Ministry of Electronics & Information Technology (Cyber Security and Cyber Law Group), Government of India through its D.O. No 5(4)/2016-ESD dated 19 May 2017 issued a note on “Key Roles and Responsibilities of Chief Information Security Officers (CISOs)” in Ministries/Departments and Organisations managing ICT operations.
Last week the Ministry published the “CISOs Top Best Practices for a Safe & Secure Cyber Environment” through its note No. 20 (7)/2017-CLES.
The text of the note is as follows:
1. Chief Information Security Officer’s (CISO) Top Best Practices for a safe & secure Cyber environment are given below. It is strongly advised that all CISOs follow and implement the same.
(i) Know your IT environment – Undertake an inventory of the computers and networked devices in your environment, the types of data managed by your department, how these data-sets are classified, who has access to them, and their relative importance and sensitivity, and maintain an up-to-date view of the threat landscape.
(ii) Build a Strong Internal Cyber Hygiene Culture – Educate, sensitize and train your employees on types of cybercrime attacks and safe cyber practices such as strong passwords, multi-factor authentication, secure Internet browsing, social media safety, use of USB drives, etc.
(iii) Information Security Management System (ISMS) – Identify, implement, operate, review and improve the Information Security Policy for the department.
(iv) Implement Strong IT Asset Fundamentals –
- Keep operating systems and software applications updated and patched from trusted sources on a regular basis. Ensure the latest OS versions and software are installed, since these have the latest security features built in.
- Do not use software or hardware that is old, no longer has the manufacturer’s mainstream technical and product support, or is near the end of its support life.
- Procure and use only genuine and current software and hardware from trusted sources, to benefit from the latest security and privacy features.
(v) Ensure a Robust Cybersecurity Policy Framework – Implement and enforce a formal cybersecurity policy framework that includes governance, risk management, compliance, data back-up, enforcement and usage policy statements that clearly define their purpose, guidance, roles and responsibilities.
(vi) Deeper Focus on User Identity & Information Security – Protect and manage user identity and privileged access authentication with robust in-built identity and access management (IAM) tools; drive strong device protection with encryption and data leakage prevention (DLP); maintain logs.
(vii) Conduct Regular and Comprehensive Cybersecurity Reviews – Undertake regular and on-demand software asset management and cyber risk analysis of your network, network resources and critical assets, threats and vulnerabilities, including audits of IT suppliers and vendors. Conduct Vulnerability Assessment and Penetration Testing (VAPT) of all websites and portals on a quarterly basis at a minimum. Conduct a Web Application Security Assessment (WASA) annually.
(viii) Proactive Operations & Cyber Response Strategy – Use tools and built-in technologies for active monitoring of the network, devices and user activity to detect anomalies in systems, processes, commands, registries, malware activity and unauthorized user behaviour, coupled with a cyber-response strategy that includes executive sponsorship, internal and external communication, threat containment and remediation, and legal exposure and risk assessment.