PDP Framework
Cyber threats are growing in today’s hyper-connected world. The need to safeguard critical infrastructure and information systems has become imperative. Government of India is keen to proactively address this issue across multiple vertical technology products and systems so as to operate in a safer and secure world. The PDP (Prevent, Detect, Protect) Framework was developed by ERTL(E), STQC IT Services, Kolkata in association with the Centre for Distributed Computing, Jadavpur University (CDC-JU), Kolkata under a MeitY-funded project. Its primary objectives were as follows:
Developing CAPACITY and CAPABILITY for:
- Promoting design and development best practices for improving overall security posture of an ICT product or system;
- Developing security testing and assessment methodologies to proactively address the most critical security issues in new areas of technology (products, systems, networks and communication) by proactive identification / early detection of unspecified functionalities and unknown (zero day) vulnerabilities before deployment of the newly released application / software / product; and
- Awareness creation and helping the Government and other organizations to operate in a safer and more secure world.
Taking into consideration the above objectives, the PDP Framework specifies security measures (Prevention, Detection and Protection measures in ICT products, applications and systems throughout its life cycle) for a holistic approach to assuring security from “Design to Disposal”. This generic security assurance framework – the PDP Framework, would help in providing guidance to all stakeholders in implementing the Prevention-Detection-Protection measures at different product life-cycle stages. The specific measures / methodologies to be adopted in different technology areas can be integrated in the framework as “plug and play” options.
The PDP framework is illustrated in Figure 1 below. All stake-holders need to work harmoniously to ensure that a critical ICT product serves the intended purpose through implementation of security best practices during design, development, use, maintenance and disposal. The aim is to ascertain unspecified / unknown vulnerabilities do not creep into the product, system or networks at any stage and compromise its security. The concern is more so in ICT products and systems used in critical infrastructure, especially in emerging areas of technology. The IT security community in our country, therefore, must be geared up to handle this issue. The Framework is based on international Best Practices and Standards. It specifies the Prevention, Detection and Protection measures to help address the security concerns at all stages of the product and for all stakeholders.
The PDP Framework has been conceived as a National framework, for critical ICT products that are manufactured and used in the country. All ICT product manufacturers and users will need to comply with the requirements of this framework.
The implementation and adoption of the PDP Framework by manufacturers and users can be verified by developing an automated compliance checker tool. The objective of this project is to develop such a tool.