
Union of India - Section

Section 3 in The Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018

3. Information Security Practices and Procedures for "Protected System".

(1)
    (a) The organisation having "Protected System" shall constitute an Information Security Steering Committee under the chairmanship of Chief Executive Officer/Managing Director/Secretary of the organisation.
    (b) The composition of Information Security Steering Committee (ISSC) shall be as under:
        (i) IT Head or equivalent;
        (ii) Chief Information Security Officer (CISO);
        (iii) Financial Advisor or equivalent;
        (iv) Representative of National Critical Information Infrastructure Protection Centre (NCIIPC);
        (v) Any other expert(s) to be nominated by the organisation.
(2) The Information Security Steering Committee (ISSC) shall be the apex body with roles and responsibilities as follows:
    (a) All the Information Security Policies of the "Protected System" shall be approved by Information Security Steering Committee.
    (b) Significant changes in network configuration impacting "Protected System" shall be approved by the Information Security Steering Committee.
    (c) Each significant change in application(s) of the "Protected System" shall be approved by Information Security Steering Committee.
    (d) A mechanism shall be established for timely communication of cyber incident(s) related to "Protected System" to Information Security Steering Committee.
    (e) A mechanism shall be established to share the results of all information security audits and compliance of "Protected System" to Information Security Steering Committee.
    (f) Assessment for validation of "Protected System" after every two years.
(3) The organisation having "Protected System" shall
    (a) nominate an officer as Chief Information Security Officer (CISO) with roles and responsibilities as per latest "Guidelines for Protection of Critical Information Infrastructure" and "Roles and Responsibilities of Chief Information Security Officers (CISOs) of Critical Sectors in India" released by NCIIPC;
    (b) plan, establish, implement, operate, monitor, review, maintain and continually improve Information Security Management System (ISMS) of the "Protected System" as per latest "Guidelines for Protection of Critical Information Infrastructure" released by the National Critical Information Infrastructure Protection Centre or an industry accepted standard duly approved by the said National Critical Information Infrastructure Protection Centre;
    (c) ensure that the network architecture of "Protected System" shall be documented. Further, the organisation shall ensure that the "Protected System" is stable, resilient and scalable as per latest National Critical Information Infrastructure Protection Centre "Guidelines for Protection of Critical Information Infrastructure". Any changes to network architecture shall be documented;
    (d) plan, develop, maintain the documentation of authorised personnel having access to "Protected System" and the same shall be reviewed at least once a year, or whenever required, or according to the Information Security Management System (ISMS) as suggested in clause (b);
    (e) plan, develop, maintain and review the documents of inventory of hardware and software related to "Protected System";
    (f) ensure that Vulnerability/Threat/Risk (V/T/R) Analysis for the cyber security architecture of "Protected System" shall be carried out at least once a year. Further, Vulnerability/Threat/Risk (V/T/R) Analysis shall be initiated whenever there is significant change or upgrade in the system, under intimation to Information Security Steering Committee;
    (g) plan, establish, implement, operate, monitor, review, and continually improve Cyber Crisis Management Plan (CCMP) in close coordination with National Critical Information Infrastructure Protection Centre;
    (h) ensure conduct of internal and external Information Security audits periodically according to Information Security Management System (ISMS) as suggested in clause (b). The Standard Operating Procedure (SOP) released by National Critical Information Infrastructure Protection Centre (NCIIPC) for "Auditing of CIIs/Protected Systems by Private/Government Organisation" shall be strictly followed;
    (i) plan, develop, maintain and review documented process for IT Security Service Level Agreements (SLAs). The same shall be strictly followed while designing the Service Level Agreements with service providers;
    (j) establish a Cyber Security Operation Center (C-SOC) using tools and technologies to implement preventive, detective and corrective controls to secure against advanced and emerging cyber threats. In addition, Cyber Security Operation Center is to be utilised for identifying unauthorized access to "Protected System", and unusual and malicious activities on the "Protected System", by analyzing the logs on a regular basis. The records of unauthorised access, unusual and malicious activity, if any, shall be documented;
    (k) establish a Network Operation Center (NOC) using tools and techniques to manage, control and monitor the network(s) of "Protected System" for ensuring continuous network availability and performance;
    (l) plan, develop, maintain and review the process of taking regular backup of logs of networking devices, perimeter devices, communication devices, servers, systems and services supporting "Protected System" and the logs shall be handled as per the Information Security Management System (ISMS) as suggested in clause (b).