Guidelines on Information Security Practices: CERT-In

27 Jul 2023

Context:

Recently, the Indian Computer Emergency Response Team (CERT-In) issued “Guidelines on Information Security Practices” for government entities for a safe and trusted Internet.

About: Guidelines on Information Security Practices: CERT-In

  • Aim: To ensure an open, safe, trusted and accountable Internet for its users.
  • Need: India’s digital landscape has witnessed tremendous growth, with over 80 crore Indians (Digital Nagriks) actively utilizing the Internet and cyberspace.
  • Applicability: 
    • All Ministries, Departments, Secretariats, and Offices specified in the First Schedule to the Government of India (allocation of business) Rules, 1961, along with their attached and subordinate offices.
    • Public sector enterprises
  • Appointment of Chief Information Security Officer: Government organizations should appoint a Chief Information Security Officer (CISO) along with a dedicated cybersecurity team, independent of the IT operations team.
  • Password Management and Browser Security Guidelines: The guidelines recommend the use of complex passwords with a minimum length of 8 characters.
  • Comprehensive Security Domains Covered: The guidelines include various security domains such as network security, identity and access management, application security, data security, third-party outsourcing, hardening procedures, security monitoring, incident management, and security auditing.
  • Data Encryption and Protection: Organizations should identify and encrypt sensitive data during transmission and storage.
  • Threat Analysis and Mitigation: Organizations must analyze potential threats and adopt strategies to counter them.
  • Vulnerability Assessment: Conducting vulnerability assessments helps identify weaknesses in devices and systems, as well as potential threats related to specific ports and services.
  • Mandatory Cybersecurity Incident Reporting: All government and private agencies, including internet service providers, social media platforms, and data centers, must report cybersecurity breaches to the appropriate authority within six hours of detection.
Significance: 
  • Roadmap for Government and Industry: These guidelines are a roadmap for government entities and industry to reduce cyber risk, protect citizen data, and continue to improve the cyber security ecosystem in the country. 
  • Facilitating Audits for Security Assessment: They will serve as a fundamental document for audit teams, including internal, external, and third-party auditors, to assess an organization’s security posture against the specified cybersecurity requirements.
Additional Information:

About CERT-In 

  • CERT-In is the national nodal agency for responding to computer security incidents as and when they occur.
  • Mandate:
    • Collection, analysis and dissemination of information on cyber incidents.
    • Forecast and alerts of cyber security incidents.
    • Emergency measures for handling cyber security incidents.
    • Coordination of cyber incident response activities.

News Source: Times of India
