Computer Emergency Response Team for Health Care Sector (CERT-H)
SETTING UP OF COMPUTER EMERGENCY RESPONSE TEAM FOR HEALTH CARE CERT-H
Draft Concept Note
ABSTRACT
This document is a concept note which sets out
the need for setting up a sectoral CERT to
secure against and mitigate the risks arising out of
cyber space.
Manpreet Singh Sidhu, Consultant (NISG)
Contents
1. Overview
2. Preparation of Information Security Policy and Contingency Plan
3. Approach- Formation of Computer Emergency Response Team for Health care (CERT-H):
3.1. Constitution of Ministry Level Cyber Crisis Management Committee (MCCMC)/ Information Security Steering Committee (ISSC)
3.2. Formation of Cyber Security Cell (CSeC)
3.2.1. Objectives of CSeC
3.2.2. Roles & Responsibilities of CSeC
4. Institutional Framework of CERT-H
5. Conclusion:
1. Overview
To build a secure and resilient cyberspace for citizens, business and government and
also to protect against anyone intruding into privacy, the National Cyber Security Policy 2013
has been published by the Ministry of Electronics and Information Technology (MeitY),
GoI.
One of the objectives of the policy is to create an assurance framework for the design of
security policies and for promotion and enabling actions for compliance to global security
standards and best practices by way of conformity assessment (Product, process,
technology & people).
The strategies devised to implement National Cyber Security Policy 2013 are:
- To create infrastructure for conformity assessment and certification of
  compliance to cyber security best practices, standards and guidelines (e.g. ISO
  27001 ISMS certification).
- To operationalise 24x7 sectoral CERTs for all coordination and communication
  actions within the respective sectors for effective incident response &
  resolution and cyber crisis management.
- To implement Cyber Crisis Management Plan.
- To mandate implementation of global security best practices, business
  continuity management and cyber crisis management plan.
Similarly, the XII five-year plan on information technology sector, Report of Sub-Group
on Cyber Security published by MeitY, Section 3.0, Current status of cyber security
preparedness, Point (e) states that:
“To enable comprehensive cyber security policy compliance, the Govt. has mandated
implementation of security policy within Govt. in accordance with the Information Security
Management System (ISMS) Standard ISO 27001. In addition, Computer security
guidelines have been issued for compliance within Govt. A Common Criteria based IT
product security testing facility has been set up at Kolkata, which can test IT products up
to EAL4”
In support of this, the Ministry of Home Affairs has released the National Information Security
Policy and Guidelines (NISPG) and MeitY has published the Cyber Crisis Management
Plan-2015 (CCMP-2015). The Cyber Crisis Management Plan for countering Cyber
Attacks and Cyber Terrorism outlines a framework for dealing with cyber related incidents
for a coordinated, multi-disciplinary and broad based approach for rapid identification,
information exchange, swift response and remedial actions to mitigate and recover from
malicious cyber related incidents impacting critical national processes.
In the CCMP-2015, it is advised to prepare detailed contingency plans in consultation with
CERT-In/NTRO/MoD/MHA, as the case may be, for dealing with crisis in respective
areas. The Crisis Management Group established by the respective central administrative
ministry will be mainly responsible for dealing with cyber crisis in consultation with
CERT-In/NTRO/MoD/MHA and will report all developments to the National Crisis Management
Committee, seeking its directions and guidance as and when necessary. Furthermore, the
respective Central Administrative Ministry/Department will set up a control room. The
response teams and supporting organisations such as CERT-In, NTRO, MoD, IDS
(DIARA), MHA, IB, R&AW, DoT and NDMA will work together to mitigate the incident.
