NATIONAL CRITICAL INFORMATION

INFRASTRUCTURE PROTECTION CENTRE

STANDARD OPERATING PROCEDURE

(SOP)

Identification of PPP (Public-Private-Partnership)

entities for partnership with NCIIPC and formulation
of training requirements along-with guidelines for
conducting training

June 2017
VERSION : 1.2
NCIIPC, Block-III, Old JNU Campus
New Delhi-110067
 Table of Contents

1. Introduction ................................................................................................................... 1
2. Objective ....................................................................................................................... 1
3. Identifying PPPs for partnership with NCIIPC ................................................................ 1
4. PPP Proposals .............................................................................................................. 2
5. Assessments of PPP Proposals by Competent Authority .............................................. 3
6. Signing of Memorandum of Understanding (MoU) ......................................................... 3
7. Steering Committee....................................................................................................... 3
8. Training requirements and guidelines for Critical Sectors .............................................. 3
8.1. Training Requirements ................................................................................................. 3
8.1.1. NCIIPC Training Curriculum.......................................................................... 3
8.1.2. Sector Specific Specialised Training ........................................................... 4
8.2. Training Guidelines ....................................................................................................... 4
8.2.1. CISO Training .................................................................................................. 4
8.2.2. NCIIPC Workshops/Trainings ....................................................................... 4
8.2.3. Certifications .................................................................................................... 4
9. Review .......................................................................................................................... 4

Appendix -‘A’ – Outline of MoU

Appendix -‘B’ – NCIIPC CISO Training Curriculum
 Abbreviations

BFSI Banking, Financial Services and Insurance

CERT- In Computer Emergency Response Team - India
CII Critical Information Infrastructure
CISO Chief Information Security Officer
DeitY Department of Electronics & Information Technology
DoT Department of Telecommunication
IB Intelligence Bureau
ICS Industrial Control Systems
IDRBT Institute for Development & Research in Banking Technology
IR Incident Response
ISGF India Smart Grid Forum
MoU Memorandum of Understanding
NCIIPC National Critical Information Infrastructure Protection Centre
NIIT National Institute of Information Technology
OEM Original Equipment Manufacturer
ONGC Oil and Natural Gas Corporation
PPP Public-Private-Partnership
SCADA Supervisory Control and Data Acquisition
SOC Security Operation Centre
STQC Standardisation Testing and Quality Control
1. Introduction
1.1. Developing and organising training and awareness programs is an
important function assigned to NCIIPC. Keeping in mind the diversity of
sectors, organisations and training requirements in Government and also
the private & public sector organisations, NCIIPC needs to identify key PPP
(Public-Private-Partnership) entities for partnership and formulating training
requirements and undertaking training relevant to their area of operations.

1.2. To facilitate the above, a subgroup was constituted during the first NCIIPC
Advisory Board Meeting, held on 11th December 2015. The subgroup
included members from Ministry of L&J (Law and Justice), DoT
(Department of Telecommunication), IB (Intelligence Bureau), DeitY
(Department of Electronics & Information Technology) and NCIIPC. The
subgroup was required to frame a SOP for “Identification of PPP for
partnership with NCIIPC and formulation of training requirements along-
with guidelines for conducting training”.

2. Objective
This document provides standard operating procedure for identification of PPP
entities for partnership and formulates training requirements and guidelines for
conducting training for all stakeholders.

3. Identifying PPPs for partnership with NCIIPC

3.1. Broad parameters for identification of the partner agency/organisation for
entering into a PPP are:-
3.1.1. The organisation must be actively engaged in Information Security
formulation / implementations / management in a CII Sector, and/or
must be recognised by the concerned Ministry. Sectoral Institutions
such as Institute for Development & Research in Banking
Technology (IDRBT) in BFSI (Banking, Financial services and
Insurance), India Smart Grid Forum (ISGF) in Power Sector,
Forums/Institutions under Department of Telecommunication (DoT)
etc. would be given priority for engaging with PPP partnerships.

1|Page
 3.1.2. The organisation must organically possess the requisite skill set with
minimum three years of experience in providing such training course
and not perform outsourcing of manpower for conduct of training.

