Network security and data protection have become the prevailing theme of recent years, as nations around the world race to enact laws to govern future technology.
The expanding presence of the Internet, and the financial incentives it offers, have attracted attention from a variety of individuals—and not all of them have the best intentions.
A sharp uptick in cybercrime has already put companies on red alert, but new CERT-In guidelines for security breaches have introduced further requirements for firms to comply with.
If your business is likely to be affected by such changes, keep reading to learn more about the CERT-In guidelines, their scope, and best practices for compliance.
In this article:
- What Are the New CERT-In Guidelines?
- CERT-In Guidelines and Scope
- Best Practices for CERT-In Guideline Compliance
- Final Thoughts
- Frequently Asked Questions
What Are the New CERT-In Guidelines?
The Indian Computer Emergency Response Team, or "CERT-In," is in charge of specifying what measures must be taken by firms operating within its jurisdiction, or with data concerning India's citizens.
From issuing guidelines and vulnerability notes to directly collecting security breach information in cyberspace, CERT-In is India's response to the unprecedented growth of worldwide networks and the threats that permeate them.
A recent batch of new guidelines from CERT-In introduces requirements in response to perceived security gaps, and these guidelines could impact the response team's capacity to perform risk and incident analysis at scale. These measures have been mandatory since 2022.
The new CERT-In guidelines for security breaches govern incident reporting, data retention, and more. The intention is to streamline collaborative security efforts between the Indian government and firms utilizing the network for operations that impact Indians.
For example, the new guidelines for security breaches call for extremely quick communication with the national authority in the event that such a breach occurs. More specifically, breaches must now be reported within six hours of discovery.
We'll go over the defined scope of CERT-In's guidelines below and cover the new guidelines themselves.
CERT-In Guidelines and Scope
CERT-In Scope
CERT-In's guidelines are intended to apply to "any entity whatsoever" involved in handling Indian data, even if that entity resides overseas. The following types of entities are specifically listed in the Cyber Security Directions:
- Service providers - Internet service providers are included here, as are cloud service providers, virtual asset services, and government organizations. Intermediaries are covered as well.
- Data centers - These include virtual private server providers.
- Corporate bodies - Firms, sole proprietorships, and all other professional associations qualify.
Guidelines
The actual guidelines put forth by CERT-In in 2022 are as follows:
- Clock sync - All affected entities will need to synchronize their systems' clocks to the Network Time Protocol server of the National Informatics Centre or the National Physical Laboratory.
- Reporting - All cyber incidents must be reported to CERT-In within six hours of detection. Reports can be submitted by email to [email protected], by phone at 1800-11-4949 or by fax to 1800-11-6969.
- Requests - Organizations must comply with orders for information in specific formats and within timeframes provided by CERT-In.
- Logging - Logs must be enabled for all network systems and maintained for a rolling period of 180 days within the Indian jurisdiction.
- Data preservation - Service providers and data centers must register the names, periods/purposes of hire, IP addresses, email addresses, physical addresses, contact numbers, and ownership patterns of their customers. This information must also be preserved for at least five years following service cancellation.
- Transaction tracking - Virtual asset service providers must record Know Your Customer information and financial transaction details for five years. All identifying information must be preserved to facilitate the reconstruction of individual transactions, including public keys, timestamps, IPs, and accounts.
Best Practices for CERT-In Guideline Compliance
Always Report Incidents
Regardless of the nature of your operations or the other parties witnessing a security breach, you are expected to report it independently to CERT-In. The obligation of reporting is "neither transferable nor indemnified or dispensed with."
However, 'vulnerabilities' need not be reported in the absence of an actual incident. Incidents may include anything from targeted security probing and denial-of-service attempts to the compromise of critical systems.
Designate a Point of Contact
Any organization operating in India or handling Indian data is expected to have a designated point of contact within the nation who can communicate directly with CERT-In.
Report Information On Hand On Time
Even if you don’t have access to all the information concerning a given incident within the six-hour window following its detection, you are expected to provide whatever information you have at that moment to CERT-In for assessment.
Final Thoughts
Defending against cyber crimes is a concern of increasing importance in today's always-online environment.
As compliance comes into the picture, companies of all kinds will need to step up their security practices to keep customers’ data safe and satisfy authorities simultaneously.