Critical Information Infrastructure Protected System as per Information Technology Act, 2000

Here are the notes on Critical Information Infrastructure Protected System as per Information Technology Act, 2000, along with some MCQs and answers:

What is a Critical Information Infrastructure (CII)?

A Critical Information Infrastructure (CII) is a computer resource, the incapacitation or destruction of which would have a debilitating impact on national security, economy, public health or safety.

What is a Protected System?

A Protected System is any computer resource which directly or indirectly affects the facility of a CII.

What are the provisions of the Information Technology Act, 2000 related to CII and Protected Systems?

Section 70 of the Information Technology Act, 2000 (IT Act) defines CII and Protected Systems. It also empowers the Central Government to declare any computer resource to be a Protected System.

The IT Act also provides for the following measures for the protection of CII and Protected Systems:

  • Security measures: The owner or operator of a CII or Protected System is required to take appropriate security measures to protect it from unauthorized access, use, disclosure, disruption, modification or destruction.
  • Reporting of cyber incidents: The owner or operator of a CII or Protected System is required to report any cyber incident to the Indian Computer Emergency Response Team (CERT-In).
  • Investigation of cyber incidents: The Central Government may investigate any cyber incident that affects a CII or Protected System.
  • Penalties: The IT Act provides for penalties for the unauthorized access, use, disclosure, disruption, modification or destruction of a CII or Protected System.

MCQs on CII and Protected Systems

  1. Which of the following is not a Critical Information Infrastructure (CII)?
    • Power grid
    • Air traffic control system
    • Banking system
    • Social media platform
    The answer is Social media platform. Social media platforms are not considered to be CIIs because their incapacitation or destruction would not have a debilitating impact on national security, economy, public health or safety.
  2. Which of the following is a Protected System?
    • A computer system that stores the personal information of government employees
    • A computer system that controls the traffic lights in a city
    • A computer system that manages the inventory of a pharmaceutical company
    • All of the above
    The answer is All of the above. All of the computer systems mentioned above are Protected Systems because they directly or indirectly affect the facility of a CII.
  3. What are the security measures that should be taken to protect a CII or Protected System?
    • Use strong passwords and multi-factor authentication
    • Keep the software up to date
    • Implement a firewall and intrusion detection system
    • Regularly back up the data
    • Train the employees on cyber security
    The answer is All of the above. These are some of the most important security measures that should be taken to protect a CII or Protected System.
  4. What are the penalties for the unauthorized access, use, disclosure, disruption, modification or destruction of a CII or Protected System?
    • Imprisonment for up to three years, or a fine of up to Rs. 5 lakh, or both
    • Imprisonment for up to five years, or a fine of up to Rs. 10 lakh, or both
    • Imprisonment for up to seven years, or a fine of up to Rs. 15 lakh, or both
    The answer is It depends on the severity of the offense. The penalties can range from imprisonment for up to three years and a fine of up to Rs. 5 lakh, to imprisonment for up to seven years and a fine of up to Rs. 15 lakh.