3.1.3. The organisation under consideration must not be blacklisted by any

Government agency or authority.

3.2. Some suggested organisations include:-

3.2.1. Government R&D organisation such as Centre for Development of
Advanced Computing (C-DAC).
3.2.2. Eminent Government recognised Universities.
3.2.3. Renowned Private Institutions.
3.2.4. Leading ICS/SCADA, OEMs and major public sector organisations
such as Powergrid and ONGC.
3.2.5. Selection of private Institutions / organisation could be made in
consultation with IB and CERT-In.
To identify a PPP for partnership with NCIIPC, operating procedures
mentioned in subsequent paragraphs shall be followed.

4. PPP Proposals
4.1. To identify suitable PPPs across critical sectors, NCIIPC Sectoral
coordinators, including Incident Response (IR), Security Operation Centre
(SOC), and Research and Development units shall submit their PPP
engagement proposals to NCIIPC for examination and approval.

4.2. The PPP proposal shall comprise:-

4.2.1. Details of proposed PPPs.
4.2.2. Description of proposed partner such as qualification and
experience.
4.2.3. Expertise and skill- set such as certification level of instructors.
4.2.4. Demonstrated experience in delivery of similar trainings.
4.2.5. Demonstrated experience in working with public agencies.
4.2.6. Capacity to deliver the required quantity and quality of training /
services.

2|Page
 4.2.7. Training proposals.
4.2.8. Proposed timelines for the training.
4.2.9. Training requirements of the sector along with desired qualification
of the trainees.
4.2.10. Formulation of short term, mid-term and long term engagements.
4.2.11. Budgetary requirements.
4.2.12. Manpower and Infrastructure Requirements.
4.2.13. Additional resources and capacity (If any).

5. Assessments of PPP Proposals by Competent Authority

NCIIPC shall assess the proposals submitted by the Sectoral Coordinators and
other NCIIPC Units for correctness, completeness, and feasibility. Further, in
order to optimise, projects redundant or similar in nature may be merged by the
Competent Authority.

6. Signing of Memorandum of Understanding (MoU)

A MoU shall be signed between NCIIPC and the PPP. The MoU shall outline the
sections as mentioned at Appendix-‘A’.

7. Steering Committee
NCIIPC shall constitute a Steering Committee for each PPP partnership. The
Steering Committee shall be headed by the concerned Sectoral Coordinator and
shall provide guidance, direction and control to the project and monitor progress
or outcomes. Steering Committee shall have five members in total with members
from NCIIPC, CERT-In and STQC along with two co-opted members to be
nominated by DG NCIIPC. Secretariat support shall be provided by NCIIPC.

8. Training requirements and guidelines for Critical Sectors

8.1. Training Requirements

8.1.1. NCIIPC Training Curriculum
The training curriculum shall be aimed to train the Middle Level
Management, Senior Level Management and Chief Information Security
Officers (CISOs) about Critical Information Infrastructure Protection,

3|Page
 Information Security & Policies, Cyber Security, Vulnerability / Threat /
Risk Analysis, Incident Management & Handling, Cyber Audit etc. The
training curriculum is placed at Appendix-‘B’.

8.1.2. Sector Specific Specialised Training

NCIIPC sectoral coordinators shall submit their sector specific specialised
training requirements to Competent Authority. This process may be
included in the PPP identification process as explained above.

8.2. Training Guidelines

8.2.1. CISO Training
For conducting the above training critical sector organisations may contact
NCIIPC. NCIIPC, in turn may organise training in partnership with PPPs as
described in paragraphs above.
However, the critical sector organisation may also organise the NCIIPC
CISO Training Curriculum by hiring training entities suitable to their
organisational needs. For example, an organisation may include the
NCIIPC CISO Training Curriculum in its annual training plan and select a
training provider on its own.

8.2.2. NCIIPC Workshops/Trainings

In addition to above, NCIIPC shall also regularly organise
workshops/trainings for critical sector CISOs.

8.2.3. Certifications
The trainings may be followed by an exam or test, subsequent to which
NCIIPC may provide certification to the trainees.

