In the light of rising cyber-attack incidents in the country, and while handling cyber incidents and interacting with its constituency, the Indian Computer Emergency Response Team (CERT-In) identified certain gaps that hinder incident analysis. To address these gaps and to facilitate incident response, CERT-In issued directions on 28 April 2022 relating to information security practices, procedure, prevention, response and reporting of cyber incidents, under sub-section (6) of section 70B of the Information Technology Act, 2000. One of the key directions is that any service provider, intermediary, data center, body corporate and government organization must report cyber incidents to CERT-In within 6 hours of noticing them or being brought to notice about them. The directions come into effect 60 days after issuance.
Under section 70B of the Information Technology Act, 2000, CERT-In is the national agency for performing various functions in the area of cyber security in the country. It continuously analyses cyber threats, handles cyber incidents tracked and reported to it, and regularly issues advisories to organizations and users so that they can protect their data, information and ICT infrastructure. It also takes emergency measures in the event of a cyber security incident, and is empowered to call for information from service providers, intermediaries, data centers and body corporate.
The latest CERT-In directions aim to strengthen the country's overall cyber security posture and provide a safe and trusted internet. They cover synchronization of ICT system clocks; mandatory reporting of cyber incidents; maintenance of logs of ICT systems; registration of subscriber or customer details by data centers, Virtual Private Server (VPS) providers, VPN service providers and cloud service providers; and KYC norms and record-keeping by virtual asset service providers, virtual asset exchange providers and custodian wallet providers.
In the directions, CERT-In states that it is necessary to issue them to augment and strengthen cyber security in the country, in the interests of India's sovereignty, integrity, defense, security and public order, to maintain friendly relations with foreign states, and to prevent incitement to the commission of any cognizable offense using computer resources.
Let's now take a closer look at these directions:
1. ICT clock synchronization:
CERT-In has mandated that all service providers, intermediaries, data centers, body corporate and government organizations shall connect to the Network Time Protocol (NTP) server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or to NTP servers traceable to these servers, for synchronization of all their ICT system clocks.
It further states that organizations whose ICT infrastructure spans several geographies may use accurate and standard time sources other than NPL and NIC, provided those sources do not deviate from NPL and NIC time.
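As an added illustration of the clock check behind this direction (example code written for this page, not part of the CERT-In direction or of this article), here is a minimal SNTP (RFC 4330) client in Python. It builds the client request, validates the server reply (mode, leap indicator, stratum, and that the originate timestamp echoes our own request so a stale or spoofed reply is rejected), computes the clock offset and round-trip delay from the four NTP timestamps, and reports the largest disagreement between several sources, which is the check an organization using a non-NIC/NPL source would run. The 1 s tolerance and the reply packet used in the offline demo are constructed assumptions; the direction itself sets no numeric tolerance, and which host to query is left as an argument.

```python
"""Minimal SNTP client and clock-offset check (added example, not CERT-In's code)."""
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800          # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
PACKET = struct.Struct("!BBBb11I")   # LI|VN|Mode, stratum, poll, precision, then 11 x 32-bit words
NTP_PORT = 123


def to_ntp(ts: float) -> tuple[int, int]:
    """Unix float seconds -> (NTP seconds, 32-bit fraction)."""
    secs = int(ts)
    frac = int((ts - secs) * (1 << 32)) & 0xFFFFFFFF
    return secs + NTP_UNIX_DELTA, frac


def from_ntp(secs: int, frac: int) -> float:
    """(NTP seconds, 32-bit fraction) -> Unix float seconds."""
    return (secs - NTP_UNIX_DELTA) + frac / (1 << 32)


def build_request(t1: float) -> bytes:
    """Client packet: LI=0, VN=4, Mode=3 -> first byte 0x23; send time t1 goes in the transmit field."""
    secs, frac = to_ntp(t1)
    return PACKET.pack(0x23, 0, 0, 0, *([0] * 9), secs, frac)


def build_reply(t1: float, t2: float, t3: float, stratum: int = 2, li: int = 0) -> bytes:
    """Constructed server reply (VN=4, Mode=4) for offline use; not captured from a real server."""
    first = (li << 6) | (4 << 3) | 4
    # root delay, root dispersion, reference id, reference ts (2 words) are zeroed for the demo
    return PACKET.pack(first, stratum, 0, 0, *([0] * 5), *to_ntp(t1), *to_ntp(t2), *to_ntp(t3))


def parse_reply(data: bytes, t1: float, t4: float) -> dict:
    """Validate a reply and compute offset/delay from t1 (sent), t2 (server rx), t3 (server tx), t4 (received)."""
    if len(data) < PACKET.size:
        raise ValueError("short packet")
    f = PACKET.unpack(data[:PACKET.size])
    li, mode, stratum = f[0] >> 6, f[0] & 0x7, f[1]
    w = f[4:]  # 11 words: rootdelay, rootdisp, refid, ref(2), originate(2), receive(2), transmit(2)
    if mode != 4:
        raise ValueError(f"unexpected mode {mode}; expected server (4)")
    if li == 3 or stratum == 0 or stratum > 15:
        raise ValueError("server unsynchronised (LI=3, stratum 0 kiss-o'-death, or stratum > 15)")
    if (w[5], w[6]) != to_ntp(t1):
        raise ValueError("originate timestamp does not echo our request (stale or spoofed reply)")
    t2 = from_ntp(w[7], w[8])
    t3 = from_ntp(w[9], w[10])
    offset = ((t2 - t1) + (t3 - t4)) / 2   # how far our clock is behind the server (RFC 4330)
    delay = (t4 - t1) - (t3 - t2)          # round-trip time excluding server processing
    return {"offset": offset, "delay": delay, "stratum": stratum}


def max_divergence(offsets: dict) -> float:
    """Largest gap between per-source offsets, e.g. {'nic': 0.01, 'npl': -0.02, 'other': 0.8}."""
    vals = list(offsets.values())
    return max(vals) - min(vals) if vals else 0.0


def query(host: str, timeout: float = 2.0) -> dict:
    """Live query over UDP/123 (needs network); host is whichever NIC/NPL-traceable server you use."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (host, NTP_PORT))
        data, _ = s.recvfrom(512)
        t4 = time.time()
    return parse_reply(data, t1, t4)


if __name__ == "__main__":
    # Offline demo with a constructed reply: server clock 10 s ahead of ours, 0.5 s round trip.
    t1 = 1700000000.0
    reply = build_reply(t1, t2=t1 + 10.25, t3=t1 + 10.25)
    result = parse_reply(reply, t1, t4=t1 + 0.5)
    print(result)  # offset 10.0 s, delay 0.5 s
    MAX_OFFSET = 1.0  # hypothetical tolerance; the direction sets no number
    print("in sync" if abs(result["offset"]) <= MAX_OFFSET else "clock drift exceeds tolerance")
```

Run it without arguments for the offline demo; call `query("<your NTP host>")` for a live check and feed several hosts' offsets to `max_divergence` to confirm a secondary source agrees with the NIC/NPL-traceable one. Rejecting replies whose originate timestamp does not match matters in practice: unauthenticated NTP over UDP is trivially spoofable, so an attacker who can inject a reply could skew the very clocks the incident timeline depends on.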
2. Mandatory reporting of cyber incidents within 6 hours of noticing them:
CERT-In also mandates that any service provider, intermediary, data center, body corporate and government organization must report cyber incidents to it within 6 hours of noticing such incidents or being brought to notice about them.
Incidents can be reported to CERT-In by email, phone (1800-11-4949) and fax (1800-11-6969); the email address, along with the methods and formats for reporting cyber security incidents, is published on CERT-In's website, www.cert-in.org.in.
3. Assisting with cyber security mitigation actions and appointing a point of contact to communicate with CERT-In:
The directions also provide that when CERT-In issues an order or direction, the service provider, intermediary, data center or body corporate must take the action, furnish the information or provide any other assistance that CERT-In requires for cyber incident response and for protective and preventive actions relating to cyber incidents, so as to contribute to cyber security mitigation and improved cyber security situational awareness.
They further require these entities to designate a point of contact to communicate with CERT-In; all communications from CERT-In seeking information or giving compliance directions are sent to that point of contact.
4. ICT system logs must be enabled and retained for 180 days:
All service providers, intermediaries, data centers, body corporate and government organizations must enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days, within Indian jurisdiction. These logs must be provided to CERT-In along with any incident report, or whenever CERT-In orders or directs it.
5. Mandatory registration and retention of subscriber information for a minimum of 5 years:
Data centers, Virtual Private Server (VPS) providers, cloud service providers and Virtual Private Network (VPN) service providers must register and retain the following information about their subscribers or customers for 5 years or longer, as required by law:
a) Validated names of subscribers/customers hiring the services
b) Period of hire including dates
c) IPs allotted to / being used by the subscribers / customers
d) Email address and IP address and time stamp used at the time of registration / on-boarding
e) Purpose for hiring services
f) Validated address and contact numbers
g) Ownership pattern of the subscribers / customers hiring services
6. Mandatory retention of KYC information and financial transaction records for 5 years:
Given the growth of virtual assets, and in order to secure payments and financial markets for citizens, the directions further require virtual asset service providers, virtual asset exchange providers and custodian wallet providers to maintain all information obtained as part of Know Your Customer (KYC) and all records of financial transactions for a period of 5 years.
Get in touch with us to get better equipped to handle Incident Response.