The Indian government’s latest guidelines requiring organizations to report cybersecurity incidents within 6 hours are certainly a good step toward fighting cybercrime effectively.
According to new guidelines released under Section 70B of the IT Act, all firms and enterprises would be required to report all cyber incidents to the Indian Computer Emergency Response Team (CERT-In).
CERT-In said in a statement that this order is to coordinate response activities and emergency measures in the event of a cybersecurity incident.
Within the Indian jurisdiction, all service providers, intermediaries, data centers, bodies corporate, and government organizations should mandatorily enable logs of all their Information and Communication Technology (ICT) systems and maintain them securely for a rolling period of 180 days. According to the guidelines, “These should be provided to CERT-In along with reporting of any incident or when ordered / directed by CERT-In.” These regulations will take effect 60 days after they are issued.
CERT-In has identified certain shortcomings causing hindrance in incident analysis during the course of handling cyber incidents and interactions with the constituency. Under the provisions of sub-section (6) of section 70B of the Information Technology Act, 2000, CERT-In has issued directives relating to information security practices, procedure, prevention, response, and reporting of cyber incidents in order to enable incident response measures. According to a statement, these instructions will take effect after 60 days.
CERT-In said, “To address the identified gaps and issues so as to facilitate incident response measures, CERT-In has issued directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents under the provisions of sub-section (6) of section 70B of the Information Technology Act, 2000. These directions will become effective after 60 days.”
Union Minister of State for Electronics and IT Rajeev Chandrasekhar said on the microblogging platform Twitter, “To effectvly fight cybercrime, all companies n enterprises must mandatorily report cyber incidents to @IndianCERT, New #CyberSecurity directions for a #SafeAndTrusted Internet issued under Sec 70b of IT Act.”
According to the latest order, data centers, Virtual Private Server (VPS) providers, cloud service providers, and Virtual Private Network (VPN) service providers must register accurate information such as subscriber names, customers hiring the services, and the ownership pattern of the subscribers, and maintain it for five years or a longer duration as mandated by the law.
Other Directives
Other directives cover synchronization of ICT system clocks; maintenance of logs of ICT systems; subscriber/customer registration details to be kept by data centers, virtual private server (VPS) providers, VPN service providers, and cloud service providers; and KYC (Know Your Customer) norms and practices for virtual asset service providers, virtual asset exchange providers, and custodian wallet providers. Data leaks and breaches, attacks on mobile apps, unauthorized access to IT systems, identity theft, and phishing attacks are among the cyber incidents to be reported.
What the Experts Say
Jiten Jain, Voyager Infosec director of digital lab, said, “Many times during LEA (Law Enforcement Agency) requests and investigations, we have seen cases of non-storage or availability of data and proper records with intermediaries and service providers. These guidelines will streamline the data records to be maintained and proper reporting of security incidents to CERT-In.”
Several data breaches at Indian businesses have resulted in the leak of millions of individuals’ personal data.
Some companies continued to ignore cybersecurity researchers’ alerts, acting only after the leaked data was made public.
Cyber Security Researcher Rajshekhar Rajaharia said, “End-user has the right to know if their data is loaded so that an individual can protect himself from fraud transactions, fake loans, ID misuse etc. Government should also force companies to inform their users within 24 hours of the incident. Neither CERT-In nor companies inform users. We saw a lot of data breaches last year. None of them informed their users. As a result, cyber crime, financial frauds and ID misuse have spiked.”
He said that users are still unsure whether their KYC and financial data is safe or not.