9. Review
Present SOP shall be reviewed whenever there is a requirement of an update.

4|Page
 Appendix- ‘A’

Outline of Memorandum of Understanding (MoU)

1. Preamble of the project

2. Scope

3. Steering Committee

4. Intellectual Property Rights

5. Representations and Warranties

6. Confidentiality and Announcements

7. Term and Termination

8. Governing Law, Arbitration and Jurisdiction

9. Notice

10. Miscellaneous

Page 1 of 1
 Appendix – ‘B’

National Critical Information

Infrastructure Protection Centre
Training Curriculum
NCIIPC Training Curriculum is aimed at providing awareness to CISO and
Management about their Critical Infrastructure and train them about Information Security
& Policies, Cyber Security, Vulnerability/Threat/Risk Analysis, Incident Management &
Handling, Cyber Audit etc.

2. The training curriculum is designed to train the Senior & Middle Level Management
and is divided into two parts:-
Parts I- Aimed to aware & train the Middle Level Management and focused on
Information Security.

Part II- Aimed to aware & train the Senior Level Management. It is more
specific and focused on Critical Information Infrastructure Protection (CIIP)

3. The criteria for Senior and Middle Level Management are as follows:-

Senior Level Management

Designation: Director, Dy. Director, Asst Director, ED, COO, GM, Head, CISO,
Jt. Secretary (Govt.)

Experience: More than 20 Years

Middle Level Management

Designation: GM, DGM, JGM, AGM, Head, Director (Govt.)

Experience: More than 15 Years

Page 1 of 13
 Appendix – ‘B’

Total
Course Type Duration Duration
(Hrs)
Part - I
For Middle Level 02 weeks (01 week = 5 working days; 01 Day = 7 hrs.)
Management &
Interested OR
parties 70
Can be conducted in 2 phases:
1st Phase - 01 Week
2nd Phase - 01 Week
(15 to 30 days after commencement of Phase 01)

Part - II
For CISO, Middle 01 week (01 week = 6 working days; 01 Day = 7 hrs.)
& Senior level
Mgmt OR
42
Can be conducted into 02 Phases :
1st Phase - 03 days
2nd Phase - 03 Days
(30 to 45 days after commencement of Phase 01)

Page 2 of 13
 Appendix – ‘B’

Course Content
A. Basic Level (Part - I)

Module and Objectives Duration

Name (approx.)
Module 1 – Overview  Understanding Information Security
of Information  Why Care About Security? 3 hrs
Security  Understanding techniques to enforce IS
in an organization
Module 2 - Overview  Overview of Information Security Threats
of Security threats  Types of threats – DDoS, Malicious codes, 3 hrs
Espionage, etc
 Identification of Threats
 Modus Operandi
 Sources of Threats
 Best Practices or Guidelines used to Identify
Threats
 Best Practices or Guidelines used in
mitigation of threats
 Collaborate with peers and experts
through different forums to understand
contemporary issues and solutions
Module 3 -  Why do Information Security Vulnerabilities
Information Security exists 4 hrs
Vulnerabilities  Understanding Security Vulnerabilities
 Understanding Vulnerability Assessment
Tools and Techniques
 Techniques to Exploit Vulnerabilities
 Techniques to Fix the Vulnerabilities
 Best Practices and Guidelines to mitigate
security Vulnerabilities
Module 4 – Risk  What is Risk?
Management  Relationship between Threat, Vulnerability& 3 hrs
Risk
 What Is the Value of an Asset?
 What Is a Threat Source/Agent?
 What Is a Control?
 Risk Management
 Different Approaches to Risk Analysis
 Best Practices and Guidelines in
Assessing and Calculating Risks
Page 3 of 13
 Appendix – ‘B’
Module and Objectives Duration
Name (approx.)
 Develop and implement policies and
procedures to mitigate risks arising
from ICT supply chain and outsourcing.
 Best Practices and Guidelines in
Mitigating Risks.
 Governance, Enterprise Risk
Management, Proactive Risk
identification & Management
Module 5 - Network  OSI Model
Protocols and  Data Encapsulation 8 hrs
Devices  OSI Layers
 Protocols at Each Layer
 Devices Work at Different Layers
 Networking Devices
 Firewall – First line of defense
 Firewall Types
 Firewall Placement
 Firewall Architecture Types
 IDS – Second line of defense
 IPS – Last line of defense?
 Host-based Intrusion Protection System
 Network Service
 VLAN concept in switch
 Static and Dynamic Routing
 Securing Internetworks using ACLs
Module 6 -  Introduction to Directory Services
Understanding  Benefits of DS in a network 5 hrs
Directory Services  DS implementations in different
Operating Systems
 Introduction to active directory
 Logical structure of active directory
 Physical structure of active directory
 Creating Domain
 Creating Additional DC and Read Only DC
 Understanding trees and forest
 Creating and managing Global Catalog
Servers
 Understanding Sites and Securing
domain/network through sites
 Organizing resources in OU
 Understanding Users and Groups

