Fi 11- RT-ln
Ministry of Communication and Information Technology
Department of Electronics and Information Technology

NOTIFICATION

om may 2013

Subject: Notification on National Cyber Security Policy-2013 (NCSP-2013)

National Cyber Security Policy-2013 (NCSP-2013)

Preamble

1. Cyberspace is a complex environment consisting of interactions between people, software and services, supported by worldwide distribution of information and communication technology (ICT) devices and networks.

2. Owing to the numerous benefits brought about by technological advancements, the cyberspace today is a common pool used by citizens, businesses, critical information infrastructure, military and governments in a manner that makes it difficult to draw clear boundaries among these different groups.

3. Indian economy. In addition to and indirect contribution to the various socio-economic parameters such as employment, standard of living and among others. The sector has played a role in India's image to that of a global player in providing world-class technology solutions and business services. IT enabled services in Public services (Government to citizen services, citizen public distribution systems), Healthcare (telemedicine, remote consultation, mobile duties), Education (Learning, virtual classrooms, etc.) and Financial services (mobile banking / payment gateways), etc. Such moves have enabled increased IT adoption the country through sectoral reforms and National programmes which have led to creation of large scale IT infrastructure with Wale / private participation.

4. software services country in tune with globally networked environment.

5. Cyberspace is vulnerable to a wide variety of incidents, whether intentional or accidental purposes by both nation-states and non-state actors. Cyber attacks that target the or underlying economic well-being of a nation state can effectively reduce available state resources significance may take any form an
organized cyber attack, an uncontrolled exploit such as computer virus or worms or any malicious software code, a national disaster with significant cyber consequences or other related incidents capable of causing extensive damage to the information infrastructure or key assets. Large-scale cyber incidents may overwhelm the government, public and private sector resources and services by disrupting functioning of critical information systems. Complications from disruptions of such a magnitude may threaten lives, economy and national security. Rapid information exchange, investigation and coordinated response and examples of cyber threats to individuals, businesses and government are identity theft, phishing, social engineering, cyber terrorism, compound threats targeting mobile devices and smart phone, compromised digital certificates, advanced persistent threats, denial of service, bot nets, supply chain attacks, data leakage, etc. The protection of information infrastructure and preservation of the confidentiality, integrity and availability of information in cyberspace is the essence of a secure cyber space.

6. security challenges which have significantly contributed to the creation of a platform that is now Due to the dynamic nature of cyberspace under a National Cyber Security Policy with an integrated vision and a set of sustained & coordinated strategies for implementation.

7. providers including home users and small, medium and large enterprises and Government & non-Government. It serves as an umbrella framework for defining and guiding the actions related to security of cyberspace. It also enables the individual sectors and organizations in designing takes to effectively protect information, information systems & networks and also gives an insight It also outlines some pointers to enable collaborative working of all key players in public private to safeguard country's information and
information systems. This policy therefore aims to create a posture of country's cyber space.

I. Vision

To build a secure and resilient cyberspace for citizens, businesses and Government.

II. Mission

To protect information and information infrastructure in cyberspace, build capabilities to prevent and respond to cyber threats, reduce vulnerabilities and minimize damage from cyber incidents through a combination of institutional structures, people, processes, technology and cooperation.

