Kotak Bank Notified as Protected System and Obligations of a Protected System owner

Kotak Mahindra Bank became the Sixth Bank in India to be declared under Section 70 of Information Technology Act 2000 as a “Protected System”.

The Notification was issued on 11th January.

Earlier, following Banks namely ICICI Bank, HDFC Bank, Bank of Baroda, Punjab National Bank and Union Bank of India, have been notified similarly along with the Systems of NPCI. UIDAI and Tetra Secured Communication System Network of NCT Delhi had earlier been also notified.

These notifications are not notifications of a routine nature and will fundamentally change the Information Security Systems Management in these entities as indicated by the following.

Section 70 of ITA 2000 is reproduced here:

Protected system (Amended Vide ITAA-2008)

(1)The appropriate Government may, by notification in the Official Gazette, declare any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure, to be a protected system.

Explanation: For the purposes of this section, “Critical Information Infrastructure” means the computer resource, the incapacitation or destruction of which , shall have debilitating impact on national security, economy, public health or safety.
(Substituted vide ITAA-2008)

(2)The appropriate Government may, by order in writing, authorize the persons who are authorized to access protected systems notified under sub-section (1)
(3)Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.
(4) The Central Government shall prescribe the information security practices and procedures for such protected system. (Inserted vide ITAA 2008)

The rules for the Information security practices  to be followed by Protected Systems were notified vide Gazette Notification of  22nd May 2018  which will now apply to all these systems declared as “Protected”.

According to Rule 3 of the said notification, the following will be an obligation of all these protected systems:

3. Information Security Practices and Procedures for “Protected System”.

(1)(a) The organisation having “Protected System” shall constitute an Information Security Steering Committee under the chairmanship of Chief Executive Officer/Managing Director/Secretary of the organisation.

(b) The composition of Information Security Steering Committee(ISSC) shall be as under:

(i) IT Head or equivalent;
(ii) Chief Information Security Officer (CISO);
(iii) Financial Advisor or equivalent;
(iv) Representative of National Critical Information Infrastructure Protection Centre (NCIIPC);
(v) Any other expert(s) to be nominated by the organisation.

(2) The Information Security Steering Committee (ISSC) shall be the apex body with roles and responsibilities as follows: –

(a) All the Information Security Policies of the “Protected System “shall be approved by Information Security Steering Committee.
(b) Significant changes in network configuration impacting “Protected System” shall be approved by the Information Security Steering Committee.
(c) Each significant change in application(s) of the “Protected System” shall be approved by Information Security Steering Committee.
(d) A mechanism shall be established for timely communication of cyber incident(s) related to “Protected System” to Information Security Steering Committee.
(e) A mechanism shall be established to share the results of all information security audits and compliance of “Protected System” to Information Security Steering Committee.
(f) Assessment for validation of “Protected System” after every two years.

(3) The organisation having “Protected System” shall

(a) nominate an officer as Chief Information Security Officer (CISO) with roles and responsibilities as per latest “Guidelines for Protection of Critical Information Infrastructure” and “Roles and Responsibilities of Chief Information Security Officers (CISOs) of Critical Sectors in India” released by NCIIPC;
(b) plan, establish, implement, operate, monitor, review, maintain and continually improve Information Security Management System (ISMS) of the “Protected System” as per latest “Guidelines for Protection of Critical Information Infrastructure” released by the National Critical Information Infrastructure Protection Centre or an industry accepted standard duly approved by the said National Critical Information Infrastructure Protection Centre;
(c) ensure that the network architecture of “Protected System” shall be documented. Further, the organisation shall ensure that the “Protected System” is stable, resilient and scalable as per latest National Critical Information Infrastructure Protection Centre “Guidelines for Protection of Critical Information Infrastructure”. Any changes to network architecture shall be documented;
(d) plan, develop, maintain the documentation of authorised personnel having access to “Protected System” and the same shall be reviewed at least once a year, or whenever required, or according to the Information Security Management System(ISMS) as suggested in clause(b);
(e) plan, develop, maintain and review the documents of inventory of hardware and software related to “Protected System”;
(f) ensure that Vulnerability/Threat/Risk (V/T/R) Analysis for the cyber security architecture of “Protected System” shall be carried out at least once a year. Further, Vulnerability/Threat/Risk (V/T/R) Analysis shall be initiated whenever there is significant change or upgrade in the system, under intimation to Information Security Steering Committee;
(g) plan, establish, implement, operate, monitor, review, and continually improve Cyber Crisis Management Plan (CCMP) in close coordination with National Critical Information Infrastructure Protection Centre;
(h) ensure conduct of internal and external Information Security audits periodically according to Information Security Management System(ISMS) as suggested in clause (b). The Standard Operating Procedure (SOP) released by National Critical Information Infrastructure Protection Centre (NCIIPC) for “Auditing of CIIs/Protected Systems by Private/Government Organisation” shall be strictly followed;(i) plan, develop, maintain and review documented process for IT Security Service Level Agreements (SLAs). The same shall be strictly followed while designing the Service Level Agreements with service providers;
(j) establish a Cyber Security Operation Center (C-SOC) using tools and technologies to implement preventive, detective and corrective controls to secure against advanced and emerging cyber threats. In addition, Cyber Security Operation Center is to be utilised for identifying unauthorized access to “Protected System”, and unusual and malicious activities on the “Protected System”, by analyzing the logs on regular basis. The records of unauthorised access, unusual and malicious activity, if any, shall be documented;
(k) establish a Network Operation Center (NOC) using tools and techniques to manage control and monitor the network(s) of “Protected System” for ensuring continuous network availability and performance;
(l) plan, develop, maintain and review the process of taking regular backup of logs of networking devices, perimeter devices, communication devices, servers, systems and services supporting “Protected System” and the logs shall be handled as per the Information Security Management System(ISMS) as suggested in clause (b).

