National Cyber Security Policy - 2013

Preamble
• Cyberspace is a complex environment consisting of
interactions between people, software and services,
supported by worldwide distribution of information and
communication technology (ICT) devices and networks
• The cyberspace is used by citizens, businesses, critical
information infrastructure, military and governments and
is expected to grow more complex
• Cyberspace is vulnerable to a wide range of incidents,
whether intentional or accidental, manmade or natural, and
the info can be exploited by both nation states and non-state
actors
Cyber Security Policy
• Caters to the whole spectrum of ICT users and
providers and is an evolving process
• IT SERVES AS AN UMBRELLA FRAMEWORK
FOR DEFINING AND GUIDING THE ACTIONS
RELATED TO SECURITY OF CYBER SPACE
• It also enables the individual sectors and org
in designing appropriate cyber security policies
to suit their needs
Vision

TO BUILD A SECURE AND RESILIENT CYBERSPACE
FOR CITIZENS, BUSINESSES AND GOVERNMENT
Mission
• Protect info and info infrastructure
• Build capabilities to prevent and respond to
cyber threats
• Reduce vulnerabilities and minimize damage
from cyber incidents through a combination of
institutional structures, people, processes,
tech and cooperation
Objectives
• To create a secure cyber ecosystem in the country,
generate adequate trust & confidence in IT systems and
transactions in cyberspace and thereby enhance adoption
of IT in all sectors of the economy
• To create an assurance framework for design of security
policies and for promotion and enabling actions for
compliance to global security standards and best practices
by way of conformity assessment (product, process,
technology & people)
• To strengthen the Regulatory framework for ensuring a
Secure Cyberspace ecosystem
Objectives
• To enhance and create National and Sectoral level 24 x 7
mechanisms for obtaining strategic information regarding
threats to ICT infrastructure, creating scenarios for response,
resolution and crisis management through effective predictive,
preventive, protective, response and recovery actions
• To enhance the protection and resilience of Nation’s critical
information infrastructure by operating a 24x7 National Critical
Information Infrastructure Protection Centre (NCIIPC) and
mandating security practices related to the design, acquisition,
development, use and operation of information resources
Objectives
• To develop suitable indigenous security
technologies through frontier technology research,
solution oriented research, proof of concept, pilot
development, transition, diffusion and
commercialisation leading to widespread
deployment of secure ICT products / processes
• To improve visibility of the integrity of ICT products
and services by establishing infrastructure for
testing & validation of security of such products
Objectives
• To create a workforce of 500,000 professionals skilled in cyber
security in the next 5 years through capacity building, skill
development and training.
• To provide fiscal benefits to businesses for adoption of standard
security practices and processes.
• To enable protection of information while in process, handling,
storage & transit so as to safeguard privacy of citizen's data and
for reducing economic losses due to cyber crime or data theft.
• To enable effective prevention, investigation and prosecution of
cyber crime and enhancement of law enforcement capabilities
through appropriate legislative intervention.
Objectives
• To create a culture of cyber security and privacy
enabling responsible user behaviour & actions through
an effective communication and promotion strategy.
• To develop effective public private partnerships and
collaborative engagements through technical and
operational cooperation and contribution for
enhancing the security of cyberspace.
• To enhance global cooperation by promoting shared
understanding and leveraging relationships for
furthering the cause of security of cyberspace.
Strategies : Creating a Secure Cyber Eco
System
• Designate a national nodal agency to coordinate
matters (cyber security) with clearly defined roles
and responsibilities
• Designate CISO in every org who will be responsible
for cyber security efforts and initiatives
• Org to devp info security policies and implement
them as per international best practices
• Org to earmark a specific budget for cyber security
Strategies : Creating a Secure Cyber Eco
System
• Provide fiscal schemes and initiatives to
encourage entities to install and upgrade info
infrastructure for cyber security
• Prevent occurrence and recurrence of cyber
incidents (proactive actions)
• Est mechanism for sharing info
• Procurement of trustworthy indigenously
manufactured ICT products
Strategies : Creating an Assurance Framework
• Promote adoption of global best practices in info
security and compliance
• Create infrastructure for conformity assessment and
certification of compliance to cyber security best
practices, std and guidelines (e.g. ISO 27001 ISMS
certification)
• Enable implementation of global security best
practices for risk management
• Identify and classify info infrastructure facilities and
assets
Strategies : Creating an Assurance Framework
• Encourage secure appln/software devp processes
• Create conformity assessment framework for
periodic verification of compliance to best
practices, std and guidelines on cyber security
• Encourage all entities to periodically test and
evaluate the adequacy and effectiveness of tech
and op security measures implemented in IT sys
and networks
Strategies : Encouraging Open Stds
• Encourage use of open standards to facilitate
interoperability and data exchange among
different products and services
• Promote a consortium of Govt and private
sector to enhance availability of tested and
certified IT products on open standards
Strategies : Strengthening the Regulatory
Framework
• Devp dynamic and legal framework and its
periodic review to address Cyber security
challenges
• To mandate periodic audit and evaluation
• To enable, educate and facilitate awareness
of the regulatory framework
Strategies : Creating Mechanisms for Early
Warning, Vulnerability Mgmt and Response

