Response to Comments on Information Security Policy


Entries below follow the columns of the original table: SNo, Section, NeGD Comments, Response.

1. Scope

NeGD comment 1): The scope mentions that the policy document defines the security requirements of 18 domains of ISO 27001 (A5 to A18). However, the rest of the policy document does not specify the security requirements for these domains. (Also please note that A5-A18 = 14 domains and not 18 domains.)

Response: The framework includes security requirements for 18 domains as part of the Implementation Guidelines for Security Controls, which is a separate document. It covers the ISO domains as mentioned in Annexure A of ISO/IEC 27001:2013, and Privacy, Cloud, BYOD and BCM. The framework does not follow ISO/IEC 27001:2013. However, it covers the ISO domains.

NeGD comment 2): Domains for Minimum security requirements as mentioned in Scope do not match the domains of the minimum security requirements in Annexure 3.

Response: Domains in Scope are requirements for establishing an ISMS. Annexure 4 gives guidance for Minimum security requirements. These requirements do not pertain to any specific domain. An organization can plan to work on these before a formal Risk Assessment (RA) as they can be a good starting point. Suitable changes have been made in the document to make the text clearer.

NeGD comment 3): It is also mentioned that the domains of "third party" and "BCM" have been added over and above the ISO 27001 domains. A15 of ISO 27001 deals with supplier relationships; it covers third party relationships also. A17 of ISO 27001 already covers business continuity management, so there is no need for any additional domain of BCM.

Response: If we look at FISMA and other international standards (including ISO), they have separate / more detailed guidelines for the "BCM/Contingency Planning" and "Third party security" domains for the government sector. Therefore, these domains are worked upon separately and more comprehensively. A17 covers the information security aspects of Information security while we are covering BCM/Contingency planning practices which are more comprehensive.

The supplier relationship / Third Party is integrated under A15. We have considered the NIST standards (NIST SP 800-34 on contingency planning / NIST SP 800-34 on supplier relationship) and ISO standards (22301 on BCM and ISO 27036 on Third Party) in developing these practices.

2. Annexure

NeGD comments: 1) Annexures 1-3 are not linked in the document. 2) Annexure 4 defines issue-specific policy but is mentioned only under the heading of ISSC.

Response: The Annexures are now suitably mentioned.

3. Org Structure

NeGD comment 1): The structure is not aligned to the MHA information security guidelines (NISPG), which are in turn aligned to the Cyber Security Policy for GOI ver 2.0 issued on 30th August 2010.

Response: Has been suitably aligned. A few additional roles have been suggested.

4. Implementation

NeGD comment 1): The structure of the Assurance Framework shown as figure 1 on the same page does not correlate with the description provided in the document.

Response: Has been removed and is now included only in the Information Security Assurance Framework - Introduction and Overview document.

5. Section 9, 12

NeGD comment: In places, such as under section 9 and section 12, "framework" and "ISMS" have been used instead of "policy".

Response: Section 9 checked; the usage is correct. Section 12 is now removed. Relevant points have been added to Section 9.

6. Annexure 5

NeGD comment: Annexure 5 is incomplete.

Response: System Specific policies are not included as they are supposed to be technology-specific guidelines.

7. General

NeGD comment 1): It is suggested that the policy document should clearly give sample policies in the areas mentioned in the document, i.e. Overall Security policy, Issue Specific policy and System Specific policy.

Response: Has been done.

NeGD comment 2): To give completeness to the document, the cyber security policy prepared by DeitY can be used as a sample for the Overall Security policy covering all the domains of the ISMS, as an Annexure.

Response: We have considered the cyber security policy prepared by DeitY. The Cyber Security Policy by DeitY also includes supporting guidelines for application security, asset management, client system security, network device security, password management, wireless network security etc. These guidelines are included in the document on Implementation Guidelines for Security Controls and are therefore not repeated in the information security policy, as they concern the implementers. The Guidelines for Users, Administrators, Departments and Internet Connected PCs have been considered. The consideration has been to include factors which affect all employees.

NeGD comment 3): The document should be linked to the annexures properly.

Response: The Annexures are now suitably mentioned.

NeGD comment 4): Recently the GOI Email Policy and the Policy on Use of IT Resources have been published in the Gazette of India. The section on General guidelines / media / laptop policy should be aligned to the above mentioned policies.

Response: The suggestion for aligning has been taken into consideration. These policies are suitably referred to.

8.

NeGD comment: The overall document needs improvement in consistency and flow, keeping in mind that this document is intended for Senior Govt Officials to give them a bird's eye view of the basic security requirements of their Department/Ministries.

Response: This document is not intended to give a bird's eye view of the framework to the Senior Government officers; that is the purpose of the Information Security Assurance Framework - Introduction and Overview document. The name of e-SPF is changed to Information Security Assurance Framework - Introduction and Overview to make this aspect clearer. This document applies to all the user groups working on e-Gov systems (including system administrators, network administrators etc.) and users at all levels. It also includes users other than government personnel, which includes application developers (Total Solution Providers), System Integrators (SI), IT security auditors, Data Center Operators (DCO) and Network Operators, including contractors and Third party service providers or any other party on their behalf, which maintain, manage, operate or support information systems, facilities and/or communications networks etc. The document has been checked to improve consistency and flow.