The Tamil Nadu government recently introduced Cyber Security Policy 2.0, detailing measures to protect the state's assets through specific guidelines and Standard Operating Procedures (SOPs) for auditing, compliance, and monitoring of cyber threats and attacks. Released by the Information Technology and Digital Services Department, the policy includes provisions for e-signatures, digital signatures, email security, password management, social media use, backup and recovery procedures, and regular information security audits.
This new policy, issued on August 23, 2023, replaces the Tamil Nadu Cyber Security Policy of 2020. It incorporates feedback from key institutions like the Centre for Development of Advanced Computing (C-DAC), Indian Institute of Technology Madras (IIT-M), and the Tamil Nadu e-Governance Agency, among others.
Policy Scope
Cyber Security Policy 2.0 applies to all State government departments, public sector units, and agencies under the Tamil Nadu government that utilize IT infrastructure, networks, or digital data. It also extends to third-party stakeholders, such as suppliers, contractors, consultants, and partners who interact with the government.
Objectives
The policy focuses on safeguarding government information assets, including infrastructure, software, and citizen services, while ensuring their continuous availability. It establishes a structured mechanism to monitor and manage the IT infrastructure.
The policy aims to:
- Develop a comprehensive security risk reduction strategy.
- Build security capabilities for the layered protection of critical systems and data.
- Implement measures for the detection, prevention, and mitigation of cyber attacks.
Incident Response and Training
Under CSP 2.0, all State government departments must designate officials to work with the Cyber Security Incident Response Team (CSIRT). These officials are responsible for reporting cyber security incidents related to government websites, applications, and IT infrastructure.
Departments must also ensure that their nominated officials participate in annual training programs, lasting one or two days, on topics such as incident management and change management.
Data Backup and Risk Assessment
The policy mandates that backed-up datasets be stored securely in multiple locations, apart from the primary storage space, using tapes, external devices, or servers. Departments are required to periodically restore and verify these backups to ensure data integrity and completeness.
Additionally, a comprehensive risk assessment must be conducted by departmental Chief Information Security Officers (CISOs) or Information Security Officers (ISOs). This assessment should evaluate the criticality, sensitivity, and potential consequences of any compromise to assets and applications.