National Advisory Board on Information Security

Provided by: minig
1
National Advisory Board on Information Security
Assurance 4-E Framework for Trusted Sourcing
December 4, 2004
2
4-E Framework - Introduction
The Indian IT software and services industry can
continue on its robust growth path, provided it
can successfully stave off some of the challenges
it will face, as mentioned below, as it moves
forward. NASSCOM has designed a 4-E framework for
future-proofing the IT software and services
industry as a trusted sourcing destination.
  • CHALLENGES
  • the need for a robust legal and enforcement
    framework to stem security and privacy concerns
  • the need to manage the downward pressure on
    revenue (and absolute profitability)
  • the need for adherence to specific country and
    vertical laws
  • the need to improve security infrastructure and
    the availability of quality manpower

The framework has 4 major phases, namely Engage,
Educate, Enact & Enforce, referred to as the 4
Es, that are detailed in the following sections.
3
The 4-E Framework for Trusted Sourcing
E1 ENGAGE
E3 ENACT
E4 ENFORCE
  • Legal Framework Strengthening
  • Conduct Gap Analysis in Legal Scenario
  • Mandate Information Security Certification
  • Enforcement Procedures
  • Institute the NASSCOM Seal of InfoSec Assurance
  • Perform Security Audits and Certifications for
    members
  • Create an enforcement body under the aegis of NAB
  • Perform Yearly Review
  • Develop Incident Response Database aka CERT
  • Develop a Database of all IT/ITES employees
  • Creation of Global and National Advisory Boards
    on Security
  • Define the Charters for the Global and National
    Advisory Board
  • Regulations & Coalitions Involvement
  • Identify and influence regulators in India and
    abroad and identify unique country-specific
    information security requirements
  • Engaging Stakeholders
  • Identify Stakeholders and actively engage them
  • Information Security Assurance Framework
  • Establish the Security Framework maturity model
    program
  • Establish NASSCOM Seal for InfoSec Assurance
  • Establish Cyber-Cop Award

E2 EDUCATE
  • Training & Awareness Campaigns
  • Identify Audience
  • Evaluate possible tie-ups with prospective
    trainers
  • Devise training modes & methodologies
  • Develop training modules
  • Conduct Training and Awareness Sessions
  • Key institutes to include information security as
    a key course

Public-Private Initiatives Propagation of The
Mumbai Cyber Labs Concept
  • Instilling Best Practices in Member Companies
  • Institute Award for member companies
  • Influence Major Insurance Companies
  • Influence Government to offer tangible benefits

4
National Advisory Board (NAB)
CONSTITUTION
  • R1 Steering Committee: NASSCOM Heads Industry
  • R2 Advisory Committee: Legal Judiciary Bodies, Regulatory Bodies
  • R3 Execution Committee: NASSCOM Consultants
  • R4 Support Committee: Industry Associations, Industry Influencers
  • R5 Certification Committee: International Security Standards Certification Bodies
  • R6 Awareness Committee: NIIT Aptech Education Institutes, Media Houses
  • Legal Judiciary Bodies: CBI, CVC and ED
  • Regulatory Bodies: RBI, SEBI, TRAI
  • Industry Associations: ASSOCHAM, CII, FICCI, ISPAI
  • Industry Influencers: Freelancers, Management Gurus, NGOs, CERT, Industry
  • Media Houses: Press, TV, Web, Radio, etc.
  • International Security Standards Certification Bodies: International Organization for Standards (ISO), British Standards Institute (BSI) ISI

5
National Advisory Board (NAB)
ROLE
Laying down security standards
Certification body for members
Liaising with the Ministry of IT
Create sub-committees for specific tasks
Run awareness campaigns
  • Conduct Gap Analysis in Legal Scenario, identify
    amendments
  • Establish the Security Framework Maturity Model
    (SFMM) program.
  • Institute award for member companies.
  • Perform security audits and certifications for
    members.
  • Perform yearly review (planned & unexpected
    checks).
  • Institute the NASSCOM seal of InfoSec
    Assurance.
  • Obtain buy-in from the government to:
  • Institutionalize & propagate the program across
    companies, across various sectors within the
    country.
  • Mandate Certification and tangible benefits.
  • Identify sub tasks like research, PR, liaising
    with other key bodies, knowledge-base/database
    formulation & other support activities.
  • Develop teams (sub-committees) for the identified
    sub tasks.
  • Identify Audience.
  • Evaluate possible tie-ups with prospective
    trainers
  • Devise training modes & methodologies.
  • Develop training modules.
  • Conduct Training and Awareness Sessions.

Responsible Sub-Committees
R2
R5
R6
R4
R3
R1
6
About NASSCOM
  • NASSCOM is India's National Association of
    Software and Service Companies, the premier trade
    body and the chamber of commerce of the IT
    software and services industry in India. NASSCOM
    is a truly global trade body with around 850
    members, of which nearly 150 are global companies
    from the US, UK, EU, Japan and China.
  • NASSCOM's member companies are in the business of
    software development, software services, and
    IT-enabled/BPO services.
  • NASSCOM was set up to facilitate business and
    trade in software and services and to encourage
    advancement of research in software technology.
    It is a not-for-profit organization (funded
    entirely by its members) registered under the
    Societies Act, 1896.
  • NASSCOM has been the strongest proponent of
    global free trade in India. NASSCOM is committed
    to work proactively to encourage its members to
    adopt world class management practices, build and
    uphold highest quality standards and become
    globally competitive.
  • In India and around the world, NASSCOM members
    are participants in the new global economy and
    are reputed for their cutting-edge business
    practices and social initiatives.
  • NASSCOM's vision is to establish India as the
    21st century's software powerhouse and position
    the country as the global sourcing hub for
    software and services.