The central government's nodal agency, the Indian Computer Emergency Response Team (CERT-In), has issued new guidelines for all government agencies to keep cyberspace safe amid a growing threat to the country’s critical digital infrastructure.
The announcement came after the special cell of the Delhi Police arrested two individuals who allegedly leaked the personal details of Indians from the CoWIN portal. Before this incident, the All India Institute of Medical Sciences (AIIMS) was hit by a ransomware attack in 2022, in which hackers encrypted about 1 TB of hospital data after taking control of its servers.
The risk
In this digitally connected world, the country's cybersecurity landscape has changed significantly in recent years. Experts and cybersecurity authorities have repeatedly emphasized that, in addition to companies, government institutions have become common targets for hackers.
According to government data, about 14 lakh cybersecurity incidents were reported in 2022. Given the growing cyber threat in digital India, where over 80 crore Indians are actively using the internet and the cyber domain, CERT-In has introduced new guidelines to ensure citizens have access to a safe and trusted online space.
These guidelines apply to all ministries, departments, secretariats and offices included in the First Schedule to the Government of India (Allocation of Business) Rules, 1961, as well as their affiliated and subordinate offices. They also include all government agencies, public sector enterprises and other government entities under their administrative jurisdiction.
The new CERT-In Guidelines are issued under the authority granted by clause (e) of subsection (4) of Section 70B of the Information Technology Act, 2000 (21 of 2000).
What the guidelines say
The guidelines are intended to provide security measures for government agencies to protect their information systems from cyber-attacks. They cover a wide range of topics, including information security policies and procedures, regular risk assessment, network infrastructure security, application and data protection, and end-user device security.
The guidelines also include a list of recommended security controls for government agencies to implement. These include appointing a Chief Information Security Officer (CISO) for IT security and providing this CISO’s details to CERT-In.
The guidelines also say, “Endpoint security solutions should be deployed to continuously monitor end-user devices to detect and respond to cyberthreats such as ransomware, malware and unauthorized access. It must record all activities and security events that take place on all office endpoints, which must be continuously monitored by the IT Infra/expert team.”
On the use of personal devices, they say: “The use of personal devices must be authorized by the appropriate network administrator of the organization and in accordance with cybersecurity policies. Security checks of the systems such as open ports, installed firewall, antivirus, latest system patches should be performed.”
The guidelines also include other measures that authorities must take and follow to protect against malware, ransomware, phishing, data breaches, etc. They ask organizations to carry out an internal and external audit of the entire ICT infrastructure and to implement appropriate security checks based on the audit results.
Separately, they cover formulating a password policy and a data backup policy, making sure user accounts have Multi-Factor Authentication (MFA), and timely updates of firmware, operating systems, and other software.
In terms of social media security, they say, “Access to accounts of official social media platforms should be restricted and limited to only the designated officers and systems. Do not use a personal email account to manage an official social media account. Disable the geolocation access feature (GPS) for official social media platforms.”
The guidelines also specify a number of security controls for government agencies to implement, such as patching software vulnerabilities, risk assessment and encryption of sensitive data.
Rajeev Chandrasekhar, Minister of State for Electronics and IT, said: “The government has taken several initiatives to ensure a safe and trusted cyberspace. We are expanding and accelerating in cybersecurity – with a focus on capabilities, systems, human resources and awareness.”