Subject - Cyber Laws & Rights
M. tech. 3rd Sem., ISM.
By: Prashant Kr. Vats,
M.tech., Ph.D.
INDIRA GANDHI DELHI TECHNICAL UNIVERSITY
FOR WOMEN
Cyber Security Standards
Compliance
Introduction
• The usage of technology in today’s world is inevitable. Whether it is
making reservations on our smart phones, or checking emails, or
checking in for flights, usage of technology is present. Further, the
globalization phenomenon we see today means we are living in a
world where almost everything is interconnected to one another.
• Governments, businesses and societies around the world are relying
more and more on technology and the Internet in their daily lives.
Whilst its benefits cannot be questioned, our growing reliance on
technology unfortunately means we are at higher risk of attacks and
breaches, i.e. cyber-attacks. Companies are being hacked, causing
millions of individuals to become victims of stolen identities and information.
• Governments worldwide are also facing the increasing threats of
cyber-attacks. Successful attacks put prosperity of economies and the
well-being of societies at risk.
• Consequently, governments are putting measures in place in the hope of
having a resilient, healthy and secure cyberspace. Nonetheless, even
with these efforts, cyber security continues to dominate headlines in
the wrong way. In response to this situation, the current trend among
governments protecting their critical infrastructures is to apply
cyber security standards to their critical sectors.
Objectives
• The objective of these slides is to provide an
overview of the various approaches that
countries are taking with regard to the
implementation of cyber security standards.
• Further, these slides discuss the benefits of implementing cyber
security standards for organizations as well as for nations as a
whole.
Cyber-attacks – A global risk
• As e-business has grown online, there have been no signs of cyber
threats and attacks on organizations worldwide easing.
• Whether targeted to government entities or private
corporations, the threats from cyber adversaries continue
to grow in scale and sophistication globally.
• Public and private organizations in various sectors
worldwide now openly acknowledge that cyber threats are
one of the most common and high impact risks they face.
• Dealing with cyber threats is becoming a complex challenge
due to the evolving cyber security landscape.
• Organizations today face not only common and known cyber threats,
but new and emerging ones, where targeted and large-scale attacks can
impact not only the organizations themselves but may also adversely
affect nations’ critical infrastructures.
Cyber-attacks on critical sectors
• The 2014 cyber-attack against the American entertainment subsidiary
of a Japanese multimedia conglomerate affected not only the company
but also the nation’s security as a whole. Apart from releasing
confidential data, the hackers also sent threatening messages in case
their demands were not met [1]. The financial sector has also become a
regular target.
• The malware attack in South Korea in 2013 resulted in the malfunction
of 48,000 personal computers and servers, disrupting work at banks and
television broadcasters in the country [2].
• In 2012, a virus attack known as Shamoon on Saudi Arabia’s leading
Oil & Gas company damaged approximately 30,000 computers, resulting in
the disruption of oil and gas flow to the local and international
markets [3].
• Global technology companies have had their fair share of cyber-attacks
in recent years as well. These companies were hacked, exposing
proprietary information and sensitive communications that were then
used to target major corporations.
CYBER INCIDENTS REPORTED
Global cost of cybercrime
• From a global standpoint, a recent publication by McAfee estimated that
the annual cost of cybercrime to the global economy is more than USD 400
billion [8].
• Facing the brunt of these losses are the 4 largest economies in the world:
the United States of America (USA), China, Japan and Germany, with a
cumulative figure reaching USD 200 billion.
• The financial loss on the global economy is only expected to rise as
reliance on technology in the cyberspace increases. Consequently,
governments worldwide are realizing that cyber threats can not only
disrupt critical infrastructure networks, but also potentially escalate to the
level of a national security threat.
• Dealing with cyber threats and attacks is no longer just about being aware
or vigilant; it is about being resilient. Governments around the world
are putting measures in place to enhance resiliency in weathering cyber
threats and attacks.
• Whilst the global community has undertaken actions and steps to mitigate
these cyber threats, it is important to ensure that critical infrastructure
remains resilient enough to withstand cyber-attacks. The term ‘resiliency’
can have many definitions, but generally it is the capability to prepare
for, protect against, respond to and recover from threats and hazards.
How do countries or organizations remain resilient?
• The implementation of cyber security standards is by no means a silver bullet in critical
infrastructure protection.
• However, its implementation can establish a set of controls that contribute and build
better resiliency.
• The cyber security standards may support the capabilities of preparing, protecting,
responding and recovering from cyber-attacks.
• Implementation of and compliance with cyber security standards enable the
principles and better practices of cyber security management to be applied
in improving the security and resilience of critical infrastructures.
Relevant standards include:
• ISO/IEC 27032:2012 Information technology -- Security techniques -- Guidelines for
cyber security
• ISO/IEC 27001 Information technology -- Security techniques -- Information security
management systems -- Requirements
• ISO 22301 Societal security -- Business continuity management systems -- Requirements
• ISO/IEC 15408 Information technology -- Security techniques -- Evaluation criteria for
IT security
• ISO/IEC 27035 Information technology -- Security techniques -- Information security
incident management
• ISO/IEC 27005 Information technology -- Security techniques -- Information security
risk management
• FIPS 140-1: Security Requirements for Cryptographic Modules
• FIPS 186-3: Digital Signature Standard
ISO/IEC 27032:2012 Information technology --
Security techniques -- Guidelines for cyber security
• ISO/IEC 27032:2012 provides guidance for improving the state of Cyber
security, drawing out the unique aspects of that activity and its
dependencies on other security domains, in particular:
1. information security,
2. network security,
3. internet security, and
4. critical information infrastructure protection (CIIP).
• It covers the baseline security practices for stakeholders in the
Cyberspace.
• This International Standard provides:
1. an overview of Cyber security,
2. an explanation of the relationship between Cyber security and other
types of security,
3. a definition of stakeholders and a description of their roles in Cyber
security,
4. guidance for addressing common Cyber security issues, and
5. a framework to enable stakeholders to collaborate on resolving Cyber
security issues.
ISO/IEC 27001
INFORMATION SECURITY MANAGEMENT
• When it comes to keeping information assets secure, organizations
can rely on the ISO/IEC 27000 family.
• ISO/IEC 27001 is widely known, providing requirements for an
information security management system (ISMS), though there are
more than a dozen standards in the ISO/IEC 27000 family.
• Using them enables organizations of any kind to manage the
security of assets such as financial information, intellectual
property, employee details or information entrusted by third
parties.
• Like other ISO management system standards, certification to
ISO/IEC 27001 is possible but not obligatory.
• Some organizations choose to implement the standard in order to
benefit from the best practice it contains, while others also decide
to get certified to reassure customers and clients that the standard’s
recommendations have been followed.
• ISO does not perform certification.
ISO 22301 Societal security
• ISO 22301 is the Business Continuity Management System standard.
The ISO 22301 BCM standard is designed to ensure that a robust
business continuity management system has been established, and
that internal staff members are fully aware of their role within the
system should an incident occur.
• ISO 22301:2012 specifies requirements to plan, establish, implement,
operate, monitor, review, maintain and continually improve a
documented management system to protect against, reduce the
likelihood of occurrence, prepare for, respond to, and recover from
disruptive incidents when they arise.
• The requirements specified in ISO 22301:2012 are generic and
intended to be applicable to all organizations, or parts thereof,
regardless of type, size and nature of the organization. The extent of
application of these requirements depends on the organization's
operating environment and complexity.
ISO/IEC 15408 IT Security Evaluation
• ISO/IEC 15408-1:2009 establishes the general concepts and principles of IT
security evaluation and specifies the general model of evaluation given by
various parts of ISO/IEC 15408 which in its entirety is meant to be used as the
basis for evaluation of security properties of IT products.
• The Common Criteria for Information Technology Security Evaluation (referred
to as Common Criteria or CC) is an international standard (ISO/IEC 15408)
for computer security certification. It is currently in version 3.1 revision 5.
• The Common Criteria (CC) was developed to facilitate consistent evaluations of
security products and systems. It is an international effort to define an IT
Security evaluation methodology, which would receive mutual recognition
between customers and vendors throughout the global economy.
• The key concepts of protection profiles (PP), packages of security requirements
and the topic of conformance are specified and the consequences of
evaluation and evaluation results are described.
• ISO/IEC 15408-1:2009 gives guidelines for the specification of Security Targets
(ST) and provides a description of the organization of components throughout
the model.
ISO/IEC 27035 Security incident management
• ISO/IEC 27035:2011 provides a structured and planned approach to:
1. detect, report and assess information security incidents;
2. respond to and manage information security incidents;
3. detect, assess and manage information security vulnerabilities; and
4. continuously improve information security and incident
management as a result of managing information security
incidents and vulnerabilities.
• ISO/IEC 27035:2011 provides guidance on information security
incident management for large and medium-sized organizations.
Smaller organizations can use a basic set of documents, processes
and routines described in this International Standard, depending on
their size and type of business in relation to the information
security risk situation.
• It also provides guidance for external organizations providing
information security incident management services.
ISO/IEC 27005 Information security risk management
• Scope of the standard
• The standard ‘provides guidelines for information security risk management’
and ‘supports the general concepts specified in ISO/IEC 27001 and is designed
to assist the satisfactory implementation of information security based on a
risk management approach.’
• It cites ISO/IEC 27000 as a normative (essential) standard, and
mentions ISO/IEC 27001, ISO/IEC 27002 and ISO 31000 in the content. NIST
standards are referenced in the bibliography.
• Content of the standard
• The standard doesn't specify, recommend or even name any specific risk
management method. It does however imply a continual process consisting of
a structured sequence of activities, some of which are iterative:
• Establish the risk management context (e.g. the scope, compliance
obligations, approaches/methods to be used and relevant policies and criteria
such as the organization’s risk tolerance or appetite);
• Quantitatively or qualitatively assess (i.e. identify, analyze and
evaluate) relevant information risks, taking into account the
information assets, threats, existing controls and vulnerabilities
to determine the likelihood of incidents or incident scenarios,
and the predicted business consequences if they were to occur,
to determine a ‘level of risk’;
• Treat (i.e. modify [use information security controls], retain
[accept], avoid and/or share [with third parties]) the risks
appropriately, using those ‘levels of risk’ to prioritize them;
• Keep stakeholders informed throughout the process; and
• Monitor and review risks, risk treatments, obligations and criteria
on an ongoing basis, identifying and responding appropriately to
significant changes.
• Extensive appendices provide additional information, primarily
examples to demonstrate the recommended approach.
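The sequence of activities above (establish the context and risk appetite, assess likelihood and consequence to obtain a level of risk, treat by modifying, retaining, avoiding or sharing, prioritize by level, and monitor for change) can be made concrete as a small risk register. The following Go program is an added illustration written for these slides, not text from ISO/IEC 27005 or any vendor tool: the 1 to 5 scales, the likelihood × consequence formula, the appetite threshold and the treatment rules are constructed assumptions (the standard deliberately names no method), and the register entries are sample data.

```go
package main

import (
	"fmt"
	"sort"
)

// Context holds the risk management context (first 27005 activity): here
// only the organisation's risk appetite, i.e. the highest level of risk it
// accepts without treatment. Scales and thresholds are constructed for this example.
type Context struct {
	Appetite int
}

// Risk is one identified information risk: an asset exposed to a threat
// through a vulnerability, rated after existing controls are taken into account.
type Risk struct {
	Asset, Threat, Vulnerability string
	Likelihood                   int // 1 (rare) to 5 (almost certain)
	Consequence                  int // 1 (negligible) to 5 (severe)
}

// Level derives the 'level of risk' as likelihood x consequence.
// ISO/IEC 27005 prescribes no formula; this product scale is an assumption.
func (r Risk) Level() int { return r.Likelihood * r.Consequence }

// Treatment is one of the four options named in the standard.
type Treatment string

const (
	Modify Treatment = "modify" // apply information security controls
	Retain Treatment = "retain" // accept the risk within appetite
	Avoid  Treatment = "avoid"  // withdraw from the activity creating the risk
	Share  Treatment = "share"  // transfer part of the risk to a third party
)

// Decide chooses a treatment for r under ctx. The rule set is a constructed
// illustration of how 'levels of risk' and appetite drive the decision.
func Decide(ctx Context, r Risk) Treatment {
	switch {
	case r.Level() <= ctx.Appetite:
		return Retain
	case r.Consequence == 5 && r.Likelihood >= 4:
		return Avoid // severe and likely: controls alone are not enough
	case r.Consequence >= 4 && r.Likelihood <= 2:
		return Share // severe but rare: insurance or a contracted provider
	default:
		return Modify
	}
}

// Prioritize returns a copy of risks ordered by level, highest first, so
// that treatment effort goes to the largest risks first.
func Prioritize(risks []Risk) []Risk {
	out := append([]Risk(nil), risks...)
	sort.SliceStable(out, func(i, j int) bool { return out[i].Level() > out[j].Level() })
	return out
}

// Review re-assesses a risk after a change (a control was deployed, a new
// vulnerability appeared) and reports whether the treatment decision moved.
// This is the monitor-and-review activity.
func Review(ctx Context, before, after Risk) (changed bool, old, now Treatment) {
	old, now = Decide(ctx, before), Decide(ctx, after)
	return old != now, old, now
}

func main() {
	ctx := Context{Appetite: 4}
	// Constructed sample register; not real assessment data.
	register := []Risk{
		{"customer database", "SQL injection", "unpatched web application", 4, 5},
		{"payroll file share", "ransomware", "no offline backup", 3, 4},
		{"office Wi-Fi", "eavesdropping", "WPA2 without 802.1X", 2, 2},
		{"data centre", "flood", "ground-floor location", 1, 5},
	}
	for _, r := range Prioritize(register) {
		fmt.Printf("level %2d  %-7s  %s / %s\n", r.Level(), Decide(ctx, r), r.Asset, r.Threat)
	}
	// After patching, the first risk's likelihood drops; re-check its treatment.
	patched := register[0]
	patched.Likelihood = 1
	changed, old, now := Review(ctx, register[0], patched)
	fmt.Println("treatment changed:", changed, old, "->", now)
}
```

Running it lists the register from level 20 down to level 4 and shows the patched database risk moving from "avoid" to "share": the residual consequence is still severe, so the decision changes rather than disappearing, which is the point of keeping the review step in the cycle.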
FIPS 140: Security Requirements for
Cryptographic Modules
• The 140 series of Federal Information Processing
Standards (FIPS) are U.S. government computer
security standards that specify requirements
for cryptographic modules.
• As of December 2016, the current version of the
standard is FIPS 140-2, issued on 25 May 2001. Its
successor FIPS 140-3 was approved on March 22, 2019
and will become effective on September 22, 2019.
• FIPS 140-3 testing will begin September 22, 2020. After
FIPS 140-3 testing begins, FIPS 140-2 testing will
continue for at least a year, so the two standards will
coexist for some time.
Purpose of FIPS 140
• The National Institute of Standards and Technology (NIST) issues the 140
Publication Series to coordinate the requirements and standards for
cryptographic modules which include both hardware and software components
for use by departments and agencies of the United States federal government.
• FIPS 140 does not purport to provide sufficient conditions to guarantee that a
module conforming to its requirements is secure, still less that a system built
using such modules is secure. The requirements cover not only the cryptographic
modules themselves but also their documentation and (at the highest security
level) some aspects of the comments contained in the source code.
• User agencies desiring to implement cryptographic modules should confirm that
the module they are using is covered by an existing validation certificate. FIPS
140-1 and FIPS 140-2 validation certificates specify the exact module name,
hardware, software, firmware, and/or applet version numbers. For Levels 2 and
higher, the operating platform upon which the validation is applicable is also
listed. Vendors do not always maintain their baseline validations.
• The Cryptographic Module Validation Program (CMVP) is operated jointly by the
United States Government's National Institute of Standards and
Technology (NIST) Computer Security Division and the Communications Security
Establishment (CSE) of the Government of Canada. The use of validated
cryptographic modules is required by the United States Government for all
unclassified uses of cryptography. The Government of Canada also recommends
the use of FIPS 140 validated cryptographic modules in unclassified applications
of its departments.
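The check described above (confirm that the deployed module is covered by an existing validation certificate, matching the exact module name and version numbers and, for Level 2 and higher, the listed operating platform) is simple to automate. The Go program below is an added example for these slides, not CMVP code: the certificate records and deployment descriptions are constructed placeholders, the field layout is an assumption modelled on the certificate contents the slide lists, and a real check would read the records from the CMVP validated-modules list.

```go
package main

import "fmt"

// Certificate mirrors what a FIPS 140 validation certificate lists: the exact
// module name, the hardware/software/firmware version strings, the overall
// security level and, for Level 2 and above, the operational environments the
// validation applies to. Records used here are constructed placeholders.
type Certificate struct {
	ID                           string
	Module                       string
	Hardware, Software, Firmware string // empty when that component is not part of the module
	Level                        int
	Platforms                    []string // tested operating platforms (Level 2 and higher)
}

// Deployment records what is actually running, taken from the module's own
// identification rather than the product's marketing name.
type Deployment struct {
	Module, Hardware, Software, Firmware, Platform string
}

// Covered reports whether d is covered by cert and, when it is not, the first
// mismatch found. Version strings must match exactly: a patch release that was
// not part of the validation is not covered by it.
func Covered(cert Certificate, d Deployment) (bool, string) {
	switch {
	case cert.Module != d.Module:
		return false, "module name differs"
	case cert.Hardware != d.Hardware:
		return false, "hardware version differs"
	case cert.Software != d.Software:
		return false, "software version differs"
	case cert.Firmware != d.Firmware:
		return false, "firmware version differs"
	}
	if cert.Level >= 2 {
		for _, p := range cert.Platforms {
			if p == d.Platform {
				return true, "covered by " + cert.ID + " on " + p
			}
		}
		return false, "platform not among the tested operating platforms"
	}
	return true, "covered by " + cert.ID
}

// FindCoverage returns the ID of the first certificate covering d, or an
// empty ID together with the reason each candidate was rejected.
func FindCoverage(certs []Certificate, d Deployment) (string, []string) {
	var reasons []string
	for _, c := range certs {
		ok, why := Covered(c, d)
		if ok {
			return c.ID, nil
		}
		reasons = append(reasons, c.ID+": "+why)
	}
	return "", reasons
}

func main() {
	// Constructed placeholder certificates, not real CMVP entries.
	certs := []Certificate{
		{ID: "CERT-PLACEHOLDER-1", Module: "Example Crypto Library", Software: "2.0.1", Level: 1},
		{ID: "CERT-PLACEHOLDER-2", Module: "Example Crypto Library", Software: "2.0.1", Level: 2,
			Platforms: []string{"Linux 5.x on x86_64", "Windows Server 2019 on x86_64"}},
	}
	deployments := []Deployment{
		{Module: "Example Crypto Library", Software: "2.0.1", Platform: "Linux 5.x on x86_64"},
		{Module: "Example Crypto Library", Software: "2.0.2", Platform: "Linux 5.x on x86_64"}, // silent vendor update
	}
	for _, d := range deployments {
		id, reasons := FindCoverage(certs, d)
		if id != "" {
			fmt.Printf("%s %s: covered by %s\n", d.Module, d.Software, id)
			continue
		}
		fmt.Printf("%s %s: NOT covered\n", d.Module, d.Software)
		for _, r := range reasons {
			fmt.Println("  -", r)
		}
	}
}
```

The second deployment illustrates the slide's warning that vendors do not always maintain their baseline validations: version 2.0.2 is not covered by either certificate even though it is a newer release of the same library.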
FIPS 186-3: Digital Signature Standard
• Name of Standard: Digital Signature Standard (DSS) (FIPS 186-3).
• Category of Standard: Computer Security. Subcategory: Cryptography.
• Explanation: This Standard specifies algorithms for applications requiring a
digital signature, rather than a written signature.
• Applicability: This Standard is applicable to all Federal departments and
agencies for the protection of sensitive unclassified information that is not
subject to section 2315 of Title 10, United States Code, or section 3502 (2)
of Title 44, United States Code. This Standard shall be used in designing
and implementing public key-based signature systems that Federal
departments and agencies operate or that are operated for them under
contract. The adoption and use of this Standard is available to private and
commercial organizations.
• Applications: A digital signature algorithm allows an entity to authenticate
the integrity of signed data and the identity of the signatory. The recipient
of a signed message can use a digital signature as evidence in
demonstrating to a third party that the signature was, in fact, generated
by the claimed signatory. This is known as non-repudiation, since the
signatory cannot easily repudiate the signature at a later time. A digital
signature algorithm is intended for use in electronic mail, electronic funds
transfer, electronic data interchange, software distribution, data storage,
and other applications that require data integrity assurance and data
origin
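The properties this slide attributes to a digital signature (integrity of the signed data, identity of the signatory, and evidence a recipient can show to a third party) can be seen directly in code. The Go program below is an added example for these slides, not text from FIPS 186-3: it uses ECDSA over the P-256 curve with SHA-256, which are among the algorithm choices FIPS 186-3 approves, via Go's standard library (no claim is made that this library is a validated module). The transfer message and key pairs are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Sign hashes msg with SHA-256 and signs the digest with ECDSA over P-256,
// returning an ASN.1 DER encoded (r, s) pair. The private key never leaves
// the signatory; only the public key is needed to verify.
func Sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify recomputes the digest and checks sig against pub. It returns false
// when the data was altered or when sig was produced under a different key.
func Verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Result collects the three outcomes the slide describes.
type Result struct {
	Genuine  bool // untouched message verifies: integrity and signatory identity
	Tampered bool // altered message verifies (must be false)
	WrongKey bool // signature checked against another party's key (must be false)
}

// Demonstrate generates two key pairs (the claimed signatory and an unrelated
// party), signs a constructed funds-transfer message and runs the checks.
func Demonstrate() (Result, error) {
	signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Result{}, err
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Result{}, err
	}

	msg := []byte("TRANSFER 100.00 FROM ACCT-0001 TO ACCT-0002") // constructed sample
	sig, err := Sign(signer, msg)
	if err != nil {
		return Result{}, err
	}

	// Anyone holding only the signer's public key can repeat this check, which
	// is what lets the recipient present the signature as evidence later.
	altered := []byte("TRANSFER 900.00 FROM ACCT-0001 TO ACCT-0002")
	return Result{
		Genuine:  Verify(&signer.PublicKey, msg, sig),
		Tampered: Verify(&signer.PublicKey, altered, sig),
		WrongKey: Verify(&other.PublicKey, msg, sig),
	}, nil
}

func main() {
	res, err := Demonstrate()
	if err != nil {
		fmt.Println("key generation or signing failed:", err)
		return
	}
	fmt.Printf("genuine verifies: %v, tampered verifies: %v, wrong key verifies: %v\n",
		res.Genuine, res.Tampered, res.WrongKey)
}
```

Non-repudiation rests on the private key being held only by the signatory: if that key is shared or leaked, the third-party evidence the slide mentions no longer identifies who signed, which is why key protection requirements such as FIPS 140 accompany the signature algorithms.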
“Some countries implement cyber security
standards through mandatory requirements,
whilst others provide guidelines and
frameworks.”
Cyber security framework under the
IT Act in India
• India enacted the Information Technology Act, 2000 (“IT Act”) on 09 June
2000. The IT Act is based on the UNCITRAL model law on e-commerce.
• The preamble of the IT Act simply indicates that the Act is centered
around affording legal recognition to transactions carried out
electronically. However, the scope of the IT Act goes much beyond its
preamble. It covers multiple areas including data protection and security,
cybercrimes, adjudication of cyber disputes, government mandated
surveillance of digital communication, and intermediary liability.
• The IT Act was last amended in 2011. Despite an unprecedented increase
in cyber frauds, data breaches and general cyber security concerns, no
changes have been made to the IT Act in almost 9 years. In February 2020,
the Ministry of Electronics and Information Technology (“MeitY”)
announced that it will revamp the IT Act with a stronger focus on a
framework for cyber security.
• Emerging technologies, explosion of digital business models and a
substantial increase in the instances of cybercrimes have triggered the
government to take steps to fast track the process of amending the IT Act.
A. Key developments in the cyber
security framework in India-
• 1. The Indian Computer Emergency Response Team-
• On 23 February 2003, the MeitY designated the Indian Computer
Emergency Response Team (“CERT-In”) as the authority to issue
instructions for blocking websites under the IT Act to prevent online
obscenity. In 2009, CERT-In was nominated as the national agency to
respond to cyber-security incidents. CERT-In is currently tasked with
the following functions:
• a. Collecting, analysing and disseminating information on cyber
incidents;
• b. Raising awareness about cyber security among citizens;
• c. Issuing guidelines, advisories and vulnerability notes on information
security practices, procedures, prevention, response and reporting
of cyber incidents. For instance, in December 2019, CERT-In
issued a vulnerability note on a vulnerability in the Android
operating system known as StrandHogg.
2. Constitution of committee of experts to review the IT Act-
• In 2005, a committee of experts was constituted by the erstwhile Ministry of Communications
and Information Technology to review the IT Act. In their report, the committee proposed to
strengthen the framework for computer based crimes. It also proposed to build a robust
mechanism to deal with data protection and privacy challenges. Accordingly, the following
notable amendments were suggested:
• a. Treatment of computer based crimes – Section 43 of the IT Act provided for compensation in
various cases including unauthorized access to a computer system, data theft and introduction of
viruses through a computer system. Section 66 of the IT Act penalized the offence of hacking a
computer system. The committee suggested replacing section 66 with a new section that
comprehensively dealt with computer based offences. The substituted section 66, which
penalized computer offences committed ‘fraudulently’ or ‘dishonestly’, was worded to be in line with
section 43 of the then IT Act.
• b. Data protection – To ensure security of data and protection of information from unauthorized
damage, the committee suggested to hold a body corporate processing, dealing or handling
sensitive personal data in a computer resource liable for failure to implement and maintain
reasonable security procedures and measures.
• c. Stringent provisions to deal with cybercrimes– Provisions addressing the issue of child
pornography and video voyeurism with higher degree of punishment were proposed.
• d. Power of interception-Based on the recommendations of Inter-Ministerial Working Group on
Cyber Laws & Cyber Forensics, wide powers of monitoring, interception and decryption of any
information through any computer resource was proposed to be transferred from the Controller
of Certifying Authority to the central government.
• The set of amendments proposed by these recommendations paved the way
for the government to consider the issues of data protection and cyber security in its subsequent
attempts to amend the IT Act.
3. Recommendations of the standing committee on IT on the IT
(Amendment) Bill 2006-
• Based on the recommendations of the committee of experts, the government introduced the IT
(Amendment) Bill, 2006 (“Amendment Bill”) in December 2006. It was later referred for review to the
standing committee on IT. In its 50th report released in 2007, the standing committee on IT criticized the
government’s approach of amending the existing IT Act, rather than bringing a new and exclusive
legislation for governing information technology. The standing committee on IT highlighted the following
issues in its report:
• a. Specific issues of cybercrime and cyber terrorism – The committee pointed out the inadequacy of the
Amendment Bill in dealing with the issues of cybercrime, including cyber terrorism. It noted that cyber
terrorism was not defined in the proposed amendments to the IT Act. The committee expressed its
concerns over the government’s proposal to introduce penalties that aligned the IT Act with the Indian Penal
Code (“IPC”). The report noted that the IPC was an archaic law, ill equipped to encompass varied
cybercrimes including cyber terrorism. The committee recommended incorporating adequate, stringent,
specific and self-enabling provisions in the IT Act itself to effectively deal with such offences.
• b. Cross border cybercrimes– The committee opined that entering into Mutual Legal Assistance Treaties to
deal with cross border cybercrimes with one country at a time offered a solution in a ‘piecemeal manner’.
Accordingly, the committee recommended that the government must build a roadmap to become a part
of an omnibus international convention on cybercrimes to effectively address this issue.
• c. Child pornography– The committee recommended that the Amendment Bill should have explicit
provisions to deal with child pornography. This would align it with the laws in other advanced countries
and Article 9 of the Council of Europe Convention on Cyber Crimes.
• d. Powers of interception – The committee questioned the rationale of vesting the central government
with the power to issue directions for interception or monitoring of any information through any
computer resource. It noted that since ‘public order’ and ‘police’ are state subjects as per the Constitution
of India, the power to intercept any information should be vested in the state governments. This will also
align the proposed law with the powers of interception given to state governments in the Indian Telegraph
Act, 1885.
• e. Status of the CERT-In– The committee in its report noted that even though CERT-In has been nominated
as the national agency on cyber security, the status of the body has not been defined. Accordingly, the
committee suggested that the agency should be defined as a government body to clarify its status beyond
doubt. Doing so will instill confidence in foreign investors regarding existence of a bona fide legal
framework in the country.
4. The Information Technology (Amendment) Act, 2008-
• In December 2008, the Parliament enacted the IT (Amendment) Act 2008 (“Amendment
Act”). The following notable amendments were introduced through the Amendment Act:
• a. Computer related offences– The Amendment Act prohibited transmission of offensive
messages or any information for the purposes of causing annoyance, inconvenience, etc. by
means of a computer resource and communication service. However, this provision was
struck down later by the Supreme Court of India in the Shreya Singhal case.
• b. Power of interception– Based on the recommendations of the standing committee on IT,
the Amendment Act empowered both the central and state governments to issue directions
for interception/monitoring of any information under section 69. The scope of the
information intercepted was broadened to include its transmission, generation and storage,
as opposed to just transmission in the original provision. The amended section also made
issuance of such interception orders subject to additional safeguards introduced through the
Information Technology (Procedure and Safeguards for Interception, Monitoring and
Decryption of Information) Rules, 2009 (“Interception Rules”).
• c. Critical information infrastructure – The Amendment Act introduced the term ‘critical
information infrastructure’ (“CII”), i.e. a computer resource whose destruction would have a
huge impact on national security, public health and safety, and the economy. Further, any
computer resource facilitating such CII was designated as a protected system. Accordingly,
the government was empowered to exercise control over such protected systems, in addition
to prescribing information security practices and procedures for such systems.
• d. Nodal agency for CII – In January 2014, the National Critical Information Infrastructure
Protection Centre (“NCIIPC”) was designated as the national nodal agency under the
provisions of the Amendment Act. The NCIIPC is responsible for undertaking all measures to
protect CII from unauthorized access, modification, use or disclosure.
5. Bill on Intelligence agency reforms-
• In March 2011, the Intelligence Services (Powers and Regulation) Bill,
2011 (“Intelligence Bill”) was introduced as a private member’s bill by Shri
Manish Tewari, a Member of Parliament in the Lok Sabha who is
currently a member of the Joint Parliamentary Committee examining the
Draft Personal Data Protection Bill, 2019. The Intelligence Bill proposed to
regulate the functioning of three major Indian Intelligence Agencies-
Research and Analysis Wing (“RAW”), Intelligence Bureau (“IB”) and
National Technical Research Organization (“NTRO”)- by putting in place an
oversight mechanism. The Bill stated that surveillance operations
undertaken by such intelligence agencies infringe the right to privacy of
individuals. To prevent intelligence agencies from misusing their
surveillance powers, it proposed a National Intelligence and Security
Oversight Committee (“NISOC”). The NISOC was empowered to seek any
information that these agencies possessed. Additionally, the Intelligence
Bill provided for a National Intelligence Tribunal to hold these agencies
accountable. The tribunal was empowered to investigate complaints filed
by any person for action taken against her or her property by these
agencies. However, the Intelligence Bill, like most private member bills,
never came up for discussion and ultimately lapsed.
6. National Cyber Security Policy, 2013-
• In July 2013, the erstwhile Ministry of Communication and Information
Technology notified the National Cyber Security Policy (“NCSP”).
• Based on the objectives envisioned in the NCSP 2013, the following
strategies/initiatives were introduced by the Indian government:
• a. Designation of the NCIIPC as the nodal agency to undertake measures
to secure the country’s CII.
• b. Cyber Swachhta Kendra initiative under the CERT-In to combat and
analyse any malicious infections/attacks that damage computer systems.
The initiative is aimed at securing the cyber ecosystem by preventing such
attacks from taking place and cleaning the systems that have already been
infected.
• c. Development of multilateral relationships in the area of cyber security.
In 2016, India partnered with the US for coordinating best practices in
relation to cyber security and exchanging information in real time about
malicious cyberattacks, among other things.
• d. Setting up of the National Cyber Coordination Centre (“NCCC”) to create
situational awareness about cyber security threats and enable timely
information sharing for preventive action by individual entities.
7. Standing committee on IT report on ‘Cyber Crime, Cyber Security and
Right to Privacy’-
• In February 2014, the standing committee on IT made the following recommendations in its
report on cybercrime, security and privacy –
• a. The committee observed that there are 20 different kinds of cybercrimes. Recognizing the
impact of cyber threats on critical sectors (such as power, atomic energy, space, aviation, etc.),
it recommended establishing a national protection centre to protect the CII in the country.
• b. In dealing with issues pertaining to cyber frauds, the government may have to coordinate
with multiple institutions, such as the Reserve Bank of India and the SEBI. Accordingly, the
committee recommended to form a centralized agency to deal with all the cases of
cybercrimes.
• c. The committee noted that multiple agencies including the Ministry of Defence (“MoD”), Ministry
of Home Affairs (“MHA”), IB, NTRO, NCIIPC, etc. are involved in securing the Indian cyberspace.
It also noted that, to minimize overlapping responsibilities between such agencies, the
National Security Council Secretariat (“NSCS”) has been tasked with overseeing compliance with cyber security
policies. However, this could act as a hindrance in combating cyber threats at the earliest, given
the multiple agencies involved. Recognizing the need for a collaborative effort between the
government and the industry to address this issue, the committee suggested implementing the
recommendations made by a Joint Working Group (“JWG”) that was set up under the Deputy
National Security Advisor in this regard. The JWG recommended putting in place a permanent
mechanism for a Public Private Partnership (“PPP”) on cyber security as a solution, among
other things.
• d. The committee acknowledged that despite the cost advantages of hosting servers outside
India, the accompanying technical and legal security concerns posed to the nation and to citizens’
privacy have to be given due consideration. Accordingly, the committee recommended that the
government should take all steps to ensure that, as far as possible, servers are hosted
locally.
8. Surveillance order issued by MHA–
• In December 2018, the MHA passed an order under the
Interception Rules which authorized 10 security and
intelligence agencies to intercept/monitor/decrypt any
information transmitted, generated, received or stored on
any computer resource.
• These agencies include the IB, Narcotics Control Bureau,
Enforcement Directorate, Central Board of Direct Taxes,
Central Bureau of Investigation and the Delhi Police. The
order was heavily criticized and challenged before the
Supreme Court on the grounds of violating the
fundamental right to privacy, as laid down in
the Puttaswamy case.
• The central government defended the order by claiming
that it was passed to pursue a legitimate state aim.
Furthermore, the government has submitted that, for
authorized agencies to intercept any information, they will
have to seek the permission of the competent authority.
The matter is currently pending before the Supreme Court.
9. National Cyber Security Strategy 2020-
• In another one of its attempts to address the issues
pertaining to cyber threats and data vulnerabilities, the
Indian government has proposed to come out with the
National Cyber Security Strategy (“NCSS”) 2020.
• The NCSS aims to examine various facets of cyber
security under three pillars: securing the national
cyberspace; strengthening the structures, people,
processes and capabilities; and synergizing the resources,
including cooperation and collaboration.
• The government had sought comments and
suggestions on different aspects of the NCSS by
10th January 2020 and is currently in the process of
framing the policy.
B. Key Issues on cyber security–
• 1. Surveillance and privacy-
• a. The Interception Rules designate the Secretary in the Union Ministry of Home
Affairs/Home Department of a state government (“Home Secretary”) as the
‘competent authority’ for approving data surveillance/monitoring requests under
the IT Act. Additionally, the Interception Rules provide for a review committee to
oversee the directions issued by the competent authority to intercept/monitor
such information. Per the Interception Rules, the review committee is mandated to
meet at least once in two months. Similarly, a committee headed by the chief
secretary reviews directions passed by state governments.
• b. This means that the central government has to approach the Home Secretary
before issuing any direction to intercept/monitor any digital communication.
However, given the large number of interception/monitoring requests made by the
government, it becomes unfeasible for the Home Secretary to objectively assess each
request. Thus, the Home Secretary becomes a mere rubber-stamp authority for
approving government interception requests.
• c. Interestingly, the Srikrishna Committee report mentioned that an application
filed under the RTI Act revealed that the review committee is tasked with reviewing
15,000-18,000 interception orders in every meeting. This unrealistic target poses a
threat to the safety and security of individuals’ personal data. The committee noted
that surveillance should not be carried out without a degree of transparency that
can pass the Puttaswamy test of necessity, proportionality and due process.
2. Multiplicity of institutions
• The issue of the multiplicity of cyber security agencies was
highlighted by the Standing Committee on IT in its
52nd report. Having several institutions tasked with securing
the cyberspace leads to a lack of coordination between
them.
• In 2015, the Standing Committee on IT in its 17th report
outlined the action taken by the government on the
recommendations of the JWG to deal with the issue of
the multiplicity of cyber security agencies.
• The report noted that the government, in July 2014,
had identified the objectives that would promote the
overall cooperative framework for a PPP on cyber
security. However, an action plan for implementing
these recommendations was still being worked out.
• The issue as such appears to be unresolved with the following agencies dealing
presently with the issue of cyber security:
• a. Cyber and Information Security Division, MHA: This division under the MHA is
tasked with handling the matters related to cyber security and cyber-crimes.
• b. CERT-In: CERT-In functions under the aegis of MeitY. Its main functions include
responding to cyber-security incidents and issuing security guidelines, advisories
and alerts.
• c. NCIIPC: It acts as the national nodal agency for the protection of CII in India.
• d. NCCC: It is responsible for creating situational awareness about existing and
potential cyber security threats and enabling timely information sharing for ‘proactive,
preventive and protective’ actions by individual entities.
• e. Indian Cyber Crime Coordination Centre (“I4C”): The I4C scheme consists of
seven components, to be established on a rolling basis by the MHA in 2018-2020,
including a National Cybercrime Threat Analytics Unit, a National Cybercrime Forensic
Laboratory Ecosystem and a National Cyber Research and Innovation Centre.
• f. National Cyber Security Coordinator (“NCSC”): It was formed under the NSCS as
the nodal agency for cyber security. The NCSC coordinates with different agencies at
the national level for cyber security matters.
• g. Defence Cyber Agency: The agency has been established to address the issues
pertaining to military cyber security and cyber warfare. It is governed by the
Defence Intelligence Agency under the MoD.
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds  in the ClassroomFostering Friendships - Enhancing Social Bonds  in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptx
 

Cyber Security Standards Compliance

5. Cyber-attacks – A global risk
• As e-business grew online, there were no signs that cyber threats and attacks on organizations worldwide were easing.
• Whether targeted at government entities or private corporations, the threats from cyber adversaries continue to grow in scale and sophistication globally.
• Public and private organizations in various sectors worldwide now openly acknowledge that cyber threats are one of the most common and highest-impact risks they face.
• Dealing with cyber threats is becoming a complex challenge due to the evolving cyber security landscape.
• Organizations today face not only common and known cyber threats, but new and emerging ones, where targeted and large-scale attacks can affect not only the organizations themselves but may also have an adverse impact on nations’ critical infrastructures.
6. Cyber-attacks on critical sectors
• The 2014 cyber-attack against the American entertainment subsidiary of a Japanese multimedia conglomerate affected not only the company but also the nation’s security as a whole. Apart from releasing confidential data, the hackers also sent threatening messages about what would follow if their demands were not met [1]. The financial sector has also become a regular target.
• The malware attack in South Korea in 2013 resulted in the malfunction of 48,000 personal computers and servers, disrupting work at banks and television broadcasters in the country [2].
• In 2012, a virus attack known as Shamoon on Saudi Arabia’s leading oil and gas company damaged approximately 30,000 computers, disrupting the flow of oil and gas to local and international markets [3].
• Global technology companies have had their fair share of cyber-attacks in recent years as well. These companies were hacked, exposing proprietary information and sensitive communications that were then used to target major corporations.
8. Global cost of cybercrime
• From a global standpoint, a recent publication by McAfee estimated the annual cost of cybercrime to the global economy at more than USD 400 billion [8].
• Facing the brunt of these losses are the four largest economies in the world, the United States of America (USA), China, Japan and Germany, with a cumulative figure reaching USD 200 billion.
• The financial loss to the global economy is only expected to rise as reliance on technology in the cyberspace increases. Consequently, governments worldwide are realizing that cyber threats can not only disrupt critical infrastructure networks, but also potentially escalate to the level of a national security threat.
• Dealing with cyber threats and attacks is no longer just about being aware or vigilant – it is about being resilient. Governments around the world are putting measures in place to enhance resiliency in weathering cyber threats and attacks.
• Whilst the global community has undertaken actions and steps to mitigate these cyber threats, it is important to ensure that critical infrastructure remains resilient enough to withstand cyber-attacks. The term ‘resiliency’ can have many definitions, but generally it is the capability to prepare for, protect against, respond to and recover from threats and hazards.
9. How do countries or organizations remain resilient?
• The implementation of cyber security standards is by no means a silver bullet in critical infrastructure protection.
• However, its implementation can establish a set of controls that contribute to and build better resiliency.
• Cyber security standards may support the capabilities of preparing for, protecting against, responding to and recovering from cyber-attacks.
• Implementing and complying with cyber security standards may enable the principles and better practices of cyber security management to be applied in improving the security and resilience of critical infrastructures.
• ISO/IEC 27032:2012 Information technology -- Security techniques -- Guidelines for cyber security
• ISO/IEC 27001 Information technology -- Security techniques -- Information security management systems -- Requirements
• ISO 22301 Societal security -- Business continuity management system -- Requirements
• ISO/IEC 15408 Information technology -- Security techniques -- Evaluation criteria for IT security
• ISO/IEC 27035 Information technology -- Security techniques -- Information security incident management
• ISO/IEC 27005 Information technology -- Security techniques -- Information security risk management
• FIPS 140-1: Security Requirements for Cryptographic Modules
• FIPS 186-3: Digital Signature Standard
10. ISO/IEC 27032:2012 Information technology -- Security techniques -- Guidelines for cyber security
• ISO/IEC 27032:2012 provides guidance for improving the state of cyber security, drawing out the unique aspects of that activity and its dependencies on other security domains, in particular:
  1. information security,
  2. network security,
  3. internet security, and
  4. critical information infrastructure protection (CIIP).
• It covers the baseline security practices for stakeholders in the cyberspace.
• This International Standard provides:
  1. an overview of cyber security,
  2. an explanation of the relationship between cyber security and other types of security,
  3. a definition of stakeholders and a description of their roles in cyber security,
  4. guidance for addressing common cyber security issues, and
  5. a framework to enable stakeholders to collaborate on resolving cyber security issues.
11. ISO/IEC 27001 Information security management
• When it comes to keeping information assets secure, organizations can rely on the ISO/IEC 27000 family.
• ISO/IEC 27001 is the most widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family.
• Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.
• Like other ISO management system standards, certification to ISO/IEC 27001 is possible but not obligatory.
• Some organizations choose to implement the standard in order to benefit from the best practice it contains, while others decide they also want to get certified to reassure customers and clients that its recommendations have been followed.
• ISO itself does not perform certification.
12. ISO 22301 Societal security
• ISO 22301 is the Business Continuity Management System standard. The ISO 22301 BCM standard is designed to ensure that a robust business continuity management system has been established, and that internal staff members are fully aware of their role within the system should an incident occur.
• ISO 22301:2012 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence of, prepare for, respond to, and recover from disruptive incidents when they arise.
• The requirements specified in ISO 22301:2012 are generic and intended to be applicable to all organizations, or parts thereof, regardless of the type, size and nature of the organization. The extent of application of these requirements depends on the organization's operating environment and complexity.
13. ISO/IEC 15408 IT security evaluation
• ISO/IEC 15408-1:2009 establishes the general concepts and principles of IT security evaluation and specifies the general model of evaluation given by the various parts of ISO/IEC 15408, which in its entirety is meant to be used as the basis for evaluating the security properties of IT products.
• The Common Criteria for Information Technology Security Evaluation (referred to as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. It is currently in version 3.1 revision 5.
• The Common Criteria (CC) was developed to facilitate consistent evaluations of security products and systems. It is an international effort to define an IT security evaluation methodology that would receive mutual recognition between customers and vendors throughout the global economy.
• The key concepts of protection profiles (PP), packages of security requirements and the topic of conformance are specified, and the consequences of evaluation and evaluation results are described.
• ISO/IEC 15408-1:2009 gives guidelines for the specification of Security Targets (ST) and provides a description of the organization of components throughout the model.
14. ISO/IEC 27035 Security incident management
• ISO/IEC 27035:2011 provides a structured and planned approach to:
  1. detect, report and assess information security incidents;
  2. respond to and manage information security incidents;
  3. detect, assess and manage information security vulnerabilities; and
  4. continuously improve information security and incident management as a result of managing information security incidents and vulnerabilities.
• ISO/IEC 27035:2011 provides guidance on information security incident management for large and medium-sized organizations. Smaller organizations can use a basic set of documents, processes and routines described in this International Standard, depending on their size and type of business in relation to the information security risk situation.
• It also provides guidance for external organizations providing information security incident management services.
15. ISO/IEC 27005 Information security risk management
• Scope of the standard
• The standard ‘provides guidelines for information security risk management’ and ‘supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.’
• It cites ISO/IEC 27000 as a normative (essential) standard, and mentions ISO/IEC 27001, ISO/IEC 27002 and ISO 31000 in the content. NIST standards are referenced in the bibliography.
• Content of the standard
• The standard doesn't specify, recommend or even name any specific risk management method. It does, however, imply a continual process consisting of a structured sequence of activities, some of which are iterative:
• Establish the risk management context (e.g. the scope, compliance obligations, approaches/methods to be used and relevant policies and criteria such as the organization’s risk tolerance or appetite);
16. ISO/IEC 27005 Information security risk management
• Quantitatively or qualitatively assess (i.e. identify, analyze and evaluate) relevant information risks, taking into account the information assets, threats, existing controls and vulnerabilities, to determine the likelihood of incidents or incident scenarios and the predicted business consequences if they were to occur, and so determine a ‘level of risk’;
• Treat (i.e. modify [use information security controls], retain [accept], avoid and/or share [with third parties]) the risks appropriately, using those ‘levels of risk’ to prioritize them;
• Keep stakeholders informed throughout the process; and
• Monitor and review risks, risk treatments, obligations and criteria on an ongoing basis, identifying and responding appropriately to significant changes.
• Extensive appendices provide additional information, primarily examples to demonstrate the recommended approach.
17. FIPS 140: Security Requirements for Cryptographic Modules
• The 140 series of Federal Information Processing Standards (FIPS) are U.S. government computer security standards that specify requirements for cryptographic modules.
• As of December 2016, the current version of the standard is FIPS 140-2, issued on 25 May 2001. Its successor, FIPS 140-3, was approved on March 22, 2019 and will become effective on September 22, 2019.
• FIPS 140-3 testing will begin September 22, 2020. After FIPS 140-3 testing begins, FIPS 140-2 testing will continue for at least a year, so the two standards will coexist for some time.
18. Purpose of FIPS 140
• The National Institute of Standards and Technology (NIST) issues the 140 Publication Series to coordinate the requirements and standards for cryptographic modules, which include both hardware and software components, for use by departments and agencies of the United States federal government.
• FIPS 140 does not purport to provide sufficient conditions to guarantee that a module conforming to its requirements is secure, still less that a system built using such modules is secure. The requirements cover not only the cryptographic modules themselves but also their documentation and (at the highest security level) some aspects of the comments contained in the source code.
• User agencies desiring to implement cryptographic modules should confirm that the module they are using is covered by an existing validation certificate. FIPS 140-1 and FIPS 140-2 validation certificates specify the exact module name, hardware, software, firmware, and/or applet version numbers. For Levels 2 and higher, the operating platform upon which the validation is applicable is also listed. Vendors do not always maintain their baseline validations.
• The Cryptographic Module Validation Program (CMVP) is operated jointly by the United States Government's National Institute of Standards and Technology (NIST) Computer Security Division and the Communications Security Establishment (CSE) of the Government of Canada. The use of validated cryptographic modules is required by the United States Government for all unclassified uses of cryptography. The Government of Canada also recommends the use of FIPS 140 validated cryptographic modules in unclassified applications of its departments.
19. FIPS 186-3: Digital Signature Standard
• Name of Standard: Digital Signature Standard (DSS) (FIPS 186-3).
• Category of Standard: Computer Security. Subcategory: Cryptography.
• Explanation: This Standard specifies algorithms for applications requiring a digital signature, rather than a written signature.
• Applicability: This Standard is applicable to all Federal departments and agencies for the protection of sensitive unclassified information that is not subject to section 2315 of Title 10, United States Code, or section 3502 (2) of Title 44, United States Code. This Standard shall be used in designing and implementing public key-based signature systems that Federal departments and agencies operate or that are operated for them under contract. The adoption and use of this Standard is available to private and commercial organizations.
• Applications: A digital signature algorithm allows an entity to authenticate the integrity of signed data and the identity of the signatory. The recipient of a signed message can use a digital signature as evidence in demonstrating to a third party that the signature was, in fact, generated by the claimed signatory. This is known as non-repudiation, since the signatory cannot easily repudiate the signature at a later time. A digital signature algorithm is intended for use in electronic mail, electronic funds transfer, electronic data interchange, software distribution, data storage, and other applications that require data integrity assurance and data origin
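The signing and verification steps of the DSA that FIPS 186-3 specifies, as an added example that is not part of the slides: a textbook Python implementation that generates its own (p, q, g) domain parameters (at a reduced 512/160-bit size, purely so the parameter search runs fast), signs a constructed sample message with SHA-256, and shows that a modified message or a different signer's public key fails verification. It is a demonstration of the algebra behind "integrity" and "identity of the signatory", not a validated cryptographic module.

```python
"""Textbook DSA (FIPS 186-3 style) sign/verify. Added demo, not a validated module."""
import hashlib
import secrets

# FIPS 186-3 defines (L, N) pairs such as (1024, 160) and (2048, 256).
# The reduced (512, 160) pair below is a constructed demo size so that
# parameter generation finishes in well under a second; do not deploy it.
L_BITS, N_BITS = 512, 160


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:          # write n - 1 = d * 2^r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness that n is composite
    return True


def generate_parameters(L: int = L_BITS, N: int = N_BITS):
    """Domain parameters (p, q, g): q prime, q | p-1, g of order q mod p."""
    while True:                # N-bit prime q (top bit set, odd)
        q = secrets.randbits(N) | (1 << (N - 1)) | 1
        if is_probable_prime(q):
            break
    while True:                # L-bit prime p with p = 1 (mod 2q)
        x = secrets.randbits(L) | (1 << (L - 1))
        p = x - (x % (2 * q)) + 1
        if p.bit_length() == L and is_probable_prime(p):
            break
    e = (p - 1) // q
    h = 2
    while True:                # g = h^((p-1)/q) mod p, rejecting g == 1
        g = pow(h, e, p)
        if g != 1:
            return p, q, g
        h += 1


def generate_keypair(p: int, q: int, g: int):
    """Private key x in [1, q-1]; public key y = g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def _hash_to_int(message: bytes, q: int) -> int:
    """Leftmost min(N, outlen) bits of SHA-256(message), as FIPS 186-3 requires."""
    z = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return z >> max(0, 256 - q.bit_length())


def sign(message: bytes, p: int, q: int, g: int, x: int):
    """Return (r, s). k must be fresh and unpredictable for every signature;
    reusing k across two messages exposes the private key, so it is drawn
    from a CSPRNG here and never stored."""
    z = _hash_to_int(message, q)
    while True:
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        if r == 0:
            continue
        s = (pow(k, -1, q) * (z + x * r)) % q
        if s != 0:
            return r, s


def verify(message: bytes, signature, p: int, q: int, g: int, y: int) -> bool:
    """Check 0 < r, s < q and v == r; y identifies the claimed signatory."""
    r, s = signature
    if not (0 < r < q and 0 < s < q):
        return False
    z = _hash_to_int(message, q)
    w = pow(s, -1, q)
    u1, u2 = (z * w) % q, (r * w) % q
    v = ((pow(g, u1, p) * pow(y, u2, p)) % p) % q
    return v == r


def demo() -> dict:
    """Genuine signature verifies; altered data or another signer's key does not."""
    p, q, g = generate_parameters()
    x, y = generate_keypair(p, q, g)
    message = b"transfer 100 INR to account 42"       # constructed sample
    sig = sign(message, p, q, g, x)
    _, other_y = generate_keypair(p, q, g)           # a different signatory
    return {
        "genuine": verify(message, sig, p, q, g, y),
        "tampered": verify(b"transfer 900 INR to account 42", sig, p, q, g, y),
        "wrong_signer": verify(message, sig, p, q, g, other_y),
    }


if __name__ == "__main__":
    print(demo())
```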
20. “Some countries implement cyber security standards through mandatory requirements, whilst others provide guidelines and frameworks.”
21. Cyber security framework under the IT Act in India
• India enacted the Information Technology Act, 2000 (“IT Act”) on 09 June 2000. The IT Act is based on the UNCITRAL model law on e-commerce.
• The preamble of the IT Act simply indicates that the Act is centered around affording legal recognition to transactions carried out electronically. However, the scope of the IT Act goes much beyond its preamble. It covers multiple areas including data protection and security, cybercrimes, adjudication of cyber disputes, government-mandated surveillance of digital communication, and intermediary liability.
• The IT Act was last amended in 2011. Despite an unprecedented increase in cyber frauds, data breaches and general cyber security concerns, no changes have been made to the IT Act in almost 9 years. In February 2020, the Ministry of Electronics and Information Technology (“MeitY”) announced that it will revamp the IT Act with a stronger focus on a framework for cyber security.
• Emerging technologies, the explosion of digital business models and a substantial increase in instances of cybercrime have triggered the government to take steps to fast-track the process of amending the IT Act.
22. A. Key developments in the cyber security framework in India
• 1. The Indian Computer Emergency Response Team
• On 23 February 2003, the MeitY designated the Indian Computer Emergency Response Team (“CERT-In”) as the authority to issue instructions for blocking websites under the IT Act to prevent online obscenity. In 2009, CERT-In was nominated as the national agency to respond to cyber security incidents. CERT-In is currently tasked with the following functions:
• a. Collecting, analysing and disseminating information on cyber incidents;
• b. Raising awareness about cyber security among citizens;
• c. Issuing guidelines, advisories and vulnerability notes on information security practices, procedures, prevention, response and reporting of cyber incidents. For instance, in December 2019, CERT-In issued a vulnerability note on a vulnerability in the Android operating system called StrandHogg.
23. 2. Constitution of a committee of experts to review the IT Act
• In 2005, a committee of experts was constituted by the erstwhile Ministry of Communications and Information Technology to review the IT Act. In its report, the committee proposed to strengthen the framework for computer-based crimes. It also proposed to build a robust mechanism to deal with data protection and privacy challenges. Accordingly, the following notable amendments were suggested:
• a. Treatment of computer-based crimes – Section 43 of the IT Act provided for compensation in various cases including unauthorized access to a computer system, data theft and the introduction of viruses through a computer system. Section 66 of the IT Act penalized the offence of hacking a computer system. The committee suggested replacing section 66 with a new section that comprehensively dealt with computer-based offences. The substituted section 66, which penalized computer offences done ‘fraudulently’ or ‘dishonestly’, was worded to be in line with section 43 of the then IT Act.
• b. Data protection – To ensure the security of data and the protection of information from unauthorized damage, the committee suggested holding a body corporate processing, dealing with or handling sensitive personal data in a computer resource liable for failure to implement and maintain reasonable security procedures and measures.
• c. Stringent provisions to deal with cybercrimes – Provisions addressing the issue of child pornography and video voyeurism with a higher degree of punishment were proposed.
• d. Power of interception – Based on the recommendations of the Inter-Ministerial Working Group on Cyber Laws & Cyber Forensics, wide powers of monitoring, interception and decryption of any information through any computer resource were proposed to be transferred from the Controller of Certifying Authorities to the central government.
• The set of amendments proposed by these recommendations paved the way for the government to consider the issues of data protection and cyber security in its subsequent attempts to amend the IT Act.
24. 3. Recommendations of the standing committee on IT on the IT (Amendment) Bill 2006
• Based on the recommendations of the committee of experts, the government introduced the IT (Amendment) Bill, 2006 (“Amendment Bill”) in December 2006. It was later referred for review to the standing committee on IT. In its 50th report, released in 2007, the standing committee on IT criticized the government’s approach of amending the existing IT Act rather than bringing in a new and exclusive legislation for governing information technology. The standing committee on IT highlighted the following issues in its report:
• a. Specific issues of cybercrime and cyber terrorism – The committee pointed out the inadequacy of the Amendment Bill to deal with the issues of cybercrime, including cyber terrorism. It noted that cyber terrorism was not defined in the proposed amendments to the IT Act. The committee expressed its concerns over the government’s proposal to introduce penalties that aligned the IT Act with the Indian Penal Code (“IPC”). The report noted that the IPC was an archaic law and ill-equipped to encompass varied cybercrimes including cyber terrorism. The committee recommended incorporating adequate, stringent, specific and self-enabling provisions in the IT Act itself to effectively deal with such offences.
• b. Cross-border cybercrimes – The committee opined that entering into Mutual Legal Assistance Treaties to deal with cross-border cybercrimes with one country at a time offered a solution in a ‘piecemeal manner’. Accordingly, the committee recommended that the government build a roadmap to become part of an omnibus international convention on cybercrimes to effectively address this issue.
• c. Child pornography – The committee recommended that the Amendment Bill should have explicit provisions to deal with child pornography. This would align it with the laws in other advanced countries and Article 9 of the Council of Europe Convention on Cyber Crimes.
• d. Powers of interception – The committee questioned the rationale of vesting the central government with the power to issue directions for interception or monitoring of any information through any computer resource. It noted that since ‘public order’ and ‘police’ are state subjects under the Constitution of India, the power to intercept any information should be vested in the state governments. This would also align the proposed law with the powers of interception given to state governments in the Indian Telegraph Act, 1885.
• e. Status of CERT-In – The committee in its report noted that even though CERT-In has been nominated as the national agency on cyber security, the status of the body has not been defined. Accordingly, the committee suggested that the agency should be defined as a government body to clarify its status beyond doubt. Doing so would instill confidence in foreign investors regarding the existence of a bona fide legal framework in the country.
25. 4. The Information Technology (Amendment) Act, 2008
• In December 2008, the Parliament enacted the IT (Amendment) Act 2008 (“Amendment Act”). The following notable amendments were introduced through the Amendment Act:
• a. Computer-related offences – The Amendment Act prohibited the transmission of offensive messages or any information for the purpose of causing annoyance, inconvenience, etc. by means of a computer resource and communication service. However, this provision was later struck down by the Supreme Court of India in the Shreya Singhal case.
• b. Power of interception – Based on the recommendations of the standing committee on IT, the Amendment Act empowered both the central and state governments to issue directions for interception/monitoring of any information under section 69. The scope of the information intercepted was broadened to include its transmission, generation and storage, as opposed to just transmission in the original provision. The amended section also made the issuance of such interception orders subject to additional safeguards introduced through the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 (“Interception Rules”).
• c. Critical information infrastructure – The Amendment Act introduced the term ‘critical information infrastructure’ (“CII”), i.e. a computer resource whose destruction will have a huge impact on national security, public health and safety, and the economy. Further, any computer resource facilitating such CII was designated as a protected system. Accordingly, the government was empowered to exercise control over such protected systems, in addition to prescribing information security practices and procedures for such a system.
• d. Nodal agency for CII – In January 2014, the National Critical Information Infrastructure Protection Centre (“NCIIPC”) was designated as the national nodal agency under the provisions of the Amendment Act. The NCIIPC is responsible for undertaking all measures to protect CII from unauthorized access, modification, use or disclosure.
26. 5. Bill on intelligence agency reforms
• In March 2011, the Intelligence Services (Powers and Regulation) Bill, 2011 (“Intelligence Bill”) was introduced as a private member's bill by Shri Manish Tewari. He was a Member of Parliament in the Lok Sabha and is currently a member of the Joint Parliamentary Committee examining the Draft Personal Data Protection Bill, 2019. The Intelligence Bill proposed to regulate the functioning of three major Indian intelligence agencies, the Research and Analysis Wing (“RAW”), the Intelligence Bureau (“IB”) and the National Technical Research Organization (“NTRO”), by putting in place an oversight mechanism. The Bill stated that surveillance operations undertaken by such intelligence agencies infringe the right to privacy of individuals. To prevent intelligence agencies from misusing their surveillance powers, it proposed a National Intelligence and Security Oversight Committee (“NISOC”). The NISOC was empowered to seek any information that these agencies possessed. Additionally, the Intelligence Bill provided for a National Intelligence Tribunal to hold these agencies accountable. The tribunal was empowered to investigate complaints filed by any person for action taken against her or her property by these agencies. However, the Intelligence Bill, like most private member's bills, never came up for discussion and ultimately lapsed.
27. 6. National Cyber Security Policy, 2013
• In July 2013, the erstwhile Ministry of Communication and Information Technology notified the National Cyber Security Policy (“NCSP”).
• Based on the objectives envisioned in the NCSP 2013, the following strategies/initiatives were introduced by the Indian government:
• a. Designation of the NCIIPC as the nodal agency to undertake measures to secure the country’s CII.
• b. The Cyber Swachhta Kendra initiative under CERT-In to combat and analyse any malicious infections/attacks that damage computer systems. The initiative is aimed at securing the cyber ecosystem by preventing such attacks from taking place and cleaning the systems that have already been infected.
• c. Development of multilateral relationships in the area of cyber security. In 2016, India partnered with the US for coordinating best practices in relation to cyber security and exchanging information in real time about malicious cyberattacks, among other things.
• d. Setting up of the National Cyber Coordination Centre (“NCCC”) to create situational awareness about cyber security threats and enable timely information sharing for preventive action by individual entities.
28. 7. Standing committee on IT report on ‘Cyber Crime, Cyber Security and Right to Privacy’
• In February 2014, the standing committee on IT made the following recommendations in its report on cybercrime, security and privacy:
• a. The committee observed that there are 20 different kinds of cybercrimes. Recognizing the impact of cyber threats on critical sectors (such as power, atomic energy, space, aviation, etc.), it recommended establishing a national protection centre to protect the CII in the country.
• b. In dealing with issues pertaining to cyber frauds, the government may have to coordinate with multiple institutions, such as the Reserve Bank of India and the SEBI. Accordingly, the committee recommended forming a centralized agency to deal with all cases of cybercrime.
• c. The committee noted that multiple agencies including the Ministry of Defence (“MoD”), the Ministry of Home Affairs (“MHA”), IB, NTRO, NCIIPC, etc. are involved in securing the Indian cyberspace. It also noted that, to minimize overlapping responsibilities between such agencies, the government has tasked the National Security Council Secretariat (“NSCS”) with overseeing compliance with cyber security policies. However, this could act as a hindrance in combating cyber threats at the earliest, given the multiple agencies involved. Recognizing the need for a collaborative effort between the government and industry to address this issue, the committee suggested implementing the recommendations made by a Joint Working Group (“JWG”) that was set up under the Deputy National Security Advisor in this regard. The JWG recommended putting in place a permanent mechanism for a Public Private Partnership (“PPP”) on cyber security as a solution, among other things.
• d. The committee acknowledged that despite the cost advantages of hosting servers outside India, the accompanying technical and legal security concerns posed to the nation and to citizens’ privacy have to be given due consideration. Accordingly, the committee recommended that the government take all steps to ensure that, as far as possible, servers are hosted locally.
  • 29. 8. Surveillance order issued by MHA–
  • In December 2018, the MHA passed an order under the Interception Rules which authorized 10 security and intelligence agencies to intercept/monitor/decrypt any information transmitted, generated, received or stored on any computer resource.
  • These agencies include the IB, Narcotics Control Bureau, Enforcement Directorate, Central Board of Direct Taxes, Central Bureau of Investigation and the Delhi Police. The order was heavily criticized and challenged before the Supreme Court on the grounds of violating the fundamental right to privacy, as laid down in the Puttaswamy case.
  • The central government defended the order by claiming that it has been passed to pursue a legitimate state aim. Furthermore, for authorized agencies to intercept any information, the government has submitted that they will have to seek the permission of the competent authority. The matter is currently pending before the Supreme Court.
  • 30. 9. National Cyber Security Strategy 2020-
  • In another one of its attempts to address the issues pertaining to cyber threats and data vulnerabilities, the Indian government has proposed to come out with the National Cyber Security Strategy (“NCSS”) 2020.
  • The NCSS aims to examine various facets of cyber security under three pillars: securing the national cyberspace; strengthening the structures, people, processes and capabilities; and synergizing the resources, including cooperation and collaboration.
  • The government had sought comments and suggestions on different aspects of the NCSS by 10th January 2020 and is currently in the process of framing the policy.
  • 31. B. Key Issues on cyber security–
  • 1. Surveillance and privacy-
  • a. The Interception Rules designate the Secretary in the Union Ministry of Home Affairs/Home Department of a state government (“Home Secretary”) as the ‘competent authority’ for approving data surveillance/monitoring requests under the IT Act. Additionally, the Interception Rules provide for a review committee to oversee the directions issued by the competent authority to intercept/monitor such information. Per the Interception Rules, the review committee is mandated to meet at least once in two months. Similarly, a committee headed by the chief secretary reviews directions passed by state governments.
  • b. This means that the central government has to approach the Home Secretary before it issues any directions to intercept/monitor any digital communication. However, given the large number of interception/monitoring requests made by the government, it becomes unfeasible for the Home Secretary to objectively assess each request. Thus, the Home Secretary becomes a mere rubber-stamp authority for approving government interception requests.
  • c. Interestingly, the Srikrishna Committee report mentioned that an application filed under the RTI Act revealed that the review committee has the task of reviewing 15,000-18,000 interception orders in every meeting. This unrealistic target poses a threat to the safety and security of individuals’ personal data. The committee noted that surveillance should not be carried out without a degree of transparency that can pass the Puttaswamy test of necessity, proportionality and due process.
  • 32. 2. Multiplicity of institutions
  • The issue of multiplicity of cyber security agencies was highlighted by the Standing Committee on IT in its 52nd report. Several institutions tasked with securing the cyber space lead to a lack of coordination between them.
  • In 2015, the standing committee on IT in its 17th report outlined the action taken by the government on the recommendations of the JWG to deal with the issue of multiplicity of cyber security agencies.
  • The report noted that the government, in July 2014, had identified the objectives that would promote the overall cooperative framework for a PPP on cyber security. However, an action plan for implementing these recommendations was still being worked out.
  • 33. • The issue as such appears to be unresolved, with the following agencies presently dealing with cyber security:
  • a. Cyber and Information Security Division, MHA: This division under the MHA is tasked with handling matters related to cyber security and cyber-crimes.
  • b. CERT-In: CERT-In functions under the aegis of MeitY. Its main functions include responding to cyber-security incidents and issuing security guidelines, advisories and alerts.
  • c. NCIIPC: It acts as the national nodal agency for the protection of CII in India.
  • d. NCCC: It is responsible for creating situational awareness about existing and potential cyber security threats and enabling timely information sharing for ‘proactive, preventive and protective’ actions by individual entities.
  • e. Indian Cyber Crime Coordination Centre (“I4C”): The I4C scheme consists of seven components which will be established on a rolling basis by the MHA in 2018-2020, including a National Cybercrime Threat Analytics Unit, National Cybercrime Forensic Laboratory Ecosystem and National Cyber Research and Innovation Centre.
  • f. National Cyber Security Coordinator (“NCSC”): It was formed under the NSCS as the nodal agency for cyber security. The NCSC coordinates with different agencies at the national level on cyber security matters.
  • g. Defence Cyber Agency: The agency has been established to address issues pertaining to military cyber security and cyber warfare. It is governed by the Defence Intelligence Agency under the MoD.