III. Objectives

1. confidence in IT systems and transactions in cyberspace and thereby enhance adoption of IT in all sectors of the economy.
2. To create an enabling conformity assessment (product, process, technology & people).
3. To strengthen the Regulatory framework for ensuring a Secure Cyberspace ecosystem.
4. To enhance and create National and Sectoral level 24 x 7 mechanisms for obtaining strategic information regarding threats to infrastructure, creating scenarios for response, resolution and crisis management through effective predictive, preventive, protective, response and recovery actions.
5. To enhance the protection and operating a 24x7 National Critical Information Infrastructure Protection Centre (NCIIPC) and mandating security practices related to the design, acquisition, development, use and operation of information resources.
6. To develop suitable indigenous security technologies through frontier technology research, solution oriented research, proof of concept, pilot development, transition, diffusion and commercialisation leading to widespread deployment of secure ICT requirements.
7. To improve visibility of the integrity of ICT products and services by establishing products.
8. years through capacity building, skill development and training.
9. processes
10. enable protection of information while in process, handling to or data theft.
11. To enable effective prevention, investigation and prosecution of cyber
crime and enhancement of law enforcement capabilities through appropriate legislative intervention.
12. To responsible user behaviour & actions through an effective communication and promotion strategy.
13. To develop effective public private partnerships and collaborative engagements through cyberspace.
14. To enhance global cooperation by promoting shared understanding and leveraging

IV. Strategies

A. Creating a secure cyber ecosystem

1. To designate a National nodal agency to coordinate all matters related to cyber
2. To encourage all organizations, private and public, to designate a member of senior management as Chief Information Security Officer (CISO), responsible for cyber security efforts and initiatives.
3. To encourage all organizations to develop information security policies duly integrated with their business plans and implement such policies as per international best practices. Such policies should include establishing standards and mechanisms for secure information flow (while in process, handling, storage & transit), crisis management plan, proactive security posture assessment and forensically enabled information infrastructure.
and upgrade information infrastructure with respect to cyber security technology and proactive actions.
To establish a mechanism for sharing information and for identifying and responding to cyber security incidents and for cooperation in restoration efforts.
To for procurement of trustworthy ICT products security implications.

B. Creating an assurance framework

1. To promote adoption of global best practices in information security and compliance and thereby enhance cyber security posture.
2. To create infrastructure for conformity assessment and certification of compliance to cyber security best practices, standards and guidelines, e.g. ISO 27001 ISMS, IS system audits, Penetration testing / Vulnerability assessment, application security testing, web security
testing.
3. the risk of disruption and improve the security posture.
4. with respect to risk perception for undertaking commensurate security protection measures.
5. To encourage secure application / software development processes based on global best practices.
6. To create conformity assessment framework for periodic verification of compliance to best practices, standards and guidelines on cyber security.
7. To encourage all entities to periodically test and evaluate the adequacy and effectiveness of technical and operational security control measures implemented in IT systems and in networks.

C. Encouraging Open Standards

1. To encourage use of open standards to facilitate interoperability and data exchange among different products or services.
2. To promote a consortium of Government and private sector to enhance the availability of tested and certified IT products based on open standards.

D. Strengthening the Regulatory framework

1. developments in cyberspace (such as cloud computing, mobile computing services and social media) and its harmonization with international frameworks including those related to Internet governance.
2. To mandate periodic audit and evaluation of the adequacy and effectiveness of security of information infrastructure as may be appropriate, with respect to regulatory framework.
3. To enable, educate and facilitate awareness of the regulatory framework.

E. Creating mechanisms for security threat early warning, vulnerability management and response to security threats

1. To create National level systems, processes, structures and mechanisms to generate necessary situational scenario of existing and potential cyber security threats and enable timely information sharing for proactive, preventive and protective actions by individual
2. To operate a 24x7 National Level Computer Emergency Response Team emergency response and crisis management will function as an umbrella organization in enabling
creation and operationalization of sectoral CERTs as well as facilitating communication and coordination actions in dealing with cyber crisis situations.
3. To operationalise 24x7 sectoral CERTs for all coordination and communication actions crisis management.
4. To implement Cyber Crisis Management Plan for dealing with cyber related incidents public safety and security of the Nation, by way of well coordinated, multi disciplinary approach at the National, Sectoral as well as entity levels.
5. To conduct and facilitate regular cyber security drills & exercises at National, sectoral posture and level of emergency preparedness in resisting and dealing with cyber security incidents.