• To create National lvl sys, processes, structures
and mechanisms to generate situational scenario
of existing and potential threats and enable
timely info sharing for proactive, preventive and
protective actions
• To operate 24x7 CERT-In to function as a Nodal
Agency for coordination of all efforts for cyber
security emergency response and crisis mgmt
(Umbrella org)
Strategies : Creating Mechanisms for Early
Warning, Vulnerability Mgmt and Response

• Operationalise 24x7 sectorial CERTs
• Implement Crisis Mgmt plan for dealing with
incidents impacting critical national
processes or endangering public safety and
security of the nation
• To conduct and facilitate regular cyber
security drills and exercises at National,
sectorial and entity levels
Strategies : Securing E-Governance Services

• To mandate implementation of global
security best practices, business continuity
mgmt and cyber crisis mgmt plan for all
e-Governance initiatives
• To encourage wider usage of PKI within Govt.
for trusted communication and transactions
• To engage info security professionals / org to
assist
Strategies : Protection and Resilience of
Critical Info Infrastructure
• To devp plan for protection of CII
• To operate 24x7 National Critical Information
Infrastructure Protection Centre (NCIIPC) to
function as Nodal agency for CII protection
• To facilitate identification, prioritisation,
assessment, remediation and protection of CII
and key resources
• To encourage and mandate as appropriate, the
use of validated and certified IT products
Strategies : Protection and Resilience of
Critical Info Infrastructure
• To mandate security audit of CII on periodic
basis
• To mandate certification of all security roles
right from CISO/CSO to those involved in
operation of CII
• To mandate secure appln/software devp
process
Strategies : Promotion of R & D in Cyber
Security
• To undertake R&D programs aimed at short
term, medium term and long term goals
• To encourage R&D to produce cost effective,
tailor-made and indigenous security solutions
• To facilitate transition, diffusion and
commercialisation of outputs of R&D into
commercial products and services for use in
public and private sectors
Strategies : Promotion of R & D in Cyber
Security
• To set up Centre of Excellence in areas of
strategic importance from the point of view of
security of cyber space
• To collaborate in joint R&D projects with
industry and academia in frontline
technologies and solution oriented research
Strategies : Reducing Supply Chain Risks
• To create and maintain testing infrastructure and
facilities of IT security product evaluation and
compliance verification
• To build trust relationships with product / system
vendors and service providers for improving
end-to-end supply chain security visibility
• To create awareness of the threats,
vulnerabilities and consequences of breach of
security related to IT procurement
Strategies : HRD
• To foster education and trg programs both in formal
and informal sectors to support the nation’s cyber
security needs and build capacity
• To est cyber security trg infrastructure across the
country by way of public private partnership
arrangements
• To est cyber security concept labs for awareness and
skill devp in key areas
• To est institutional mechanisms for capacity building
for Law Enforcement Agencies
Strategies : Creating Cyber Security
Awareness
• To promote and launch a comprehensive
national awareness program on security of
cyber space
• To sustain security literacy awareness and
publicity campaign through electronic media
• To conduct, support and enable cyber
security workshops / seminars and
certifications
Strategies : Devp Effective Public Pvt
Partnerships
• To facilitate collaboration and cooperation
among stakeholder entities
• To create models of collaborations and
engagement with all relevant stakeholders
• To create a think tank for cyber security
inputs, discussion and deliberations
Other Strategies
• INFO SHARING AND COOPERATION (among
security agencies, CERTs, defence agencies,
Law enforcement agencies and judicial
systems)
• PRIORITIZED APPROACH FOR
IMPLEMENTATION
Thank You
