Cyber security watchdog CERT-In issues guidelines for protection of govt data from cyberattacks, ransomware
|With recurring incidents of cyber-attacks and ransomware on important installations and government offices, the IT Ministry on Friday issued ‘Guidelines on Information Security Practices’ to be followed by government entities to keep them protected from online threats.
The guidelines were issued by the country’s cyber-security watchdog CERT-IN (Indian Computer Emergency Response Team) which released the dos and don’ts around usage and handling of information security practices.
The guidelines were issued as a roadmap that needs to be followed by the government entities and industry to reduce cyber risk, protect citizen data, and continue to improve the cyber security ecosystem in the country.
They will serve as a fundamental document for audit teams, including internal, external, and third-party auditors, to assess an organisation’s security posture against the specified cybersecurity requirements, the government said.
National cybercrime portal got 21 lakh cases, FIRs in only 2%
“The government has taken several initiatives to ensure an open, safe, and trusted and accountable digital space. We are expanding and accelerating on cyber security – with focus on capabilities, system, human resources, and awareness,” Minister of State for IT and Electronics Rajeev Chandrasekhar said.
The guidelines include various security domains such as network security, identity and access management, application security, data security, third-party outsourcing, hardening procedures, security monitoring, incident management, and security auditing.
They also include guidelines prepared by the National Informatics Centre for Chief Information Security Officers (CISOs) and employees of central government ministries/departments to enhance cyber security and cyber hygiene.
The guidelines said that organisations must identify possible threat vectors, exploitation points, tools and techniques, which can compromise the security of the organisation. “The organisation must perform vulnerability assessment to identify vulnerabilities and weaknesses in configuration devices and systems; vulnerabilities and threats associated with the use of specific ports, protocols and services and vulnerabilities introduced due to changes in ICT infrastructure.”
The guidelines also suggested that organisations identify and classify sensitive/personal data and apply measures for encrypting such data in transit and at rest. “Deploy data loss prevention (DLP) solutions / processes,” they said.