Critical sectors may be asked to have a common crisis management plan


The government may mandate all public and private companies in banking, telecom, power and energy, public health, and other sectors that deal with or possess critical information infrastructure to stick to a common ‘cyber crisis management plan’ when dealing with cybersecurity incidents of all kinds.
These organisations may have to undertake “mandatory internal and external information security audits” and report the findings of these audits to their respective sectoral regulator, as per the proposed national cybersecurity reference framework.

ET has seen a copy of the draft framework, which might be released soon for public consultation.
If implemented, private entities will, for the first time, follow the same SOP (standard operating procedure) on cybersecurity as their public sector counterparts.

Though the reference framework is a largely suggestive document that lists out the best practices to be followed, the Ministry of Electronics and Information Technology (MeitY) may prescribe these suggestions as “standard practice to be followed” by all critical sector entities, a senior government official told ET.

These entities may have to “adopt an internationally accepted methodology” for the audit of their information technology systems as well as information security management systems. “The audit scope, audit objective, audit criteria, and the competency of the auditors should be such that it provides adequate assurance to the stakeholders on the objectivity and impartiality of the results,” the draft framework suggested.

In case of a cybersecurity incident, critical sector entities should follow four main processes, namely, evaluating the incident, directing the next steps, monitoring the process, and communicating clearly, the draft has proposed.

These entities should also conduct routine cybersecurity maturity analyses of their systems to “measure the effectiveness of their cybersecurity capabilities”, it said.

As a part of this process, all physical and software assets must be identified and clearly catalogued from the time they are acquired until their decommissioning. Clear parameters that define the “sensitivity” of the software or hardware, along with their ownership restrictions, should also be present, the draft has suggested.

The reference framework has also outlined other steps such as establishing a cyber security operation centre (C-SOC) and a network operation centre. In case of a cybersecurity incident, the C-SOCs at the critical sector entities should have “mechanisms to provide feedback on the actions taken”.

“These strategies should be tested during audits and ‘blue/red teaming’ exercises, and then form a part of the cyber crisis management plan (CCMP). Strategies, plans, procedures, and roles in CCMP should be continuously audited, updated, tested, and approved to maintain the efficacy of response,” the draft has suggested.
