National Guidelines

This compendium of national guidelines for cybersecurity is summarised from the original sources for information only. Readers must consult the authoritative sources for the actual guidelines.

Ministry of Electronics and Information Technology (MeitY)

National Cyber Security Policy 2013

Overview & Purpose

The National Cyber Security Policy 2013 sets out the vision “to build a secure and resilient cyberspace for citizens, businesses and Government” and the mission “to protect information and information infrastructure in cyberspace, build capabilities to prevent and respond to cyber threats, reduce vulnerabilities and minimize damage from cyber incidents through a combination of institutional structures, people, processes, technology and cooperation”. It gives an overview of what it takes to effectively protect information, information systems and networks, and an insight into the Government’s approach and strategy for protection of cyber space in the country. It also outlines some points to enable the collaborative working of all key players in the public and private sectors to safeguard the nation’s information and information systems.

Audience

The audience includes government ministries and departments, government and non-government entities, large, medium and small enterprises, decision-makers, procurement teams, service providers and other stakeholders.

Usage

This policy aims to create a cyber security framework, which leads to specific actions and programmes to enhance the national security posture for its cyber space.

India Enterprise Architecture (IndEA) Framework

Overview & Purpose

The IndEA framework 2018 comprises a set of architecture reference models, which can be converted into a Whole-of-Government Architecture for India, Ministries, States, Govt. Agencies etc. IndEA is a structured combination of several Reference Models that, together, enable a boundary-less flow of information across the length and breadth of the government and facilitate the delivery of integrated services to the stakeholders, namely, the citizens, businesses and employees. Strictly speaking, IndEA is not an Enterprise Architecture as its name seems to connote. It is a comprehensive and convenient framework for developing Enterprise Architecture to support ICT-enabled transformation across governments. It is an authoritative reference providing an integrated, consistent and cohesive view of strategic goals, business services and enabling technologies across the entire organisation. The Agile IndEA framework infuses agile practices into IndEA and simplifies the understanding of IndEA to promote widespread adoption.

Audience

Ministries, States, Govt. Agencies and large organisations in the public sector.

Usage

The IndEA and Agile IndEA frameworks are based on a federated architecture approach and recognise the need to accommodate both greenfield (new) and brownfield (existing/ legacy) eGovernance initiatives.

Policy on Adoption of Open-Source Software for Government of India

Overview & Purpose

The Government of India endeavours to adopt Open-Source Software (OSS) in all e-Governance systems implemented by various Government organisations, as a preferred option in comparison to Closed Source Software (CSS).

Audience

All Government of India organisations under the Central Government and those State Governments implementing e-Governance applications.

Usage

The policy encourages the formal adoption and use of Open-Source Software (OSS) in Government Organisations.

National Policy on Software Products (2019)

Overview & Purpose

The purpose of the policy is to develop India as a Software Product Nation and a global leader in the conception, design, development and production of intellectual-capital-driven software products, thus accelerating growth of the entire spectrum of the IT industry of the country.

Audience

Micro, Small and Medium Enterprises, Indian Software Product Companies (ISPC) and Startups.

Usage

To promote the creation of a sustainable Indian software product industry, driven by intellectual property (IP), leading to a ten-fold increase in share of the global software product market by 2025; to nurture 10,000 technology startups; to create a talent pool; and to build a cluster-based, innovation-driven ecosystem. In order to evolve and monitor schemes and programmes for the implementation of this policy, the National Software Products Mission is set up with participation from Government, Academia and Industry.

Email Policy of Government of India, 2024

Overview & Purpose

The policy complements the framework that applies to the security of email solution(s) utilised to provide email services.

Audience

All Government of India organisations.

Usage

This policy applies to use and use-related security aspects governing email services.

Public Procurement Order 2018 for Cyber Security Products

Overview & Purpose

The Cyber Security Products notification encourages ‘Make in India’ to promote manufacturing and production of goods and services in India with a view to enhancing income and employment. Cyber Security Product means a product or appliance or software manufactured/produced for the purpose of protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction. Cyber Security being a strategic sector, preference shall be provided by all procuring entities to domestically manufactured/ produced Cyber Security Products.

Audience

Domestically manufactured/ produced Cyber Security products covered in turnkey/ system integration projects.

Usage

For preference to domestically manufactured/ produced Cyber Security products, forming part of the turnkey/ system-integration projects.

