Version 5.0 – Final 09 October 2014 NATIONAL INFORMATION SECURITY POLICY AND GUIDELINES MINISTRY OF HOME AFFAIRS GOVERNMENT OF INDIA National Information Security Policy and Guidelines | Ministry of Home Affairs Disclaimer The Ministry of Home Affairs (MHA), Government of India, is aware of the cyber security policies, guidelines, and standards as identified and practiced by various government organizations in India. The role of MHA is specialized and focuses on establishing guidelines to help secure the “information” which may impact internal security and national security. These guidelines are based on the analysis of existing global security standards, and frameworks; and the emerging trends and discourse in the wake of persistent threats, and cyber-attacks on critical infrastructure of nations globally. The scope of MHA’s “National Information Security Policy & Guidelines” encompasses Government and Public Sector organizations and associated entities and third parties, for protecting the information under their control or ownership during information’s life-cycle including creation, storage, processing, accessing, transmission, destruction etc. The objective of this document is to improve the information security posture of an organization possessing any information, including classified information, and does not restrict organizations from adopting additional stringent practices over and above these guidelines. Organizations may evaluate various additional measures for the security of information they possess for protecting their information depending upon the sensitivity, criticality and importance of such information in the overall Internal Security and National Security interest of the country. NISPG - Version 5.0 Restricted Page 1 National Information Security Policy and Guidelines | Ministry of Home Affairs Foreword Ministry of Home Affairs (MHA) has been designated as the lead agency for the protection of the “Information” in Cyberspace. The Ministry is tasked with finalizing and issuing guidelines on the codification and classification, of information, and keeping it updated in the ever expanding cyberspace. Earlier, MHA has issued the manual of departmental security instructions 1994 which is presently applicable and is being used today by all the Government Ministries/departments/agencies. The government at all levels, central, state and local, is increasingly using Information and Communication Technologies (ICT) to enhance productivity, improve efficiency in service delivery, speed-up development in all sectors of economy and improve the governance while safeguarding overall Internal Security and National Security interests of the country. Paper based records, which were earlier held in the files and filing cabinets, are now created, stored, processed, accessed, transmitted and destroyed in electronic formats. Such information can be accessed from different parts of the country by authorized personnel; however, this information is also vulnerable to unauthorized access which can compromise confidentiality, availability and integrity of information through cyber-attacks from anywhere in India or from outside the Indian borders. Adoption of international standards and best practices for security of information in the complex and borderless cyber space has, therefore, become paramount to protect national information assets in the overall national security interest. This is more important for organizations dealing with strategic information related to internal security, national security, economic security, and external affairs which handling large data/ information in electronic format. Also, the critical infrastructures such as power, banking and finance, telecommunications, transport, air traffic control etc., which are using ICT for increasing efficiency and productivity, are prone to cyber- attacks. This can have a crippling effect on the nation’s stability, economy and security. This policy document on “National Information Security and Guidelines 2014” includes a comprehensive review of the “Manual on Departmental Security Instructions” of 1994 for the present day information security requirements in the Cyber space to address the above mentioned challenges. It will serve as an extension to the existing “Manual on Departmental Security Instructions”, 1994 which primarily addresses the handling of the security of paper based information. The National Information Security Policy and Guidelines (NISPG) has been prepared by the Ministry of Home Affairs, based on the experience of the existing security standards and frameworks and the global best practices and experience of implementation in the wake of expanding information security threat scenario. This policy document will supplement the existing guidelines issued by DeitY, NIC, IB and NTRO for the security of ICT infrastructure, assets, networks, applications, user management, email etc. I hope that the organizations directly involved in handling the information in any form, including the digital form, which is relevant to the internal security and national security shall implement these guidelines and make further suggestions, if any, to improve the next version of NISPG. (Anil Goswami) Union Home Secretary NISPG - Version 5.0 Restricted Page 2 National Information Security Policy and Guidelines | Ministry of Home Affairs Executive summary The digital world is a reality today in all aspects of our lives. Digital infrastructure is the backbone of prosperous economies, vigorous research communities, strong militaries, transparent governments and free societies. Lacs of people across the country rely on the electronic services in cyberspace every day. As never before, Information and Communication Technology (ICT) is fostering transnational dialogue and facilitating the global flow of information, goods and services. These social and trade links have become indispensable to our daily lives as well as the economy of our country. Critical life-sustaining infrastructures that deliver electricity and water, telecommunication, Internet and broadband connectivity, control air traffic, and support our financial systems all depend on networked information systems. The reach of networked technology is pervasive and global. For all nations, the underlying digital infrastructure has become a critical national asset. Therefore improving and securing this digital infrastructure in all its dimensions including increased availability of next generation broadband connectivity, citizen/ customer centric applications and services, security of information, is critical to India’s future. Traditionally, information available with the government has been safely managed by keeping it in paper records throughout its lifecycle i.e. creation, storage, access, modification, distribution, and destruction. However, to make all government services accessible to the common man in his locality, through efficient service delivery outlets, along with transparency & reliability, the government has steadily graduated towards using electronic formats of information. Now, several forms of information have been converted to the electronic format by the ministries, departments and agencies, both in the central as well as state governments. The classification, storage and protection of such information in electronic format have always remained an area of concern. The challenge, as with the information contained in paper format, remains the same, namely the ability to categorize, protect, archive, discover, and attribute information during its useful life and eventual destruction. Even though the lifecycle of information remains the same in electronic documents and online transactions, the methods to secure information in electronic environment are different. In the present age, the “Manual of Departmental Security Instructions”, issued in 1994, is no longer sufficient to protect against the threats facing electronic forms of information. Information security is one of the important components of cyber security and is gradually taking centre stage in the national security deliberations and discussions. In fact, it has become a key component of national security design and is shaping international strategies of nations globally. Threats to information are increasingly organized and targeted, helping criminals, state actors and hacktivists to reap immense benefits out of information compromise, theft or espionage. Cybercriminals can carry out identity theft and financial fraud; steal corporate information such as intellectual property; conduct espionage to steal state and military secrets; and recruit criminals or disrupt critical infrastructures by exploiting the vulnerabilities in any system connected to the Internet. The cybercriminals could be located anywhere in the world and they can target a particular user, system or a particular service in a country or a region. Worse still, the cybercriminals can cover their tracks so that they cannot be traced. It is extremely difficult to prove whether the cybercriminal is an individual, a gang, a group of state actors or a nation-state. As the government broadens the scope of its drive to move towards e-governance and embraces technology for citizen-centric services, it faces threats from multiple sources. Each government process or project introduces a different level of complexity as a result of varied data transactions, NISPG - Version 5.0 Restricted Page 3 National Information Security Policy and Guidelines | Ministry of Home Affairs involvement
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages256 Page
-
File Size-