2. Preparation of Information Security Policy and
Contingency Plan
In order to prepare a contingency plan for dealing with cyber crisis, MoHFW needs to
prepare the information security policy along with the Cyber Crisis Management Plan (CCMP)
with the following steps:
I. Gap Assessment of current system in place;
II. Preparation of Information Security Policy of MoHFW;
III. Formulation of Cyber Crisis Management Plan (CCMP) for MoHFW based on the
CCMP shared by MeitY;
IV. Consultation with various stakeholders;
V. Cyber Security awareness for senior officials;
VI. Cyber security awareness training for all employees of the department including
mock drills/table top exercises;
VII. Documenting security control procedures in order to mitigate risk;
VIII. Implementation of information security policy by implementing security control
procedures;
IX. Periodic internal and external audit review;
X. Review of process and procedures related to information security.
3. Approach- Formation of Computer Emergency Response
Team for Health care (CERT-H):
The information security of an organisation is a continuous process which is based on the
Plan, Do, Check, Act (PDCA) approach. In order to implement and secure the information
of MoHFW, it is proposed to constitute the Sectoral CERT as CERT-H of the health care
sector under a Ministry Level Cyber Crisis Management Committee (MCCMC) and Cyber
Security Cell (CSeC) to carry out the task successfully.
3.1. Constitution of Ministry Level Cyber Crisis Management
Committee (MCCMC)/ Information Security Steering Committee
(ISSC)
For successful governance of CERT-H, it is proposed to constitute a Ministry Level Cyber
Crisis Management Committee (MCCMC) to oversee and to provide the vision to Cyber
Security implementation in the eHealth sector. This committee is an apex body of high-level
officials of the MoHFW for developing various policies related to cyber security and
dealing with crisis situations which have serious or national ramifications; it will also deal
with Ministry level crisis arising out of focused cyber-attacks. This committee shall
monitor, review and oversee the Information Security Policy and Cyber Crisis
Management Plan of the MoHFW and its critical information infrastructures.
The composition of the Committee will be as under:
1. Secretary (HFW): Chairman
2. Add. Secretary e-Governance: Member
3. DDG (Admin), DteGHS: Member
4. Joint Secretary, eHealth, MoHFW: Member
5. JS/Director, IFD, MoHFW: Member
6. Director, Legal Cell, MoHFW: Member
7. Sr. Director, MeitY, GoI: Member
8. NIC, HoD, (MoHFW): Member
9. Sr. Director, CERT-In, GoI: Member
10. Chairman Computerisation, AIIMS, New Delhi: Member
11. Add. Director, Centre for Health Informatics (CHI): Member
12. Chief Information Security Officer, MoHFW: Member Convener
The MCCMC will be free to co-opt members depending on the nature of crisis, as
and when required. When a situation is handled by the MCCMC, it will give such
directions to the Crisis Management Group of the Department/division as deemed
necessary. This committee shall also act as Information Security Steering
Committee (ISSC) as proposed by National Critical Information Infrastructure
Protection Centre (NCIIPC).
3.2. Formation of Cyber Security Cell (CSeC)
As per the Crisis Management Plan for countering cyber-attacks and cyber
terrorism prepared by Government of India, MoHFW may draw up its own Crisis
Management Plans and implement the same. Since there is a lack of adequate
expertise in Government/Government Agencies, it emerged that there is a need for
setting up an ongoing permanent mechanism which may act as nodal agency for
monitoring various cyber security related matters for Ministry of Health and Family
Welfare and its associated divisions, programs, projects, institutions etc. The
Ministry may set up a Cyber Security Cell (CSeC) under eHealth division to cater
to crisis situations in Cyber Security matters of Ministry of Health and Family
Welfare. The nodal agency for implementation of Cyber Security within the Ministry will
be Centre for Health Informatics (CHI), NIHFW. The Cyber Security Cell will work
under the guidance of the Governing body of Cyber Security Cell of MoHFW headed
by JS(eHealth), MoHFW.
