Mission
To protect information and information infrastructure in cyberspace, build capabilities to prevent and respond to cyber threats, reduce vulnerabilities and minimize damage from cyber incidents through a combination of institutional structures, people, processes, technology and cooperation.
National Cyber Security Policy 2013
Overview of NCSP 2013
The National Cyber Security Policy was released on 2nd July 2013. It covers:
• Enabling secure computing environment & confidence in electronic transactions
• Roadmap to create cyber security framework
• Strengthen Regulatory framework
• Approach & Strategy for protection of cyber space
National Cyber Security Policy 2013
Objectives
1. Secure cyber ecosystem; trust & confidence in IT systems and transactions in cyberspace
2. Assurance framework for design of security policies; compliance to global security standards and best practices
3. Regulatory framework for a Secure Cyberspace
4. 24 x 7 operational national level computer emergency response team (CERT-In)
5. 24 x 7 operational National Critical Information Infrastructure Protection Centre (NCIIPC)
6. Development of indigenous security technologies for addressing National Security requirements
7. Security testing of ICT products
8. Capacity building of a workforce of 500,000 professionals skilled in cyber security in the next 5 years
9. To provide fiscal benefits to businesses for adoption of standard security practices and processes
10. Protection of information while in process, handling, storage & transit so as to safeguard privacy of citizen's data
11. Prevention, investigation and prosecution of cyber crime
12. Culture of cyber security and privacy enabling responsible user behaviour & actions
13. Effective public private partnerships and collaborative engagements for enhancing the security of cyberspace
14. Global cooperation by promoting shared understanding and information sharing
Information Technology Act
IT Act provides a legal framework to the Cyber ecosystem in India.
Highlights of IT Act
• Legal recognition of Digital Signatures
• Offenses and Contraventions
• Justice Dispensation System for Cyber Crimes
Few Sections applicable to Cyber Security
• Section 43: Penalty and compensation for damage to computer, computer system, etc.
• Section 43A: Compensation for failure to protect data
• Section 46: Power to adjudicate
• Forecast and alerts of cyber security incidents.
• International Collaboration
– Member of FIRST
– Member of APCERT
– Research Partner: APWG
– Functional relationships with CERTs (US-CERT, CERT/CC, JPCERT etc.)
NCIIPC
Government of India has designated the ‘National Critical Information Infrastructure Protection Centre’ (NCIIPC) for taking all measures, including associated Research and Development, for the protection of CIIs in India.
Its mission is “To take all necessary measures to facilitate protection of Critical Information Infrastructure, from unauthorized access, modification, use, disclosure, disruption, incapacitation or destruction, through coherent coordination, synergy and raising information security awareness among all stakeholders”, with a vision “to facilitate safe, secure and resilient Information Infrastructure for Critical Sectors in the country”.
NCIIPC Responsibilities
1. Research and Development for protection of CII
2. National Program & policies on CII
3. Partnership across Government/Academia and Private Sector
7. Training & Awareness
8. Reporting of all incidents by CII stakeholders
9. Compliance of all advisories of NCIIPC by all stakeholders
10. Malware Analysis
11. Cyber Forensics activities
12. 24 x 7 operation and helpdesk
Cyber Crisis Management Plan
This plan establishes a strategic framework for dealing with Cyber incidents. It describes types of cyber incidents, actions and responsibilities for a coordinated approach in order to prepare for rapid identification, information exchange, response, and remediation to mitigate & recover from malicious cyber related incidents impacting critical business functions and processes.
• This plan takes into consideration the crises that occur due to cyber security incidents and breaches, and presents a broad based approach to deal with such crises. CCMP is not only to respond to cyber crises/incidents but also to guide in building cyber resiliency at organisation & sector-level.
• The plan is updated periodically by CERT-In to take into account the dynamic nature of the Cyber Security threat landscape and emerging technologies.
Standards, Audit and Compliance
ISO 27001
Information Security:
• Preservation of confidentiality, integrity and availability of information.
(ISO 27000:2012 clause 3.30)
Management System:
• Framework of guidelines, policies, procedures, processes and associated resources aimed at ensuring an organization meets its objectives.
(ISO 27000:2012 clause 2.42)
14 Domains – 114 Controls
• A.5: Information security policies (2 controls)
• A.6: Organization of information security (7 controls)
• A.7: Human resource security (6 controls, applied before, during and after employment)
• A.8: Asset management (10 controls)
• A.9: Access control (14 controls)
• A.10: Cryptography (2 controls)
• A.11: Physical and environmental security (15 controls)
• A.12: Operations security (14 controls)
• A.13: Communications security (7 controls)
• A.14: System acquisition, development and maintenance (13 controls)
• A.15: Supplier relationships (5 controls)
• A.16: Information security incident management (7 controls)
• A.17: Information security aspects of business continuity management (4 controls)
• A.18: Compliance, with internal requirements such as policies and with external requirements such as laws (8 controls)
ISO 27001 clauses – Plan
• 4 Context of the organization: understanding the organization and its context; expectations of interested parties; scope of ISMS; ISMS
• 5 Leadership: leadership and commitment; policy; organization roles and responsibilities
• 6 Planning: actions to address risk and opportunities; IS objectives and plans to achieve them
• 7 Support: resources; competence; awareness; communication; documented information
Annex A: 14 control objectives and 114 controls
ISO 27001 clauses – Do, Check, Act
• 8 Operation (Do): operational planning and control; information security risk assessment; information security risk treatment
• 9 Performance Evaluation (Check): monitoring, measurement, analysis and evaluation; internal audit; management review
• 10 Improvement (Act): non conformity and corrective action; continual improvement
Decreasing the Cost: By implementing ISO 27001, many security incidents are prevented, and the investment in implementing this standard is usually far less than the cost of remediation which goes in correction of the incidents; and
Business continuity activities (recovered from diagram labels): planning and control of operations; business continuity strategy selection; business continuity plan exercising and testing.
