Guidelines on Information Security Practices for government entities

CERT-In has issued “Guidelines on Information Security Practices” for Government Entities for Safe & Trusted Internet. They include all government institutions, public sector enterprises, and other government agencies under their administrative purview.

These guidelines are a roadmap for the Government entities and industry to reduce cyber risk, protect citizen data and continue to improve the cyber security ecosystem in the country. They will serve as a fundamental document for audit teams, including internal, external, and third-party auditors, to assess an organisation’s security posture against the specified cybersecurity requirements.

The guidelines include various security domains such as network security, identity and access management, application security, data security, third-party outsourcing, hardening procedures, security monitoring, incident management, and security auditing.

Senior management of the organization should implement the following measures:

1. Nominate a Chief Information Security Officer (CISO) for IT Security and provide the details of this CISO (Point of Contact) to CERT-In as per Cyber Security Directions of 28 April 2022.
2. Formulate cyber security policy and assign roles and responsibilities for Chief Information Security Officer (CISO) and a dedicated cyber security functional team. Detailed Roles & Responsibilities of CISO are published on website of Meity at following URL: https://www.meity.gov.in/content/key-roles-and-responsibilities-chief-informationsecurity-officers-cisos
3. CISO should have a dedicated cybersecurity team, separate from IT operations and infrastructure team. The team would be responsible for:
   i. monitoring network’s security and responding to security alerts
   ii. conducting incident response
   iii. formulating, enforcing and reviewing IT security policies
   iv. conducting cybersecurity awareness drills and campaigns within the organisation
   v. liaising with CERT-In and other government and industry cybersecurity organisations
4. Organisations should conduct an internal and external audit of the entire ICT infrastructure and deploy appropriate security controls based on the audit outcome. Internal information security audit to be conducted at least once in 6 months. 3rd Party Security audits must be conducted at least once a year. Services of CERT-In empanelled auditors may be utilized for the purpose of external audits. List of empanelled auditors with details such as skills, competence, experience in audits, manpower, tools used etc., is available on website “https://www.cert-in.org.in”.
5. Formulate security policies and procedures for building cyber resiliency. Prepare, test and implement Business Continuity Plan (BCP) and Disaster Recovery (DR) plan.
6. Maintain inventory of authorised hardware and software (including versions, patch level, validity of support etc) along with mechanism for automated scanning to detect presence of unauthorized device and software. Guidelines on Information Security Practices for Government Entities.
7. Prepare an organisation-wide Cyber Security Awareness Program and regularly educate end users about security practices to deal with cyber threats like phishing campaigns, social engineering and roles and responsibilities of users.