The Centre’s nodal agency Indian Computer Emergency Response Team (CERT-In) has issued fresh guidelines for all government entities to ensure that cyberspace is secure while threats to the country’s critical digital infrastructure are on the rise.
The announcement came after the Delhi Police Special Cell arrested two persons who allegedly leaked personal data of Indians from the CoWIN portal. Prior to this incident, the All India Institute of Medical Sciences (AIIMS) was hit by a ransomware attack in 2022 and nearly 1TB of data of the hospital was encrypted after hackers took control of the servers.
risk
In this digitally connected world, the cyber security scenario in the country has changed a lot in the last few years. Experts and cyber security agencies have highlighted time and again that companies as well as government institutions have become prime targets for hackers.
As per government data, around 14 lakh cyber security incidents are to be reported in 2022. Keeping in view the growing cyber threat in Digital India, where more than 80 crore Indians actively use internet and cyber domain, CERT-In has introduced new guidelines to ensure that Access to a safe and reliable online space.
These guidelines apply to all the Ministries, Departments, Secretariats and Offices listed in the First Schedule to the Government of India (Allocation of Business) Rules, 1961 as well as their attached and subordinate offices. Their administrative purview also includes all government institutions, public sector enterprises and other government agencies.
The new CERT-In guidelines have been issued under the authority conferred by clause (e) of sub-section (4) of section 70B of the Information Technology Act, 2000 (21 of 2000).
what the guidelines say
The guidelines aim to provide security measures to government entities to protect their information systems from cyber attacks. These cover a wide range of topics, including information security policies and procedures, risk assessment on a regular basis, security of network infrastructure, application and data security, and security of end-user devices.
The guidelines also include a list of recommended security controls that government entities should implement. These include designating a Chief Information Security Officer (CISO) for IT security and providing the details of this CISO to CERT-In.
The guidelines also say: “Endpoint security solutions should be deployed for continuous monitoring of end-user devices to detect and respond to cyber threats such as ransomware, malware and unauthorized access. It should record all activities and security incidents happening at all office endpoints, which should be continuously monitored by IT infra/expert team.
In terms of use of personal devices, they say: “Use of personal devices must be authorized by the organization’s relevant network administrator and in accordance with the cyber security policy. Security checks of the system like open ports, installed firewall, antivirus, latest system patches should be done.
The guidelines also include other measures that need to be made and followed by the authorities to protect them from malware, ransomware, phishing, data breach etc. It asked organizations to conduct internal and external audit of the entire ICT infrastructure and deploy appropriate security controls based on that. audit results.
Separately, it talks about formulating a password policy, data backup policy, ensuring multi-factor authentication (MFA) at the user account, as well as timely updates of firmware, operating system and other software.
In terms of social media security, they say: “Access to official social media platform accounts should be restricted and restricted to designated authorities and systems only. Do not use a personal email account to operate an official social media account. Please disable the Geolocation (GPS) access feature for official social media platforms.”
The guidelines also specify a number of security controls that government entities must implement, such as patching software vulnerabilities, risk assessment, and encryption of sensitive data.
Minister of State for Electronics and IT, Rajeev Chandrasekhar said: “The government has taken several initiatives to ensure a safe and secure cyberspace. We are expanding and accelerating cyber security by focusing on capabilities, systems, human resources and awareness.