
UNIT - II

By:
SHUBHANGI SHARMA
Assistant Professor
Department of Computer Science & Engineering
CONTINUITY STRATEGIES
• A cyber security business continuity plan is a form of Business Continuity
planning.
• Business Continuity Planning is the process of creating a plan to identify
major risks to a business which could cause significant disruption,
preventing these where feasible, and planning to allow essential processes
to continue wherever possible.
• A cyber security business continuity plan (sometimes known as an
incident response plan) can help your business to identify a range of cyber
risks and outline how to prevent or mitigate incidents where possible. It
should also outline the actions that should be taken to minimise business
disruption during a cyber emergency.
• The benefits of an incident response plan or cybersecurity business
continuity plan include lessening business disruption by providing clear
steps, actions and responsibilities, and an increased awareness of cyber
risks across a business which can prevent incidents from occurring.
Three core BCM plans
• The Incident Response Plan (IRP). This IT-centric plan includes
the procedures and continuity strategies to assess, investigate, recover
from, mitigate and manage the impacts and potential impacts of a
cyber-security incident, such as a data breach or ransomware attack.
• The Disaster Recovery Plan (DRP). This continuity strategy
encompasses the recovery of your entire datacenter and associated IT
infrastructure, from servers to networks to data storage to voice
communications and the business functions within the IT department
such as the Help Desk.
• The Business Continuity Plan (BCP). This plan covers the
functional recovery of an organization's business processes
(including IT) and thus includes the IRP and DRP. ISO 22301 is a
popular management systems standard often used by organizations of
all sizes for business continuity planning.
CYBER BUSINESS CONTINUITY PLANNING
1. Assemble your team
2. Conduct a cyber security risk assessment
3. Perform a Business Impact analysis
4. Test your systems
5. Set up a continuous monitoring process
CRISIS MANAGEMENT
• The Cyber Crisis Management Plan (CCMP) provides the strategic
framework and guides actions to prepare for, respond to, and begin to
coordinate recovery from a cyber incident.
• It covers different types of cyber crisis, possible targets and related
impact, actions and responsibilities of concerned stakeholders, and cyber
incident response coordination among Departments of the State
Government, its agencies and Critical Information Infrastructure (CII)
organizations to deal with cyber crisis situations.
• The motive of the Cyber Crisis Management Plan (CCMP) is to provide the
State Government with a guideline or foundation for viable handling of
a cyber crisis that may adversely impact Government, Business and
Citizens.
• The Cyber Crisis Management Plan stipulates the actions and processes
to be carried out in the event of an attack to safeguard the state
government's assets and its services.
COMPONENTS OF CYBER CRISIS MANAGEMENT PLAN
1. Preparation and Readiness
2. Detection and Assessment
3. Business continuity and Recovery
4. Post Event Activity
ASSET LIFE CYCLE
An asset life cycle is the series of stages involved in
the management of an asset. It starts with the planning
stages when the need for an asset is identified, and
continues all the way through its useful life and
eventual disposal.
Asset Life Cycle Stages
Every asset has four different stages in its lifecycle:
1. Create/acquire
2. Utilize
3. Maintain
4. Renew/dispose
PLAN, DO, CHECK, ACT MODEL
PDCA, which stands for Plan-Do-Check-Act, is an
iterative cycle for continuous improvement of people,
products, services, and business processes.
The PDCA cycle has four stages:
Plan — determine goals for a process and the changes
needed to achieve them.
Do — implement the changes.
Check — evaluate the results in terms of performance.
Act — standardize and stabilize the change, or begin
the cycle again, depending on the results.
Due Care & Diligence
The terms “due diligence” and “due care” are both
important to risk management, but have different
meanings depending on the context in which they are
used. Most importantly, the two concepts differ
depending on whether you are referring to real-life
scenarios or a regulatory environment.
LAWS & REGULATIONS
What is Cyber Law?
Cyber laws, more commonly known as internet laws,
are laws that are related to legal informatics, regulating
the digital distribution of information, e-commerce,
software, and information security. They usually cover
many related areas, such as usage of and access to the
Internet, freedom of speech, and privacy.
Why Cybercrime Laws?
• Many security and privacy issues arise with the use of the
internet.
• Ingenious criminals have been known to use advanced strategies
to carry out unauthorized activities and potential fraud.
• Therefore, the need to protect against them is substantial, and the
most effective method of doing so is to enforce a cyber security
policy.
• These policies and laws are made to protect individuals and
businesses online by holding these criminals accountable for
their malicious actions and sentencing them to appropriate
punishment as decided by the federal government.
Role of Cyber Laws in Cyber security
Cyber laws cover these three primary areas:
• Fraud: Cyber laws protect users from falling victim to online
fraud. They exist to prevent crimes such as credit card and identity
theft. These laws also declare federal and state criminal charges
for anyone who attempts to commit such fraud.
• Copyright: Cyber laws also prevent copyright infringement and
enforce copyright protection. They provide individuals and
businesses with the right to protect their creative works and to
profit from them.
• Defamation: Cyber laws are also enforced in online defamation
cases, which provide individuals and businesses protection against
false allegations made online that can be harmful to their
reputations.
Cyber security Laws
Cyber security or cyber-crime law comprises
directives that safeguard information technology with
the purpose of forcing companies and organizations to
protect their systems and information from cyber
attacks using numerous measures. Below, we will take
a quick look at the several types of international cyber
law and cybercrime regulations in India, the United
States, and the European Union.
India has four predominant laws when it comes to cybersecurity:
• Information Technology Act (2000): Enacted by the parliament of India, the
Information Technology Act was made to safeguard the e-governance,
e-banking, and e-commerce sectors; its scope has since been enhanced to
encompass all the latest communication devices.
