The guidelines include a wide range of topics including, information security policies and procedures, risk assessment on a regular basis, security of network infrastructure, application and data protection, and security of end-user devices

Government Issues New Guidelines to Strengthen Cybersecurity – CERT-In Established

Adriana MaraisJuly 1, 23 cybersecurity, India, internet

In order to safeguard the country’s critical digital infrastructure from increasing threats, the Indian Computer Emergency Response Team (CERT-In), the central agency responsible, has released new guidelines for all government entities to follow and ensure the security of cyberspace.

This announcement came after the special unit of the Delhi Police arrested two people who allegedly leaked personal data of Indians from the CoWIN portal. Prior to this incident, the All India Institute of Medical Sciences (AIIMS) was hit by a ransomware attack in 2022 and hackers encrypted around 1 TB of hospital data after gaining control of the servers.

Risk

In this digitally connected world, the country’s cybersecurity landscape has changed significantly over the past few years. Experts and cyber security agencies have repeatedly emphasized that, along with companies, state institutions have become typical targets for hackers.

According to government data, approximately 14,000,000 cyber security incidents will be reported in 2022. Considering the growing cyber threat in digital India, where more than 80 million Indians are actively using the Internet and cyberspace, CERT-In introduced new guidelines to ensure that citizens have access to a safe and reliable online space.

These instructions apply to all the Ministries, Departments, Secretariats and Offices listed in the Government of India (Allocation of Business) Rules, 1961, as well as attached and subordinate offices. They also include all government institutions, public sector companies and other government agencies under their administration.

The new CERT-In instructions have been issued pursuant to section 70B subsection 4 subsection e of the Information Technology Act 2000 (21/2000).

What the instructions say

The goal of the guidelines is to provide security measures for authorities to protect their information systems from cyber attacks. They cover a wide range of topics, including information security policies and procedures, regular risk assessment, network infrastructure security, application and data protection, and end-user device security.

The guidelines also include a list of recommended security measures that government entities should implement. These include appointing a Chief Information Security Officer (CISO) for IT security and providing this CISO’s information to CERT-In.

The guidelines also say: “Endpoint security solutions should be deployed to continuously monitor end-user devices to detect and respond to cyber threats such as ransomware, malware and unauthorized access. It should record all activities and security events that occur across all office endpoints and be monitored by the IT infrastructure/expert team them constantly.”

Regarding the use of personal devices, they say: “The use of personal devices must be authorized by the relevant network administrator of the organization and in accordance with the cyber security policy. System security checks such as open ports, installed firewall, anti-virus, latest system patches must be done.”

The guidelines also include other measures that authorities need to create and follow to protect against malware, ransomware, phishing, data breaches, etc. It asked organizations to conduct an internal and external audit of the entire ICT infrastructure and implement appropriate security audits based on the outcome of the audit.

Separately, it talks about establishing a password policy, data backup policy, ensuring that user accounts have Multi-Factor Authentication (MFA), and timely updates to firmware, operating systems, and other software.

Regarding social media security, they say: “The use of official social media platform accounts should be limited and limited to designated officials and systems only. Do not use a personal email account to maintain an official social media account. Disable the Geolocation (GPS) access feature on official social media platforms.”

The guidelines also define a set of security measures that government entities must implement, such as patching software vulnerabilities, risk assessment, and encryption of sensitive data.

Electronics and IT Minister Rajeev Chandrasekhar said, “The government has taken several initiatives to ensure a safe and secure cyber space. We are expanding and accelerating cyber security with a focus on capability, system, human resources and awareness.”