Further, the Roles and Responsibilities of “Protected Systems” towards National Critical Information Infrastructure Protection Center (NIIPC)  is defined as follows under Rule 4.

(1) The Chief Information Security Officer (CISO) shall maintain regular contact with the National Critical Information Infrastructure Protection Centre(NCIIPC) and will be responsible for implementing the security measures suggested by the said National Critical Information Infrastructure Protection Centre(NCIIPC) using all available or appropriate ways of communication.
(2) The Chief Information Security Officer (CISO) shall share the following, whenever there is any change, or as required by the National Critical Information Infrastructure Protection Centre (NCIIPC), and incorporate the inputs/feedbacks suggested by the said National Critical Information Infrastructure Protection Centre (NCIIPC):-
(a) Details of Critical Information Infrastructure (CII)declared as “Protected System”, including dependencies on and of the saidCritical Information Infrastructure.
(b) Details of Information Security Steering Committee (ISSC) of “Protected System”.
(c) Information Security Management System (ISMS) of “Protected System”.
(d) Network Architecture of “Protected System”.
(e) Authorised personnel having access to “Protected System”.
(f) Inventory of Hardware and Software related to “Protected System”.
(g) Details of Vulnerability/Threat/Risk (V/T/R) Analysis for the cyber security architecture of “Protected System”.
(h) Cyber Crisis Management Plan(CCMP).
(i) Information Security Audit Reports and post Audit Compliance Reports of “Protected System”.
(j) IT Security Service Level Agreements (SLAs) of “Protected System”.
(3) (a) The Chief Information Security Officer (CISO) shall establish a process, in consultation with the National Critical Information Infrastructure Protection Centre (NCIIPC), for sharing of logs of “Protected System” with National Critical Information Infrastructure Protection Centre (NCIIPC) to help detect anomalies and generate threat intelligence on real time basis.
(b) The Chief Information Security Officer shall also establish a process of sharing documented records of Cyber Security Operation Center (related to unauthorised access, unusual and malicious activity) of “Protected System” with National Critical Information Infrastructure Protection Centre(NCIIPC) to facilitate issue of guidelines, advisories and vulnerability, audit notes etc. relating to “Protected System”.
(4) (a) The Chief Information Security Officer (CISO) shall establish a process in consultation with National Critical Information Infrastructure Protection Centre (NCIIPC), for timely communication of cyber incident(s) on “Protected System” to the said National Critical Information Infrastructure Protection Centre (NCIIPC).
(b) In addition, National Critical Information Infrastructure Protection Centre’s latest Standard Operating Procedure (SOP) on Incident Response shall be strictly followed in case of cyber incident(s) on “Protected System”.

As a result of these notifications the infrastructure of major Banks in India will come under the direct supervision of the CERT In.

The other implication of these notification is that any “Attempt” to access these systems other than what is allowed under the notification (any designated employee or authorized team member of a contractual managed service provider etc) will invoke the offence under Section 70 with a possible imprisonment of upto 10 years.

In view of the above, all consultants working with such Banks has to ensure that they have a proper signed authorization letter from an appropriate official (CISO) before they access any CBS, RTGS, NEFT, SMS, systems.

We can presume that systems to be accessed by customers are excluded from the above.

It is still surprising why SBI is still not notified even though they are the largest Bank in India.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.