Digital India – Early Adoption of Cyber Security Framework is Necessary
With the Digital India initiative, there is a new wave of transformation across the country. It includes e-Governance, electronic delivery of services, and information for all in electronic form in the central and state government segments.
This transformation is also demanding that every small and big business go online to increase efficiency and revenues.
This is making government and private businesses increasingly dependent on devices, services and applications that connect to the internet such as smartphones, email, social media, and cloud computing services. Through this dependence they become larger targets for cyber criminals looking to exploit technological vulnerabilities.
Therefore, it is crucial to take proper cyber security measures – measures to protect all computing devices, networks, and information – to ensure their data remains secure.
Cyber Security Threats
According to counter-terrorism expert Richard Clarke, most cyber threats can be classified into four distinct categories – Crime, Hacktivism, Espionage and War (CHEW).
Crime – Criminal cyber-attacks that could take the form of data theft, fraud or extortion.
Hacktivism – Seeking to make a political statement through attacks that are generally disruptive in nature. These attacks often involve shutting down websites or defacing insecure websites to convey the attackers' message and can pose reputational risks to a brand.
Espionage – These operations are very well organized and funded by states/nations. The data, secrets and intellectual property stolen through them are used to enhance their own economies and national security.
War – Attacks driven by the political motivations of a nation/state or a terrorist, with the motive of damage and destruction.
The National Institute of Standards and Technology’s (NIST) Cybersecurity Framework is a proposed framework that NIST has created to improve critical infrastructure security.
The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes.
This framework is derived from existing industry standards, and the end goal is not compliance with a standard but to increase cybersecurity and ensure the protection of customers.
The Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers.
The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level.
The Core consists of five functions: Identify, Protect, Detect, Respond and Recover. Each function is further divided into Categories, Subcategories and Informative References such as existing standards, guidelines and practices.
Identify
– Identify at-risk data (asset information, business information)
– Assess the threat to and vulnerability of existing infrastructure
– Understand all devices connected to the network and the network structure
Protect
– Limit network access to authorized users and devices
– Educate all users on cybersecurity awareness and risk management
– Employ programs and services that secure data and networks
Detect
– Exercise network monitoring to detect threats in a timely manner
– Evaluate the threat and understand its potential impact
– Look for anomalies in the physical environment and among users, including the presence of unauthorized users or devices
Respond
– Contain and mitigate the event to prevent further damage
– Coordinate with stakeholders to execute a response plan and, once an event is detected, notify the proper authorities
– Evaluate the response effort to improve the response plan
Recover
– Execute recovery systems to restore systems and data
– Update the response plan with lessons learned
– Resume business activities with internal and external stakeholders and manage public relations
The Framework Implementation Tiers provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. Four tiers are defined, as below:
Partial – Organizational cybersecurity risk management practices are not formalized. There is limited awareness of cybersecurity risk at the organizational level and an organization-wide approach to managing cybersecurity risk has not been established.
Risk Informed – Risk management practices are approved by management but may not be established as organization-wide policy. There is an awareness of cybersecurity risk at the organizational level but an organization-wide approach to managing cybersecurity risk has not been established.
Repeatable – The organization’s risk management practices are formally approved and expressed as policy. There is an organization-wide approach to manage cybersecurity risk.
Adaptive – The organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events.
A Profile enables organizations to establish a roadmap for reducing cybersecurity risk that is well aligned with organizational goals.
Framework Profiles can be used to describe the current state or the desired target state of specific cyber security activities. The Current Profile indicates the cyber security outcomes that are currently being achieved. The Target Profile indicates the outcomes needed to achieve the desired cyber security risk management goals.
Comparison of Profiles (e.g., the Current Profile and Target Profile) may reveal gaps to be addressed to meet cyber security risk management objectives.