Authors: Jayshree Chandra, Senior Partner and Anisha Jhawar, Associate at ZEUS Law
Published in Live Law on 18th August 2023
The Indian Computer Emergency Response Team (CERT-In), an organ of Ministry of Electronics and Information Technology (MeitY), is the national nodal agency for responding to computer security incidents in India. Recently, guidelines have been issued by CERT-In regarding the security practices to be adopted by the government entities for ensuring a safe and trusted internet (‘Guidelines’).
The Guidelines is to consolidate best practices related to information security practices and procedures that are required to be followed by ministries, departments, secretariats, and offices and entities associated with these government organisations. The purpose is to establish a benchmark for the cyber security measures and the controls, provide procedures to protect their cyber infrastructure from prominent threats, and cover the best practices to be adopted by the government organisations and associated entities in different security domains such as network security, application security, data security, auditing, third party sourcing as well as prevention and response to combat cyber incidents and cyber security incidents.
The list of requirements and measures that the government organisations and agencies have to follow include:
- Nominating a Chief Information Security Officer (CISO) for Information Technology (IT) security.
- Formulating a cyber security policy as well as a dedicated cyber security functional team, which is separate from IT operations and infrastructure team.
- Conducting regular internal and external third-party audits of the entire ICT (Information and Communication Technology) infrastructure.
- Maintaining inventory of authorised hardware and software with the mechanism for automated scanning for unauthorised device and software.
- Maintaining network and infrastructure security by way of an appropriate network architecture, including the network perimeter, segmenting of the networks with separate VLANs for different functional requirements, using fire walls to create buffer zones between internet and networks, and other mechanisms such as network intrusion detection, web and email filters, etc. so that only the traffic required be exchanged.
- Blocking access to remote desktop applications and installing appropriate security technologies to protect information or information systems being accessed via such remote access.
- Logging enabled devices and restricting the custom of Bring Your Own Device (BYOD) and unknown devices without due authorization.
- Incorporating security at each level of software development lifecycle.
- Enabling log monitoring on a continuous basis with the ability to alert the dedicated team when a security anomaly is detected.
- Identifying and classifying sensitive data and personal data and applying measures for encrypting such data in transit and at rest.
- Implementing micro-segmentation for controlled granular access to database applications.
- Restricting personal external storage media devices for use with the official information systems or assets.
- Designing a data back-up policy within the organisation with regular and monitored back-ups, tools to prevent, contain and respond to data leaks and breaches, and such back-up be kept in an area physically separate from the server.
- Ensuring collection and processing of information is with explicit consent and agreement.
- Thoroughly examining cloud services models and making sure that no server/ storage is inadvertently leaking data due to inappropriate configuration.
- Appropriately securing hardware such as desktop, printers and other commonly used and shared devices in the network from any unauthorised access, exposure and use of information or data leakages.
- Installing only the authorised and licensed software for use from trusted repositories.
- Regularly conducting awareness programmes and educating end users about the security practices to be adopted for dealing with the cyber threats.
- Ensuring security measures in respect of social media including, limited and restricted access to the official social media accounts, using a dedicated separate e-mail to operate the social media accounts, multi-factor authentication, approval of the appropriate authority before posting of the contents on social media handles, disabling geolocation (GPS) access feature for such accounts, as well as enabling security logs with periodic monitoring and enabling alerts for unrecognized login attempts.
- Identifying the possible threat vectors and exploitation points, as well as establishing a formal relationship with the external entities such as CERT-In, sectoral CSIRTs and other stakeholders.
The Guidelines have extensive prescription for Third Party access and outsourcing. The organisations are required to ensure signing stringent non-disclosure agreements before sharing of or allowing access of information to any third party / vendor. The contract should document the information security requirements, such as the general policy on information security, procedures to protect organisational assets, restrictions on copying/ disclosure, return of information/ assets in the possession of third party, water-tight termination clauses for event of security incident or security breach, regular monitoring and auditing the contractual responsibilities, as well as arrangements for reporting and investigation into incidents of breaches. The Vendor is required to follow the data protection norms as well as comply with the information security policies, processes and procedures of the organisation and in case of violation, risk the termination of the contract apart from actions under and as per the applicable laws.
The Guidelines propose Defence-in-Depth (D-i-D) approach along with Zero Trust Architecture to protect the confidentiality, integrity and availability of the network and the data. Zero Trust approach is built around eight pillars, i.e. user device, network, infrastructure, application, data, visibility and analytics ad orchestration and automation.
Private businesses relying on the networks, hardware and software services need to be attuned with these guidelines and adopt appropriate measures, systems, design policies for cyber hygiene and resiliency, as well as have a robust framework for safe, trusted and accountable ICT security practices prior to signing of any contractual document and non-disclosure agreements for their engagements with government organisations and agencies.