To bridge the technical and policy gaps in cybersecurity of government organisations, the Indian Computer Emergency Response Team (CERT-In) on Friday released guidelines on information security practices for all government entities.
The guidelines make it mandatory for government organisations to report cyber incidents to CERT-In within six hours of noticing them, as private entities are already required to do. They must do so even when a third party flags the incident. The information will be shared with stakeholders such as sectoral CERTs and regulators.
“We are expanding and accelerating on Cyber Security – with focus on capabilities, system, human resources, and awareness. The guidelines are an important part of our larger cybersecurity framework being built under the leadership of our PM Narendra Modi ji as India takes rapid strides towards a $1 trillion digital economy,” said Rajeev Chandrasekhar, minister of state for electronics and IT on Friday.
Government offices need to conduct an internal and external audit of their entire cyber infrastructure and deploy appropriate security controls based on the audit. Internal information security audits shall be conducted at least once in six months, while third-party security audits need to be conducted annually. Services of CERT-In empanelled auditors can be utilised for external audits, the guidelines say.
Government organisations need to appoint a chief information security officer (CISO), who would be accompanied by a dedicated cybersecurity team, separate from the IT operations and infrastructure team.
The move comes days after private data collected on Covid-19 vaccine platform CoWin was allegedly leaked. Last year, key government departments, including Railways and All India Institute of Medical Sciences (AIIMS), witnessed incidents of data breaches and cyber-attacks. CERT-In recorded 12,67,564 cyber-attacks till November last year.
Making foolproof
Report security breaches within six hours of being noticed
Mandatory cyber security audits every six months
Employees to be logged out when inactive for more than 15 minutes
Admin access to system only with the approval of chief information security officer
“As ICT infrastructure of the government entities is one of the preferred targets of malicious actors, the responsibility of implementing good cyber security practices for protecting computers, servers, applications, electronic systems, networks, and data from digital attacks also remains with the ICT assets’ owner, i.e. the government entity,” says the rulebook of CERT-In.
Government employees can now use only standard user (non-administrator) accounts to access computers for regular work, and admin access will be granted only with the approval of the CISO. Employees must be logged out of their accounts after 15 minutes of inactivity, and the session may be resumed only after they re-enter their passwords, the guidelines state.
All government employees, including temporary, contractual, and outsourced professionals, are required to strictly adhere to the guidelines.
Apart from this, the government bodies shall maintain an inventory of authorised hardware and software for their organisation along with a mechanism for automated scanning to detect any unauthorised device or software. Use of personal devices would only be authorised by the network administrator of the organisation concerned.
The CISO’s team will monitor the network’s security, respond to security alerts and conduct incident response. It will formulate, enforce and review IT security policies. It will conduct cybersecurity awareness drills and campaigns within the organisation and communicate with CERT-In and other government and industry cybersecurity organisations, the guidelines state.