Risk management process (recovered from diagram labels): Frame, Assess, Respond, Monitor, with information and communication flows between the steps.
Standards, Audit and Compliance
NIST 800-30: Conducting risk assessments within organizations – Determine Risk
Standards, Audit and Compliance
ISO 20000
ISO 20000 is the international standard for IT service management. “It describes an integrated set of management processes for the effective delivery of services to the business and its customers.”
• Closely follows the ITIL framework.
• While individuals are ITIL certified, organizations are ISO 20000 certified.
The Standard is divided into three parts.
• Part 1: Provides the requirements for IT service management to gain certification
– This is relevant to those responsible for initiating, implementing or maintaining IT service management in their organization
– Senior Management are responsible and accountable for ensuring all requirements of Part One are met if Certification is sought
• Part 2: Code of Practice for Service Management
– Provides guidance to internal auditors and assists service providers planning service improvements or preparing for audits against ISO 20000
• Part 3: Scope & Applicability
– Advice on scoping for service management
– Planning & improvements
ISO 20000 processes:
• Business Relationship Management
• Problem Management
• Release & Deploy Management
• Incident Management
• Configuration Management
• Supplier Management
• Change Management
Why implement ISO 20000?
• ISO 20000 provides the organization with the means to operate more effectively and efficiently
• ISO 20000 provides an auditable method by which it can assess the quality and conformance of its IT Services
• Provides a structured framework to effectively manage IT services to meet the business/customer requirements.
• Improves effectiveness of IT and promotes consistent delivery of IT services.
• Improves IT performance and service reliability.
• Inculcates a ‘Process Driven’ approach for providing IT services.
CIA
• Confidentiality of information refers to the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
Asset Format/Type
• Information – Policies and procedures, system documentation etc.
• Software – Applications, system software, utilities etc.
• Physical – Servers, Tapes, Magnetic Devices etc.
• Services – Client services, Facility Management Services, Process etc.
• People
• Paper – Physical hard copy
Asset Classification
• Top Management Confidential, Confidential, Restricted, Internal, Public
Asset Valuation
• Perform impact assessment for compromise of confidentiality, integrity and availability of assets in a qualitative and a quantitative manner
Current state structures are not optimal to address the drivers shaping the current landscape. These companies are not:
► Allocating compliance spend efficiently to proactively identify potential violations before they arise.
► Recognizing the complexity of the regulatory environment and the priorities of the regulatory agencies.
► Advancing data analytics tools and capabilities to match the sophistication of the agencies that regulate them when it comes to compliance.
Governance and Risk Management
Board Oversight: Audit committee, Compensation committee, Risk committee, Other committees
Executive Management: CEO, CFO, CIO, General Counsel
IT risk program components (recovered from diagram labels): organization (people, process, function); process, risk and control framework incorporating an IT process framework; IT strategy; business and risk processes and operational procedures; risk assessments; issues management; regulatory requirements; risk acceptance; metrics and reporting; scenario analysis; awareness and training; tools and technology to facilitate the IT risk program; IT risk dashboard for compliance monitoring and reporting.
Managing risk, driving value, controlling costs and achieving compliance
Governance and Risk Management
Key Objectives
Cyber Security Risk Management Program
• The program should be aligned to address cyber risks that matter most to the business
• Each component requires people, processes and technology capabilities to develop a resilient IT environment
Program components (driven by risk tolerance, threat intelligence and business priorities):
• Govern: Effectively manage cybersecurity risks through people, processes and technology
• Complicate (Deter): Make it difficult for an attacker to achieve their objective
• Detect: Establish capabilities to identify the attack before meaningful business impact is accomplished
• Respond: Effectively and efficiently respond to and remediate an attack
• Educate: Maintain a security-conscious workforce
Governance and Risk Management
Integrated risk assessment approach to identify the organization’s key risks and cyber security gaps
Top Down
• Business drivers
• Compliance and Governance
• Policy and standard
• Executive perspectives on what matters most to the business
EY CPA framework
► CPA Assessment: People, process, technology across 20 domains
Bottom Up
► Scenario-based technical testing
► Attack and penetration technical testing
Outcomes
• Prioritized roadmap
• Prioritized initiatives
• Critical assets
• Metrics and reporting
• Align security to the business; fill technical gaps; manage security risk
Company Information Security – Domain / Mitigation
1. Security Monitoring / Monitor egress
2. Incident Management / Incident response process
3. Software Security / SDLC