NIT Agartala CISO, Dr. Nirmalya Kar, presents Risk-Based Assessment & Continuous Security Monitoring framework at State-Level Workshop on Strengthening Cyber Security Frameworks for State Data
Agartala: Tripura should urgently move from policy formulation to implementation by operationalising its cybersecurity governance framework, constituting the State Cyber Security Steering Committee, and establishing the Tripura Computer Security Incident Response Team (CSIRT-Tr), according to Dr. Nirmalya Kar, Chief Information Security Officer (CISO) at the National Institute of Technology (NIT) Agartala.
Delivering his presentation on “Risk-Based Assessment and Continuous Security Monitoring” during the State-Level Workshop on Strengthening Cyber Security Frameworks for State Data, Dr. Kar stressed that cybersecurity should be treated as a statutory responsibility rather than merely a compliance exercise.
According to him, the Tripura Cyber Security Policy 2025 (TCSP 2.0) provides a clear legal framework, and government departments should immediately begin implementing its provisions instead of viewing them as long-term aspirations.
“TCSP 2.0 is not a wish list—it is a mandate. Risk assessment and continuous monitoring are now statutory obligations for every government department in the state,” Dr. Kar observed.
Rising Cyber Threats Demand Immediate Action
Dr. Kar cautioned that Tripura should not consider itself immune from the growing wave of cyberattacks affecting government institutions across India.
Referring to incidents such as the ransomware attack on AIIMS Delhi, the CoWIN data breach, the BSNL subscriber data leak and the Telangana Aadhaar-linked database exposure, he said these cases demonstrate that government digital infrastructure remains a prime target for cybercriminals.
He pointed out that India recorded nearly 13.91 lakh cyber incidents in 2023 while cybercrime losses crossed ₹11,333 crore during the first four months of 2024.
According to Dr. Kar, critical assets such as citizen databases, land records, financial management systems and the State Wide Area Network (SWAN) require continuous monitoring because similar attacks could occur in Tripura if adequate safeguards are not implemented.
“These are not hypothetical scenarios. They happened to Indian government systems, and Tripura’s digital assets are not immune,” he said.
Shift from Compliance to Risk-Based Cybersecurity
Dr. Kar suggested that the government should replace traditional checklist-based cybersecurity practices with a risk-based approach.
Instead of allocating equal protection to all digital assets, departments should prioritise systems based on their likelihood of attack and potential impact on public services.
He recommended adopting a structured Risk Heat Map to identify Critical Information Infrastructure, enabling limited financial and technical resources to be directed towards systems requiring the highest level of protection.
“Not every asset deserves the same protection. Risk-based security ensures finite government budgets deliver maximum resilience where it actually matters,” he noted.
Governance Decisions Can Be Taken Immediately
One of Dr. Kar’s strongest recommendations was the immediate operationalisation of key institutions mandated under TCSP 2.0.
While acknowledging that Tripura has already established the Tripura Security Operations Centre (TSOC), the State Data Centre, and the Security Audit as a Service (SAaaS) platform, he observed that several governance mechanisms remain pending.
He suggested that the State Government should immediately:
- Constitute the State-Level Cyber Security Steering Committee (SLCSSC) chaired by the Chief Secretary;
- Formally establish CSIRT-Tr as the state’s incident response agency;
- Designate Information Security Officers (ISOs) in every government department.
According to him, these are administrative decisions that require leadership rather than additional financial resources.
“Three pre-conditions block everything else: CSIRT-Tr is not operational, SLCSSC is not yet constituted, and ISOs are not designated in most departments. None of these require a budget. All three are governance decisions that can be made this week,” Dr. Kar said.
Suggested Roadmap for Tripura
Dr. Kar proposed a phased implementation strategy for strengthening the cybersecurity ecosystem of Tripura.
In the immediate phase, he recommended constituting the Steering Committee, appointing departmental ISOs and ensuring all departments register on the SAaaS portal.
Over the next year, he suggested establishing CSIRT-Tr, deploying a Security Information and Event Management (SIEM) platform with mandatory 180-day log retention, and implementing Endpoint Detection and Response (EDR) solutions across critical government infrastructure.

For the longer term, Dr. Kar recommended integrating the State's security ecosystem with the national Government Security Operations Centre, adopting a Zero Trust Architecture at the State Data Centre, and establishing a Centre of Excellence for Cybersecurity in collaboration with NIT Agartala.
He also encouraged Tripura to study successful state-level cybersecurity models such as Tamil Nadu’s CSIRT-TN and initiatives undertaken by neighbouring Assam.
Greater Support Needed from Central Agencies
Dr. Kar further suggested that central agencies should extend greater technical and financial support to help northeastern states strengthen cybersecurity capabilities.
He recommended that the National Informatics Centre provide cloud-hosted SIEM and Security Operations Centre services through MeghRaj, while CERT-In should prioritise assistance for establishing CSIRT-Tr.
He also proposed that the Ministry of Electronics and Information Technology consider creating a dedicated cybersecurity budget instead of clubbing cyber expenditure under general IT allocations. Additionally, he sought structured capacity-building support from the National e-Governance Division for future cybersecurity professionals in Tripura.
“TCSP 2.0 provides the mandate. What we are asking central agencies for today is the enablement to operationalise it,” he remarked.
Measuring Success Through Outcomes
According to Dr. Kar, cybersecurity programmes should be evaluated using measurable performance indicators rather than infrastructure purchases.
He suggested targets such as reducing critical vulnerabilities by over 60 percent within 12 to 18 months, lowering the Mean Time to Detect cyber threats to under four hours, and reducing the Mean Time to Respond to incidents to less than two hours.
“If the state CISO cannot produce these numbers on demand, there is no functioning Security Operations Centre—regardless of what equipment has been purchased. These outcomes transform cybersecurity from a cost centre into a governance asset,” he said.
Continuous Monitoring Is Essential
Concluding his presentation, Dr. Kar emphasised that effective cybersecurity begins with complete visibility of government digital assets and continuous monitoring.
“You cannot secure what you haven’t inventoried. You cannot respond to what you don’t continuously monitor,” he concluded.
He thanked the Department of Information Technology, Government of Tripura, along with NeGD and MeitY, for organising the workshop and expressed hope that the recommendations would contribute to strengthening the state’s cybersecurity framework.