Government of India (GI)-Cloud (Meghraj)

Overview & Purpose

To utilize and harness the benefits of cloud computing, the Government of India embarked upon an ambitious initiative – “GI Cloud”, which has been named ‘Meghraj’. The focus of this initiative is to accelerate delivery of e-services in the country while optimizing ICT spending by the Government. A set of guidelines has been published on the Ministry of Electronics and Information Technology website; they are briefly described below.

Guidelines for Enablement of Government Departments for Adoption of Cloud

The guidelines provide a structured framework to facilitate the seamless transition of government entities to cloud-based solutions. These guidelines aim to promote the adoption of cloud technologies by addressing key aspects such as readiness assessment, capacity building, service selection, and risk management. They outline a phased approach for cloud adoption, ensuring alignment with operational requirements, security standards, and compliance obligations. By offering best practices and a roadmap for cloud enablement, the document empowers government departments to leverage the benefits of cloud computing, such as scalability, cost efficiency, and enhanced service delivery, while mitigating associated risks.

Software Development & Re-Engineering Guidelines for Cloud Ready Applications

The guidelines provide a comprehensive framework to design and modernize applications optimized for cloud environments. These guidelines emphasize creating scalable, interoperable, and flexible applications that adhere to open standards and leverage modular design principles, ensuring seamless integration across diverse platforms. They promote the development of Common Application Software (CAS), allowing states and departments to configure applications for specific needs without altering core functionalities, reducing duplication of efforts. The guidelines advocate for the adoption of open-source tools and configurable components to enhance innovation, minimize vendor lock-in, and streamline development processes. Additionally, they address metadata standards, multi-language support, and adherence to software engineering protocols to ensure consistency, security, and quality. By fostering reusability, scalability, and rapid deployment, the guidelines aim to facilitate the creation of robust, cloud-ready applications that align with MeitY’s vision for a digitally empowered society, enhancing efficiency and reducing costs for government and critical sectors.

Cloud Security Best Practices

The guidelines provide a detailed framework to ensure the secure adoption and management of cloud services by government entities and other stakeholders. The document outlines essential security measures to protect data integrity, confidentiality, and availability in cloud environments. It covers areas such as access control, data encryption, incident response, compliance, and governance, emphasizing the shared responsibility model between cloud service providers (CSPs) and users. The guidelines aim to address risks like unauthorized access, data breaches, and compliance violations while ensuring that cloud deployments align with regulatory requirements and international security standards. By following these best practices, organizations can minimize vulnerabilities, enhance trust in cloud technologies, and ensure the secure handling of sensitive information.

Guidelines for Procurement of Cloud Services

The guidelines provide a comprehensive framework to help government departments transition to cloud-based solutions while ensuring compliance with security and regulatory standards. These guidelines aim to standardize the procurement process, enabling government entities to adopt scalable, cost-efficient, and flexible cloud services effectively. They emphasize critical aspects such as Service Level Agreements (SLAs), data security, privacy, contractual terms, and risk management. The document offers a Master Service Agreement (MSA) template to address key concerns like data ownership, exit strategies, and dispute resolution while highlighting the differences between traditional IT and cloud service procurement. By outlining roles and responsibilities for stakeholders, such as cloud service providers (CSPs) and system integrators (SIs) and recommending best practices for safeguarding data integrity and availability, the guidelines ensure that digital transformation initiatives in the public sector are aligned with national objectives and operational requirements. These guidelines empower government departments to make informed decisions, promoting transparency, efficiency, and consistency in cloud adoption.

The guidelines provide a structured framework to assist government entities in drafting and negotiating contracts with cloud service providers (CSPs). These guidelines aim to address critical contractual elements such as data ownership, security, privacy, liability, indemnity, termination, and exit management to safeguard the interests of government departments. By focusing on risk mitigation and compliance with regulatory and operational requirements, the guidelines ensure that cloud contracts are robust, clear, and enforceable. They empower government departments to establish fair and balanced agreements that protect sensitive data, ensure service continuity, and foster accountability, thereby enabling secure and efficient cloud adoption.

