Consultancy Organisations
The NCIIPC-QCI Scheme for accreditation of IT and ICS Consultancy Organisations (COs) is an initiative of the Government to develop a pool of specialist organisations that can help CSEs in handling the different dimensions of work related to the digital ecosystem.
‘Consultancy’ is the act of providing technical expertise by an individual or an organisation deemed competent in delivering services as per the defined scope, in exchange for a fee. The nature of such expertise may be technical, thematic, procedural or managerial.
Domains
Organisations can usually group the work of handling their digital infrastructure into the domains tabulated below. Each of these domains is inherently complex and dynamic and requires substantial depth and breadth of knowledge, expertise and skills.
| No. | Domain Type | Domain Title |
|---|---|---|
| 1 | Organisational | Governance, Risk and Compliance |
| 2 | Technical | Technology & System Security Architecture |
| 3 | Technical | Secure Software Development |
| 4 | Technical | Application Security Testing |
| 5 | Technical | Security Product Testing |
| 6 | Technical | Network Security Administration |
| 7 | Technical | System Security Administration |
| 8 | Technical | Applications & Data Security Administration |
| 9 | Technical | Security Support Services |
| 10 | Technical | Security Performance Management |
| 11 | Technical | ICS Cyber Security |
| 12 | Technical | ICS Cyber Risk Assessor |
| 13 | Technical | ICS Cybersecurity Design & Implementation |
| 14 | Technical | ICS Cybersecurity Operations & Maintenance |
| 15 | Technical | Cyber Defence |
| 16 | Technical | Cyber Vulnerability, Threat & Risk Management |
| 17 | Technical | Security Operations |
| 18 | Technical | Cyber Forensics & Investigation |
| 19 | Organisational | Cyber Training & Awareness |
Typical domain ownership and responsibility is described below.
Domain 1 is related to IT/ ICS GRC under the CISO.
Domains 2 to 5 & 13 are related to design, engineering and implementation of IT/ ICS systems by project engineering teams, under the project management organisation.
Domains 6 to 11 & 14 are related to cyber security aspects for consideration by the IT & ICS teams under the CIO/ OT Head.
Domains 12 and 15 to 18 are exclusively related to cyber security functions performed by the IS & SOC teams under the IT/ OT CISO.
Domain 19 is related to training under Head HR.
Work Heads
CSEs find it a challenge to hire sufficient in-house resources for all the domains and functions. Hence, they look for competent, capable and trustworthy Consultancy Organisations, who can do some of the work for them.
The Scheme has defined 11 Work Heads for COs, which are aligned to the work domains within organisations as shown in the table below.
| WH-Id | Title of Consultancy Service (Work Head) | Related Domain (indicative) |
|---|---|---|
| WH-1 | Designing and facilitation of implementation of CSMS (L1/L2/L3) with focus on Governance, Risk and Compliance Requirements | Domain 1 (Governance, Risk and Compliance) |
| WH-2 | IT Cyber Security, Architecture, Design, Engineering and Implementation | Domain 2 (Technology & System Security Architecture); Domain 3 (Secure Software Development); Domain 4 (Application Security Testing); Domain 5 (Product Security Testing) |
| WH-3 | IT Cyber Security Administration and Management | Domain 6 (Network Security Administration); Domain 7 (System Security Administration); Domain 8 (Applications & Data Security Administration); Domain 9 (Security Support Services); Domain 10 (Security Performance Management) |
| WH-4 | ICS Cybersecurity Risk Assessment | Domain 12 (ICS Cyber Risk Assessor) |
| WH-5 | ICS Cybersecurity Architecture, Design, Engineering and Implementation | Domain 13 (ICS Cybersecurity Design & Implementation) |
| WH-6 | ICS Cybersecurity Operations & Maintenance | Domain 14 (ICS Cybersecurity Operations & Maintenance) |
| WH-7 | Cyber Defence | Domain 15 (Cyber Defence) |
| WH-8 | Cyber Security Monitoring and Assessment | Domain 16 (Cyber Vulnerability, Threat & Risk Management) |
| WH-9 | Cyber Security Operations | Domain 17 (Security Operations) |
| WH-10 | Cyber Security Forensics & Investigation | Domain 18 (Cyber Forensics & Investigation) |
| WH-11 | Cyber Training & Skill Gap Assessments | Domain 19 (Cyber Training & Awareness) |
CXOs can use the mapping of domains to each WH-Id to identify which COs can do which work.
The detailed scope of consultancy work/ services is described in a separate table in the Scheme. This table can be used by the stakeholders in the manner given below:
- CSEs can use the table to describe the work/ services sought from the consultancy organisations in different domains. Contents of the table can be suitably adapted for inclusion in the RFPs.
- COs can use the table to identify what work/ services they can do/ want to do. This activity will be done at the time of applying for accreditation and during the accreditation process.
- ABs can use the table to validate that the COs have the capability to deliver all of the work/ services described under the Work Heads for which they have sought accreditation.
- Regulators and nodal agencies can use the table to review the capability of COs hired by the regulated entities. This activity is usually required when there are serious lapses in the quality of work done by the COs for the entities.
Note
Lapses in the quality of work/ services of COs are often due to a lack of competence in the professionals provided by the COs to the entities. They may also be due to gaps in the work package given to the COs.
The Scheme has a well-defined redressal process to address the issues related to capabilities and competencies of COs.
Accreditation of COs
Accreditation Bodies (ABs) are responsible for the accreditation of COs under the Scheme. During the accreditation process, the CO shall be attested for its capability, competence and level of expertise to provide consultancy services as per the detailed scope of work/ services tabulated above.
The accreditation process requires the CO to demonstrate to the AB that its consultants/ professionals have the required competency (knowledge, skills and advanced/ master level expertise) to deliver the services. The Scheme tabulates the knowledge and skill requirements for the consultants/ professionals, which are derived from the Scheme for Cybersecurity Professionals.
The evidence of competency is usually demonstrated through global certifications and documented work experience of the professionals.
Once accredited, the CO can offer its services as a whole package or in parts, depending on the scope chosen and the services sought by the client.
Guidance
CSEs must leverage the robust mechanism of the NCIIPC-QCI Scheme to accredit skilled consultancy organisations. The CSEs can hire COs to become a part of their composite workforce and handle portions of the work of conceptualisation, design, engineering, acquisition, operation and management of their digital infrastructure.