Page 4 of 13
 Appendix – ‘B’
Module and Objectives Duration
Name (approx.)
concepts
 Groups and their rights
 Assigning permissions to users using
group membership
 Securing environment using Local and
Domain Group policies
 Group policies object and Group policy
templates
 Inheritance of group policies
 Execution of Group Policies
 Backup and Restoration of AD
Module 7 - Access  Access Control Administration
Control  Accountability and Access Control 4 hrs
 Trusted Path
 Who Are You?
 Authentication Mechanisms
 Strong Authentication
 Authorization
 Access Criteria
 Role of Access Control
 Control Combinations
 Accountability
 Types of Classification Levels
 Models for Access
 MAC Enforcement Mechanism – Labels
 Rule-Based Access Control
 Remote Centralized Administration
Module 8 -  Access Control Administration
Understanding  Accountability and Access Control 4 hrs
Security  Security Features and Implications of
Architecture and technology solutions
Technologies  Security Technologies and Techniques
 Defense in Depth Security Model
 Understanding of technology solutions
deployed by the organization (servers,
applications, databases, OS, routers, switch,
etc.)
 Hardening of IT and security solutions

Page 5 of 13
 Appendix – ‘B’
Module and Objectives Duration
Name (approx.)
 Improving Security
 Design, implement, and maintain security
architecture of the organization
 Best Practices and Security Guidelines
 Creation of DMZ Zones for servers
Module 9 -  Cryptography
Understanding  Use of certificates in 3 hrs
Cryptography, authentication, encryption, and e-
Tunneling, and commerce
Wireless Security  What Is a Tunneling Protocol?
 Wireless Technologies – WAP
 Software Engineering and System
Survivability
Module 10 - Securing  Database Security Issues
your Database  Redundancy and availability of Database 2 hrs
 Types of attacks
Module 11 - Focus on  Types of Viruses & Malware
Malware, viruses  Potential threats, Emerging class of Malware 3 hrs
and how they  Means of Propagating
subverts security  Protection Measures
 Special attention to critical infrastructure
systems
Module 12 -  Operations Issues
Operations Security  Specific Operations Tasks 5 hrs
 Fault-Tolerance Mechanisms
 Backups
 Facsimile Security
 Email Security
Module 13 -  How Did We Get Here?
Software  Issues in application security (SQL 6 hrs
Development injection, cross scripting, etc.)
Security  Security in SDLC
 Modularity of Objects and Security
 Security of Embedded Systems
 Common Gateway Interface
 Virtualization
 How to develop secure applications;
Application security design
Module 14 - Physical  Physical Security – Threats
Security  Different Types of Threats & Planning 2 hrs
 Entrance Protection

