file in the records of the HoD or the DDO.