Guidelines for User Departments on Service Level Agreement for Procuring Cloud Services

The guidelines provide a structured approach for government departments to draft, evaluate, and enforce SLAs when adopting cloud services. These guidelines aim to ensure clarity and accountability between government users and cloud service providers by defining key performance metrics, responsibilities, and penalties for non-compliance. They address critical areas such as service uptime, data security, response times, and disaster recovery, ensuring that the agreed service levels meet operational and regulatory requirements. By offering a detailed SLA framework, the guidelines empower government departments to establish measurable expectations, monitor service performance, and safeguard their interests in cloud procurement agreements.

Master Service Agreement for Procurement of Cloud Services

The MSA provides a standardized contractual framework to facilitate transparent and efficient cloud service procurement by government entities. It outlines the terms and conditions governing the relationship between government departments and cloud service providers (CSPs), addressing critical aspects such as service delivery, data ownership, security, privacy, termination clauses, and exit management. It ensures that cloud services are procured with clearly defined responsibilities, measurable performance metrics, and robust dispute resolution mechanisms. By providing a comprehensive and legally sound agreement template, the MSA enables government departments to safeguard their interests, ensure compliance with regulatory requirements, and build trust with CSPs while transitioning to cloud technologies.

Audit Criteria for Cloud Service Providers

The audit criteria document establishes a comprehensive framework to evaluate and ensure that CSPs meet the required standards for delivering secure, reliable, and compliant cloud services to government entities. These criteria outline essential audit parameters across areas such as data security, privacy, service availability, incident management, compliance with legal and regulatory requirements, and operational efficiency. The purpose of the guidelines is to provide a standardized evaluation mechanism to assess the capabilities and performance of CSPs, ensuring they align with the stringent requirements of government projects. By implementing these audit criteria, government departments can identify trustworthy CSPs, mitigate risks, and uphold the integrity of their cloud-based operations.

Audience

Ministries of GoI, States and organisations in the public sector.

Usage

The guidelines enable ministries, government departments and others to use the GI Cloud services offered by the empaneled cloud service providers.

Ministry of Home Affairs (MHA)

NISPG 5.0

Overview & Purpose

The National Information Security Policy and Guidelines (NISPG) version 5.0, issued by the Ministry of Home Affairs (MHA), Government of India, focuses on establishing guidelines to help secure “information” that may impact internal security and national security. These guidelines are based on the analysis of existing global security standards and frameworks and the emerging trends and discourse in the wake of persistent threats and cyber-attacks on critical infrastructure of nations globally.

Audience

Various government organisations in India.

Usage

The NISPG guides Government and Public Sector organisations and associated entities and third parties in protecting the information under their control or ownership during the information’s lifecycle, which includes creation, storage, processing, accessing, transmission and destruction.

Cyber Security Guidelines for Government Employees

Overview & Purpose

These guidelines are meant to sensitize the government employees and contractual/ outsourced resources and build awareness amongst them on what to do and what not to do from a cyber security perspective.

Audience

All government employees, including temporary, contractual/ outsourced resources.

Usage

Develop awareness amongst the government employees and contractual/ outsourced resources.

Reserve Bank of India (RBI)

Information Security, Electronic Banking, Technology Risk Management

Overview & Purpose

Addresses various issues arising out of the use of Information Technology in banks and makes recommendations in nine broad areas, namely, IT Governance, Information Security, IS Audit, IT Operations, IT Services Outsourcing, Cyber Fraud, Business Continuity Planning, Customer Awareness programmes and Legal aspects.

Audience

Elements in the Banking Sector.

Usage

Provides a focused project-oriented approach towards implementation of guidelines and to put in place a time-bound action plan to address the gap and comply with the guidelines.

Cyber Security Frameworks in Banks

Overview & Purpose

To enhance the resilience of the banking system by improving the current defences in addressing cyber risks, arising from the low barriers to entry, evolving nature, growing scale/ velocity, motivation, and resourcefulness of cyber-threats to the banking system.

Audience

Elements in the Banking Sector.

Usage

Put in place an adaptive Incident Response, Management and Recovery framework to deal with adverse incidents/ disruptions, if and when they occur.

Outsourcing Information Technology Services

Overview & Purpose

The Reserve Bank of India (Outsourcing of Information Technology Services) Directions, 2023 was introduced to regulate the outsourcing of IT services by financial institutions, ensuring that such practices do not compromise their operational integrity or customer security. These guidelines are effective from October 1, 2023,

Audience

Elements in the Banking Sector. These directions are applicable to all entities regulated by the RBI, including banks, non-banking financial companies (NBFCs), and credit information companies.

