Crisis Management Plan (CMP)
for Countering Cyber Attacks and Cyber Terrorism

March, 2019

NIC-DADF Division, Krishi Bhawan
New Delhi-110001
Outlines

1) Introduction
2) Definitions of CMP
3) Concept of Cyber Crisis Management Plan (CCMP) ---------- 3
4) Purpose of CCMP ---------- 4
5) Structure of CCMP ---------- 5
6) Types of Crisis ---------- 6-8
7) Lines of Action of Cyber Crisis ---------- 9-10
8) Incident Prevention & Precautionary Measures ---------- 11-14

Introduction
Crisis management is a critical organizational function. Failure can result in serious
harm to stakeholders, losses for an organization, or even end its existence. Public
relations practitioners are an integral part of crisis management teams, so a set of
best practices and lessons collected from our knowledge of crisis management
would be a very useful resource for those in public relations. Volumes have been
written about crisis management by both practitioners and researchers from many
different disciplines, making it challenging to synthesize what we know about crisis
management and public relations' place in that knowledge base. The best place to
start this effort is by defining the critical concepts.

Definitions of Crisis Management Plan (CMP)

A crisis is defined as a significant threat to operations that can have negative
consequences if not handled properly. In crisis management, the threat is the
potential damage a crisis can inflict on an organization, its stakeholders, and an
industry.

A crisis can create three related threats: 1) public safety, 2) financial loss, and 3)
reputation loss. Some crises, such as industrial accidents and product harm, can
result in injuries and even loss of lives.

A crisis can create financial loss by disrupting operations, causing a loss of market
share or purchase intentions, or spawning lawsuits related to the crisis. A crisis reflects
poorly on an organization and will damage its reputation to some degree. Clearly
these three threats are interrelated: injuries or deaths will result in financial and
reputation loss, while reputation itself has a financial impact on organizations.

Concepts of Cyber Crisis Management Plan (CCMP)

• The Cyber Crisis Management Plan provides the strategic framework and guides
actions to prepare for, respond to, and begin to coordinate recovery from a cyber
incident.

• It covers the different types of cyber crisis, possible targets and related impact, the
actions and responsibilities of concerned stakeholders, and cyber incident response
coordination among Ministries/Departments of the Central Government, its agencies
and Critical Information Infrastructure organizations, to deal with cyber crisis
situations.

• The field of cyber security is technology intensive, and new vulnerabilities
emerge with progress in technology, giving rise to new types of incidents. As
such, the plan of response to cyber security incidents needs to be updated on a
regular basis, preferably once a year.

• Equip them suitably for implementation, implement, supervise implementation
and ensure compliance among all the organizational units (both public and
private) within their domain.

• Ensure that interruption or manipulation of critical functions/services in
critical sector organizations is brief, infrequent and manageable, and causes the
least possible damage.

Purpose of CCMP

The Cyber Crisis Management Plan for countering cyber attacks and cyber terrorism
describes the framework for cyber incident response coordination among
Ministries/Departments of the Central Government, its agencies and Critical Information
Infrastructure organizations. This crisis management plan addresses the definition and
documentation of IT and cyber security incident management procedures for such
systems and services in the Department of Animal Husbandry and Dairying, Ministry of
Agriculture and Farmers Welfare.

The field of cyber security is technology intensive, and new vulnerabilities emerge with
advancement in technologies, giving rise to new types of incidents. As such, the plan of
response to cyber security incidents needs to be updated on a regular basis, preferably
once a year.
Structure of CCMP

The structure of the Crisis Management Plan for countering Cyber Terrorism has five
sections dealing with the following:

• Concept of Crisis Management Plan
• Nature of cyber crisis
• Incident prevention measures
• Crisis recognition, mitigation and management
• Incident closure and information sharing

Types of Crisis

Crises have many sources, some of which are common to all organizations. Others are
specific to certain industries. For directors, it may be helpful to consider them as fitting
into one of three groups, based on their severity, frequency and timing:

• Potential crises are serious problems that grow larger over time and become
critical if they are not addressed. They include declining sales, profits and share
prices, failure to respond to new competition, investigations by regulators, and
financial difficulties. These problems affect the long-term viability of the entire
organization and should be addressed by the CEO through the strategic planning
and risk management processes. These groupings of crises are linked; for
example, operational crises may be symptoms of potential crises.

• Sudden crises are events that occur unexpectedly and have a major effect on
the organization. These include natural disasters, sabotage and outages of vital
services such as power, water or computers. The CEO should have plans for
managing crises and business continuity and test the plans through realistic
scenario-based simulations.

• Operational crises are the day-to-day, minor crises of running the organization
and serving individual customers. With good management these can be avoided
or promptly resolved.
Types of Crisis and their Impact

1. Malware: "malicious software" such as ransomware, designed to damage or
control a computer system.
2. Phishing: fake official emails (from a bank etc.) link to fake websites, where
victims log in, giving up their passwords.
3. Man-in-the-Middle Attacks: attackers insert themselves between your computer and
the web server.
4. DDoS (Distributed Denial of Service): a network of computers overloads a server
with data, shutting it down.
5. Cross-Site Scripting: malicious code injected into a website targets the visitor's
browser.
6. SQL Injection Attacks: corrupt input makes a server divulge data, such as credit
card numbers and usernames.
7. Domain Name Server (DNS) attacks: total/partial disruption of '.in' registry services;
illegal diversion of Internet and mail traffic to some other countries.
8. Malicious Code attacks (Virus/Worm/Trojans/Botnets): hanging computer systems,
monetary loss, information loss, breakdown of data access services.

Lines of Action of Cyber Crisis

1. Capability to prevent, detect, respond to and recover from cyber crisis: increase
prevention, defence, detection, analysis, response, recovery and coordination
capabilities vis-à-vis cyber threats, placing particular emphasis on the Public
Authorities.

2. Capability to investigate and prosecute cyber terrorism and cybercrime: strengthen
capabilities to detect, investigate and prosecute terrorist and criminal activities in
cyberspace on the basis of an effective legal and operational framework.

3. Knowledge, skills and R&D&I: promote the training of professionals, give impetus to
industrial development and strengthen the R&D&I system in cyber security matters.

4. Cyber security culture: raise the awareness of citizens, professionals and
companies about the importance of cyber security and the responsible use of new
technologies and the services of the Information Society.

5. International commitment: promote a secure and reliable international cyberspace,
in support of national interests.

6. Security and resilience of ICT in the private sector: boost the security and
resilience of infrastructures, networks, products and services using instruments of
public-private cooperation.

7. Incident management: develop incident response and disaster recovery plans
that address the full scope of possible incidents. All plans should be regularly
tested and updated.

8. Monitoring: establish a monitoring strategy taking into account known previous
incidents and attacks. Continuously monitor incoming and outgoing data traffic to
identify unusual activity that may indicate attacks or compromised information.

9. Managing user privileges: users should only be granted the access rights and
privileges that are necessary to do their job. Limit the number of critical accounts,
such as administrators. Monitor user activity, especially access to sensitive
information or unexplained access from abroad. Ensure that the closing of ICT
accounts is part of any staff termination procedure.
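The user-privilege controls in line of action 9 (limit administrator accounts, close accounts of departed staff, watch sensitive access from abroad) can be checked mechanically against an account roster and access records. The script below is an added illustration, not part of the plan; the account names, the administrator cap, the home country code and the access records are all constructed assumptions.

```python
from dataclasses import dataclass

MAX_ADMIN_ACCOUNTS = 3   # assumed cap on privileged accounts (the plan gives no number)
HOME_COUNTRY = "IN"      # assumed; any other country code counts as "access from abroad"


@dataclass
class Account:
    user: str
    role: str        # "admin" or "user"
    enabled: bool


# Constructed sample roster, not taken from the document.
ACCOUNTS = [
    Account("asharma", "admin", True),
    Account("rkumar", "admin", True),
    Account("pnair", "admin", True),
    Account("dsingh", "admin", True),
    Account("mjoshi", "user", True),
    Account("vrao", "user", True),
]

# Staff for whom the termination procedure has already run (constructed).
TERMINATED = {"vrao"}

# Constructed access records: (user, resource, is_sensitive, country_of_access).
ACCESS_LOG = [
    ("mjoshi", "/hr/payroll.xlsx", True, "IN"),
    ("rkumar", "/hr/payroll.xlsx", True, "XX"),
    ("asharma", "/public/circular.pdf", False, "XX"),
]


def review_privileges(accounts, terminated, access_log):
    """Return a list of findings, one string per violated control."""
    findings = []
    # Control: limit the number of critical (administrator) accounts.
    admins = [a.user for a in accounts if a.role == "admin" and a.enabled]
    if len(admins) > MAX_ADMIN_ACCOUNTS:
        findings.append(f"TOO_MANY_ADMINS:{len(admins)}")
    # Control: account closure must be part of the termination procedure.
    for a in accounts:
        if a.enabled and a.user in terminated:
            findings.append(f"TERMINATED_STILL_ENABLED:{a.user}")
    # Control: flag access to sensitive information from abroad for review.
    for user, resource, sensitive, country in access_log:
        if sensitive and country != HOME_COUNTRY:
            findings.append(f"SENSITIVE_ACCESS_FROM_ABROAD:{user}:{resource}")
    return findings
```

Each finding names the control and the account or resource concerned, so the output can go straight to the CSO or ISO responsible for the review.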
PILLARS OF SECURITY

• People
• Policies + Procedures
• Physical Protection


Incident Prevention & Precautionary Measures

1. Nomination of Chief Information Security Officers: JS(IT) nominated as CISO for ____.

2. Information Security Policy and Implementation of Best Practices (IT Group): to
ensure standard practices are in place for maintaining and managing cyber crisis.
PC level: all desktops are provided Internet connectivity from the centralized NIC.

3. Business Continuity Plan (BCP): presently the Local Area Network is in the
restructuring/installation phase at HQ; the Business Continuity Plan (BCP) will be
formulated as per the requirement when the LAN is established in __________.

4. Disaster Recovery Plan (DRP):
• Regular back-up of the existing website and important documents.
• Since the installation of the LAN is at an early stage, the network-level disaster
recovery plan will be made available after commissioning of the LAN.

5. Security of Information Infrastructure and Network:
• All the systems are installed with a licensed operating system.
• The OS is being updated regularly with the latest patches.
• Antivirus is installed with a valid license.
• The LAN is in the restructuring phase.
• Remote monitoring and maintenance of the PCs is strictly restricted.
• The software at network, stand-alone system and application level shall be upgraded
regularly by applying/installing upgrades and updates.

6. Network Traffic Scanning: the LAN is in the restructuring phase.

7. Manpower engaged in cyber security activities: the IT Group at HQ, _______, the CSO
at each zone and the ISO at the field establishments are the dedicated persons
engaged in cyber security activities.

Information security management practices based on ISO 27001 standards provide
guidance with regard to screening and background checks in respect of employees and
other personnel. The organisation may consider following ISO 27001 best practices.

Roles and responsibilities: security roles and responsibilities of employees, contractors
and third party users should be defined and documented in accordance with the
organisation's information security policy.

Security roles and responsibilities should include the requirement to:
a) implement and act in accordance with the organization's information security
policies;
b) protect assets from unauthorized access, disclosure, modification, destruction or
interference;
c) execute particular security processes or activities;
d) ensure responsibility is assigned to the individual for actions taken;
e) report security events or potential events or other security risks to the organization.

Security roles and responsibilities should be defined and clearly communicated to job
candidates during the pre-employment process.

8. Audit and Assurance: a comprehensive security audit of the entire IT infrastructure,
including the Local Area Network, in three steps:
a) Internal Audit by ISO
b) Audit by CSO
c) Third Party Audit by an independent auditor.
Compliance of the audit observations with the security policy shall be documented.

9. Security Training and Awareness: employees of the organisation and, where
relevant, contractors and third party users should receive appropriate awareness
training and regular updates in organizational policies and procedures, as relevant for
their job function.

10. Coordination and Incident information sharing: in case anything wrong or a virus
attack is identified, it is the responsibility of the end user to ensure the information is
shared with Network.
Cyber security exercises conducted by CERT-In may be used as a tool for improving
coordination and information sharing.
