Guidelines on Information Security Practices for Government Entities for Safe & Trusted Internet

To further the goal of a safe cyberspace, the Indian Computer Emergency Response Team (CERT-In) released the "Guidelines on Information Security Practices for Government Entities" in June 2023.

Applicability

These guidelines, issued under the powers conferred by clause (e) of sub-section (4) of section 70B of the Information Technology Act, 2000 (21 of 2000), apply to all Ministries, Departments, Secretariats, and Offices specified in the First Schedule to the Government of India (Allocation of Business) Rules, 1961, along with their attached and subordinate offices.

They also apply to all government institutions, public sector enterprises, and other government agencies under the administrative purview of those Ministries, Departments, Secretariats, and Offices.

Purpose of the guidelines

The purpose of these guidelines is to establish a prioritised baseline of cyber security measures and controls for government organisations and their associated organisations. The guidelines assist security teams in implementing the baseline and essential controls and procedures needed to protect their cyber infrastructure from prominent threats. They also serve as a baseline document for administration and audit teams (internal, external and third-party auditors) to evaluate an organisation's security posture against the cyber security baseline requirements.

These guidelines cover best practices grouped into security domains such as Network Security, Application Security, Data Security, Auditing and Third-Party Outsourcing. Because the threat landscape is constantly evolving, the document is envisaged as a living document that will be updated as the threat landscape changes.

Policy measures

Senior management of the organisation should implement the following measures:

  1. Nominate a Chief Information Security Officer (CISO) for IT Security and provide the details of this CISO (Point of Contact) to CERT-In as per Cyber Security Directions of 28 April 2022.
  2. Formulate a cyber security policy and assign roles and responsibilities to the Chief Information Security Officer (CISO) and a dedicated cyber security functional team. The detailed roles and responsibilities of the CISO are published on the website of MeitY.
  3. The CISO should have a dedicated cyber security team, separate from the IT operations and infrastructure team. The team would be responsible for:
    • monitoring the network's security and responding to security alerts
    • conducting incident response
    • formulating, enforcing and reviewing IT security policies
    • conducting cyber security awareness drills and campaigns within the organisation
    • liaising with CERT-In and other government and industry cyber security organisations
  4. Organisations should conduct internal and external audits of the entire ICT infrastructure and deploy appropriate security controls based on the audit outcome. Internal information security audits are to be conducted at least once every 6 months. Third-party security audits must be conducted at least once a year. The services of CERT-In empanelled auditors may be utilised for external audits. The list of empanelled auditors, with details such as skills, competence, audit experience, manpower and tools used, is available at https://www.cert-in.org.in.
  5. Formulate security policies and procedures for building cyber resiliency. Prepare, test and implement Business Continuity Plan (BCP) and Disaster Recovery (DR) plan.
  6. Maintain an inventory of authorised hardware and software (including versions, patch level, validity of support, etc.), along with a mechanism for automated scanning to detect the presence of unauthorised devices and software.
  7. Prepare an organisation-wide Cyber Security Awareness Program and regularly educate end users about security practices to deal with cyber threats like phishing campaigns, social engineering and roles and responsibilities of users.
  8. Maintain situational awareness of the latest cyber security threats by following the CERT-In website and the alerts and advisories published there. Follow the measures suggested by CERT-In for cyber hygiene, including prevention of cyber threats.

Source : CERT-In

Last Modified : 7/2/2023

© C-DAC. All content appearing on the vikaspedia portal is through the collaborative effort of vikaspedia and its partners. We encourage you to use and share the content in a respectful and fair manner. Please leave all source links intact and adhere to applicable copyright and intellectual property guidelines and laws.