The Indian Computer Emergency Response Team (CERT-In), which is the government’s nodal agency for cybersecurity-related matters, released the Guidelines on Information Security Practices for Government Entities on June 30.
The “infrastructure of government entities is one of the preferred targets of malicious actors, […] The purpose of these guidelines is to establish a prioritized baseline for cyber security measures and controls within government organisations and their associated organisations. The guideline shall assist security teams to implement baseline and essential controls and procedures to protect their cyber infrastructure from prominent threats,” CERT-In explained (emphasis ours).
These new guidelines are in addition to CERT-In’s cybersecurity guidelines issued in April 2022, which apply to all entities (private and public) and cover aspects related to the timeframe for reporting cybersecurity incidents, synchronization of system clocks, maintenance of logs, maintenance of KYC and transaction information for crypto exchanges, and maintenance of detailed customer information for VPN, cloud service and data center providers.
What are the new cybersecurity guidelines for government entities?
1. Appoint Chief Information Security Officer (CISO) and a dedicated cybersecurity team: All government entities are required to nominate a CISO and provide details of the person to CERT-In. The CISO should have a dedicated cybersecurity team. The entity should also formulate a cyber security policy and assign roles and responsibilities to the CISO and the cyber security team.
2. Conduct audits and prepare cyber resiliency plans: Organisations should conduct internal audits of their entire ICT (information and communication technology) infrastructure once every six months and external audits once a year, including conducting vulnerability and threat assessments. They should also formulate plans for cyber resiliency, such as a Business Continuity Plan (BCP) and a Disaster Recovery (DR) plan. These plans should cover preventing cyber security incidents; detecting that an incident has occurred and assessing its severity, scope and type; containing the impact of an incident; and recovering from an incident.
3. Improve cybersecurity awareness: Organisations should conduct cybersecurity awareness programs to educate end users on cyber threats like phishing campaigns, social engineering, and the roles and responsibilities of users. Such training must be provided to new joiners as part of induction training and to all employees every 6 months.
4. Social media security measures:
- Official social media accounts should be accessible only to a restricted, limited set of officials and systems.
- Enable role-based accounts with appropriate privileges for social media management.
- Use a dedicated email account for social media accounts and a different set of credentials for email and social media accounts. Don’t use personal email for social media accounts.
- Enable multi-factor authentication for social media accounts.
- Content on social media should be approved by the appropriate authority.
- Disable location access for official social media platforms.
- Ensure that the social media app is updated to the latest version.
- Enable logs to monitor log-in attempts from untrusted devices or from geographical regions other than usual. Enable alerts for such login attempts as well.
- Exercise caution when using third-party apps for managing social media.
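The log-and-alert item above (log-in attempts from untrusted devices or from regions other than the usual ones) is the kind of check a security team can run over its own login logs. The following is an added example, not code from CERT-In or the article; the log format, account name, device IDs and trusted-device list are all constructed for illustration.

```python
# Added example, not CERT-In's or the article's code: flag logins from
# untrusted devices or unusual regions. All data below is constructed.
import re
from collections import Counter
# Constructed sample log lines (hypothetical key=value format)
SAMPLE_LOG = """\
2024-01-10T09:01:00Z account=press_office device=dev-a1 country=IN result=success
2024-01-10T09:30:00Z account=press_office device=dev-a1 country=IN result=success
2024-01-11T10:02:00Z account=press_office device=dev-b2 country=IN result=success
2024-01-12T03:15:00Z account=press_office device=unk-9f country=RO result=failure
2024-01-12T03:16:00Z account=press_office device=unk-9f country=RO result=success
2024-01-12T11:00:00Z account=press_office device=dev-a1 country=IN result=success
"""
# Constructed baseline: devices issued to officials who manage the account
TRUSTED_DEVICES = {"press_office": {"dev-a1", "dev-b2"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) device=(?P<device>\S+) "
    r"country=(?P<country>\S+) result=(?P<result>\S+)$"
)

def parse_log(text):
    """Parse log lines into dicts; malformed lines are dropped, not trusted."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def usual_regions(events, min_share=0.5):
    """Per account, countries holding at least min_share of successful logins.
    In production derive this from an earlier window, not the one under review."""
    per_acct = {}
    for e in events:
        if e["result"] == "success":
            per_acct.setdefault(e["account"], Counter())[e["country"]] += 1
    return {a: {c for c, n in cnt.items() if n / sum(cnt.values()) >= min_share}
            for a, cnt in per_acct.items()}

def find_alerts(events, trusted=TRUSTED_DEVICES, usual=None):
    """One alert per login from an untrusted device or an unusual region.
    Failed attempts are kept: failure then success from one unknown device is the sequence to review."""
    usual = usual_regions(events) if usual is None else usual
    alerts = []
    for e in events:
        reasons = []
        if e["device"] not in trusted.get(e["account"], ()):
            reasons.append("untrusted device")
        if e["country"] not in usual.get(e["account"], ()):
            reasons.append("unusual region")
        if reasons:
            alerts.append((e["ts"], e["account"], e["device"], e["country"], e["result"], reasons))
    return alerts
```

On the sample data only the two events from the unknown device in RO are flagged; the same functions also cover the periodic account review under item 6 when fed a longer log window.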
5. Network security measures: Organisations should
- Define their network architecture, including the network perimeter and ensure that only traffic that is required to support the business is being exchanged.
- Use firewalls that deny traffic by default and whitelist only authorized services.
- Ensure that Virtual Private Network (VPN) is used for accessing the network from a remote location.
- Deploy network intrusion detection or prevention devices.
- Deploy web and email filters on the network that scan for known bad domains, sources, etc., and scan all emails, attachments, and downloads.
- Deploy their own internal DNS servers for all segments.
- Block communication to malicious IPs and domains shared by CERT-In and other security agencies.
- Provide a security classification to each network and ensure that no data is allowed to move between networks of different classifications. Computers dealing with sensitive or classified information should not have any wireless equipment, including Internet and Bluetooth.
- Enable logging for all devices.
- Deploy DDoS (Distributed Denial-of-Service) mitigation devices and DDoS mitigation services.
- Change all default credentials and configurations during setup.
- Block access to remote desktop applications such as Anydesk, Teamviewer, etc.
- Restrict Bring Your Own Device (BYOD); unknown (personal) devices should not be allowed without authorization by the Network Administrator.
- Use Mobile Device Management (MDM) solutions for the remote management of devices.
- Important and sensitive zones should be monitored through CCTV cameras.
6. Identity and access management policies:
- All employees must be allotted a unique ID and access privileges must be based on operational role and requirements. Access should be given on a “need to know” basis.
- Multi-factor authentication (MFA) should be used “as much as possible.”
- Passwords must be complex with a minimum length of 8 characters, using a combination of capital letters, small letters, numbers, and special characters. They need to be changed at least once in 120 days.
- Default login credentials of devices such as routers, firewalls, storage equipment, etc., should be changed prior to their deployment.
- Active user sessions must be terminated after 15 minutes of inactivity.
- All accounts must be reviewed periodically for log-in attempts to access non-authorized resources, abuse of system privileges, frequent deletion of data by users, etc.
- User access must be deactivated immediately upon termination of employment, instances of non-compliance, suspicious activity, etc.
- Implement single sign-on for government users by integrating with either e-Pramaan by C-DAC Mumbai or Parichay/Janparichay by NIC or DigiLocker by NeGD.
- Organizations should have an Acceptable Usage Policy that users must agree to.
- Avoid allowing open proxies, Tor, or free third-party VPN services for remote access.
7. Application security measures: Organisations should
- Ensure the privacy of citizens’ data at each stage of the application life cycle.
- Incorporate security measures at each level of the software development lifecycle, such as during development, deployment, and maintenance of an application, etc.
- Ensure that all websites and applications are “https” enabled with a valid SSL/TLS Certificate.
- Perform application security testing, vulnerability assessment, and penetration testing at least once a year.
- Implement measures for securing Application Program Interfaces (APIs).
- Ensure that all mobile applications address the Open Web Application Security Project (OWASP) Mobile Top 10 vulnerabilities.
- Don’t store secret keys used by mobile applications unencrypted.
- Don’t store user data submitted to any mobile application in unencrypted/plain-text form on the device.
- Seek only permissions required for essential functions of any mobile application from the user.
8. Data security measures:
- Identify sensitive or personal data and apply encryption measures for such data in transit and at rest.
- Deploy detection and alerting tools to prevent data breaches.
- Implement a data backup policy and ensure that all the business-critical data is backed up regularly. The backups must be kept in an area physically separate from the server.
9. Third-party access and outsourcing policies:
- Organizations should ensure that third-party access to information is restricted and only granted after a Non-Disclosure Agreement has been signed.
- Any outsourced work should include a contract that specifies information security requirements and compliance with the same should be monitored.
- Data collected and processed by any vendor should be protected appropriately and cannot be shared with any others without explicit consent or agreement.
10. Security measures for cloud services:
- Examine security models followed by cloud services and implement appropriate security policies and measures for testing, staging, and backup environments hosted on cloud services.
- Ensure no cloud server or storage is leaking data due to inappropriate configurations.
- Follow MeitY’s detailed cloud security best practices published here.
11. Hardening procedures: Hardening refers to the practice of reducing the potential attack options by turning off non-essential services, reducing interaction with other networks, etc.
- For desktops: Use only genuine versions of operating systems and other applications; install reputed antivirus and Endpoint Detection and Response (EDR) software; configure time servers to NIC, NPL, or any other standard time source; and update firmware, operating systems, and software regularly.
- For printers connected to the network: Disable default credentials, restrict internet access, and disable default services, such as FTP, HTTP, SSH, etc., that are not in use. Regularly update printer firmware and carry out remote printer administration only through a secure connection (HTTPS). Don’t allow the printer to store print history.
- For email services: Deploy a dedicated mail server, use encrypted/secure connections to connect with the server, implement relevant security standards like DKIM, SPF, DMARC, etc., limit the maximum number of SMTP server connections, update the server with the latest patches, and enable logs of web interfaces of an email server.
- For database servers: Keep database servers in a secure environment, keep them on physical machines different from those running application or web servers, protect them with a firewall, restrict user and admin privileges, and encrypt sensitive database info.
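The email-services item names SPF, DKIM and DMARC without showing what implementing them looks like. As an added example (not from the guidelines or the article), these are the DNS records that put the three standards in place for a placeholder domain; the domain, the sending server address (from a documentation IP range), the DKIM selector, the public key and the report mailboxes are all placeholders to be replaced with the entity's own values.

```dns
; Placeholder domain and values; replace with the entity's actual domain, server and key.
; SPF: only the domain's MX hosts and the listed server may send mail for it; all others fail.
example.gov.                       IN TXT "v=spf1 mx ip4:203.0.113.10 -all"
; DKIM: public key for the selector the mail server signs with (key is a placeholder).
mail2024._domainkey.example.gov.   IN TXT "v=DKIM1; k=rsa; p=<BASE64_PUBLIC_KEY_PLACEHOLDER>"
; DMARC: reject mail that fails both SPF and DKIM alignment (strict alignment on both),
; and send aggregate (rua) and failure (ruf) reports to the security team.
_dmarc.example.gov.                IN TXT "v=DMARC1; p=reject; adkim=s; aspf=s; pct=100; rua=mailto:dmarc-reports@example.gov; ruf=mailto:dmarc-forensic@example.gov"
```

A common rollout is to publish DMARC with p=none first, use the aggregate reports to find every legitimate sender that is not yet covered by SPF or DKIM, and then move to p=quarantine and finally p=reject.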
Note: Alongside the guidelines for government entities, the National Informatics Centre has also released (as part of the same document) guidelines for Chief Information Security Officers of central government ministries and departments and guidelines for government employees, both of which aren’t covered in this summary.