Karnataka State · State

Karnataka Information Security Policy

Karnataka's state-level framework mandating information security standards, data protection measures, and cybersecurity protocols for government departments, public sector entities, and critical infrastructure.

Framework overview

The Karnataka Information Security Policy establishes comprehensive guidelines for securing digital infrastructure across state government departments, public sector undertakings, and e-governance initiatives. Issued by the Department of Electronics, IT, Bt and S&T, it mandates risk assessment, incident response protocols, access controls, and data classification for all state entities handling citizen data. The policy aligns with national frameworks like CERT-In directions while addressing Karnataka-specific digital governance needs including the Sakala mission, Bhoomi land records system, and Karnataka One portal. It requires annual security audits, vulnerability assessments, and appointment of Chief Information Security Officers (CISOs) across all government departments and agencies.

Advantages
  • Provides structured security baseline for Karnataka's extensive e-governance ecosystem including Bhoomi (30M+ land records), Kaveri (property registration), and Sakala (700+ services) platforms
  • Mandates role-based access controls and audit trails for sensitive citizen data across 30+ districts, reducing unauthorized access risks in revenue, health, and welfare departments
  • Establishes incident response framework coordinated through Karnataka State Data Centre (KSDC) enabling faster breach containment and recovery
  • Requires regular security awareness training for 2 lakh+ government employees handling digital systems, improving human firewall strength
  • Creates accountability through mandatory CISO appointments and security committees at departmental level with reporting to state IT Secretary

Gaps in implementation
  • Enforcement mechanisms remain weak with limited penalties for non-compliance, resulting in delayed implementation across smaller departments and urban local bodies
  • Inadequate budget allocation for security infrastructure in tier-2 and tier-3 district offices, creating vulnerability islands despite policy mandates
  • Lack of standardized security architecture across departments leads to fragmented implementation with varying maturity levels between Revenue, Police, and Health departments
  • Limited integration with private sector entities operating critical infrastructure like power distribution companies (ESCOMs) and transport corporations under state control
  • Insufficient focus on supply chain security and third-party vendor risk management despite extensive outsourcing of IT services and application development

Real-world Indian scenarios
  • In 2019, the Karnataka Bhoomi land records system experienced unauthorized access attempts where hackers tried to manipulate property ownership records; the incident exposed gaps in access controls and prompted stricter authentication requirements under the policy.
  • During 2021, multiple Karnataka government websites including district administration portals were defaced, revealing inadequate patch management and web application firewall deployment despite policy requirements for regular vulnerability assessments.
  • The Karnataka State Road Transport Corporation (KSRTC) online ticketing system faced data breach concerns in 2020 when customer payment information was allegedly compromised, highlighting challenges in securing payment gateways of state PSUs under the policy scope.

Room for improvement
  • Implement centralized Security Operations Center (SOC) at KSDC with 24/7 monitoring capabilities covering all critical state systems including Bhoomi, Sakala, and health information systems
  • Establish mandatory third-party security certifications (ISO 27001, PCI-DSS) for all IT vendors and system integrators working on state projects before contract awards
  • Create dedicated cybersecurity budget line items (minimum 8-10% of IT budget) at departmental level with quarterly utilization audits by state IT department
  • Deploy unified identity and access management (IAM) solution across all government departments with multi-factor authentication for accessing citizen databases and financial systems
  • Conduct bi-annual red team exercises and penetration testing for critical systems like property registration, treasury operations, and public distribution systems with public disclosure of remediation timelines

State Cybersecurity · E-Governance Security · Data Protection · Critical Infrastructure · Government IT Security · Karnataka State Policy

Updated 6/4/2026 · refreshed weekly
