Response To Comments On Information Security Policy

The document provides comments on an information security policy framework. It notes several issues: 1) The scope mentions 18 domains but the document only specifies requirements for 14 domains. 2) The domains in the scope do not match those listed in the minimum security requirements annex. 3) The additional domains of third party and BCM are already covered by existing ISO 27001 domains. The response addresses each comment, clarifying that security requirements are covered separately, the framework is not intended to strictly follow ISO 27001, and the additional domains are informed by other standards for the government sector. Improvements are suggested to clearly link annexes and align the document structure.

Uploaded by

Pravin Sinha
Section: Scope

NeGD Comments:

1) The scope mentions that the policy document defines the security requirements of 18 domains of ISO 27001 (A5 to A18). However, the rest of the policy document does not specify the security requirements for these domains. (Also please note that A5-A18 = 14 domains and not 18 domains.)

2) Domains for minimum security requirement as mentioned in Scope don't match with the domains of the minimum security requirement in Annexure 3.

3) It is also mentioned that the domains of third party and BCM have been added over and above the ISO 27001 domains. A15 of ISO 27001 deals with supplier relationships. It covers the third party relationships also. A17 of ISO 27001 already covers Business continuity management and so there is no need for any additional domain of BCM.

Response:

1) The framework includes security requirements for 18 domains as part of Implementation Guidelines for Security Controls, which is a separate document. It covers the ISO domains as mentioned in Annexure A of ISO/IEC 27001:2013 and Privacy, Cloud, BYOD, BCM. The framework does not follow ISO/IEC 27001:2013. However, it covers the ISO domains.

2) Domains in Scope are requirements for establishing an ISMS. Annexure 4 gives guidance for minimum security requirements. These requirements do not pertain to any specific domain. An organization can plan to work on these before a formal Risk Assessment (RA) as they can be a good starting point. Suitable changes have been made in the document to make the text clearer.

3) If we look at FISMA and other International Standards (including ISO), they have separate / more detailed guidelines for "BCM/Contingency Planning" and "Third party security" domains for the Government Sector. Therefore, these domains are worked upon separately and more comprehensively. A17 covers the information security aspects of Information security while we are covering BCM/Contingency planning practices, which are more comprehensive. The supplier relationship/Third Party is integrated under A15. We have considered the NIST standards (NIST SP 800-34 on contingency planning / NIST SP 800-34 on supplier relationship) and ISO standards (22301 on BCM and ISO 27036 on Third Party) in developing these practices.

Section: Annexure

NeGD Comments:

1) Annexures 1-3 are not linked in the document.

2) Annexure 4 defines issue specific policy but is mentioned only under the heading of ISSC.

Response:

The Annexures are now suitably mentioned.

Section: Org Structure

NeGD Comments:

1) The structure is not aligned to MHA information security guidelines (NISPG), which are in turn aligned to Cyber Security Policy for GOI ver 2.0 issued on 30th August 2010.

Response:

Has been suitably aligned. Few additional roles have been suggested.

Section: Implementation

NeGD Comments:

1) Structure of Assurance Framework shown as figure 1 on the same page does not correlate with the description provided in the document.

Response:

Has been removed and is now included only in the Information Security Assurance Framework - Introduction and Overview document.

Section: Section 9, 12

NeGD Comments:

In places, like under section 9 and section 12, framework and ISMS have been used instead of policy.

Response:

Section 9 checked, the usage is correct. Section 12 is now removed. Relevant points have been added to Section 9.

Section: Annexure 5

NeGD Comments:

Annexure 5 is incomplete.

Response:

Has been done.

Section: General

NeGD Comments:

1) It is suggested that the policy document should clearly give sample policies in the areas mentioned in the document, i.e. Overall Security policy, Issue Specific policy and System Specific policy.

2) To give completeness to the document, the cyber security policy prepared by DeitY can be used as a sample for the Overall Security policy covering all the domains of the ISMS as an Annexure.

3) The document should be linked to the annexures properly.

4) Recently the GOI Email Policy and Policy on use of IT resources have been published in the Gazette of India. The section on General guidelines / media / laptop policy should be aligned to the above mentioned policies.

The overall document needs improvement in consistency and flow, keeping in mind that this document is intended for Senior Govt Officials to give them a bird's eye view of the basic security requirements of their Department/Ministries.

Response:

1) System Specific policies are not included as they are supposed to be technology specific guidelines.

2) We have considered the cyber security policy prepared by DeitY. The Cyber Security Policy by DeitY also includes supporting guidelines for application security, asset management, client system security, network device security, password management, wireless network security etc. These guidelines are included in the document on Implementation Guidelines for Security Controls and therefore not repeated in the information security policy as they concern the Implementors. The Guidelines for Users, Administrators, Department and Internet Connected PCs have been considered. The consideration has been to include factors which affect all employees.

3) The Annexures are now suitably mentioned.

4) The suggestion for aligning has been taken into consideration. These policies are suitably referred.

This document is not intended to give a bird's eye view of the framework to the Senior Government officers; that is the purpose of the Information Security Assurance Framework - Introduction and Overview document. The name of e-SPF is changed to Information Security Assurance Framework - Introduction and Overview to make this aspect clearer. This document applies to all the user groups working on e-Gov systems (including system administrators, network administrators etc.) and users at all levels. It also includes users other than government personnel, which includes application developers (Total Solution providers), System Integrators (SI), IT security auditors, Data Center Operators (DCO) and Network Operators including contractors and Third party service providers or any other party on their behalf, which maintain, manage, operate or support information systems, facilities and/or communications networks etc. The document has been checked to improve consistency and flow.