Page 6 of 13
 Appendix – ‘B’
Module and Objectives Duration
Name (approx.)
 Perimeter Protection
 Surveillance/Monitoring
 Types of Physical IDS
 Facility Attributes
 Fire Prevention
 Physical Security Compliance and Auditing
 Convergence of physical and logical security
Module 15 - Cloud  Introduction
Computing and  IAAS 4 hrs
Security  PAAS
 SAAS
 Public Cloud
 Private Cloud
 Hybrid Cloud
 Components of Cloud Computing
 Understanding Network and security
in Cloud
 Understanding Data, Application, and
Service Control and Ownership in
Cloud
 Security issues for Clouds
 Legal and jurisdictional challenges
 Evaluating security of cloud
service providers
 Standards and frameworks for security
and privacy in the cloud
 Resource scheduling
 Third party secure data publication
applied to cloud
 Data and information Control Issues
and Vulnerabilities
 Security Compliance for Cloud Computing
 Encrypted data storage for cloud
Module 16 –  ICS Characteristics, Threats and
Securing Industrial Vulnerabilities. 4 hrs
Control Systems  ICS Security Program Development
and Deployment.
 Network Architecture.
 ICS Security Controls.
Total Duration 70 hrs

Page 7 of 13
 Appendix – ‘B’
B. Advanced Level (Part - II)

Module and Objectives Duration

Name (approx.)
Module 17 -  Need of BCP
Business Continuity  BCP standards and frameworks 3 hrs
Plans  Who Is Ready?
 Pieces of the BCP
 BCP Development
 BCP Risk Analysis
 Determining backup strategy
 What Items Need to Be Considered in
a Recovery?
 BCP Plans Creation, Reviews, and
Updates
Module 18 –  Proper Planning
Disaster Recovery  Backup/Redundancy Options 3 hrs
Planning  Recovery Strategy
 Recovery
 Testing and Drills
Module 19 –  Seriousness of Computer Incidents
Incident  Incidents Management 3 hrs
Management and  Triage
Handling Process  Incident Notification and Communication
 Guidelines for handling security Incidents
 Role of CERT in case of Incident
Module 20 - Third  Need for Third Party Management
Party Management  Identification and management of 3 hrs
Third Party Risks
 Categorization of Third Parties Based on
Risk Perception
 Controls for Mitigating Third Parties Risks
 Security Considerations when Procuring
Services and Products from Third
Parties
 Auditing of Third Parties
 Best Practices and guidelines for managing
Third Party Risks
Module 21 - Legal  Need for Legal Framework and
Framework its enforcement 3 hrs
 Types of Law
 Historic Examples of Computer Crimes
 IT (Amendment) Act 2008
Page 8 of 13
 Appendix – ‘B’
Module and Objectives Duration
Name (approx.)
 National Cyber Security Policy Identification
Protection & Prosecution
 Role of Evidence in a Trial
 Privacy of Sensitive Data
 Sets of Ethics
 GAISP- Generally Accepted Information
Security Principles
Module 22 - Privacy  Understanding Privacy as a Domain
Protection  Relationship between security and privacy 3 hrs
 Revitalizing security program to
enable Privacy Protection
 Assess privacy implications of
security technologies
 Privacy impact assessment
 Develop and implement privacy
protection measures within the
organization
Module 23 - Audit  What is Information Security Audit?
and Testing  Importance of Information Security Audit 4 hrs
 Identifying the Information Security
Audit Objectives
 Audit Planning and preparations
 Performing Security Audits and Reviews
 Vulnerability assessment and
Penetration testing
 Code reviews
 Audit Controls
 Logical security audit
 Ethics and codes of conduct for Auditors
 Security Policies and Procedure Audits
and Compliance Audits
 Conduct and Close internal audits
 Information Security audit tools
 Reporting to senior management on defined
parameters
Module 24 -  What is Computer Forensics?
Computer Forensics  What are the benefits of Computer Forensics? 3 hrs
 Legal Aspects of Computer Forensics
 Role of Computer Forensics in collection of
evidence in Cyber Crimes
 Digital Evidences
 Spoliation and Data Fraud Cases

