Making Safety ‘CERT-In’: Govt Takes Steps to Secure Cyberspace, Issues New Guidelines; Here Are Details – News18

The Centre’s nodal agency, the Indian Computer Emergency Response Team (CERT-In), has issued new guidelines for all government entities to ensure that cyberspace is secure amid a growing threat to the critical digital infrastructure of the country.

This announcement came after the Delhi Police Special Cell arrested two individuals who allegedly leaked the personal data of Indians from the CoWIN portal. Before this incident, the All India Institute of Medical Sciences (AIIMS) was hit by a ransomware attack in 2022 and hackers encrypted about 1TB of hospital data after taking control of the servers.

The risk

In this digitally connected world, the cybersecurity landscape in the country has changed significantly over the last few years. Experts and cybersecurity agencies have highlighted several times that along with companies, government institutions have become typical targets for hackers.

As per government data, approximately 14 lakh cybersecurity incidents were reported in 2022. Considering the growing cyber threat in digital India, where over 80 crore Indians actively use the internet and cyber domain, CERT-In introduced new guidelines to make sure that the citizens have access to a safe and trusted online space.

These guidelines apply to all ministries, departments, secretariats, and offices listed in the First Schedule to the Government of India (Allocation of Business) Rules, 1961, as well as their attached and subordinate offices. They also include all government institutions, public sector enterprises, and other government agencies under their administrative purview.

The new CERT-In guidelines have been issued under the authority granted by clause (e) of sub-section (4) of section 70B of the Information Technology Act, 2000 (21 of 2000).

What the guidelines say

The guidelines aim to provide security measures for government entities to protect their information systems from cyberattacks. They cover a wide range of topics, including information security policies and procedures, risk assessment on a regular basis, security of network infrastructure, application and data protection, and security of end-user devices.

The guidelines also include a list of recommended security controls that government entities should implement. These include nominating a Chief Information Security Officer (CISO) for IT Security and providing the details of this CISO to CERT-In.

The guidelines also say: “Endpoint security solutions should be deployed for continuously monitoring end-user devices to detect and respond to cyber threats like ransomware, malware and unauthorised accesses. It should record all activities and security events taking place on all office endpoints, which should be continuously monitored by the IT Infra/expert team.”

In terms of usage of personal devices, they say: “Use of personal devices must be authorised by concerned Network Administrator of the organisation and in accordance with cyber security policy. Security checks of the systems like open ports, installed firewall, antivirus, latest system patches must be done.”

The guidelines also include other measures that the authorities need to create and follow to protect against malware, ransomware, phishing, data breach, etc. They asked organisations to conduct an internal and external audit of the entire ICT infrastructure and deploy appropriate security controls based on the audit outcome.

Separately, they talk about formulating a password policy and a data backup policy, ensuring that a user account has Multi-Factor Authentication (MFA), and making timely updates to firmware, operating systems, and other software.

In terms of social media security, they say: “Official social media platform accounts access should be restricted and limited to the designated officials and systems only. Do not use a personal email account for operating official social media account. Disable Geolocation (GPS) access feature for official social media platforms.”

The guidelines also specify a number of security controls that government entities should implement, such as patching software vulnerabilities, risk assessment, and encryption of sensitive data.

Rajeev Chandrasekhar, Minister of State for Electronics & IT, said: “The government has taken several initiatives to ensure a safe and trusted and secure cyberspace. We are expanding and accelerating on cybersecurity – with focus on capabilities, system, human resources, and awareness.”