Composition of the Cyber Security Cell, with the following members as its Governing Body:
1. Joint Secretary, eHealth, MoHFW: Chairman
2. NIC HoD, MoHFW: Member
3. HoD Computer Science Department, IIT Delhi or his nominee: Member
4. Mission Director, NHM, Haryana: Member
5. Mission Director, NHM, Tamil Nadu: Member
6. Mission Director, NHM, Rajasthan: Member
7. Director, NHM, MoHFW: Member
8. DGM (IS-I), Ministry of Home Affairs: Member
9. Add. Director, Centre for Health Informatics (CHI): Member
10. Add. Chief Information Security Officer, MoHFW: Member
11. Two Cyber Security Experts: Member
12. Chief Information Security Officer, MoHFW: Member Convener
The modalities to establish CSeC may be finalized by eHealth Division, MoHFW
will facilitate the provisions for IT infrastructure & manpower support to the CSeC.
The CSeC will be headed by the CISO of MoHFW.
3.2.1. Objectives of CSeC
- To formulate MoHFW's Information Security Policy and Cyber Crisis
  Management Plan as appropriate from time to time and implement the same in
  coordination with CERT-In & with direction of MCCMC.
- To initiate proactive measures to increase awareness and understanding of
  Information security and computer security issues throughout the community of
  network users and service providers by disseminating security related
  information.
- To act as a nodal agency to conduct security audits or assessments of
  government and constituent IT infrastructure in the Ministry and its
  organisations, evolving security policy for the Ministry.
- To act as a central point for monitoring, identifying vulnerabilities and suggesting
  remedial measures for correcting vulnerabilities in computer and communication
  systems (websites & e-governance applications) belonging to government and
  'certify' any e-governance or e-commerce site in the Ministry.
- To conduct education, training, research and development in cyber security.
- To collect and maintain a repository of all System/Website administrators of
  MoHFW Websites/Web applications.
- To build capacity among the technical personnel to identify and fight security
  threats.
- To assist MCCMC by priority with relevant information for their decision making
  process.
- To carry out direction of MCCMC to fight cyber-attacks.
3.2.2. Roles & Responsibilities of CSeC
- Vulnerability Reporting
- Incident Reporting
- Penetration testing
- Incident Analysis
- Vulnerability Assessment of various MoHFW Websites
- Log analysis.
- Coordination with CERT-In, other government bodies, divisions, institutions and
  MCCMC
- Identify and classify cyber-attack scenarios.
- Determine the tools and technology used to detect and prevent attacks.
- Develop a checklist for handling initial investigations of cyber-attacks.
- Determine the scope of an internal investigation once an attack has occurred.
- Conduct any investigations within the determined scope.
- Promote cyber security awareness within divisions.
- Address data breach issues, including notification requirements.
- Conduct follow-up reviews on the effectiveness of the department’s response to
  an actual attack
- Prepare SOP for different types of crisis.
CISO shall formulate appropriate guidelines and action plan to ensure the role and
responsibility of CSeC as described above.
4. Institutional Framework of CERT-H
It is essential to implement the Crisis Management Plan (CMP) from the grassroots
level for countering cyber threats. In view of this, it is proposed to have
Information Security Officers (ISO) at the subordinate offices, divisions etc. These
ISOs shall report to Chief Information Security Officer (CISO) of the MoHFW who
will be assisted by Addl. CISO. The day to day Security related activities for the
MoHFW will be looked after by CSeC. CSeC will be a unit under the administrative
control of eHealth division. The ISOs will continuously interact with CSeC for
Cyber security related assistance. Ministry Level Committee on Cyber Security
shall be the apex committee for Crisis Management in the Ministry. The same
committee shall also act as Information Security Steering Committee (ISSC).
Structure of the Institutional Framework of CERT-H.
5. Conclusion:
Considering the thrust of the Government for digitization and making available the majority of
Govt. Services to citizens through cyber means, it is imperative that cyber security
receives utmost attention. Ministry of Health and Family Welfare is required to set up
CERT-H for preparation of a detailed Information Security Policy and Contingency plan for
dealing with Information Security and crisis arising out of cyber-attacks in the health care
sector.
In order to implement and secure the information of MoHFW, it is proposed to form a
Sectoral CERT by setting up a Ministry Level Cyber Crisis Management Committee
(MCCMC) and a Cyber Security Cell (CSeC) under eHealth division.