Role of CISO according to Security Manual for Licensed Defence Industries.
The role of the cyber information security officer (CISO) has grown in importance following a number of high-profile security breaches, and organizations are increasingly realizing that they must strengthen their security teams or risk a major incident. The government has also taken an important initiative in this direction and issued a comprehensive manual that describes the role of the CISO in licensed defence industries.
Licensed defence industries are private manufacturers of defence-related equipment that are required to have adequate safety and security measures in place once a licence is granted to them and production begins. This set-up is also open to verification by authorised government agencies.
The Security Manual for Licensed Defence Industries, issued by the Department of Industrial Policy & Promotion (DIPP) under the Ministry of Commerce and Industry, sheds considerable light on the functions and responsibilities of the CISO in private companies involved in the production of defence products.
According to the manual, the management of an Indian Licensed Defence Company (ILDC) is responsible for appointing or nominating a CISO with clearly defined roles and responsibilities.
Chief Function of CISO
Broadly, the CISO is responsible for the development, implementation and evaluation of the facility's Information System (IS) security program. Additionally, he or she must safeguard computer storage media, software, and sensitive and proprietary data, and check threats to computer and cyber security. In conjunction with this, the CISO must clearly identify the residual risk that remains after the necessary cyber security structure has been implemented.
The document does not specify any particular qualifications for this profile; it mentions only vaguely that "adequate computer knowledge" is required for the designation of CISO. It does, however, state categorically that the CISO should be an Indian citizen, not a foreign citizen or a Person of Indian Origin (who is a Non-Resident Indian). Further, this role is to be performed by a senior officer in addition to his or her regular job in the company.
To ensure the functional independence of the CISO, the manual directs that the CISO be given a senior rank so that he or she can report directly to the senior-most management of the company.
Important Responsibilities of CISO
1) The CISO will undertake cyber security audits of computer systems and network devices once a year. These audits ought to be carried out by auditors empanelled by CERT-In (Computer Emergency Response Team - India), preferably by STQC (Standardisation, Testing & Quality Certification) under the Department of Information Technology.
The vulnerabilities detected and reported in such audits, and covered in the compliance report, shall be rectified by the CISO within the shortest possible time.
2) Office premises handling classified information may have internet access only with the prior approval of the CISO. An Information Security Operations Centre under the CISO will closely monitor internet connections, which will be provided through fixed internet gateways for accessing the web from within the organisation. Moreover, traffic through these gateways must be screened to ensure that company data remains protected.
3) On the issue of AMC (Annual Maintenance Contract) work by external vendors, the manual indicates that the CISO (with help from the SIB, the Cyber Crime Cell of the local police, the MOD or the IB, if required) should properly vet vendors and only then allow them to take up software and hardware maintenance work in the company. To secure the information infrastructure, he or she must take competent measures and further ensure that compensating controls and residual risk are enumerated, with authorisation obtained from management.
4) The CISO would also be responsible for defining the social media usage policy, which must prohibit employees from accessing social media websites from their official systems unless they are required to do so for official work. It would also be his or her responsibility to provide biometric access control systems with CCTV coverage in server and network rooms.
Though the role of the CISO is discussed extensively in the manual, where it particularly falls short is in leaving the qualifications open-ended and describing the measures to tackle cyber threats ambiguously. Hopefully, the government will fix these gaps and build an efficient set-up around the position of CISO in the age of digitisation.
The entire security manual for licensed defence industries can be accessed from this link.