F. Securing E-Governance services

1. To mandate implementation of global security best practices, business continuity management, management plan for all e-Governance initiatives in the
2. To encourage wider usage of Public Key Infrastructure within Government for trusted communication and transactions.
3. To engage information security professionals / organisations to assist e-Governance and ensure conformance to security best practices.

G. Protection and resilience of Critical Information Infrastructure

1. To develop a plan for protection of Critical Information Infrastructure and its integration with business plan at the entity level and implement such plan. The plans shall include establishing mechanisms for secure information flow (while in process, handling, storage & transit), guidelines and standards, crisis management plan, proactive security posture assessment and forensically enabled information infrastructure.
2. To operate a 24x7 National Critical Information Infrastructure Protection Centre (NCIIPC) to function as the nodal agency for critical information infrastructure protection in the country.
3. To facilitate prioritisation, assessment, remediation and protection of information infrastructure.
4. To mandate
implementation of global security best practices, business continuity management and cyber crisis management plan by all critical sector entities, to reduce the risk of disruption and improve the security posture.
5. To encourage and mandate as appropriate, the use of validated and certified IT products.
To mandate secure application / software development process from design through retirement based on global best practices.

H. Promotion of Research & Development in cyber security

To undertake Research & Development programs for addressing all aspects of development aimed at short term, medium term and long term goals. The Research trustworthy system, their testing, deployment and maintenance throughout the life cycle and include R&D on cutting edge security technologies.
To encourage Research & Development to produce cost-effective, tailor-made target for export markets.
To facilitate transition, diffusion and commercialisation of the outputs of Research & sectors security of cyberspace.
To collaborate in Research & Development projects with industry and

I. Reducing supply chain risks

1. To create and maintain testing infrastructure and facilities for IT security product evaluation and compliance verification as per global standards and practices.
2. To build trusted relationships with product / system vendors and service providers for improving end-to-end supply chain security visibility.
3. security among entities for managing supply chain risks related to IT products, systems or services procurement.

J. Human Resource Development

1. To foster education and training programs both in formal and informal sectors to support the Nation's cyber security needs and build capacity.
2. To establish cyber security training infrastructure across the country by way of public
private partnership arrangements.
3. To establish cyber security concept labs for awareness and skill development in key areas.
4. To establish institutional mechanisms for capacity building for Law Enforcement Agencies.

K. Creating Cyber Security Awareness

1. To promote and launch a comprehensive national awareness program on security of cyberspace.
2. To sustain security literacy awareness and publicity campaign through electronic certifications.

L. Developing effective Public Private Partnerships

1. To facilitate collaboration and cooperation among stakeholder entities including private sector, in the area of cyber security in general and protection of critical information infrastructure in particular, for actions related to cyber threats, vulnerabilities, breaches, potential protective measures and adoption of best practices.
2. To create models for collaborations and engagement with all relevant stakeholders.
3. To create a think tank for cyber security policy inputs, discussion and deliberations.

M. Information sharing and cooperation

1. To develop bilateral and multi-lateral relationships in the area of cyber security with other countries.
2. To enhance National and global cooperation among security agencies, Defence agencies and forces, Law Enforcement Agencies and the judicial systems.
3. To create mechanisms for dialogue related to technical and operational aspects with industry in order to facilitate efforts in recovery and resilience of systems including critical information infrastructure.

Prioritized approach for implementation

To adopt a prioritized approach to implement the policy so as to address the most critical areas in the first instance.

Operationalisation of the Policy

This policy shall be operationalised by way of detailed guidelines and plans of action at various levels such as national, sectoral, state, ministry, department and enterprise, as may be appropriate
to address the challenging requirements of security of the cyberspace.

J Satyanarayana
Secretary, DeitY
Tel: 24364041

New Delhi
Dated QJuly 2013

Copy to:
1. All Concerned Ministries / Departments of Government of India
Cabinet Secretariat, PMO, Planning Commission
Comptroller and Auditor General of India
JS FA, Department of Electronics and Information Technology
Internal Distribution