Page 9 of 13
 Appendix – ‘B’
Module and Objectives Duration
Name (approx.)
 Understanding Digital Forensic Process and
Procedures
 Understanding Computer Forensic
investigating and analysis procedures,
techniques, and tools
Module 25 -  Understanding Security Frameworks
Information  Security Standards 2 hrs
Security Policy and  Understanding organizational
Procedures requirements from an information
security point of view
 Security Policy, Procedures, and Practices
 Develop information security policies
and procedures
 implement information security policies
and procedures
 Collaborate with other departments
within the organization for effective
implementation of security provisions.
 Understand the organization and
individual behaviors for information
security
 Update and upgrade Key
Performance Indicators for security
implementation
 Best practices and Guidelines in developing
information security policies and procedures
Module 26 -  Global Issues
National and  National Security and Cyber Security 2 hrs
International  Critical infrastructure protection
Cooperation  Bilateral cooperation
 National cooperation Sectorial cooperation
 Security Governance
 International Information Security
Organizations, standards, and Compliances
 Information sharing and Incident management
at the national and international levels
 Global treaties, conventions, etc.
Module 27 -  What is “Infrastructure”?
Identification of  “Critical” Infrastructure and “Key Resources” 2 hrs
Critical  Differentiating Critical and Non-Critical
Infrastructure “Assets”
 Challenges Identifying Critical Assets
 Critical Infrastructure
Page 10 of 13
 Appendix – ‘B’
Module and Objectives Duration
Name (approx.)
 Policy Issues
Module 28 -  Vulnerabilities
Vulnerability/Threat o Technology weaknesses 4 hrs
/Risk Analysis o Configuration weaknesses
o Security policy weaknesses
 Threats
o Unstructured threats
o Structured threats
o External threats
o Internal threats
 Attacks
o Reconnaissance
o Access
o Denial of service
o Worms, viruses, and Trojan horses
 Vulnerability Analysis
o Policy identification
o Network analysis
o Host analysis
 Vulnerability-Threats Assessment for
Enterprise Network
 Threat and risk assessment/Analysis
 Risk Assessment/Analysis
o Identifying Potential Risks to
Network Security
o Asset Identification
o Vulnerability Assessment
o Threat Identification
o Open Versus Closed Security Models
 Risk evaluation - relationships - most
critical assets, and threats - assets and the
vulnerability impacts
 Threat and risk
assessment/Analysis -
o identify the safeguards to be adapted
to maintain confidentiality
 Network security integrity
strategy
o identifying the areas of greatest risk
and concentrate on those triggers like
Trojan horses, viruses, and malwares
 Risk Assessment Framework
o The Concepts of Return on

Page 11 of 13
 Appendix – ‘B’
Module and Objectives Duration
Name (approx.)
Investment
o Botnets Propagation Mechanism
o Vulnerability Access Control
o Estimating Risk and Return on
Investment
 The Emergence of Threats on
Enterprise Network
Information Systems
o Threats and the Vulnerabilities
o Network Exploitation
o Client – Side and Client to Client
Exploitation
o Governance, Enterprise Risk
Management, Proactive Risk
identification & Management
 Analysis Tools
Module 29 - Inter-  Cumulative effects of a single security incident
dependencies with on multiple infrastructures. 2 hrs
other sectors /  Interdependencies Control Strategy
organizations  Advantages of Interdependency Analysis
 Survival from Disaster by Interdependencies
Management
Module 30 - Incidence “Network-Centric” Challenges
Response in the NCII  Information Inundation 2 hrs
domain  Networking for Networking’s Sake
Addressing Challenges and Leveraging
“Network Centric” Emergency Response
 Determining Information Requirements
 Overcoming Challenges
o Inaccessible
o Incomplete
o Irrelevant
 Seizing the Information Domain
 Shared Situational Awareness
 Greater Mission Effectiveness
 Support for Ad-Hoc Operations
 Continuity of Operations
Module 31 – Senior  Support security within the organization
Management support through clear direction, 3 hrs
to Critical Information demonstrated commitment, explicit
Infrastructure assignment and acknowledgment
Protection of information security responsibilities
 Ensuring the information security policy and
the information security objectives are
Page 12 of 13
 Appendix – ‘B’
Module and Objectives Duration
Name (approx.)
established and are compatible with the
strategic direction of the organization.
 Directing and supporting persons to
contribute to the effectiveness of the
information security management system.
 Top management shall establish an
information security policy.
 Top management shall ensure that the
responsibilities and authorities for roles
relevant to information security are assigned
and communicated.
Total Duration 42 hrs

Page 13 of 13