Usage

Designed to enhance the operational resilience of financial institutions, ensuring that they remain compliant with regulatory requirements even when IT services are outsourced.

IT Governance, Risk, Controls and Assurance Practices

Overview & Purpose

The RBI Master Direction on Information Technology Governance, Risk, Controls, and Assurance Practices (ITGRCA) was introduced in November 2023 and is effective from 1st April 2024. It provides a comprehensive framework for banks, NBFCs, and other regulated entities to improve their IT governance, cybersecurity, and risk management practices.

Audience

Elements in the Banking Sector. These directions are applicable to banks, NBFCs, and other regulated entities.

Usage

These guidelines aim to enhance the operational resilience, data security, and risk management capabilities of financial institutions, ensuring they meet the growing challenges of digital transformation and cybersecurity threats.

Digital Payment Security Controls

Overview & Purpose

The RBI Master Direction on Digital Payment Security Controls directions, 2021 provides a detailed framework aimed at strengthening the security of digital payment systems across India. It provides for regulated entities to set up a robust governance structure for such systems and implement common minimum standards of security controls for channels like internet, mobile banking, and card payments, among others. While the guidelines are technology and platform agnostic, they aim to create an enhanced and enabling environment for customers to use digital payment products in a safe and secure manner.

Audience

These directions are applicable to regulated entities.

Usage

These guidelines are designed to ensure that digital payment systems remain secure, scalable, and resilient, meeting global security standards and safeguarding customer data and transaction integrity.

Securities and Exchange Board of India (SEBI)

SEBI has issued several Cybersecurity & Resilience guidelines for its constituent entities. These are listed below.

CSCRF for SEBI Regulated Entities (REs) 2024

Overview & Purpose

The Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI REs has been formulated in consultation with the stakeholders to strengthen the cybersecurity measures in the Indian securities market, and to ensure adequate cyber resiliency against cybersecurity incidents/ attacks.

Audience

Stockbrokers and Depository Participants, Mutual Funds (MFs)/ Asset Management Companies (AMCs), KYC Registration Agencies (KRAs), Qualified Registrar to an Issue and Share Transfer Agents (QRTAs), Portfolio Managers.

Usage

The CSCRF aims to provide standards and guidelines for strengthening cyber resilience and maintaining robust cybersecurity of SEBI REs.

Guidelines for Market Infrastructure Institutions (MIIs) 2023

Overview & Purpose

Market Infrastructure Institutions (i.e. Stock Exchanges, Clearing Corporations and Depositories) are systemically important institutions as they, inter alia, provide the infrastructure necessary for the smooth and uninterrupted functioning of the securities market. As part of operational risk management, these Market Infrastructure Institutions (MIIs) need to have a robust cyber security framework to provide essential facilities and perform systemically critical functions relating to trading, clearing and settlement in the securities market.

Audience

Market Infrastructure Institutions (MIIs).

Usage

By MIIs to establish and continuously improve their Information Technology (IT) processes and controls to preserve confidentiality, integrity and availability of data and IT systems.

Adoption of Cloud Services by SEBI Regulated Entities (REs) 2023

Overview & Purpose

The major purpose of this framework is to highlight the key risks and the mandatory control measures which REs need to put in place before adopting cloud computing. The document also sets out the regulatory and legal compliances required of REs if they adopt such solutions.

Audience

Stock Exchanges, Clearing Corporations, Depositories, Stockbrokers through Exchanges, Depository Participants through Depositories, Asset Management Companies (AMCs)/ Mutual Funds (MFs), Qualified Registrars to an Issue and Share Transfer Agents, KYC Registration Agencies (KRAs).

Usage

This framework provides baseline standards for security and for legal and regulatory compliance by the REs.

For Stock Brokers / Depository Participants

Overview & Purpose

Guidelines and clarifications to create a framework on cyber security and cyber resilience.

Audience

All Stock Brokers and Depository Participants registered with SEBI.

Usage

Helps create a robust cyber security and cyber resilience framework to provide essential facilities and perform systemically critical functions relating to the securities market.

For Stock Exchanges, Clearing Corporations & Depositories

Overview & Purpose

Creates a Cyber Security Operation Center (C-SOC) for Market Infrastructure Institutions (MIIs), i.e., Stock Exchanges, Clearing Corporations and Depositories.

