Operations, Maintenance and Management of ICT and Security
The operations aspect focuses on “how” ICT and cyber resilience capabilities can be achieved during the operation phase of business and technology systems, through well-designed operating processes enabled by technology and tools, and by a workforce that is adequately trained on the processes and tools.
The audience for this chapter includes:
- Business Heads, CIOs, CTOs, CISOs and their respective teams within CSEs.
- Sectoral Regulators, who are mandated to oversee/regulate the cyber security related issues of their regulated entities.
- Consultancy Organisations, System Integrators, OEMs and MSPs/MSSPs engaged by the CSEs.
- Empanelled Organisations that carry out cyber security verification & validation (V&V), VAPT and technical audit of systems and networks of CSEs.
- The lower levels of management, who are responsible for day-to-day business and technology operations.
- Process design teams, who conceptualise and design ICT and cyber security operating processes for day-to-day use and for protection of ICT, OT and IIoT.
- Operations teams, who implement and execute the day-to-day business and technology operating processes.
- Workforce development teams, who train and enable the workforce to absorb and adopt technology and the day-to-day operating processes designed for achieving business and cyber resilience.
Operations and Management Practices
There is an intrinsic association and a high degree of interdependence between the practices of IT Operations (IT-Ops), IT Operations Management (ITOM), AI-driven operations (AI-Ops), site reliability engineering (SRE), information security operations (IS-Ops), Dev-Sec-Ops and CI/CD pipeline activities.
At the macro level all operating and management practices have a generic purpose to help improve visibility, observability, compliance, control, responsiveness, and reporting within the critical sector entities themselves, as well as in the larger federated digital ecosystem.
At a granular level, the execution steps of operating and management processes would be sector/ entity and context specific, depending on generic and sector/ entity-specific factors. These factors include the entity type, size, geographical spread, heterogeneity of the technology layer, proportion and maturity of IT and OT implementations, the overall maturity of the prevailing cybersecurity implementation etc.
Further, all processes need to be monitored regularly for their effectiveness.
Guidance on IT and Cybersecurity Operations
Establishing Good Practices and Processes
One of the key aspects of operations is the distribution of responsibilities and associated practices between the inward-looking IT operations and IT security teams and the outward-looking Information Security (Infosec) teams.
- The IT Operations and IT Security teams form the first line of defence. They carry out defensive and protective activities such as patch, vulnerability and compliance management, system hardening, configuration baselining and change management, backup management, network access control, domain management, identity and role-based access management, service desk, ticketing and case management.
- The Information Security GRC and SOC teams form the second line of defence. They observe the internal and external environments, monitor the risk and detect cyber threats to the digital infrastructure.
- The IT Operations and IT Security teams also carry out many of the incident response and recovery activities, in close coordination with the SOC teams.
Resilience of business, technology and cybersecurity operations and support essentially depends upon good operating and management practices and processes. These can be based on an Integrated Service Management (ISM) framework that combines both ITSM and ISMS and draws upon well-defined national/ international standards. Readers may refer to relevant material included under standards.
Developing Workforce Competencies
Modern IT Systems are reasonably large and complex, and the teams require different skill sets and expertise levels to handle the entire gamut of IT and Information Security operations effectively. The competency framework provides a broad structured approach and guidance to CSEs on how to establish a strategic program for ensuring cybersecurity competence in their workforce across their respective organisations.
Note
IT Ops teams must also contribute to securing the digital infrastructure. Managers can achieve this if they encourage their IT specialists to go beyond the functional and performance aspects of systems, networks, applications and databases. The specialists must develop competence in the IT security aspects related to their job functions.
The NCIIPC-QCI Scheme for cybersecurity professionals incorporates essential IT security knowledge and skills in all the specialisation areas.
Leveraging Technology as an Enabler
A critical element for every organisation is the proper and effective use of technology by its workforce to achieve different cybersecurity functions. The following teams will benefit from technologies and platforms:
- Enterprise Governance, Risk and Compliance (GRC) team, who are responsible for enterprise-wide governance, policies and management of risk and compliance.
- The CIO, IT Operations and IT Security teams and management personnel, who are responsible for day-to-day management of the digital infrastructure.
- The CISO, Information Security SOC teams, who are responsible for SOC operations.
Besides the teams listed above, the following teams and groups require information and guidance on IT, OT and IS technologies, products, platforms, and solutions:
- The Technology Strategy group, systems engineering and systems security engineering teams, who are responsible for conceptualisation, design, and implementation of systems.
- The acquisition and provisioning teams, who are responsible for preparation of RFPs and evaluation of solutions.
- Persons responsible for tracking and enhancing cybersecurity performance and maturity since technology usage is essential for achieving higher levels of cybersecurity capabilities.
The technologies and platforms need to be selected based on relevance to the organisation’s business functions and processes. Readers are advised to refer to the resources section and Techsagar, the national repository of India’s cybertech capabilities, for identification of suitable ‘Made in India’ IT resources to meet IT/ IS requirements.
Automating the Processes using Technology
Given the increased use of IT by CSEs, many of the legacy manual and semi-automated IT and information security processes need to be raised to higher levels of automation using technology. The Dev-Sec-Ops and CI/CD pipelines used in software development lifecycles are examples of modern process automation. Automation frameworks are also being developed for content-based processes such as governance, risk, compliance, audit, information sharing and AI/ML-enabled decision support.
CSEs can improve the efficiency of their workforce significantly by using standard operating procedures (SOPs) for routine jobs and employing technology to run the standardised processes. Enabling the workforce with technology to meet IT and IS requirements is strongly recommended.
To achieve automation and workforce enablement, it is essential for an organisation to have suitable manpower with adequate enablement through training, technology, and availability of resources to undertake jobs at levels as mentioned below:
- Operating Level: The basic workforce of most organisations, capable of executing the defined operating procedures.
- Operational Analytics Level: Competent workforce with the capability to analyse issues at the operational, tactical and strategic levels and suggest mitigation measures. This workforce needs IT-enabled analytical support tools to demonstrate reliability and efficiency in their operations.
- Design Level: Experienced specialists with the skills and competence to design the operating and analytical processes and to configure the platforms that execute them.
Automation in CTI Sharing
The critical success factors for cyber resilience and sustenance of the nation’s digital ecosystem are:
- The speed and quality of detection of compromise and cyber-attacks within the entities.
- The rapidity by which information and guidance is disseminated to all the actual and potential targets.
- The speed and effectiveness of response within entities as well as across sectors and cross-sectors.
Conventional paper-based and email-based methods of sharing cannot achieve the required speed of information sharing amongst all stakeholders and participants, since they are less amenable to automated processing. Use of the standardised STIX and TAXII protocols with TLP markings (or equivalent standards) is recommended for sharing CTI with speed and objectivity to counter cyber-attacks. Details of these protocols are covered in the protocols section.
The community-driven MISP platform and the OASIS STIX/TAXII protocols with TLP-based classification are considered well suited for the Indian IT ecosystem at this stage. A coherent approach is required for adopting TLP, MISP and STIX/TAXII as the core elements of operational cybersecurity information sharing. Standardisation in this aspect helps balance speed (at the risk of ambiguity or inaccuracy) against correctness (at the cost of delay) in sharing CTI.
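The following is an added example, not code from the original guidance or from the MISP/OASIS projects, showing what machine-readable CTI with TLP looks like in practice: a STIX 2.1 bundle is built with the standard library only, structurally validated (well-formed IDs, no dangling marking references) and then filtered so that a recipient forwards only objects at or below a chosen TLP ceiling, withholding unmarked objects. The four marking-definition IDs are the ones STIX 2.1 reserves for TLP; the identity name, indicator patterns and hash value are constructed for illustration.

```python
"""Added example: build, validate and TLP-filter a STIX 2.1 bundle (stdlib only)."""
import json
import re
import uuid
from datetime import datetime, timezone

# Marking-definition IDs fixed by the STIX 2.1 specification for TLP 1.0 levels;
# producers must reference these rather than mint their own TLP markings.
TLP_IDS = {
    "white": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "red":   "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}
TLP_RANK = {"white": 0, "green": 1, "amber": 2, "red": 3}
STIX_ID = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def stix_now():
    """RFC 3339 timestamp in the form STIX expects (UTC, 'Z' suffix)."""
    return datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")


def tlp_marking(level):
    return {"type": "marking-definition", "spec_version": "2.1", "id": TLP_IDS[level],
            "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp",
            "name": "TLP:" + level.upper(), "definition": {"tlp": level}}


def identity(name, tlp_level):
    ts = stix_now()
    return {"type": "identity", "spec_version": "2.1", "id": f"identity--{uuid.uuid4()}",
            "created": ts, "modified": ts, "name": name, "identity_class": "organization",
            "object_marking_refs": [TLP_IDS[tlp_level]]}


def indicator(pattern, name, tlp_level, creator_id):
    ts = stix_now()
    return {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
            "created": ts, "modified": ts, "created_by_ref": creator_id, "name": name,
            "indicator_types": ["malicious-activity"], "pattern_type": "stix",
            "pattern": pattern, "valid_from": ts, "object_marking_refs": [TLP_IDS[tlp_level]]}


def bundle(objects):
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def validate(b):
    """Return a list of structural problems; an empty list means the bundle is sound."""
    problems = []
    ids = {o.get("id") for o in b.get("objects", [])}
    for o in b.get("objects", []):
        oid = o.get("id", "")
        if not STIX_ID.match(oid) or not oid.startswith(o.get("type", "?") + "--"):
            problems.append(f"bad id: {oid!r}")
        if o.get("spec_version") != "2.1":
            problems.append(f"{oid}: spec_version missing or not 2.1")
        for ref in o.get("object_marking_refs", []):
            if ref not in ids:  # a marking the recipient cannot resolve is unusable
                problems.append(f"{oid}: dangling marking ref {ref}")
    return problems


def tlp_level(obj, markings):
    """Most restrictive TLP level applied to obj, or None if it carries no TLP marking."""
    levels = [markings[r] for r in obj.get("object_marking_refs", []) if r in markings]
    return max(levels, key=TLP_RANK.__getitem__) if levels else None


def redistributable(b, ceiling):
    """Objects a recipient may forward under a TLP ceiling (e.g. 'green' for sector-wide
    release). Unmarked objects are withheld (fail closed); needed marking definitions are kept."""
    markings = {o["id"]: o["definition"]["tlp"] for o in b["objects"]
                if o["type"] == "marking-definition" and o.get("definition_type") == "tlp"}
    kept = []
    for o in b["objects"]:
        if o["type"] == "marking-definition":
            continue
        level = tlp_level(o, markings)
        if level is not None and TLP_RANK[level] <= TLP_RANK[ceiling]:
            kept.append(o)
    needed = {r for o in kept for r in o.get("object_marking_refs", [])}
    return bundle([o for o in b["objects"] if o["id"] in needed] + kept)


def demo_bundle():
    """Constructed sample: a sector CERT sharing one TLP:GREEN and one TLP:AMBER indicator."""
    sharer = identity("Example Sector CERT (constructed)", "white")
    return bundle([
        tlp_marking("white"), tlp_marking("green"), tlp_marking("amber"), sharer,
        indicator("[domain-name:value = 'c2.example.invalid']", "C2 domain (constructed)",
                  "green", sharer["id"]),
        indicator("[file:hashes.'SHA-256' = '" + "a" * 64 + "']", "Dropper hash (constructed)",
                  "amber", sharer["id"]),
    ])


if __name__ == "__main__":
    b = demo_bundle()
    print("problems:", validate(b))
    print(json.dumps(redistributable(b, "green"), indent=2))
```

The filter resolves TLP from `object_marking_refs` to the spec-reserved marking IDs rather than trusting a free-text label, and it drops anything without a resolvable marking, which is the safe default when the same bundle may be relayed across sectors with different release ceilings.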