Capability Framework

The capability framework for the nation’s digital ecosystem describes the people-, process- and technology-related capabilities in a manner that is agnostic of specific products and solutions. It enunciates the IT and information security capabilities that the digital ecosystem participants should acquire, maintain, and continually improve so as to achieve their objective of cyber resilience. It also describes how organisations can ensure the effective use and sustenance of IT and information security capabilities through a lifecycle approach.

The target audience for the capability framework includes:

  • Business and GRC Heads, CIOs, Heads of OT, CISOs and their respective teams within CSEs.

  • Sectoral Regulators, who are mandated to oversee and ensure the cyber resilience of business and IT practices in their regulated entities.

  • Consultancy Organisations, System Integrators, OEMs, MSPs and MSSPs engaged by the CSEs.

  • Empanelled bodies, who carry out cyber security verification & validation (V&V), VAPT and technical audit of systems and networks of CSEs.

Governing bodies and top management of entities (through the Technology Strategy and Perspective Planning Group and the IT, OT and Information Security Divisions) can use this guidance to deploy, secure and sustain their IT for delivery of business functions, operations, and services.

Smart, Resilient and Sustainable Digital Ecosystem

In the current information age, data and communication technologies along with smart devices are deeply integrated into almost all aspects of our lives. The nation today runs on well-orchestrated and integrated IT and is therefore critically dependent upon the cyberspace and its underlying infrastructure (systems, networks, applications and data). Hence, it is vital that the Indian cyberspace is secure and protected against cyber-attacks that could jeopardise the benefits it offers to national security, economic prosperity, governance, constitutional processes, and social well-being.

The integration of IT at the sectoral, regional, and national levels will only increase in future. Hence, at the national level, there is a need to develop capabilities for a smart, resilient, and sustainable digital ecosystem. These terms are described below.

  • Smart: describes the high levels of automation, analytics and decision support capabilities that are enabled by the use of IT. Smart technologies can significantly improve the functioning, performance and resilience of the digital ecosystem. In the context of information and cyber security, these capabilities are typically achieved by the use of intelligent devices, analytics, AI and machine learning for preventing, protecting, detecting and responding to cyber-attacks on IT and OT.

  • Resilient: ‘Resilient’ describes the ability of the business and digital ecosystems not only to withstand large-scale attacks and mitigate their destructive power but also to recover from a successful attack in the shortest possible time with minimal damage or disruption. It is a key component of business and organisational needs and is achieved through well-designed operating procedures, processes, and practices.

  • Sustainable: ‘Sustainable’ describes the ability of the CSEs and the nation as a whole to use and sustain IT for delivery of national critical functions and business services efficiently and effectively over a long period of time that extends into decades. It can be achieved through a combination of institutional structures, people, policies, and governance, risk, and compliance (GRC) mechanisms.

Terms

The following terms establish a common vocabulary for communication of capabilities, objectives, activities and outcomes. They may be used within the organisations, from the executive level to the operations level, and with external stakeholders for business and technology level communication.

Information Technology (IT) capability is described as an organisation’s ability to identify IT business needs, to deploy IT to improve business processes in a cost-effective manner, and to provide long-term maintenance and support for IT-based systems.

Information Security (IS) capability is defined as “an organisation’s ability to carry out a set of inter-related cybersecurity functions to secure, protect, defend and sustain its mission and business functions that run on underlying IT and OT infrastructure in the cyberspace”.

Cyber resilience is a key outcome expected from a full-fledged capability development program. A smart, resilient, and sustainable digital ecosystem is achieved at the national level only when all the stakeholders achieve a minimum level of cyber resilience through their individual capability development initiatives.

Functions represent sets of management and technical activities that organisations must carry out daily or periodically to achieve their cyber resilience objectives. The objectives are described using action-verbs defined below. Organisations can implement the functions through institutionalised practices and processes that must be carried out by the workforce, enabled by technology and tools.

Management Objectives and Activities

The action verbs describing the five management objectives are Govern & Administer, Acquire & Provision, Operate & Maintain, Analyse & Investigate, and Train & Enable. Activities to achieve the management objectives are usually owned, managed and carried out by different units and departments across the organisation.

Technical Objectives and Activities

The action verbs describing the five technical objectives are Identify, Protect, Detect, Respond and Recover. Activities to achieve the technical objectives are usually owned, managed and carried out by the IT, OT, IIoT and IS workforce of the organisation.

The technical objectives are derived from NIST CSF, and the guidelines issued by multiple regulators and national agencies. There are minor variations in the definitions of the action-verbs by these different bodies, which can lead to confusion and misunderstanding in conversations between the practitioners of different guidelines. Hence, it is suggested that the definitions given in this document be used as the base for generic discussions.

Description of Functions

A diagrammatic representation of the technical and management functions is given below.

[Figure: Cybersecurity functions]

The individual functions are further described below.

Note

The scope of each function in this document is kept short and focused, specifically to keep non-technical users from being overwhelmed.

Identify

This technical function addresses the need for organisations to identify things of value that need to be secured and protected from harm. The key practices and processes under this function are:

  • Asset lifecycle management: Identify and catalogue all the business and digital systems of the organisation, their physical and virtual assets, both in-store and in-use, across their lifecycle from acquisition till decommissioning.

  • Information and data lifecycle management: Identify and catalogue all the business and technical information, data and documentation of the organisation, along with parameters that help define their sensitivity, organisational value, ownership, restrictions etc., across the lifecycle from creation till disposal.

  • Identity lifecycle management: Identify all individuals, machines, devices, systems and applications along with their functions, roles, privileges, credentials, and access rights (to assets, information, data and documents) across the active lifecycle from onboarding till retirement.

The Identify function is a continuously running activity and needs regular review and update. The data managed through this activity is used by all other functions and is therefore a fundamental pillar of the framework. Automation of data collation and analysis activities under this function would be extremely useful to organisations, depending upon their size, budget, and risk profile.
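The three catalogues above are only useful if they are reconciled against what is actually present. The following is an added example, not part of the framework document: it takes a constructed asset catalogue (with lifecycle states in-store, in-use and decommissioned), a constructed identity list and a constructed set of hosts seen live on the network, and surfaces the gaps the Identify function should put up for review: hosts in use that were never catalogued, assets marked decommissioned that are still live, in-use assets that were not seen, and assets whose owner has retired but still holds enabled credentials. All names and identifiers are hypothetical.

```python
"""Reconcile an asset/identity catalogue against observed reality.

Added example. The catalogue, identity list and observed hosts below are
constructed sample data (hypothetical), not data from any real organisation.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Asset:
    asset_id: str
    hostname: str
    state: str   # "in-store", "in-use" or "decommissioned"
    owner: str   # identity responsible for the asset


@dataclass(frozen=True)
class Identity:
    user_id: str
    status: str              # "active" or "retired"
    credentials_enabled: bool


# Constructed catalogue (hypothetical ids and hostnames).
CATALOGUE: List[Asset] = [
    Asset("A-001", "erp-db-01", "in-use", "u.patel"),
    Asset("A-002", "hmi-plant-03", "in-use", "r.singh"),
    Asset("A-003", "old-fileserver", "decommissioned", "u.patel"),
    Asset("A-004", "spare-switch-07", "in-store", "r.singh"),
]

# Constructed identity records; r.singh has been offboarded but still has live credentials.
IDENTITIES: List[Identity] = [
    Identity("u.patel", "active", True),
    Identity("r.singh", "retired", True),
]

# Constructed observation, e.g. hostnames seen live by a network discovery scan.
OBSERVED_HOSTS: Set[str] = {"erp-db-01", "old-fileserver", "dev-laptop-x"}


def reconcile(catalogue: Iterable[Asset], observed: Set[str],
              identities: Iterable[Identity]) -> Dict[str, List[str]]:
    """Return the lifecycle gaps that the Identify function should surface."""
    by_host = {a.hostname: a for a in catalogue}
    ident = {i.user_id: i for i in identities}
    findings: Dict[str, List[str]] = {
        "unknown_in_use": [],                  # live but never catalogued
        "decommissioned_but_live": [],         # decommissioning not completed
        "in_use_but_unseen": [],               # catalogue says in use, nothing observed
        "owner_retired_with_credentials": [],  # orphaned asset, owner still has access
    }
    for host in sorted(observed):
        asset = by_host.get(host)
        if asset is None:
            findings["unknown_in_use"].append(host)
        elif asset.state == "decommissioned":
            findings["decommissioned_but_live"].append(host)
    for asset in catalogue:
        if asset.state == "in-use" and asset.hostname not in observed:
            findings["in_use_but_unseen"].append(asset.hostname)
        owner = ident.get(asset.owner)
        if owner is not None and owner.status == "retired" and owner.credentials_enabled:
            findings["owner_retired_with_credentials"].append(f"{asset.hostname}:{asset.owner}")
    return findings


if __name__ == "__main__":
    for category, items in reconcile(CATALOGUE, OBSERVED_HOSTS, IDENTITIES).items():
        print(f"{category}: {items}")
```

Run as a scheduled job against the real catalogue and discovery feed, each finding becomes a review item for the asset or identity owner, which is the "regular review and update" the paragraph above calls for.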

Protect

This technical function addresses the need for organisations to establish and maintain robust defences by continuously searching for, discovering and acting upon vulnerabilities and weaknesses. A robust defensive action minimises the vulnerabilities and weaknesses and reduces the possibility of their exploitation by threat actors. The key processes under this function are:

  • Protection of in-store and in-use assets spanning across geographies of the organisation’s operational structure. This is typically achieved through hardening of in-use systems, networks, applications, databases, and other components of the information infrastructure.

  • Protection of data (at rest, in transit, in use) to achieve confidentiality, integrity and availability.

  • Protection of identities of people, machines and devices.

  • Protection of physical premises and safety of OT and IIoT systems.

A layered defence for business and digital systems with adequate monitoring and reporting is essential for achieving protection from a large variety of attack vectors. This requires a lifecycle approach that incorporates secure by design, secure in implementation and secure during operation. Custom-developed systems and software additionally need to be secure during manufacture/development.

Detect

This technical function addresses the need for organisations to continuously observe, monitor, analyse, detect and classify threats emanating from anomalous events, activities, incidents, user behaviours, policy violations, infrastructure weaknesses, bypass of security controls, failures of security processes etc.

Continuous monitoring, analysis and detection of Indicators of Compromise (IoCs) and Indicators of Attack (IoAs) is possible only through proper collection and management of logs and other artefacts generated by the digital ecosystem.
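The distinction between an IoC (a known-bad artefact such as an address or domain) and an IoA (a behaviour that indicates an attack in progress) is easiest to see on real log lines. The following is an added example, not part of the framework document: it parses a handful of constructed syslog-style lines, matches them against a constructed indicator list (the 203.0.113.0/24 and 198.51.100.0/24 ranges are documentation ranges and the domain uses the reserved .invalid TLD, so nothing here points at a real system), and applies one IoA rule (repeated failed logins from one source followed by a success). It also counts lines it could not parse, because unparsed logs are a gap in the "collection and management" the paragraph describes.

```python
"""IoC matching and a simple IoA rule over collected log lines.

Added example. Log lines and indicators are constructed sample data
(hypothetical); no real addresses, hosts or domains are referenced.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed indicators of compromise (hypothetical).
IOC_IPS = {"203.0.113.45"}
IOC_DOMAINS = {"update-check.invalid"}

# Constructed log lines: "<iso-timestamp> <host> <app>: <message>". One line is deliberately malformed.
LOG_LINES = [
    "2024-03-01T10:00:01 gw-01 firewall: ALLOW src=198.51.100.7 dst=10.0.0.5 dport=443",
    "2024-03-01T10:00:05 gw-01 dns: query example.org from 10.0.0.21",
    "2024-03-01T10:01:10 erp-db-01 sshd: Failed password for admin from 203.0.113.45 port 51000",
    "2024-03-01T10:01:12 erp-db-01 sshd: Failed password for admin from 203.0.113.45 port 51001",
    "2024-03-01T10:01:15 erp-db-01 sshd: Failed password for admin from 203.0.113.45 port 51002",
    "2024-03-01T10:01:20 erp-db-01 sshd: Accepted password for admin from 203.0.113.45 port 51003",
    "2024-03-01T10:02:00 gw-01 dns: query update-check.invalid from 10.0.0.5",
    "2024-03-01T10:03:00 erp-db-01 sshd: Failed password for root from 198.51.100.9 port 40000",
    "this line has no recognisable structure",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<app>[\w-]+): (?P<msg>.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SSH_RE = re.compile(r"^(Failed|Accepted) password for (\S+) from (\S+) port")
DNS_RE = re.compile(r"^query (\S+) from (\S+)$")

Alert = Tuple[str, str]  # (rule name, detail)


def parse(lines: List[str]) -> Tuple[List[dict], int]:
    """Split lines into structured events; return them with the count of unparsed lines."""
    events, unparsed = [], 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events, unparsed


def match_iocs(events: List[dict]) -> List[Alert]:
    """IoC rule: any known-bad IP or queried domain, reported once per host/indicator pair."""
    hits, seen = [], set()
    for e in events:
        for ip in IP_RE.findall(e["msg"]):
            if ip in IOC_IPS and (e["host"], ip) not in seen:
                seen.add((e["host"], ip))
                hits.append(("ioc-ip", f"{e['host']} {e['app']} saw {ip}"))
        dm = DNS_RE.match(e["msg"])
        if dm and dm.group(1) in IOC_DOMAINS:
            hits.append(("ioc-domain", f"{dm.group(2)} queried {dm.group(1)}"))
    return hits


def detect_bruteforce_success(events: List[dict], threshold: int = 3,
                              window: timedelta = timedelta(seconds=60)) -> List[Alert]:
    """IoA rule: `threshold` failed logins from one source within `window`, then a success."""
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        m = SSH_RE.match(e["msg"])
        if not m:
            continue
        outcome, user, src = m.groups()
        key = (e["host"], src)
        if outcome == "Failed":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append(("ioa-bruteforce-success",
                           f"{src} -> {e['host']} as {user} after {len(recent)} failures"))
        failures[key].clear()  # a success resets the counter for this source
    return alerts


def run(lines: List[str]) -> dict:
    events, unparsed = parse(lines)
    return {"alerts": match_iocs(events) + detect_bruteforce_success(events), "unparsed": unparsed}


if __name__ == "__main__":
    result = run(LOG_LINES)
    for rule, detail in result["alerts"]:
        print(f"{rule}: {detail}")
    print(f"unparsed lines: {result['unparsed']}")
```

On the sample data the IoC rules fire once for the address and once for the domain, while the IoA rule fires on the fourth sshd line: the single failed root login from a different source is below the threshold and correctly produces nothing. The non-zero unparsed count is the log-management signal: a parser that silently drops lines hides exactly the events detection depends on.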

The detect function at the organisation level must provide its observations to the central agencies for sectoral and national level situational awareness of potentially malicious activities in the national cyberspace.

Note

Information security continuous monitoring (ISCM) is the process of maintaining ongoing awareness of information security, vulnerabilities, and threats to support organisational risk management decisions. A robust ISCM program enables organisations to move from compliance-driven risk management to data-driven risk management that is based on collection, collation, analysis, and review of security-related information from every ICT device in the organisation.

Respond

This technical function addresses the need for organisations to act upon detected cyber incidents and cyber-attacks and respond to them in order to contain or mitigate their adverse impact.

Effectiveness of the Incident Response (IR) strategies is based on prior planning, having clearly earmarked responsibilities/ actions, and periodic testing of standard operating procedures (SOPs).

National agencies have an important role of supporting the CSEs in their response to debilitating, high impact cyber-attacks.

Recover

This technical function addresses the need for organisations to rapidly restore the business, IT and OT functions and/or services that were impaired due to a cyber-attack. This function is deemed to be successfully achieved when the services are restored with consistent data and the process is completed within the mandated “Time to Recovery”.

Tip

Recovery from debilitating (high impact) ransomware attacks calls for well-designed and properly executed practices and processes for immutable backup, business continuity and disaster recovery.

Incident analysis of breaches and cyberattacks on CSEs is essential, not only for rapid recovery within the affected CSEs but also for prevention of similar attacks on other organisations. National agencies have an important role to play in this regard and should implement mechanisms to ensure availability of essential logs (evidence) for carrying out necessary analysis. Automation of evidence recording by the technical functions is critical for rapid and effective incident handling.  

Entities should also endeavour to maintain a voluntary information security sharing policy to enable broader cyber security awareness. Further, lessons from such information shared by other entities must be carefully reviewed to evaluate their influence on internal cyber security functions.

Govern & Administer

This management function requires organisations to develop policies, practices and oversight mechanisms for governance and administration of people, processes, and systems on a day-to-day and periodic basis. It is based on establishing and maintaining an enterprise cybersecurity program and an ISMS that provides governance, planning, and operations support to the organisation’s cybersecurity activities. It includes practices and processes for planning and design of applicable guidelines and cyber security policies for the cyber-governance program and identification of risks to formulate a mitigation strategy. Audit and compliance requirements are also covered under this function.

Acquire & Provision

This management function requires organisations to develop policies, practices and oversight mechanisms for acquisition and provisioning of trustworthy systems. It is primarily focused on conceptualisation, design, acquisition, and engineering of secure and trustworthy systems through a project-driven approach. It also includes supply chain risk management, covering systems, software, services, and workforce resources.

Regulators and national nodal agencies have a role in shaping policies, practices and guidelines for CSEs, specifically for acquisition of their critical systems, processes, services, and workforce. National initiatives for trusted supply chains are under design for supporting the CSEs through regulatory mechanisms.

Operate & Maintain

This management function requires organisations to develop policies, practices and oversight mechanisms for secure operations and maintenance of systems. It covers the entire gamut of people, processes, systems, and services.

Many entities assign the IT security functions to their IT operations workforce, whose primary responsibilities are to ensure the functionality, availability and performance of digital systems. Organisations must assign the IT security responsibility to a separate IT security team, distinct from the IT operations team. The team must be given separate resources for operation and management of IT security functions.

Analyse & Investigate

This management function requires organisations to continually analyse threats and risks and to design, develop, test, implement, analyse, and improve the functions, thereby improving the cyber resilience of the organisation. Threat modelling, performance measurement and evidence collection are essential for any analysis to be effective. The evidence collection should also support investigations that may be triggered by multiple events, such as a cyber incident report, a new acquisition, or observations during internal/external VAPT.

Train & Enable

This management function requires organisations to train the IT Operations, IT Security and Cybersecurity workforce and other employees (users of IT services) in the technical and management functions applicable to them. Workforce enablement is achieved through the development of an organisational culture in which the workforce is encouraged to operate as a team and is accountable and empowered to take decisions within its scope of responsibility and authority.

Application of Capability Framework

There is a generalised relationship between the five management functions and the broader capability framework:

  • The functions ‘Acquire & Provision’ and ‘Operate & Maintain’ represent the two major lifecycle stages of business and digital systems in CSEs. These functions will help the CSE to become “smart”, efficient and effective over time.

  • The functions ‘Analyse & Investigate’ and ‘Train & Enable’ will help enhance the CSE’s organisational culture for developing “resilience” through continuous improvement.

  • The ‘Govern & Administer’ function encompasses everything and enables the CSEs to have a long term “sustainability” approach.

Elements of Resilience and Sustainability

In general, cyber resilience is achievable through well-designed operating procedures, processes, and practices, while sustainability is achievable through a combination of institutional structures, people, policies, governance, risk, and compliance (GRC) mechanisms. High levels of cyber resilience and sustainability are largely achievable using technology and automation operated by skilled personnel. These are further described below.

Resilience Drivers

In the context of cybersecurity, resilience is usually achieved through:

  • a well-designed cyber-secure architecture that incorporates the concept of defence-in-depth and supports the processes and people responsible for its protection.

  • responsive operating practices and processes, such as:

    • keeping the defences and all possible attack routes under 24 x 7 watch (logging, SOC).

    • responding quickly to anomalous activities observed by the SOC (IR).

    • rapidly carrying out defensive actions against materialised attacks (EDR, XDR, SOAR).

    • mitigating the impact of any successful penetration of the defences (CCMP, BCP).

  • a skilled and trained workforce, which is essential for successfully executing the operating processes.

Sustainability Drivers

In the context of cybersecurity, sustainability is usually achieved by:

  • having the right cybersecurity policies in place.

  • putting in place smart mechanisms to monitor the effectiveness of implementation and operation of the policies on the ground.

  • fostering a culture of continuous improvement within the entities.

Strategic Program Management

Resilience and sustainability of IT and Information Security are strategic goals of organisations. Hence, they must be driven by the top leadership and management, who must take a long-term strategic view of both the use of IT to achieve business objectives and use of Information and Cyber Security to protect IT and business. Governing bodies and top leadership should assess whether they have adequate in-house capabilities to strategise on these two goals or they require external expertise to support their leaders and teams.

A smart, resilient, and sustainable digital ecosystem is achieved only when it is driven by the top leadership. It is a good practice to have a strategic oversight team that regularly consults, analyses and reports to the top management whether the organisation’s digital ecosystem sufficiently:

  • Enables and supports the business requirements.
  • Protects information and information infrastructure in cyberspace.
  • Minimises weaknesses, vulnerabilities and risks through defensive actions.
  • Detects failures and cyber exploits.
  • Responds rapidly and effectively to IT and cyber incidents.
  • Recovers quickly from disruptions and cyber-attacks with minimal damage.
  • Is governed, administered, engineered, operated, maintained and managed by a competent workforce, through institutionalised practices and processes, supported by technology, platforms and tools.

The right combination of people, processes, technology and governance is essential for organisations to leverage the digital ecosystem to accomplish the organisation’s mission, fulfil the legal and regulatory requirements, maintain the day-to-day functions, and protect the assets and individuals.

Capability Maturity Models

This is described in detail here.