CERT-In has issued new guidelines for all government entities to secure cyberspace amid a growing threat to critical digital infrastructure.
These guidelines apply to all ministries, departments, secretariats, and offices listed in the First Schedule to the Government of India (Allocation of Business) Rules, 1961, as well as their attached and subordinate offices. They also include all government institutions, public sector enterprises, and other government agencies under their administrative purview.
The new CERT-In guidelines have been issued under the authority granted by clause (e) of sub-section (4) of section 70B of the Information Technology Act, 2000 (21 of 2000).
The guidelines aim to provide security measures for government entities to protect their information systems from cyberattacks.
The guidelines also include a list of recommended security controls that government entities should implement. These include nominating a CISO for IT Security and providing the details of this CISO to CERT-In.
The guidelines also say: “Endpoint security solutions should be deployed for continuously monitoring end-user devices to detect and respond to cyber threats like ransomware, malware and unauthorised accesses. It should record all activities and security events taking place on all office endpoints, which should be continuously monitored by the IT Infra/expert team.”
In terms of usage of personal devices, “Use of personal devices must be authorised by concerned Network Administrator of the organisation and in accordance with cyber security policy. Security checks of systems like open ports, installed firewalls, antivirus, and latest system patches must be done.”
The guidelines also say that authorities need to create and follow policies to protect against malware, ransomware, phishing, data breaches, etc. They ask organisations to conduct an internal and external audit of the entire ICT infrastructure and to deploy appropriate security controls based on the audit outcome.
Separately, the guidelines call for formulating a password policy and a data backup policy, enabling Multi-Factor Authentication (MFA) on user accounts, and applying timely updates to firmware, operating systems, and other software.
On social media security, the guidelines state: “Official social media platform accounts access should be restricted and limited to the designated officials and systems only. Do not use a personal email account for operating an official social media account. Disable Geolocation (GPS) access feature for official social media platforms.”
The guidelines also specify a number of security controls that government entities should implement, such as patching software vulnerabilities, risk assessment, and encryption of sensitive data.