Demystifying The CERT-IN Direction

Understanding the recently released directions for reporting cybersecurity incidents by the Indian Computer Emergency Response Team (CERT-In)

CERT-In is a nodal agency within the Ministry of Electronics and Information Technology of the Government of India that ensures cyber defence of the Indian internet domain. Its focus is to report on vulnerabilities, respond to cyber incidents and establish security best practices across the country.

According to a press release by MEITY, during the course of handling cyber incidents and interactions with the constituency, CERT-In has identified certain gaps that hinder incident analysis. To address these gaps and facilitate incident response measures, CERT-In, on Apr 28, 2022, came out with a directive related to cybersecurity practices that are to be followed by enterprises and government bodies. This directive will come into effect within 60 days of its launch. Though industry experts see this as a broad directive, it will set a well-defined reporting mechanism for cybersecurity incidents. These directions have been issued under section 70B of the Information Technology Act, 2000.

Key Highlights

Synchronisation of Clocks: All service providers and government organisations shall connect to the NTP servers of NIC or NPL, or to NTP servers traceable to these NTP servers, for synchronisation of all their ICT system clocks. Entities having ICT shall ensure that their time source does not deviate from NPL and NIC.

Incident Reporting: All service providers and government organisations shall report cyber incidents to CERT-In within 6 hours of noticing such incidents or being brought to notice about such incidents. All the logs should be provided to CERT-In along with the reporting of any incident or when ordered/directed by CERT-In. The list of cyber incidents to be reported includes data leaks and breaches, attacks on mobile apps, unauthorised access of IT systems, identity theft and phishing attacks.

Follow CERT-In's order to mitigate and report: When required by order/direction of CERT-In, the service provider is mandated to take action or provide information or any such assistance to CERT-In, which may contribute towards cyber security mitigation actions and enhanced cyber security situational awareness.

Log Retention: All the service providers shall mandatorily enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days and the same shall be maintained within the Indian jurisdiction.

Point of Contact: The service providers and Government organisations shall designate a Point of Contact to interface with CERT-In. The Information relating to a Point of Contact shall be sent to CERT-In in the format specified at Annexure II and shall be updated from time to time.

Maintain Information on Customers and Subscribers: Data Centres, Virtual Private Server (VPS) providers, cloud service providers and Virtual Private Network Service (VPN Service) providers are required to register accurate information about their customers and subscribers, which must be maintained by them for a period of 5 years or longer.

Virtual Asset Service providers, exchanges and wallets: The virtual asset service providers, virtual asset exchange providers and custodian wallet providers shall mandatorily maintain information obtained as part of KYC and record of financial transactions for 5 years.

Incidents can be reported to CERT-In via Email (incident@cert-in.org.in), Phone (1800-11-4949) and Fax (1800-11-6969). The details regarding methods and formats of reporting cyber security incidents are also published on the CERT-In website (www.cert-in.org.in) and will be updated from time to time.