Section 70 of the Information Technology Act 2000 of India states that the government may declare any computer, computer system or computer network to be a “protected system”. The act also defines ‘Critical Information Infrastructure’ as a computer resource whose inefficiency or loss has a devastating impact on national security, the economy, public health, or safety. The act also serves as a deterrent: anybody who secures access, or attempts to secure access, to a protected system in contravention of its provisions faces imprisonment for a term of up to ten years as well as a fine.
The Government of India, Ministry of Electronics and Information Technology (MeitY), vide a notification dated 16 June 2020 under the ambit of Section 70 of the IT Act 2000, has declared the IT resources of ICICI Bank a “Critical Information Infrastructure (Protected System)”. In two other notifications, MeitY identified the IT resources of HDFC Bank and of the National Payments Corporation of India (NPCI), the organisation that operates UPI, as critical infrastructure.
Under these notifications the organisations are declared “Critical Information Infrastructure (Protected System)”, implying that any harm to them can have an impact on national security and that any unauthorised person accessing these resources will be liable for punishment. Also, any asset declared ‘Critical Information Infrastructure’ under the provisions of the IT Act 2000 will now be monitored by the National Critical Information Infrastructure Protection Centre (NCIIPC). The Chief Information Security Officer (CISO) of the organisation will now be accountable to the DG NCIIPC, apart from being answerable to the corporate hierarchy. The incapacitation or destruction of such ‘Critical Information Infrastructure’ shall have a debilitating impact on national security, the economy, public health or safety, and the government has the right to treat such an act by non-state or state actors, whether of foreign or national origin, as an ‘Act of War’ on the Indian Sovereign State.
“Looking at the recent sophisticated cyber-attacks, it is high time all the banks and financial institutions get themselves notified as a protected system. Similarly, the control systems of all the electricity, oil, airports, railways, metros and transport systems are critical infrastructure and must be declared as a protected system,” said Triveni Singh, SP, Cyber Crime, Uttar Pradesh Police and certified cyber expert.
The National Critical Information Infrastructure Protection Centre (NCIIPC) is an organisation of the Government of India created under Section 70A of the Information Technology Act, 2000, through a gazette notification on 16 January 2014. Further, the Ministry of Electronics and Information Technology (MeitY), vide a notification dated 22 May 2018, released “The Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018”.
Under the Rules, an organisation operating a “Critical Information Infrastructure” (Protected System) has to adhere to a number of mandates intended to protect the systems notified as Section 70 assets:
- Information Security Steering Committee
The Rules define an ‘Information Security Steering Committee’ to mean ‘the committee comprising higher management officials of an organization, responsible for continuously improving and strengthening the cyber security posture of the Protected System and also plan, develop, review remedial actions to mitigate and recover from malicious cyber incidents.’
As per Rule 3 of the Rules, every organization having ‘Protected System’ shall constitute an Information Security Steering Committee under the chairmanship of CEO/ MD or Secretary of the organization.
The composition of the Committee is required to include the IT Head or equivalent; Chief Information Security Officer (“CISO”); Financial Advisor or equivalent; Representative of National Critical Information Infrastructure Protection Centre (“NCIIPC”); any other expert(s) to be nominated by the organization.
- Roles and Responsibilities of the Information Security Steering Committee
The Rules prescribe the vital roles and responsibilities of the Information Security Steering Committee, the significant ones of which are as follows:
- To approve all the Information Security Policies of the ‘Protected System’, any significant change in network configuration impacting the “Protected System”, and any significant change in the applications of the “Protected System”.
- To establish a mechanism for timely communication of cyber incident(s) related to the “Protected System” to the Information Security Steering Committee. The Rules define a cyber incident in detail as an adverse incident that may impair the confidentiality, integrity or availability of electronic information, systems, services or networks, resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource, changes to data or information without authorisation, or a threat to the interests of the public at large.
- To establish a mechanism for sharing the results of all information security audits and the compliance status of the “Protected System” with the Information Security Steering Committee.
- To reassess and validate the “Protected System” every two years.
The Rules prescribe certain mandatory practices and infrastructural compliances to be followed by any organization having a Protected System.
- Nomination of Chief Information Security Officer (CISO):
A “Chief Information Security Officer” means a designated employee of senior management, directly reporting to the MD/CEO or equivalent of the organisation, having knowledge of information security and related issues. The CISO is responsible for cyber security efforts and initiatives, including planning, developing, maintaining, reviewing and implementing Information Security Policies.
Every organization designated as a “Protected System” is required to nominate a CISO whose roles and responsibilities have been enumerated in “Guidelines for Protection of Critical Information Infrastructure” and “Roles and Responsibilities of Chief Information Security Officers (CISOs) of Critical Sectors in India” released by NCIIPC.
Some of the CISO’s main responsibilities include establishing an ISMS, documenting the network architecture, ensuring stability, resilience and scalability of the systems, conducting Vulnerability/Threat/Risk (V/T/R) Analysis of the cyber security architecture, establishing and developing a Cyber Crisis Management Plan, conducting internal and external information security audits, and documenting the process for IT security Service Level Agreements (SLAs) when entering into agreements with service providers.
- Cyber Security Operation Centre (“C-SOC”) and Network Operation Centre (“NOC”)
Organisations with Protected Systems have to establish a C-SOC and a NOC with the aim of implementing preventive, detective and corrective controls to secure against advanced and emerging cyber threats and threats of unauthorised access, and to ensure continuity of network availability.
The Rules also prescribe in detail the roles and responsibilities of CISO of the “Protected System(s)” towards NCIIPC.
What is it for the Customer?
The customer of any bank relies on the IT systems and the secure services of the service provider. It truly requires courage for a non-Government organisation or enterprise to subscribe to the provisions of Section 70 of the IT Act 2000. By means of this notification, the customer is assured that the bank’s Critical Information Infrastructure is being monitored by a responsible Government entity and that the infrastructure is made available to the NCIIPC for monitoring and periodic checks. The notification also entails recertification by NCIIPC once every two years. This implies that the bank has to allow inspection/audit and process audit of the Critical Information Infrastructure, which includes the data centre and other network assets.
Beyond cyber security, the notification also implies benefits in productivity, efficiency and capacity. CIIs of banks with an increasingly pervasive cyber component will benefit from a minimum level of cybersecurity, creating a state of systemic resilience. NCIIPC can now even monitor or take cognisance of minor disruptions causing inconvenience to consumers. The notification also brings a solid cybersecurity posture and robust delivery to the consumer, with enhanced deterrence to cyber criminals or organisations planning to attack the infrastructure.