The government is tightening the noose on IT security compliance, and not just for government companies. According to the security compliance guidelines drafted by CERT-In under the DIT, all government and critical infrastructure organisations — both public and private — must have a security policy, implement it, and be subject to annual security audits.
To conduct the audits, a team of 18 auditors has been finalised by the government, including Tata Consultancy Services, Sify, PricewaterhouseCoopers, Mahindra-British Telecom, Satyam Computer Services, Secure Synergy, Network Security Solutions, STQC Directorate, Ramco Systems, CyberQ Consulting, Haribhakti & Co, Paladion Networks, Information Systems Auditors & Consultants, Indusface Consulting, AUDITime Information Systems, Network Solutions, AAA Technologies and Sysman Computers.
KK Bajaj, director, CERT-In, told ET, "the list of to-be-empanelled auditors will be announced shortly for third-party audits." Draft guidelines are ready, and IT self-assessment tools, security products and parameters would be in consonance with ISMS standards like ISO 15408, IS 15150 and BS 1799.
The security assurance initiative is very much along the lines of the Federal Information Security Management Act of 2002 in the US.
While the US act is a law that fixes the ultimate responsibility for information security on the CIO or the agency head, India has opted to stipulate guidelines and may ask organisations to identify one person responsible for IT security.
As a source in the DIT put it, "The US has increased its cyber space so much that it has to take extreme security measures. In India, within organisations, some systems are identified for internet connectivity while some are protected from cyber space. So the risks are not as great and there is no need to raise the bar on security features."
Accordingly, organisations would be categorised as low-risk (where awareness of security norms would suffice), medium-risk (where awareness and action are required) and high-risk (where awareness, action and assurance are mandated).