Audience

All Stock Exchanges, Clearing Corporations and Depositories (except Commodities Derivatives Exchanges and their Clearing Corporations).

Usage

Helps in prevention of cyber security incidents through proactive actions.

For Mutual Funds/ Asset Management Companies (AMCs)

Overview & Purpose

Extension of framework on cyber security and cyber resilience to Mutual Funds/ Asset Management Companies (AMCs).

Audience

Mutual Funds/ Asset Management Companies (AMCs).

Usage

Includes Mutual Funds/ Asset Management Companies (AMCs) in Cyber Security and Cyber Resilience framework.

For KYC Registration Agencies

Overview & Purpose

Creation of a framework on cyber security and cyber resilience for KYC Registration Agencies.

Audience

KYC Registration Agencies.

Usage

Helps in creation of a Cyber Security and Cyber Resilience framework for KYC Registration Agencies.

For Qualified Registrars to an Issue/ Share Transfer Agents

Overview & Purpose

Guidelines for submission of report / information containing information on cyber-attacks and threats experienced by QRTAs.

Audience

KYC Registration Agencies.

Usage

Helps in protection of the interests of investors in securities and to promote the development and regulation of the securities market.

Central Electricity Authority (CEA)

Cybersecurity Compliance Guidelines

Overview & Purpose

Interim guidelines till such time the “Regulation on Cyber Security in Power Sector” is released.

Audience

All Responsible Entities, System Integrators, Equipment Manufacturers, Suppliers/Vendors, Service Providers, IT Hardware and Software OEMs engaged within the Indian Power Supply Ecosystem.

Usage

The objectives of these guidelines, as stated within the document, are:
a) Creating cyber security awareness
b) Creating a secure cyber ecosystem
c) Creating a cyber-assurance framework
d) Strengthening the regulatory framework
e) Creating mechanisms for security threat early warning, vulnerability management and response to security threats
f) Securing remote operations and services
g) Protection and resilience of critical information infrastructure
h) Reducing cyber supply chain risks
i) Encouraging use of open standards
j) Promotion of research and development in cyber security
k) Human resource development in the domain of Cyber Security
l) Developing effective public private partnerships
m) Information sharing and cooperation
n) Operationalization of the National Cyber Security Policy.

National Critical Information Infrastructure Protection Centre (NCIIPC)

NCIIPC has issued the following key guidelines, which are available on the website.
‒ Guidelines for Protection of CII.
‒ Evaluating Cyber Security in CII.
‒ SOP: Incident Response.
‒ SOP: Audit of CII/Protected Systems.

The contents of the above documents have now been suitably subsumed into the NCRF. Hence, the NCRF is now intended to be used as the base document for guidelines for protection of CIIs.

CERT-In

Guidelines on Information Security Practices for Government Entities, 2023

Overview & Purpose

The guidelines provide a comprehensive framework to enhance the cybersecurity posture of government organizations. These guidelines outline structured protocols and best practices to safeguard government information systems from cyber threats, emphasizing risk assessment, incident response, and continuous monitoring. The purpose of the guidelines is to strengthen cyber resilience, ensuring government entities can effectively prevent, detect, and respond to cyber incidents while minimizing operational disruptions. They aim to protect the confidentiality, integrity, and availability of sensitive government data through robust security controls and standardized access management practices. Additionally, the guidelines promote a consistent approach to security across departments, enhancing compliance with national laws and cybersecurity standards. By fostering cybersecurity awareness and providing targeted training for government personnel, the guidelines help build a culture of security within governmental operations. Ultimately, they assist in ensuring secure, efficient, and uninterrupted public service delivery while maintaining compliance with relevant regulations.

Audience

The audience includes government departments, public sector organizations, IT administrators, security professionals, and policymakers responsible for safeguarding government information systems.

Usage

The guidelines provide a standardized framework for securing government information systems, enabling effective risk management, incident response, and compliance with cybersecurity laws, while fostering consistent security practices and resilience against cyber threats.

