
Information and Cyber Security Policy

for Government Organizations

Sri Lanka Computer Emergency Readiness Team


Ministry of Technology
Version 1
Document Classification: Public

Versions

Version: 1
Prepared by: Research, Policy and Projects Team of Sri Lanka CERT
Reviewed by: Policy Review Committee, Senior Management of Sri Lanka CERT (Date: 25th August 2021)
Authorized by: Board of Directors of Sri Lanka CERT (Date: 08th October 2021)
Issue Date:
Description: Version 1

Attribution

This publication shall be attributed as follows:

Democratic Socialist Republic of Sri Lanka, Sri Lanka CERT|CC, Information and Cyber Security Policy for Government Organizations – Version 1, October 2021

Published by
Research, Policy and Projects Division
Sri Lanka CERT|CC
Room 4-112, BMICH, Colombo 7
Sri Lanka
Telephone: +94 11 269 1692, Fax: +94 11 269 1064
Email: [email protected]
Websites: www.cert.gov.lk, www.onlinesafety.lk

Note
This publication will remain as a “Draft Version” until being approved by the relevant
Authority to adopt as a Policy.

Version 1 2
Table of Contents
Acronyms ……………………………………………………………….. 4

Executive Summary ………………………………………………… 5

Introduction ……………………………………………………………. 6

Information Security Policy Framework …. 7

Information and Cyber Security Policy …………………… 9

Policy Statements …………………………………………………… 13

Information Security Governance ……………….. 14


Identify Assets, Owners, Users and Risks ……… 17
Protect Assets ……………………………………………… 20
Detect Incidents ………………………………………….. 28
Respond to incidents ……………………………………… 30
Recover Normal Operations ………………….……… 31

Assessment Framework ………………………………….. 32

Glossary ………………………………………………………………. 36

References ………………………………………………………… 39

Acronyms
AMC Audit and Management Committee
CCTV Closed-circuit Television
CD Compact Disk
CERT Computer Emergency Readiness Team
CIA Chief Internal Auditor
CII Critical Information Infrastructure
CIO Chief Innovation Officer
DVD Digital Video Disc
HOO Head of Organization
HTTPS Hypertext Transfer Protocol Secure
ICTA Information and Communication Technology Agency
IPS/IDS Intrusion Prevention System/Intrusion Detection System
ISC Information Security Committee
ISO Information Security Officer
ISO 27002 International Organization for Standardization for Information Technology –
Security Techniques - Information Security Management Systems
IT Information Technology
LGC Lanka Government Cloud
LGN Lanka Government Network
MFA Multifactor Authentication
MISS Minimum Information Security Standards
NDA Non-Disclosure Agreement
NIST National Institute of Standards and Technology
PIN Personal Identification Number
RMC Risk Management Committee
RPO Recovery Point Objective
RTO Recovery Time Objective
SFTP Secure File Transfer Protocol
SIEM Security Information and Event Management
SSD Solid-state Drive
SLA Service Level Agreement
SSL Secure Sockets Layer
TLS Transport Layer Security
USB Universal Serial Bus
VPN Virtual Private Network

Executive Summary

Many government organizations in Sri Lanka now depend on the reliable functioning of digital systems and infrastructure. Malicious actors, however, can exploit these digital systems to cause harms such as theft of sensitive information, disruption of day-to-day operations, and damage to the reputation of organizations, which in turn can lead to the loss of public trust and confidence in government systems, and place the nation's security, economy, safety and wellbeing at risk.

To effectively address these cyber security risks, the Sri Lanka Computer Emergency Readiness Team (Sri Lanka CERT), the organization which has the mandate for protecting the cyber space in Sri Lanka, has developed an Information and Cyber Security Policy for use by government organizations in order to protect their digital systems and resources from various cyber security threats. The policy provides a risk-based approach for implementing an information security program at organizational level, and guides organizations in identifying digital assets that should be protected, developing appropriate measures to protect assets, detecting information security incidents, and responding to and recovering from cyber security attacks in an efficient and effective manner.

The policy is developed based on international best practices and standards such as those of the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST), and has been extensively reviewed by information security experts and senior government officers.

Approval from the Cabinet of Ministers will be obtained for the Policy for mandatory use by all government organizations, with the instruction that all heads of organizations are accountable for the implementation of the policy. Sri Lanka CERT shall facilitate and provide recommendations to all government organizations in implementing the policy, and shall evaluate the performance of organizations in implementing the policy on an annual basis.

1. Introduction
1.1. Government organizations in Sri Lanka have progressed rapidly over the past decade in developing digital systems to carry out their daily administrative work and to provide services to the general public, other government organizations as well as the private sector. As organizations become increasingly dependent on digital systems, protecting information and digital infrastructure from unauthorized access, disclosure and destruction, and from natural disasters such as floods and fire, has also become a high priority. Information and cyber security policies should therefore be implemented in organizations to protect digital systems and reduce the risk of operational disruptions, in order to provide services in a secure and efficient manner.

1.2. This document presents the information and cyber security policy for government
organizations. It provides a set of policy statements that specifies the direction
upon which controls, standards and guidelines should be implemented by
government organizations in handling information security threats, protecting
hardware, software and data, mitigating vulnerabilities, and establishing an
information and cyber security governance structure. It further provides guidelines
to employees on their responsibilities in relation to information and cyber security.

1.3. All government organizations that are defined as public authorities in the Right to Information Act No 12 of 2016[1] are required to comply with the policy statements outlined in this document. Heads of organizations are required to understand the content of the policy, provide leadership to the implementation of the policy, and assume ultimate accountability and responsibility for the organization's information security activities and staff.

1.4. The policy statements shall be used to benchmark each organization’s status in
adopting information and cyber security measures on an annual basis. This will
enable organizations to identify the areas which need attention and where
improvements need to be carried out to secure the organization against various
cyber security threats.

2. Information Security Policy Framework

2.1. In line with the implementation of the Information and Cyber Security Strategy (2019:2023)[2], the Information Security Policy Framework is developed to assist government organizations to implement the Information and Cyber Security Policy. The Policy Framework facilitates government organizations by providing other necessary resources such as the Minimum Information Security Standards (MISS)[3], the Information Security Implementation Guide[4], and the Technical Guides that are necessary for organizations to protect information, systems and digital assets from various information security events. Figure-1 presents an overview of the Information Security Policy Framework.

[Figure not reproduced. Elements shown: Information and Cyber Security Strategy (2019:2023); Acts, Cabinet Directives and Circulars; Information and Cyber Security Policy; Minimum Information Security Standards; Information and Cyber Security Implementation Guide; Assessment Tool.]

Figure-1. Information Security Policy Framework

2.2. The information security policy framework includes the following:

2.2.1. The Information Security Policy, which is the main focus of this document, provides a set of policy statements which organizations shall comply with. These policy statements outline the essential controls and provide direction to government organizations in protecting information, systems and infrastructure from information security events.

2.2.2. The Minimum Information Security Standards[3] outline the minimum acceptable level of information security controls that shall be adhered to by the respective organizations. Two sets of minimum security standards are developed; one for organizations maintaining critical national information infrastructure (CNII), and the other for organizations which fall into the category of non-CNIIs. Organizations maintaining CNII are required to adhere to a higher level of standards as disruption to such services would have a significant impact on the country's economy, national security and public health.

2.2.3. The Information and Cyber Security Implementation Guide[4] provides a comprehensive set of instructions to staff and stakeholders who require more specific details on implementing the Policy. These technical guides include the Web Application Security[5], Identity Management and Access Control Policy[6], and Work from Home Guidelines (for general users[7] and IT administrators[8]).

2.2.4. The Readiness Assessment Tool provides assessment criteria to assess performance and readiness in respect of adoption of the Information and Cyber Security Policy at government organizations. Through this tool, an organization's overall information security maturity will be measured by Sri Lanka CERT over a predefined time frame. A sample assessment instrument developed for this purpose is presented in Section 5 of this document.

2.3. The Information Security Policy Framework is governed by Acts of Parliament (the forthcoming Cyber Security Act and Data Protection Act), Cabinet directives, and Circulars issued on this subject, and it is consistent with recognized international information security standards such as International Organization for Standardization (ISO) 27002:2013[9] and those of the National Institute of Standards and Technology (NIST) of the United States[10,11], and national policies such as the e-Government Policy of Sri Lanka[12] and the National Data Sharing Policy of Sri Lanka[13]. Further, the development of the Policy Framework has taken into consideration the experience of Sri Lanka CERT, opinions of information security professionals in the industry, and expert advice of public sector senior executives.

3. Information and Cyber Security Policy

3.1. Introduction
3.1.1. The Information and Cyber Security Policy sets forth rules, guidelines and
processes for government organizations, creating a standard for the acceptable
use of organization’s information technology, including information, systems and
digital infrastructure to preserve confidentiality, integrity and availability of
information and systems used by organizations.

3.1.2. The specific objectives of the policy are:

o To establish a common information and cyber security standard across different administration layers of the public sector.
o To establish a governance framework at organizational level to direct and control the activities in relation to information and cyber security.
o To strengthen government organizations' resilience to information and cyber security events by mandating security standards, rules and processes related to the design, implementation, use and operations of information, systems and digital infrastructure.
o To establish a mechanism to detect information and cyber security incidents in a timely manner, to minimize the impact of such incidents to organizations, and to efficiently restore any capabilities or services that were impaired due to such incidents.
o To educate staff on the best practices and national standards on information and cyber security, and build staff confidence over the organization's security status.
3.1.3. This Policy is written in simple language, and it is expected that all staff and
relevant third party service providers, regardless of their knowledge of the
subject, will be able to read the policy and understand the responsibilities of the
organizations, and the expected outcome of the policy implementation in
relation to protection of government information, critical information
infrastructure and IT assets.

3.1.4. This Policy is applicable to any type of government organization that is defined as a public authority in the Right to Information Act No 12 of 2016[1]. The Policy shall also be applicable to the relevant third party service providers who manage IT services on behalf of the government organizations.

3.1.5. This document will be updated periodically to provide technical and security
guidance for government organizations to support good information security
practices.

3.2. Scope of the Policy


3.2.1. The Information and Cyber Security Policy is developed based on information security governance principles, and several concurrent and continuous information security functions (identify, protect, detect, respond and recover) proposed by NIST[10]. Figure 2 presents an overview of the information and cyber security policy, and Table 1 summarizes the scope of the policy statements.

Figure-2. Overview of the Policy

3.2.1.1. Information security governance principle: The information security governance principle generally refers to the principle that directs and controls the IT security of an organization[14,15]. An acceptable governance principle would require organizations to establish a security organizational structure and appoint officers responsible for information security, undertake capacity building of such officers, define the organization's information security objectives, develop action plans, and secure funding for information security activities.

3.2.1.2. Identify function: The identify function facilitates organizations to develop an adequate understanding of how to effectively manage information and cyber security risk to systems, assets, data, and functionalities (adopted from NIST[10]). To comply with the identify function, organizations shall identify assets which are in the forms of information, critical information infrastructure and IT devices, and assess the risks associated with those assets to establish a formal asset management system.

3.2.1.3. Protect function: The protect function outlines appropriate safeguards required to ensure uninterrupted delivery of critical infrastructure services (adopted from NIST[10]). To comply with the 'protect' function, organizations shall implement appropriate controls and safeguards to prevent, limit or contain the impact of a potential information security event or incident. This includes but is not limited to controlling user access to assets, installing firewalls and antimalware software, conducting systems audits, data encryption, and establishing a backup strategy.

3.2.1.4. Detect function: The detect function defines the appropriate mechanisms required to identify the occurrence of a cybersecurity event (adopted from NIST[10]). To comply with the policy statements covered by the 'detect' function, organizations shall put in place mechanisms to detect information and cyber security activities and events in a timely manner. Organizations shall analyze logs and deploy automated tools to detect incidents in an efficient manner.

3.2.1.5. Respond function: The respond function defines the actions that should be taken in response to a detected information and cyber security incident or event (adopted from NIST[10]). To comply with this function, organizations shall develop and implement an incident response plan for responding to an information and cyber security event in an efficient and effective manner.

3.2.1.6. Recover function: The recover function identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to an information and cyber security incident (adopted from NIST[10]). To comply with the 'recover' function, the organization shall develop a disaster recovery plan and activate it to recover normal operations in a timely manner, reducing the impact of an information and cyber security incident.

Table 1. Scope of Policy Coverage

Policy Aspect: Governance – establish governance structure
Description:
o Information security leadership
o Security organization structure
o Personnel security
o Strategic alignment, action plans
o Capacity building
o Policy compliance
o End user responsibilities

Policy Aspect: Identify – identify organization's assets
Description:
o Identify information, IT assets and critical information infrastructure
o Risk assessment
o Classify assets
o Identify asset owners

Policy Aspect: Protect – protect assets by implementing controls
Description:
o Protect assets based on the risk associated with each asset
o Implement appropriate controls/measures such as:
  - Physical protection
  - Restrict user access
  - Security by design
  - Licensed software
  - Perimeter security, Antimalware
  - Backup strategy
  - Systems audits
  - Secure remote access
  - Secure disposal of assets
  - Security best practices for work from home, Bring your own devices

Policy Aspect: Detect – detect incidents
Description:
o Detect the occurrence of security events in a timely manner
  - Identify incidents by staff
  - Review logs generated by systems
o Implement systems to monitor cybersecurity events
o Report incidents to Sri Lanka CERT

Policy Aspect: Respond – respond to incidents
Description:
o Develop incident response plan
o Activate incident response

Policy Aspect: Recover – recover from incidents
Description:
o Develop disaster recovery plan
o Activate disaster recovery plan
o Crisis communication

4. Policy Statements

4.1. Information Security Governance

Information security governance proposes a mechanism to direct and control information security in the organization. It specifies the leadership and accountability framework which is necessary to ensure that information security activities are properly managed within the organization. It further specifies the importance of strategic alignment, capacity building of accountable individuals, development of action plans, and policy compliance.

4.1.1. Leadership

The Head of the Organization (HOO) shall provide leadership to information security activities of the organization, and shall bear the ultimate responsibility and accountability for protecting information and assets of the organization. The HOO shall establish the organization's information and cyber security program, set up information security goals and priorities that support the vision and mission of the organization, and ensure resources are available to support the information security activities and make them successful.

The HOO shall also provide leadership to create an information security culture within the organization, where users comply with information security policies and guidelines, and work proactively towards protection of the information and systems they use.

Compliance: Applicable to all organizations

4.1.2. Security Organization Structure

The organization shall establish an information security organizational structure. The said structure is essential to execute, direct and manage information security activities of the organization, and to protect the organization against information and cyber security breaches, intrusions and interruptions. An effective information security organizational structure includes key roles such as (1) Information Security Officer, (2) Chief Innovation Officer, and (3) Chief Internal Auditor.

A. Information Security Officer (ISO)

As per the instructions given in the Circular MDIT/Dev/07/15 (23-05-2019), the organization shall appoint an ISO. The ISO shall be a senior-level executive responsible for establishing the organization's information security objectives in consultation with the HOO, managing information security risks, and implementing information security strategies, policies and action plans to ensure that the organization's information and assets are adequately protected.

The ISO shall be the "point of contact" for the subject of information security, and will be responsible for coordinating security policy compliance efforts with Sri Lanka CERT and other stakeholders.

The role of the ISO shall be separated from the IT function, and the ISO shall directly report to the HOO with regard to the activities in relation to information security.

Compliance: Applicable to CNII operators

B. Chief Innovation Officer (CIO)

The CIO (or the officer in charge of the subject of IT) shall be trained and assigned responsibilities to take appropriate steps to protect information and other IT assets, and to ensure the continuity of the business operations of the organization.

Note: In the case of the organization not having a suitable officer to be appointed as the ISO, the CIO or the officer in charge of the subject of IT shall be empowered to play the role of the ISO.

Compliance: Applicable to all organizations

C. Chief Internal Auditor (CIA)

The CIA shall be assigned the responsibilities of initiating and overseeing information security audits of the organization, assessing the progress of adopting information security and standards, and reporting information security related findings to the Audit and Management Committee (AMC) for further action.

Compliance: Applicable to CNII operators

4.1.3. Information Security Committee (ISC)

The organization shall establish an Information Security Committee to provide strategic direction to activities related to information security. This committee shall be responsible for reviewing and approving all information security controls, action plans, asset classification schemes, security policies, incident response plans and disaster recovery plans developed by the ISO, and shall monitor the implementation of such plans. The HOO shall chair the Committee, and the Committee shall consist of the ISO, CIO, CIA, and asset owners.

Compliance: Applicable to CNII operators

4.1.4. Risk Management Committee (RMC)

The organization shall establish a Risk Management Committee. This Committee shall be an independent committee directly reporting to the HOO, and holds the responsibility of overseeing the risk management of the organization with respect to information and IT assets.

The RMC shall identify and evaluate risks in relation to assets, and shall propose appropriate controls to the ISC to take necessary actions to mitigate the risks. The Committee shall include process owners (sectional heads), asset owners, and the ISO. The deputy Head of the organization shall be the chairperson of the Committee.

Compliance: Applicable to CNII operators

4.1.5. End User Responsibilities

Information security is everyone's responsibility. All end users are required to behave responsibly and comply with the Policy regarding the protection of information and IT assets which they have access to.

End user responsibilities shall include but not be limited to appropriate use of information, computing devices, emails, internet, social media, telephones, and faxes. All users shall understand and adhere to the end user responsibilities outlined in the Information and Cyber Security Implementation Guide[4], and the applicable information security practices required by this Policy. Misappropriation of such resources would lead to disciplinary action as stipulated in the Establishment Code and legal action under the Computer Crimes Act or any other applicable Acts of Law.

Compliance: Applicable to all organizations

4.1.6. Capacity Building

The organization shall build the information security capacity of the accountable individuals (ISO, CIO, CIA, Asset Owners, etc.) and the end users through conducting information security awareness and training.

Information security awareness activities shall be carried out to promote security, and to inform the staff of security measures. Training activities are essential to build relevant and needed security knowledge and skills among the government staff.

Information security capacity building shall be an ongoing activity of the organization and it shall be included in the annual training plan.

Compliance: Applicable to all organizations

4.1.7. Personnel Security

Anyone appointed or transferred to a role or position that involves dealing with information classified as "Secret" or "Confidential", or accessing CNII, must go through a security clearance before they are appointed for or transferred to such position, and periodic security clearance checks during their tenure.

Wherever necessary, the organization shall review the background of designated officials before they are appointed to positions related to information security.

Compliance: Applicable to CNII operators

4.1.8. Action Plans

The organization shall develop and implement information security action plans (long term, medium term and short term plans) which define the way in which security is to be guaranteed in realizing the objectives of the organization.

Based on the information security priorities determined by a risk assessment, the organization shall also allocate a budget for information security activities in the action plans.

Compliance: Applicable to all organizations

4.1.9. Strategic Alignment

The organization's information security action plans, which include projects and activities, shall be designed in such a way that those initiatives are linked with the organization's objectives.

Each organization shall analyze the organizational objectives to identify dependencies on information security, and then link information security objectives to overall organizational activities.

Compliance: Applicable to all organizations

4.1.10. Policy Compliance

The organization shall comply with the Information and Cyber Security Policy. Sri Lanka CERT shall conduct annual information security readiness assessments to determine the level of compliance, and the organization shall facilitate Sri Lanka CERT to conduct such assessments.

Compliance: Applicable to all organizations

4.2. Identify Assets, Owners, Users and Risks

The organization shall develop an understanding of its operating environment to manage the information security risks to organizational assets. The organization shall identify information, systems, and IT devices (assets) that are of value to the organization, the owners of the assets, their roles and responsibilities, and the current risks associated with the assets.

4.2.1. Information Assets and IT Assets

The organization shall identify all its important information assets. An information asset is any information that is of value to the organization in performing its organizational functions. Examples of information assets include trade secrets, tender documents, budget sheets, employees' personal records, data gathered by application software related to services offered by the organization, etc. Information assets may come in many different forms such as a paper document, a digital document, a database, a password or encryption key, or any other digital file.

The organization shall also identify IT assets. An IT asset is software (e.g. operating system, payroll system, CNII) or hardware (e.g. computers, hard disks, servers, routers, networks, firewalls) within an information technology environment.

The identification of assets (information and IT assets) shall be performed with the intention of protecting assets from unauthorized access, use, disclosure, disruption, modification, or destruction in order to ensure the integrity, confidentiality, and availability of assets.

Compliance: Applicable to all organizations

4.2.2. Critical National Information Infrastructure (CNII)

Critical National Information Infrastructure are the systems or facilities, the failure or destruction of which would have a devastating impact on the national security, governance, economy, health and social well-being of a nation.

Organizations which maintain CNII shall take appropriate measures to protect such infrastructure as specified in this Policy. Identification of CNII shall be carried out by Sri Lanka CERT. Organizations declared as CNIIs will be subject to a set of instructions which will be supported by the forthcoming Cyber Security Act for enforcement of the instructions.

Compliance: Applicable to CNII operators

4.2.3. Asset Owners and Custodians

The organization shall identify asset owners and custodians. The asset owner is a senior executive level officer or an entity who has the approved management responsibility of controlling the lifecycle of an asset. It is necessary to formally assign ownership of the asset when it is created, or when assets are transferred to the organization or acquired by the organization.

The custodian of the information asset will be responsible for the protection of the asset and for implementing the controls (as identified and approved by the owner of the information asset) related to the protection of the asset.

The asset owner and custodian are also responsible for developing an inventory of assets, classifying assets and protecting assets, defining and reviewing access restrictions to assets, and ensuring appropriate handling when an asset is deleted or destroyed (adopted from ISO 27002[9]).

Compliance: Applicable to all organizations

4.2.4. Information Assets and IT Assets Register

The organization shall record information assets in the information assets register. An information assets register is a formal inventory of the information assets that an organization holds and processes.

At a minimum, an organization shall record the name of the information asset, the location of the information asset, the owner and custodian of the information asset, the date of classification, the computer system which processes the asset, the reason for the classification, disposal requirements, the date to review the classification, and the impact of loss, compromise or disclosure. The information assets register shall be accurate, up to date, consistent and aligned with other inventories.

The organization shall also record details of IT assets in the IT assets register. The IT asset register shall contain, at a minimum, the type of the asset (e.g. hardware, software, server), location of the asset, operating system, license details, users, risk, classification level, estimated value and so forth. The IT asset register shall be accurate, up to date, consistent and aligned with other inventories.

Compliance: Applicable to all organizations

4.2.5. Risk Assessments

The organization shall conduct a risk assessment to determine the threats to and vulnerabilities of the organization's assets, and their impact on assets. The objective of a risk assessment is to identify vulnerabilities and threats to assets (data, computer systems or other digital infrastructure) and decide on which security measures shall be taken in order to reduce risk to an acceptable level.

Based on the risk assessment, the organization shall prioritize risks and record risks in a risk register.

Risk assessment shall be carried out by the RMC of the organization. In the event that the organization does not possess the appropriate skills, a qualified and experienced firm shall be hired for this purpose.

Sri Lanka CERT shall assist CNIIs to conduct Risk and Vulnerability assessments.

Compliance: Applicable to CNII operators

4.2.6. Classify Assets

The organization shall classify assets and determine the sensitivity and criticality of assets. The objective of the classification is to ensure that an asset receives an appropriate level of protection in accordance with its importance to the organization and its sensitivity. Asset classification shall be performed based on the guidelines given in the “National Data Sharing Policy”¹³. The classification levels provided in the Data Sharing Policy are “Secret”, “Confidential”, “Limited Sharing” and “Public”.

IT assets shall be classified into three levels, namely “Critical Systems”, “Sensitive Systems” and “Non-Sensitive Systems”, or components of such systems. A description of the IT assets classification scheme is available in the “Information and Cyber Security Implementation Guide”⁴.

Compliance: Applicable to all organizations

4.3. Protect Assets

Upon identification of the assets, the organization shall implement appropriate controls to prevent, limit or contain the impact of a potential information security event or incident. The controls applied shall be based on the classification of each asset.

To comply, the organization shall control access to assets, enforce processes in place to secure data, define security controls for data-in-transit and data-at-rest, use licensed, authorized software, and deploy protective technology to ensure cyber resilience.

To protect assets, the organization is required to define and implement policies such as an Identity Management and Access Control Policy⁵, a Password Policy, etc. (refer policy statement 4.3.4).

In such instances, the organization shall ensure that all employees, including third party contractors, adhere to the policies. Periodic revisions shall also be made to these policies to ensure that they are adequate and up-to-date. Any violations of these policies shall be reported to the ISC for necessary action.

4.3.1. Protect Data-at-Rest

The organization shall protect data-at-rest. Data at rest is data that is not actively moving from device to device or network to network (e.g. data stored
on a server, cloud, hard drive, laptop, flash drive, or archived/stored).

It is essential to encrypt any data (information assets) which is classified as “Secret” or “Confidential” prior to storing. Other means of protecting data at rest include controlling user access through the Identity Management and Access Control Policy and providing physical protection to assets.

Compliance: Applicable to all organizations

4.3.2. Protect Data-in-Transit

The organization shall protect data-in-transit. Data in transit is data that is actively moving from one location to another, such as across the Internet or through a private network (e.g. data being transferred from site A to site B through an organization-owned private network, including Wi-Fi).

In order to protect data in transit, the organization shall encrypt sensitive information (information classified as “Secret” or “Confidential”) prior to moving it and use secure connections (HTTPS, TLS, SFTP, etc.) for data transfer as prescribed in the latest version of the “Information and Cyber Security Implementation Guide”⁴. Further, the organization shall ensure that the security parameters in Wi-Fi settings have been enabled.

Compliance: Applicable to all organizations

4.3.3. Physical Protection

The organization shall provide physical protection to assets to prevent physical intrusion and unauthorized access. Based on the protection requirements of assets, each organization shall define secure areas to store or process assets which are important to the organization. Information assets classified as “Secret” and “Confidential” are to be stored and processed in the stated secure areas.

Secure areas shall be protected by physical walls, lockable doors and multi-factor entry systems, and shall be monitored continuously through CCTV to prevent physical intrusions and unauthorized access.

Secure areas shall be protected against threats from fire, flood, humidity, electromagnetic fields and temperature. Access to computers, systems or any devices shall be controlled by implementing an Identity Management and Access Control Policy (refer policy statement 4.3.4).

Furthermore, the organization shall use various technologies to control user access to information and IT assets. Such technologies include, but are not limited to, user identities and passwords, access cards, PINs and biometrics.

Compliance: Applicable to all organizations
4.3.4. Identity Management and Access Control

The organization shall control user access to both information and IT assets. Identity management and access control is an approach to managing access to information and IT assets to keep them secure.

Identity management and access control is focused on verifying a user’s identity and their level of access before granting them access to systems and information. Users shall only be granted access to the assets which they need to perform their tasks (need-to-know), and to the assets they need to use to perform tasks (need-to-use). Users shall always be given only the minimum access to systems and information necessary for their role.

Note: Sri Lanka CERT has drafted an “Identity Management and Access Control Policy”⁶ for government organizations which can be customized and adopted by the organization.

Compliance: Applicable to all organizations

4.3.5. Strong Authentication

In accordance with the Identity Management and Access Control Policy, the organization shall use strong authentication for verifying the identity of a user. A username and password combination, and the use of multifactor authentication (MFA), are recommended to authenticate user identity. To ensure a strong authentication process, the organization shall implement a policy for passwords and MFA.

A password policy shall be formulated and implemented by the organization, taking the following measures:

o Passwords must be at least 8 characters long and must consist of both upper and lower case characters (e.g. a-Y), digits (1,9), and special characters (!@$+/).

o All passwords must be changed after predetermined intervals, which is 90 days for regular access. Privileged access should only be granted on a need basis.

Note: Guidelines for developing a password policy are also presented in the Identity Management and Access Control Policy⁶.

The organization shall implement MFA for securing user accounts which have access to secret and confidential information. In designing MFA, the organization shall take into account at least a combination of the user’s knowledge (what you know, e.g. password), possession (what you have, e.g. token, access card), or inherence (what you are, e.g. biometric fingerprint).

Passwords and any other authentication credentials provided to an employee who is leaving the organization shall be withdrawn and removed from all assets to prevent further access by the employee.

Compliance: Applicable to all organizations
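As an added example (not part of the policy document or of Sri Lanka CERT’s own tooling), the Python below encodes the password rules stated in 4.3.5 as checks an organization could run against its own account records: the complexity rule, the 90-day rotation for regular access, privileged accounts flagged for need-based review, and leavers flagged for credential withdrawal. The account records are constructed sample data, and treating any punctuation character as “special” is an assumption, since the policy lists !@$+/ only as examples.

```python
"""Password-policy checks modelled on policy statement 4.3.5.

Added example, not part of the policy document. Assumptions: any punctuation
character counts as "special" (the policy lists !@$+/ as examples), and the
account records below are constructed sample data.
"""
from __future__ import annotations

import string
from dataclasses import dataclass
from datetime import date

MIN_LENGTH = 8          # "at least 8 characters long"
ROTATION_DAYS = 90      # "changed after predetermined intervals which is 90 days"
SPECIAL_CHARACTERS = set(string.punctuation)  # assumption: !@$+/ plus the rest


def complexity_failures(password: str) -> list[str]:
    """Return the 4.3.5 complexity rules the password fails; empty means compliant."""
    failures: list[str] = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case character")
    if not any(c.islower() for c in password):
        failures.append("no lower-case character")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SPECIAL_CHARACTERS for c in password):
        failures.append("no special character")
    return failures


def is_compliant(password: str) -> bool:
    return not complexity_failures(password)


@dataclass
class Account:
    username: str
    last_password_change: date
    privileged: bool = False
    active: bool = True   # False once the employee has left the organization


def rotation_overdue(account: Account, today: date) -> bool:
    """True when a password is older than the 90-day interval for regular access."""
    return (today - account.last_password_change).days > ROTATION_DAYS


def audit_accounts(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Sort accounts into the actions 4.3.5 calls for.

    withdraw          - leaver: credentials must be removed from all assets
    rotate            - regular account whose password is past 90 days
    review_privileged - privileged access is granted on a need basis, so it is
                        reviewed rather than given a fixed rotation interval
    ok                - nothing to do
    """
    report: dict[str, list[str]] = {
        "withdraw": [], "rotate": [], "review_privileged": [], "ok": []}
    for acct in accounts:
        if not acct.active:
            report["withdraw"].append(acct.username)
        elif acct.privileged:
            report["review_privileged"].append(acct.username)
        elif rotation_overdue(acct, today):
            report["rotate"].append(acct.username)
        else:
            report["ok"].append(acct.username)
    return report


# Constructed sample data (not taken from any real system).
ASSESSMENT_DATE = date(2021, 10, 21)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2021, 1, 1)),                   # 293 days old -> rotate
    Account("bob", date(2021, 9, 1)),                     # 50 days old -> ok
    Account("carol", date(2021, 5, 1), privileged=True),  # privileged -> review
    Account("dave", date(2021, 8, 1), active=False),      # has left -> withdraw
]


def sample_audit() -> dict[str, list[str]]:
    return audit_accounts(SAMPLE_ACCOUNTS, ASSESSMENT_DATE)


if __name__ == "__main__":
    for pw in ("password", "Ab1!", "Tr0ub4dor+"):
        print(f"{pw!r}: {complexity_failures(pw) or 'compliant'}")
    for action, users in sample_audit().items():
        print(f"{action}: {users}")
```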
4.3.6. Cloud Computing and Data Sovereignty

Cloud computing generally refers to the availability of ICT resources such as storage, processing, application development platforms, etc., available to users on demand without direct management by the user. Many organizations nowadays are moving to cloud services due to cost savings, scalability and increased performance.

The organization, however, must be extremely cautious about the risks of using cloud services, particularly when using public clouds (a public cloud is a cloud service available to anyone who wants to purchase it). Limited control over the cloud as it is operated in a different jurisdiction, limited visibility of architectures, limited transparency of operations, and possible significant mismatches in service-level agreements (SLAs) are common cloud risks.

The organization shall ensure data sovereignty. Data sovereignty means that data is subject to the laws and governance structures of the country where it is collected.

All activities of the organization in relation to storing and processing data or hosting software applications in other jurisdictions shall be performed in accordance with the forthcoming “Data Protection Act” of Sri Lanka.

Further, it is strictly recommended that organizations perform a proper risk assessment prior to obtaining any cloud service.

Organizations are encouraged to obtain the services of the Lanka Government Cloud (LGC) for cloud service requirements. LGC is a government-owned private cloud service operated by the Information and Communication Technology Agency (ICTA), which was designed to fulfil the cloud service requirements of the government.

Compliance: Applicable to all organizations

4.3.7. Licensed Software and Patch Updates

The organization shall use licensed software with valid updates. This includes, but is not limited to, system software, utility programs, and application software (e.g. word processing packages, databases, browsers, antimalware, etc.).

The organization shall update operating systems and other relevant software with the latest vendor-supplied patches and fixes. Organizations should enable automatic updates.

Compliance: Applicable to all organizations

4.3.8. Antimalware

The organization shall install antimalware software with a valid license. Antimalware tools shall remain active at every potential entry point, malware signatures shall be kept up-to-date, and automatic updates shall be enabled.

Malware detection must be configured for on-access scanning, including the downloading or opening of files and folders
on removable or remote storage, and web page scanning.

Users must be prohibited from changing the configuration of, uninstalling, deactivating or otherwise tampering with antimalware.

Compliance: Applicable to all organizations

4.3.9. Official Emails

The organization shall use official emails for official communications. Official emails are the email accounts provided by the government under the domain name “gov.lk”. Official email accounts are official assets, and the organization has the right to access the account, read emails or delete the account.

The organization shall use emails with the “gov.lk” domain for official communications, and each employee shall use official email for official communication only. Employees must not use official emails for personal communication.

All email attachments, regardless of the source or content, must be scanned for viruses and other destructive programs before being opened or stored on any government organization’s computer system.

All employees must adhere to the guidelines given in the “Safe and Appropriate Use of E-mail” section of the “Information Security and Cyber Implementation Guide”⁴.

Compliance: Applicable to all organizations

4.3.10. Security of Emails

The organization shall configure its email accounts with all applicable security features. To ensure the security of information, the email server shall be hosted in line with the regulatory framework of the forthcoming Data Protection Act.

The organization shall set up email filters to remove emails known to have malware attached and to prevent the inbox from being cluttered by unsolicited and undesired (i.e. “spam”) email. Moreover, when confidential information is sent via email, it must be encrypted.

In the case of email accounts provided by the Lanka Government Network (LGN), ICTA is required to ensure that the email service is securely configured, and security audit reports shall be obtained on a periodic basis for supervisory or regulatory requirements.

Compliance: Applicable to all organizations

4.3.11. Digital Signatures

Where appropriate, the organization shall implement digital signatures to ensure authenticity. Similarly, digital signatures should be used for emails to ensure authenticity, integrity and non-repudiation.

Compliance: Applicable to CNII operators
4.3.12. Perimeter Security Controls

The organization shall install perimeter security controls such as firewalls, Intrusion Detection Systems, etc., to protect assets (information, computers, networks and system assets) against cyberattacks and to prevent malicious software from accessing assets via the Internet.

The organization shall regularly update the perimeter security threat database, install antimalware with automatic updates enabled, replace default settings with appropriate configurations, and disable default vendor-supplied user accounts on such devices and systems. The “Information and Cyber Security Implementation Guide” presents an overview of configuration details.

Compliance: Applicable to all organizations

4.3.13. Secure Remote Access

The organization shall secure remote access to internal networks to prevent unauthorized access to assets from geographically distant locations.

Remote access brings many information security threats to the organization. The risk of eavesdropping as information travels over the public Internet, unauthorized access to systems or data, and the monitoring and manipulation of data are common security risks associated with remote access.

To mitigate the risks of remote access, the organization shall use secure Virtual Private Networks (VPNs), allow only authorized users to access systems based on the identity management and access control policy of the organization, implement multifactor authentication, secure remote access from client devices, and use trusted networks.

Compliance: Applicable to all organizations

4.3.14. Backup Strategy

The organization shall have a strategy to back up data, logs, systems, software, configuration details and any other information that is necessary to restore normal operations in the event of a disaster. This strategy shall be aligned with the organization’s Disaster Recovery Plan (refer section 4.6.1).

Data written onto backup media shall be preserved as per the regulatory requirements of the government. The organization shall also define the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) to determine the frequency of backups.

It is recommended that there be an air gap¹⁶ between the live data and the backup data to protect the backups from any malicious attacks on the live data, including ransomware.

It is further recommended that backups be stored at a fire-proof, secure location which is physically distant from the data processing site. There should also be a mechanism implemented to
detect any changes made to the backups.

Backups containing information assets labeled as “Secret” and “Confidential” shall be stored as per the security requirements specified in the Assets Register.

Compliance: Applicable to all organizations

4.3.15. Security-by-Design

The organization shall follow a security-by-design approach in software acquisitions and in-house software development. The security-by-design approach extends the traditional software development approach by adding security considerations to each stage of the software development lifecycle.

In developing software (or acquiring software), the organization must consider security planning and conducting risk assessments at the project planning stage, defining security requirements in bidding documents, reviewing the security architecture at the design and development stage, reviewing code at the coding stage to identify security-related weaknesses (flaws), and performing vulnerability assessments at the implementation stage to identify security weaknesses in the systems. Finally, at the system decommissioning stage, the systems shall be securely disposed of to ensure that their data and other information assets cannot be accessed and recovered by unauthorized individuals.

The “Information and Cyber Security Implementation Guide”³ provides details on the secure application development lifecycle.

In developing web applications, the organization shall adhere to the “Technical Guidelines for Web Application Security”⁵ provided by Sri Lanka CERT.

Compliance: Applicable to all organizations

4.3.16. Secure Disposal of Assets

Assets shall be disposed of securely using a formal procedure when no longer required.

It is required that the organization’s storage media, which includes but is not limited to optical media (CDs or DVDs), magnetic media (tapes or diskettes), disk drives (external, portable, or removed from information systems), flash memory storage devices (SSDs or USB flash drives) and documents (paper documents, paper output, or photographic media), are disposed of securely.

If the media contains information that is no longer required, the information shall be deleted in an unrecoverable manner to prevent the retrieval of the original information. Low-level sector-based formatting is a possible method of removing information assets contained in media. Shredding or punching are possible ways of permanently destroying media that contain information assets.
If the assets in the storage media are classified as “Secret” or “Confidential”, the safest method of disposal is physical destruction of the media, after obtaining proper approval for the disposal action from the ISC.

Compliance: Applicable to all organizations

4.3.17. Internal Information Security Audit Program

The organization shall have a formal internal information security audit program in place to conduct routine audits that include, but are not limited to, IT security control audits, application security control reviews, network architecture reviews, IT process audits, security compliance reviews, internal and external vulnerability assessments, penetration testing, and web application penetration testing.

Assessments shall be performed periodically (at least annually), after an incident has occurred, after a change is introduced (to the application or hosting environment), after changes to standards or guidelines, after the spread of a virus or malware, or as determined by the ISC.

A formal process to oversee the implementation of recommendations raised in previous audit reports is to be established.

The CIA of the organization shall coordinate the audit, and the CIA of each Ministry shall coordinate the information security audits of the organizations under its purview.

Audits shall be performed by a party qualified to carry out such audits. If the audits are to be carried out by a third party, it is essential that a Non-Disclosure Agreement (NDA) is signed to ensure the confidentiality of the organization’s assets.

Compliance: Applicable to CNII operators

4.3.18. Audits Prior to Deployment

On par with the internal information security audit program, the organization shall perform vulnerability assessments and penetration tests prior to the deployment of any website, web application or system in the live environment.

The organization needs to obtain the services of Sri Lanka CERT, or of a qualified third party nominated by Sri Lanka CERT, to conduct these assessments.

Compliance: Applicable to all organizations

4.3.19. Systems Hardening

The organization shall harden IT assets (operating systems, servers, networks and network devices, databases, and virtual private networks) to reduce their surface of vulnerability by eliminating potential attack vectors and condensing the system’s attack surface.

Hardening of systems shall only be carried out with the support of experienced and skilled personnel.
Compliance: Applicable to all organizations

4.3.20. Work from Home

With the transition to working from home, there is an increase in information security threats. Therefore, employees shall adhere to the “Information Security Guidelines for Working from Home”⁷ issued by Sri Lanka CERT, which outline a set of security best practices when working remotely. IT Administrators shall adhere to the “Minimum Guidelines for IT Administrators”⁸ issued by Sri Lanka CERT to ensure secure access to the organization’s IT assets where working remotely is permitted.

Compliance: Applicable to all organizations

4.3.21. Bring Your Own Device (BYOD)

The organization shall not allow employees to use their personal laptops, smartphones and tablets to carry out official duties.

However, under specific circumstances determined by the ISC, the organization may allow selected employees to use their personal devices to perform official duties, under the supervision of the ISO.

The organization’s security policies apply to BYOD.

Employees’ personal devices shall not be used to process or store information classified as “Secret” and “Confidential” under any circumstances.

When employees’ personal devices are used to perform official duties, the organization shall ensure that user accounts are set up with limited privileges, accounts are protected with strong passwords and multifactor authentication, antimalware software is installed and automatic updates are enabled, and the operating systems, utility software and other application software in use have valid licenses with the necessary patch updates.

Security of the personal device shall be the responsibility of the owner of the device. The organization shall not be liable for any loss or damage to the device, including loss of personal data, due to the use of the device.

Compliance: Applicable to all organizations

4.4. Detect Information Security Incidents

The organization shall implement appropriate measures to identify cybersecurity incidents in a timely manner. The organization shall instruct staff to report any cyber security incidents or policy violations, analyze logs to identify
incidents, and adopt continuous monitoring solutions that detect anomalous activity and other threats to operational continuity.

4.4.1. Report Incidents

Staff shall be clearly advised to immediately report any suspicious activity or any security violation to the ISO. Security violations shall include, but are not limited to, unauthorized access to a network, telecommunication or computer system, the apparent presence of a virus on computers, the apparent presence of any information resource prohibited by guidelines, apparent tampering with any file by an unauthorized user, and violations of these guidelines or the security policy by another user or contractor. Users shall also be instructed to report any vulnerabilities existing on IT assets.

The organization shall provide adequate awareness and training to staff on the detection of incidents, reporting of information security events detected, and preservation of evidence.

Compliance: Applicable to all organizations

4.4.2. Review Logs

The organization shall maintain and review logs (access logs, error logs, server logs, audit logs, firewall logs and antimalware logs) generated by systems and associated components to detect incidents.

The organization shall regularly review logs to detect malicious attacks on systems, and to determine the causes of errors or security breaches.

Logs shall be protected against tampering and unauthorized access. In the case of logs containing sensitive and personally identifiable information, appropriate privacy protection measures shall be taken prior to storage and analysis.

Logs shall be retained for a period of 12 months or as determined by the ISC.

Compliance: Applicable to CNII operators

4.4.3. Continuous Monitoring of Events

The organization shall monitor networks and systems to detect malicious activities, and counter such activities by implementing Intrusion Detection Systems and Intrusion Prevention Systems (IDS/IPS).

The organization can also use Security Information and Event Management (SIEM) systems for security monitoring, and for advanced threat and incident detection.

Compliance: Applicable to CNII operators

4.4.4. Report Incidents to Sri Lanka CERT

As determined by the ISC, the organization is advised to report critical information security incidents to Sri
Lanka CERT immediately for technical advice and handling.

Compliance: Applicable to all organizations

4.5. Respond to Incidents

To comply with the ‘respond’ function, the organization shall develop an incident response plan, and activate the plan in the event of an incident.

4.5.1. Incident Response Plan

The organization shall develop an incident response plan which consists of a set of instructions to detect, respond to, and recover from information security incidents.

The incident response plan shall contain, at a minimum, incident reporting procedures, strategies for the detection, analysis and containment of incidents (eradication or recovery), allocation of information security responsibilities to designated staff, and procedures related to post-incident reviews.

The incident response plan shall be tested and communicated to all staff members of the organization.

Compliance: Applicable to CNII operators

4.5.2. Activate Incident Response Plan

In the event of an information security incident, the designated authorized person shall activate the incident response plan to minimize the impact on the organization’s operations, and to resume normal operations after the event.

In case of an information security incident, the organization has to initiate procedures to identify, collect and preserve information which can serve as evidence for forensic investigations. The general rule is that a person or organization has a duty to retain and preserve all evidence or electronic records/documents concerning pending or foreseeable claims. This includes the responsibility not to lose, destroy, or meaningfully alter documents or similar instruments.

An Incident Register shall be maintained at each organization, listing information related to cybersecurity incidents.

Compliance: Applicable to all organizations
4.6. Recover Normal Operations

The organization shall develop and implement a plan of effective activities to restore any capabilities or services that were impaired due to a disaster.

4.6.1. Disaster Recovery Plan

The organization shall have a Disaster Recovery Plan that will be activated in the event of a disaster to facilitate recovery from that disaster.

The disaster recovery plan shall contain the activities to be performed to recover from a disaster, and the roles and responsibilities of each team member in the plan.

The disaster recovery plan shall be designed by conducting a risk assessment and a business impact analysis of the information and IT assets, and the recovery activities shall be designed by considering the earliest point in time at which it is acceptable to recover the data (recovery time objective), and the earliest point in time at which the organization’s operations and systems must be resumed after a disaster (recovery point objective).

The disaster recovery plan shall be tested and updated on a periodic basis.

Compliance: Applicable to all organizations

4.6.2. Activate Disaster Recovery Plan

In the event of a disaster, the designated authorized person shall activate the disaster recovery plan to minimize the impact on the organization’s operations, and to resume normal operations after the event.

Compliance: Applicable to all organizations

4.6.3. Crisis Communication

In the event of a major crisis (critical disaster, cyber security incident), the organization shall communicate with internal and external parties such as line ministries, victims, media, clients, and law enforcement authorities according to a plan. The organization shall appoint a senior responsible officer as the Media Spokesman to communicate the crisis to the relevant stakeholders.

Compliance: Applicable to all organizations
5. Assessment Framework
5.1. Prior to the implementation of the Information and Cyber Security Policy, it is
essential to identify the present status of government organizations in adopting
information security to protect government resources, and this assessment is
therefore, designed to capture the present status of the government
organization in implementing information security.

5.2. Findings of the assessment will be used by Sri Lanka CERT to establish a baseline
for the organizations in adopting information security, and provide
recommendations to government organizations in implementing the
Information and Cyber Security Policy at their organizations.

5.3. This assessment will be repeated annually, and each year Sri Lanka CERT shall
assess the level of adoption of the Information and Cyber Security Policy at the
relevant organization, and recommendations will be made to improve the overall
information and cyber security readiness of the organization.

5.4. Any organization desiring to assess their level of Information and Cyber Security
Policy adoption could use this assessment framework to evaluate their progress
at any given time.

5.5. The Information Security Officer, Chief Innovation Officer, or the officer in charge of the subject of IT is required to complete this assessment and forward it to Sri Lanka CERT with the signature of the Head of Organization on or before 30th October of each year.

5.6. This assessment questionnaire consists of 50 questions. All government organizations are required to indicate their response (Yes/No) to each question to the best of their knowledge.

5.7. Should the respondent wish to provide a detailed response to each question, the
respondent can provide details in the remarks section at the end of the survey
questionnaire. Respondents can refer to the Glossary of Information and Cyber
Security Policy for detailed explanation of relevant terms.
5.8. Assessment

Policy Assessment Criteria Organization’s Remarks


Reference Response Section

Yes No
Information Security Governance
Security 1. Has the organization appointed an ISO?
Organization 2. Has the organization assigned information
Structure security responsibilities to ISO?
3. If no ISO has been appointed, has the CIO or the
officer in charge of the subject of IT been
assigned information security responsibilities?
4. Does the organization have a committee to
make decisions on Information Security or IT?
5. Does the HOO proactively lead information
security initiatives?
6. Has the organization assigned information
security audit responsibilities to CIA?
Capacity 7. Has the organization taken any steps to develop
Building the information security capacity of
accountable individuals?
Strategic 8. In designing and implementing the
Alignment organization’s functions, policies, strategies or
projects, has your organization taken
information security into account?
Information 9. Does your organization has financial provisions
Security for information security activities?
Action Plan 10. Has your organization developed action plans to
achieve its information security objectives?
Identify Assets, Owners, Users and Risks
Assets 11. Has your organization identified information
assets that have a value to the organization?
12. Has your organization assessed the risk
associated with information assets?
13. Has your organization classified information
assets based on their sensitivity, criticality,
impact of sharing or other means?
14. Has your organization recorded information
assets in an information assets register?
15. Has your organization identified IT assets?
16. Has your organization recorded IT assets in an
IT assets register?
17. Has your organization classified IT assets based
on their criticality?
18. Has your organization identified the owners of
the assets?
Protect Assets

Version 1 33
Encryption
19. Does your organization encrypt sensitive information prior to storage?
20. Does your organization encrypt sensitive information prior to moving it through electronic channels?

Physical Protection
21. Does your organization process or store sensitive information in secure areas?
22. Has your organization taken appropriate measures to protect secure areas from fire, flood, humidity and temperature?
23. Does your organization prevent unauthorized entry to secure areas?

Identity Management and Access Control
24. Does your organization have an Identity Management and Access Control Policy?
25. Does your organization use strong authentication?

Data Sovereignty
26. Does your organization obtain the service of clouds or other digital infrastructure which operate from other jurisdictions?
27. Does your organization assess risk prior to obtaining a cloud service?

Licensed Software and Patch Updates
28. Does the organization use operating systems (OSs) with valid license(s)?
29. Have the organization's OSs been updated with the latest vendor-supplied patches and fixes?
30. Does your organization have a procedure in place to ensure vendor-supplied critical patches are installed on time?

Antimalware
31. Has the organization installed antimalware software with a valid license on all machines?

Email
32. Do the employees of your organization use personal emails for official communication even if they have been given official emails by the organization?
33. Does your organization restrict users from using personal emails for official communications?

Perimeter Security Devices
34. Does your organization have a firewall in your computer network?

Secure Remote Access
35. Does your organization use secure Virtual Private Networks (VPNs) for remote access?
36. Do all the users connecting remotely use a VPN?

Backup Strategy
37. Does your organization back up data?
38. Are the backups stored at a fireproof, secure location which is physically distant from the data processing site?
Secure Disposal of Assets
39. Does your organization follow any of the following methods to dispose of electronic media that contain sensitive information: shredding, punching, physically damaging, degaussing?

Internal Information Security Audit Program
40. Does your organization have an internal information security audit program?
41. Does your organization perform VAPTs through Sri Lanka CERT prior to any deployment of software applications?
42. Have you performed a VAPT for your computer network?
43. Does your organization perform VAPTs for software applications on a periodic basis?

Work from Home
44. Does your organization adhere to the work from home guidelines issued by Sri Lanka CERT?

Bring Your Own Device (BYOD)
45. Does your organization have a formal procedure to register BYOD?
46. Does your organization allow BYOD to process or store critical data?

Detect Information Security Incidents

Report Incidents
47. Has the organization instructed staff to report any suspicious activity, contact, theft, virus, vulnerability, unauthorized access, tampering with files, or violation of security policy to the person in charge of information security?
48. Have you ever reported cyber security incidents to Sri Lanka CERT or any other party?

Respond to Incidents

Incident Response Plan
49. Has your organization developed an Incident Response Plan?

Recovery from Incidents

Disaster Recovery Plan
50. Does your organization have a Disaster Recovery Plan developed to facilitate recovery in the event of a disaster?
Glossary

Air Gap: "An air gap is a technical configuration of the backup environment where backup data is stored offline and completely separate from the production environment. Because the data is stored in this way, it's much harder for malicious parties to access the data remotely and sabotage or delete it." [16]

Antimalware: Anti-malware is software designed to identify malware on devices or to prevent malware from infecting computer systems or electronic devices. Malware is any software intentionally designed to cause damage to a computer, server or computer network (e.g. viruses, worms, ransomware).

Assets Classification: Classification is the process of categorizing information assets based on their level of sensitivity, criticality and the impact of sharing that information. The primary objective is to ensure that information receives a level of protection appropriate to its importance to the organization.

Assets Custodian: The person in the organization who is responsible for protecting an information asset throughout its lifecycle, as it is stored, transported or processed, in line with the requirements defined by the information asset owner.

Assets Owner: The person responsible for the day-to-day management of assets.

Availability of Information: Availability ensures timely and reliable access to and use of information.

Confidentiality of Information: Confidentiality refers to the assurance that information is not disclosed to unauthorized people and organizations.

Criticality of Information: A measure of the degree to which an organization depends on the information or IT assets for the success of a mission or of an organizational function. Criticality is comprised of two components, Integrity and Availability. Integrity Criticality is the degree to which the value of the information is determined by its reliability. Availability Criticality is the degree to which the value of the information is determined by its accessibility when needed.

Critical National Information Infrastructure (CNII): Critical information infrastructure comprises the systems or facilities whose incapacity or destruction would have a debilitating impact on the national security, governance, economy, health and social well-being of a nation.

Cyber Security: A subset of information security, referring to the protection of information and IT assets from being compromised or attacked through cyber means (that is, through the use of Internet technologies).

Digital Signature: A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. It provides sender authenticity (the identity of the user), message integrity (guarding against improper modification or destruction) and non-repudiation (the claimed sender cannot later deny generating the document).
Encryption: Encryption is the process of converting a plaintext message into a secure, coded form of text which cannot be understood without converting it back via decryption.

Government Organizations: The government organizations are the public authorities defined in the Right to Information Act No. 12 of 2016.

Information Security Controls: Security controls are safeguards or countermeasures to avoid, detect, counteract or minimize security risks to information and IT assets. Controls may be technologies, policies, procedures or processes put in place to protect information assets.

Information Security Officer (ISO): The Information Security Officer is a senior-level executive responsible for establishing and maintaining the organization's objectives, strategy and action plans to ensure that information assets are adequately protected.

Information Security Committee (ISC): The Information Security Committee is responsible for leading and managing all information security related activities within the organization, including information security planning, funding, implementation and monitoring the implementation of information security measures.

Security Information and Event Management systems (SIEM): A SIEM is a solution that combines the collection of data from log files for analysis and reporting on security threats and events, conducts real-time system monitoring, notifies network administrators about important issues, and establishes correlations between security events to provide real-time analysis of the security alerts generated by applications and network hardware.

Information Security: Information security means protecting assets from unauthorized access, use, disclosure, disruption, modification or destruction in order to ensure integrity, confidentiality and availability.

Information Assets: An information asset is information or data that is of value to the organization. This includes documents available in electronic format and database records, as well as documents available in paper format. Examples of information assets: a Word file, images, an employee's personal record in a database.

IT Assets: An IT asset is any IT equipment, information system, software or storage medium that is of value to the organization. Examples of IT assets are computers, servers, routers, disks, networks, software, information systems and their components.

IPS/IDS: Intrusion Detection Systems are devices that analyze network traffic to identify known cyberattacks. Intrusion Prevention Systems likewise analyze network traffic to identify known cyberattacks, but can additionally stop an attack by preventing packets from being delivered, based on the type of attack detected.

Integrity of Information: Integrity refers to guarding information against improper modification or destruction. It ensures that information remains in its original form.

Official Email: Official emails are the email accounts supplied by the government under the domain name "gov.lk".

Private Cloud: Services offered over the Internet or over a private internal network to select users only. E.g. Lanka Government Cloud.

Public Cloud: Services available to anyone who wants to purchase them.
Sensitivity of Information: The degree to which the value of the information is determined by its secrecy.

Recovery Point Objective (RPO): RPO indicates the earliest point in time to which it is acceptable to recover the data. For example, if a process can afford to lose up to 4 hours of data before a disaster, then the latest available backup must be no more than 4 hours old at the time of the disaster. Transactions which occurred after the RPO point must be entered again after recovery.

Recovery Time Objective (RTO): RTO indicates the earliest point in time at which the organization's operations and systems must be resumed after a disaster.

Systems Hardening: System hardening is the process of securing a system by changing its default configuration and settings to reduce IT vulnerabilities and the possibility of being compromised. This is done by reducing the attack surface and the attack vectors which attackers continuously try to exploit for malicious activity.

Virtual Private Network (VPN): A Virtual Private Network establishes a secure connection by utilizing an encrypted tunnel for data communication over the Internet.
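The RPO and RTO entries above describe a comparison between backup age, outage length and the organization's stated objectives. The following Python script is an added illustration of that comparison; it is not part of this policy document or of Sri Lanka CERT's guidance. It assumes that each backup timestamp is the point in time the backup's data reflects and that only completed backups are usable restore points; every date, objective and schedule in it is a constructed sample value. It also shows the worst case for a periodic schedule, which the glossary does not spell out: a backup that runs every four hours but takes time to complete can still miss a four-hour RPO.

```python
"""RPO / RTO assessment for a backup schedule.

Added illustration of the Recovery Point Objective and Recovery Time
Objective glossary entries; not part of the policy document or of Sri Lanka
CERT's guidance.  Assumptions: each backup timestamp is the point in time the
backup's data reflects, only completed backups count as restore points, and
all dates, objectives and schedules below are constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Sequence


@dataclass(frozen=True)
class RecoveryAssessment:
    restore_point: Optional[datetime]  # newest usable backup at or before the disaster
    data_loss: Optional[timedelta]     # transactions after this point must be re-entered
    rpo_met: bool
    downtime: timedelta
    rto_met: bool


def select_restore_point(backups: Sequence[datetime], disaster_at: datetime) -> Optional[datetime]:
    """Return the newest backup taken at or before the disaster, or None if there is none."""
    usable = [b for b in backups if b <= disaster_at]
    return max(usable) if usable else None


def assess_recovery(backups: Sequence[datetime], disaster_at: datetime, resumed_at: datetime,
                    rpo: timedelta, rto: timedelta) -> RecoveryAssessment:
    """Compare an actual disaster against the organization's RPO and RTO.

    data_loss is the gap between the restore point and the disaster; the RPO is met
    only if that gap does not exceed it.  downtime is the gap between the disaster and
    the resumption of service; the RTO is met only if downtime stays within it.
    """
    restore_point = select_restore_point(backups, disaster_at)
    if restore_point is None:
        data_loss, rpo_met = None, False  # nothing to restore from at all
    else:
        data_loss = disaster_at - restore_point
        rpo_met = data_loss <= rpo
    downtime = resumed_at - disaster_at
    return RecoveryAssessment(restore_point, data_loss, rpo_met, downtime, downtime <= rto)


def schedule_meets_rpo(interval: timedelta, duration: timedelta, rpo: timedelta) -> bool:
    """Worst-case check for a periodic schedule.

    If backups start every `interval` and take `duration` to complete, a disaster that
    strikes just before a backup finishes leaves only the previous backup usable, so up
    to `interval + duration` of data is lost.  The schedule is safe only if that bound
    is within the RPO.
    """
    return interval + duration <= rpo


def run_sample() -> dict:
    """Evaluate constructed scenarios and return plain values for inspection."""
    rpo = timedelta(hours=4)
    rto = timedelta(hours=8)
    # Constructed sample: completed backups taken at 00:00, 04:00 and 08:00.
    backups = [datetime(2021, 10, 21, h) for h in (0, 4, 8)]
    early = assess_recovery(backups, datetime(2021, 10, 21, 10, 30),
                            datetime(2021, 10, 21, 13, 0), rpo, rto)
    late = assess_recovery(backups, datetime(2021, 10, 21, 12, 30),
                           datetime(2021, 10, 21, 21, 0), rpo, rto)
    none = assess_recovery([], datetime(2021, 10, 21, 12, 30),
                           datetime(2021, 10, 21, 21, 0), rpo, rto)
    return {
        "early_restore_hour": early.restore_point.hour,                 # 8
        "early_loss_minutes": early.data_loss.total_seconds() / 60,     # 150
        "early_rpo_met": early.rpo_met,                                 # True
        "early_rto_met": early.rto_met,                                 # True (2h30 down)
        "late_loss_minutes": late.data_loss.total_seconds() / 60,       # 270
        "late_rpo_met": late.rpo_met,                                   # False
        "late_rto_met": late.rto_met,                                   # False (8h30 down)
        "no_backup_rpo_met": none.rpo_met,                              # False
        "four_hourly_instant_ok": schedule_meets_rpo(timedelta(hours=4), timedelta(0), rpo),          # True
        "four_hourly_30min_ok": schedule_meets_rpo(timedelta(hours=4), timedelta(minutes=30), rpo),   # False
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The second scenario is the one to note when reading question 38 of the checklist: the same four-hourly backups satisfy the RPO for a disaster at 10:30 but not for one at 12:30, and an organization whose backup window is 30 minutes needs a shorter interval than its RPO, not an equal one.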
References

1. Right to Information Act No. 12 of 2016. Available at https://www.rti.gov.lk/.
2. Information and Cyber Security Strategy of Sri Lanka (2019-2023). Published by Research and Policy Unit, Sri Lanka CERT, November 2019. Available at https://cert.gov.lk/documents/NCSStrategy.pdf
3. Minimum Information Security Guidelines. Published by Research, Policy and Projects Division of Sri Lanka CERT. Available at https://www.onlinesafety.lk/wp-content/uploads/2021/07/Minimum Information_Security_Standards_Version1_14-07-2021.pdf
4. Information Security Implementation Guide. Published by Research, Policy and Projects Division of Sri Lanka CERT (forthcoming).
5. Technical Guidelines for Web Application Security. Published by Research, Policy and Projects Division of Sri Lanka CERT. Available at https://www.onlinesafety.lk/wp-content/uploads/2021/04/Technical-Guidelines-for-Web-Application-Security.vf1-1.pdf
6. Identity Management and Access Control Policy for Government. Published by Research, Policy and Projects Division of Sri Lanka CERT. Available at https://www.onlinesafety.lk/wp-content/uploads/2021/04/Attachment-03_Logical-Access-Control-Policy.pdf
7. Information Security Guidelines for Working from Home. Published by Sri Lanka CERT. Available at https://www.onlinesafety.lk/wp-content/uploads/2021/01/IS-Guidelines-for-Working-from-Home.pdf
8. Minimal Guidelines for IT Administrators: Guidelines to Improve Cyber Security to Enable Work from Home. Published by Sri Lanka CERT. Available at https://www.onlinesafety.lk/wp-content/uploads/2021/01/IS-Guidelines-for-Working-from-Home.pdf
9. ISO 27002 (2013): Information Technology – Security Techniques – Information Security Management Systems – Requirements. Published by the International Standards Organization.
10. NIST Cybersecurity Framework. Published by National Institute of Standards and Technology, U.S. Department of Commerce. Available at https://www.nist.gov/cyberframework/online-learning/five-functions
11. NIST (2006): Information Security Handbook: A Guide for Managers. Published by National Institute of Standards and Technology, U.S. Department of Commerce. Available at https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-100.pdf
12. e-Government Policy of Sri Lanka (2009). Published by Information and Communication Technology Agency of Sri Lanka (ICTA).
13. National Data Sharing Policy of Government. Published by Information and Communication Technology Agency of Sri Lanka (ICTA). Available at http://www.data.gov.lk/download/file/fid/362
14. Educause, Information Security Governance. Available at https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/resources/information-security-guide/toolkits/information-security-governance
15. ISO/IEC 38500:2015 Information technology — Governance of IT for the organization.
16. Carbonite (2021), Can Air-Gapped Backup Provide an Extra Measure of Security? Available at https://www.carbonite.com/.