Source: The post is based on the article “CERT-In issues “Guidelines on Information Security Practices” for Government Entities for Safe & Trusted Internet” published in PIB on 1st July 2023
What is the News?
Indian Computer Emergency Response Team (CERT-In) on Friday issued “Guidelines on Information Security Practices” for government entities for safe and trusted Internet. The guidelines have been issued under section 70B of the Information Technology Act, 2000.
What is the purpose of Guidelines on Information Security Practices for Government Entities?
The guidelines are a roadmap for government entities and industries to reduce cyber risk, protect citizen data and continue to improve the cybersecurity ecosystem in the country.
The guidelines will apply to all Ministries, Departments, Secretariats, and Offices specified in the First Schedule to the Government of India (Allocation of Business) Rules, 1961, along with their attached and subordinate offices.
What are the key guidelines issued by CERT-In?
Source: Business Standard
Firstly, Government organizations should mandatorily report cyber incidents to CERT-In within six hours of noticing them, as private entities do. They must do so even if third parties flag such incidents. The information shall be shared with stakeholders like sectoral CERTs and regulators.
Secondly, Government offices need to conduct an internal and external audit of their entire cyber infrastructure and deploy appropriate security controls based on the audit.
– Internal information security audits shall be conducted at least once in six months, while third-party security audits need to be conducted annually.
Thirdly, Government organizations need to appoint a Chief Information Security Officer (CISO) who would be accompanied by a dedicated cybersecurity team, separate from the IT operations team.
Fourthly, Government employees can now use only standard user (non-administrator) accounts for accessing the computers for regular work. Admin access will be given to users only with the approval of the chief information security officer (CISO).
Fifthly, Government bodies shall maintain an inventory of authorized hardware and software for their organization, along with a mechanism for automated scanning to detect any unauthorized device or software.
Lastly, the guidelines recommend using complex passwords with a minimum length of 8 characters, never storing usernames and passwords in the Internet browser, and not storing any payment-related information in the Internet browser.