Are Indian Organizations Ready for the New CERT-In Cyber Policy?

What is CERT-In??

The publication requires that cybersecurity incidents, including data breaches, be reported to the Indian Computer Emergency Response Team (CERT-In) within six hours of becoming aware of the incident.

CERT-In has enabled the industry to report incidents within a reasonable time so that you can take timely action. Still, several loopholes have been identified that hinder the analysis of security incidents. In light of this, a new problematic policy was introduced.

To fill these unidentified gaps, the Information Technology Act of 2000, section 70B, subsection (6), provides instructions on information security practices, procedures, prevention, response, and reporting of cybersecurity incidents.

Apart from the above guidelines, CERT-In has added some additional guidelines that organizations must follow.

All service providers, intermediaries, data centres, enterprises, and government agencies must activate and maintain ICT system logs for 180 days. Indian jurisdiction remains unchanged.

Data Centers, Virtual Private Server (VPS) Providers, Cloud Service Providers, and Virtual Private Network (VPN) Service Providers must register information such as a valid subscriber name, valid address, and contact number for five years. Or more.

Virtual Asset Service Providers, Virtual Asset Exchange Providers, and Custodian Bank Providers must keep all information and records of financial transactions received as Know Your Customer (KYC) for five years.

These rules take effect 60 days after the release is published.

CERT-In commissioned these rules for the above industries to ensure cybersecurity in financial markets so that citizens can protect their data, fundamental rights, and economic freedoms.

Purpose and Functions of CERT-In

1. CERT-IN complies with the functions required by Section 70B of the Act to assist Indian cyber users in implementing measures to mitigate the risk of cyber security incidents.

2. Cybersecurity Incident Prediction and Alerts.

3. Emergency response in the event of a cybersecurity incident.

4. Coordinating Cyber Incident Response Activities.

5. Release Cyber Incident Guidelines, Advisories, Vulnerability Advisories, and White Papers.

With the announcement of CERT-In's new direction, this is the first time India has implemented strong mandates to combat cyber incidents. The reorganization of CERT-In has stimulated conversations among various stakeholders. VPN service providers speculate that the new standard could lead to more data breaches from malicious attacks and more breaches from the India attack.

In addition, we have expressed concern that data logging and storage may lead to violations of privacy and trust. Under increasing pressure and associated data collection protections, some of his VPN providers have already discontinued their services in India, with others following suit.

LTS Secure has expertise in addressing cybersecurity challenges faced by companies with complex IT infrastructures, which has brought about more and more customers we serve.

Register for the LTS Secure online webinar: https://ltssecure.com/cert/