Reporting of Security Incidents 2022

Overview & Purpose

Cyber incidents and cyber security incidents have been and continue to be reported from time to time. To coordinate response activities as well as emergency measures with respect to cyber security incidents, certain primary information is essential to carry out the analysis, investigation and coordination as per the process of law, yet the requisite information is sometimes either not available or not readily available with service providers/data centres/body corporate. Outlines the triage mechanism when any aspect of a computer system is threatened by loss of confidentiality, disruption of data or system integrity, or denial of service availability.

Audience

Service providers, intermediaries, data centres, bodies corporate and Government organisations.

Usage

By reporting cybersecurity incidents to CERT-In, System Administrators and users receive technical assistance in resolving these incidents. This also helps CERT-In to correlate the incidents, analyse them, draw inferences, disseminate up-to-date information and develop effective security guidelines to prevent the occurrence of such incidents in future.

Empanelment of Information Security Auditing Organisations

Overview & Purpose

Guidelines and procedures for empanelment of Information Security Auditors by CERT-In.

Audience

All Information Security Consulting Organisations.

Usage

Assist Information Security Auditors in understanding and meeting the requirements of empanelment with CERT-In.

Guidelines on Software Bill of Materials (SBOM), 2024

Overview & Purpose

The Software Bill of Materials (SBOM) Guidelines are a critical step toward strengthening software supply chain security in India. These guidelines aim to provide a detailed inventory of software components, including libraries, dependencies, and third-party modules, to enhance transparency, accountability, and risk management. By offering a comprehensive understanding of the components within a software application, the SBOM facilitates the identification of vulnerabilities and ensures compliance with cybersecurity standards. The purpose of these guidelines is to manage software supply chain risks, protect organizations from insecure or outdated libraries, and promote secure software development practices. They also assist in vendor risk management by enabling organizations to assess third-party risks and establish accountability in the software lifecycle. Additionally, SBOMs support organizations in responding swiftly to cyber threats and incidents by providing detailed knowledge of software components, thus enabling efficient vulnerability management. These guidelines are particularly significant for sectors like critical infrastructure, government services, finance, and healthcare, where cybersecurity is paramount. MeitY’s SBOM framework promotes industry best practices, ensuring secure software procurement, development, and maintenance while building trust in the software ecosystem.

Audience

The audience includes government entities, critical sector organizations, software developers, vendors, regulatory bodies, auditors, security professionals, and policymakers responsible for software security and compliance.

Usage

The guidelines provide organizations with a standardized framework for identifying, managing, and mitigating risks in their software supply chains. They enable transparency in software components, facilitate compliance with cybersecurity standards, enhance the ability to respond to vulnerabilities, ensure vendor accountability, and promote secure software development practices. This policy is designed to improve risk assessment, regulatory compliance, and overall cybersecurity posture in critical sectors and government operations.

Secure Application Design, Development, Implementation & Operations 2024

Overview & Purpose

The prime objective of this guideline is to establish a firm and robust application security baseline in the application development lifecycle. This approach is crucial for ensuring the application’s security right from the initial phase and progressively strengthening every phase of the application development lifecycle.

Audience

Entities engaged in developing or outsourcing application development (especially for Government sector entities).

Usage

The secure application development practices outlined in this document have been crafted to enable organisations to customize them according to their specific requirements and seamlessly integrate them into their application lifecycle right from the outset of an application development project. The document addresses establishing the context of security in the design process, which underscores all security considerations, encompassing not only secure application design but also secure architectural design, by considering the environment into which the application will be integrated and outlining strategies to ensure its comprehensive security.

Information Security Practices for Government Entities

Overview & Purpose

The purpose of these guidelines is to establish a prioritized baseline for cyber security measures and controls within government organisations and their associated organisations. The guidelines should assist security teams to implement baseline and essential controls and procedures to protect their cyber infrastructure from prominent threats. These guidelines shall also act as a baseline document for administration and audit teams (internal, external/ third-party auditors) to evaluate an organisation’s security posture against cyber security baseline requirements.

Audience

Ministries, Departments, Secretariats and Offices specified in the First Schedule to the Government of India (Allocation of Business) Rules, 1961, their attached and subordinate offices, and all government institutions, public sector enterprises and other government agencies under their administrative purview (hereinafter collectively referred to as “government entities”).

Usage

These guidelines cover the best practices segregated into different security domains such as Network Security, Application Security, Data Security, Auditing, and Third Party Outsourcing. Due to the ever-evolving threat landscape, this document is envisaged to be an organic document and would be updated as per the changing threat landscape.