comments on saf


Upload: pravin-sinha

Post on 07-Nov-2015


e-Gov Security Policy Framework

Broad level observations

1. The intent of the above document is not clear. In our view, the document should be an introduction to the framework and its implementation methodology.

2. Although the documents constituting the framework have been mentioned in Section 4 (Overview of e-SPF), nothing is said about the contents of these documents, how they are to be used or how they are related to each other.

3. The audience of the document is senior management, and hence certain sections like leadership and risk management can be made more concise.

Specific observations

1. Section 1. Authority
   a. Page 6, para 5, "This project aims at". No explanation is given as to what is being referred to by "This project".

2. Section 3. Information security objective
   a. Pg 8 para, Non-repudiation and Accountability are defined as similar terms, and under "Auditability", Accountability is defined as the ability to audit.
   b. Initially the objectives of security are mentioned as CIAAAA, but a paragraph below, the objective of security is mentioned as CIA.

3. Section 4. Overview of e-SPF
   a. Para 1 defines the audience as "IT Secretary of States and Nodal officers of the state departments". However, the document also covers central MMPs and Ministries. The stated audience does not reflect that.
   b. Pg 10, fig 1, the structure of SAF shown in the figure is not what is described in the succeeding paragraph.
   c. Pg 11, standards are mentioned, but it is not clear which standard is being referred to.
   d. The last 6 paragraphs try to define the structure and content of the framework, but they are very generic descriptions.

4. Section 5. Scope
   a. Para 1 refers to "these guidelines". No clarity is given as to which guidelines are being referred to, or why the guidelines are mentioned under the scope of e-SPF. Further, it is mentioned that the guidelines are a mandate for all government information systems, whereas in the previous section it was mentioned that guidelines are not mandatory. The guideline documents are referred to as presenting standards, but standards and guidelines are separate entities, as mentioned in the previous section.
   b. Para 3, pg 12, the framework is applicable to all information assets in a state. Why is the scope limited to states only?
   c. Para 5, pg 12, "this policy is aligned to the principles". No justification is given for bringing a policy into a framework document. Also, there is no clarity as to which policy is being referred to.
   d. Pg 12 mentions the various domains covered under the framework, which happen to be part of the ISO 27001:2013 framework. It is also mentioned that the domains of third party and BCM have been added over and above the ISO 27001 domains. A.15 of ISO 27001 deals with supplier relationships; does supplier relationship not also cover third-party relationships? A.17 of ISO 27001 already covers business continuity management, so there is no need for an additional domain of BCM.

5. Section 6. Leadership
   a. Permanent Secretary is not a position in the Government.
   b. It is suggested that the section be made more concise.
   c. Pg 14, para 6 talks about an initial privacy risk assessment of new policies or projects. However, no methodology (or reference to one) is provided for doing a privacy risk assessment.

6. Section 7. Governance structure
   a. Pg 15, para 2 talks about the governance structure being covered in the GRC document. There is no GRC document.
   b. Page 16, last para says that a separate methodology is suggested for the implementation of information security with external service providers. However, no reference to the methodology is provided.

7. Section 16. Enforcement
   a. The para says that "the policy shall be operationalized by..". The current document is a framework document, and it is not clear which policy is being referred to.