• Indian Penal Code (IPC) (1980): This cybercrime prevention act has primary
relevance to cyber frauds concerning identity theft and other sensitive
information theft.
• Companies Act (2013): With the Companies Act enacted back in 2013, the
legislature ensured that all the regulatory compliances are covered, including
e-discovery, cyber forensics, and cybersecurity diligence. The Companies Act
provides guidelines for the responsibilities of company directors and leaders
concerning the confirmation of cybersecurity obligations.
• NIST Compliance: The Cybersecurity Framework (NCFS), authorized by the
National Institute of Standards and Technology (NIST), contains all the
guidelines, standards, and best practices necessary to responsibly address
cybersecurity risks.
Security Standards
• To make cybersecurity measures explicit, written norms are
required. These norms are known as cybersecurity standards: the
generic sets of prescriptions for an ideal execution of certain measures.
• The standards may involve methods, guidelines, reference
frameworks, etc. A standard ensures efficiency of security, facilitates integration
and interoperability, enables meaningful comparison of measures,
reduces complexity, and provides the structure for new developments.
• A security standard is "a published specification that establishes a
common language, and contains a technical specification or other
precise criteria and is designed to be used consistently, as a rule, a
guideline, or a definition."
• The goal of security standards is to improve the security of
information technology (IT) systems, networks, and critical
infrastructures.
1. ISO
• ISO stands for International Organization for Standardization.
International Standards make things work. These standards
provide a world-class specification for products, services and
computers, to ensure quality, safety and efficiency. They are
instrumental in facilitating international trade.
• ISO was officially established on 23 February 1947. It is an
independent, non-governmental international organization. Today, it
has a membership of 162 national standards bodies and 784
technical committees and subcommittees to take care of standards
development. ISO has published over 22336 International Standards
and related documents which cover almost every industry, from
information technology, to food safety, to agriculture and healthcare.
ISO 27000 Series
It is the family of information security standards which is
developed by the International Organization for
Standardization and the International Electrotechnical
Commission to provide a globally recognized framework
for best information security management. It helps the
organization to keep their information assets secure such
as employee details, financial information, and
intellectual property.
The need for the ISO 27000 series arises because of the risk
of cyber-attacks which organizations face. Cyber-attacks
are growing day by day, making hackers a
constant threat to any industry that uses technology.
• ISO 27001- This standard allows an organization to demonstrate to its clients and stakeholders
that it manages the security of their confidential data and information. This standard involves
a process-based approach for establishing, implementing, operating, monitoring, maintaining,
and improving our ISMS.
• ISO 27000- This standard provides an explanation of the terminology used in ISO 27001.
• ISO 27002- This standard provides guidelines for organizational information security
standards and information security management practices. It includes the selection,
implementation, operation and management of controls taking into consideration the
organization's information security risk environment(s).
• ISO 27005- This standard supports the general concepts specified in 27001. It is designed to
provide the guidelines for implementation of information security based on a risk management
approach. To completely understand ISO/IEC 27005, knowledge of the concepts,
models, processes, and terminology described in ISO/IEC 27001 and ISO/IEC 27002 is
required. This standard is applicable to all kinds of organizations, such as non-government
organizations, government agencies, and commercial enterprises.
• ISO 27032- It is the international Standard which focuses explicitly on cybersecurity. This
Standard includes guidelines for protecting information beyond the borders of an
organization, such as in collaborations, partnerships or other information sharing arrangements
with clients and suppliers.
2. IT Act
• The Information Technology Act, also known as ITA-2000 or
the IT Act, mainly aims to provide the legal infrastructure in
India to deal with cybercrime and e-commerce. The IT
Act is based on the United Nations Model Law on E-Commerce
1996 recommended by the General Assembly of the
United Nations. This act is also used to check misuse of cyber
networks and computers in India. It was officially passed in
2000 and amended in 2008. It has been designed to give a
boost to electronic commerce, e-transactions and related
activities associated with commerce and trade. It also facilitates
electronic governance by means of reliable electronic records.
3. Copyright Act
• The Copyright Act 1957, amended by the Copyright Amendment Act 2012,
governs the subject of copyright law in India. This Act is applicable from 21
January 1958. Copyright is a legal term which describes the ownership of
control of the rights to the authors of "original works of authorship" that are
fixed in a tangible form of expression. An original work of authorship is a
distribution of certain works of creative expression including books, video,
movies, music, and computer programs. The copyright law has been enacted to
balance the use and reuse of creative works against the desire of the creators of
art, literature and music to monetize their work by controlling who can make and
sell copies of the work.
• The Copyright Act covers the following:
  • Rights of copyright owners
  • Works eligible for protection
  • Duration of copyright
  • Who can claim copyright
4. Patent Law
• Patent law is a law that deals with new inventions. Traditional patent
law protects tangible scientific inventions, such as circuit boards,
heating coils, car engines, or zippers. Over time, patent law has
been used to protect a broader variety of inventions such as business
practices, coding algorithms, or genetically modified organisms. It is
the right to exclude others from making, using, selling, importing,
inducing others to infringe, and offering a product specially adapted for
practice of the patent.
• In general, a patent is a right that can be granted if an invention is:
  • Not a natural object or process
  • New
  • Useful
  • Not obvious.
5. IPR
Intellectual property rights are rights that allow creators,
or owners of patents, trademarks or copyrighted works, to
benefit from their own plans, ideas, or other intangible
assets or investment in a creation. These IPR rights are
outlined in Article 27 of the Universal Declaration of
Human Rights. It provides for the right to benefit from
the protection of moral and material interests resulting
from authorship of scientific, literary or artistic
productions. These property rights allow the holder to
exercise a monopoly on the use of the item for a
specified period.
