Critical sectors may be asked to have a common crisis management plan

Jan 30, 2024, 06:01:00 AM IST

The government may mandate all public and private companies in banking, telecom, power and energy, public health, and other sectors that deal with or possess critical information infrastructure to stick to a common ‘cyber crisis management plan’ when dealing with cybersecurity incidents of all kinds.

These organisations may have to undertake “mandatory internal and external information security audits” and report the findings of these audits to their respective sectoral regulator, as per the proposed national cybersecurity reference framework.

ET has seen a copy of the draft framework, which might be released soon for public consultation.

If implemented, private entities will, for the first time, follow the same SOP (standard operating procedure) on cybersecurity as their public sector counterparts.

Though the reference framework is a largely suggestive document that lists out the best practices to be followed, the Ministry of Electronics and Information Technology (MeitY) may prescribe these suggestions as “standard practice to be followed” by all critical sector entities, a senior government official told ET.

These entities may have to “adopt an internationally accepted methodology” for the audit of their information technology systems as well as information security management systems. “The audit scope, audit objective, audit criteria, and the competency of the auditors should be such that it provides adequate assurance to the stakeholders on the objectivity and impartiality of the results,” the draft framework suggested.

In case of a cybersecurity incident, critical sector entities should follow four main processes, namely, evaluating the incident, directing the next steps, monitoring the process, and communicating clearly, the draft has proposed.

These entities should also conduct routine cybersecurity maturity analyses of their systems to “measure the effectiveness of their cybersecurity capabilities”, it said.

As a part of this process, all physical and software assets must be identified and catalogued clearly from the time they are brought in until their decommissioning. Clear parameters that define the “sensitivity” of the software or the hardware along with their ownership restrictions should also be present, the draft has suggested.

The reference framework has also outlined other steps such as establishing a cyber security operation centre (C-SOC) and a network operation centre. In case of a cybersecurity incident, the C-SOCs at the critical sector entities should have “mechanisms to provide feedback on the actions taken”.

“These strategies should be tested during audits and ‘blue/red teaming’ exercises, and then form a part of the cyber crisis management plan (CCMP). Strategies, plans, procedures, and roles in CCMP should be continuously audited, updated, tested, and approved to maintain the efficacy of response,” the draft has suggested.

[The Economic Times]
