On 30 June 2023 the Indian Computer Emergency Response Team (hereinafter referred to as “CERT-In”) issued the ‘Guidelines on Information Security Practices for Government Entities’ (hereinafter referred to as the “Guidelines”). These Guidelines have been issued under clause (e) of sub-section (4) of section 70B of the Information Technology Act, 2000 (hereinafter referred to as the “IT Act”) and apply to all Ministries, Departments, Secretariats and Offices specified in the First Schedule to the Government of India (Allocation of Business) Rules, 1961, along with their attached and subordinate offices.
These Guidelines have been issued keeping in mind that the Information and Communication Technology (hereinafter referred to as “ICT”) infrastructure of the Government is a preferred target of malicious hackers and foreign actors seeking to obtain information about Indian citizens.
The objective of the Guidelines is to establish a prioritised baseline of cyber security measures for Government organisations and their associated organisations. They set out a path for Government entities to understand how to mitigate cyber security threats and better protect the data of citizens.
WHAT IS CERT-IN?
CERT-In is an agency under the Ministry of Electronics and Information Technology (hereinafter referred to as “MeitY”), Government of India. It is the national nodal agency for responding to computer security incidents and for promoting effective information security practices throughout India, and is thus the first responder to data breach incidents at large corporations and other data holders.
OBJECTIVE OF INTRODUCING THE GUIDELINES
The Guidelines have been introduced specifically for Government organisations. The Government holds a huge reservoir of data about its citizens, and as this data is digitised by the day the threat of data leaks and hacks has also increased over the past few years. This puts at risk the private data of almost 80 crore citizens who regularly use internet services. With the advent of the proposed Digital India Act, 2023, which seeks to provide governance for modern challenges such as cybercrime, data protection and online safety and aims to replace the IT Act, it has become all the more important for the Government to take strict measures to protect the confidential data in its possession.
KEY FEATURES OF THE GUIDELINES
The Guidelines instruct Government organisations on the cyber security measures they must adhere to and implement, covering aspects such as network security, identity and access management, data security, third-party outsourcing, security monitoring and security auditing. Moreover, the appointment or nomination of a Chief Information Security Officer (hereinafter referred to as “CISO”) has been made mandatory.
Following are the key aspects of the Guidelines to be taken into consideration by the government organisations:
1. Appointment of a CISO
Clause 3 of the Guidelines states that all Government organisations to which the Guidelines apply must nominate and appoint a CISO. The details of the CISO must be recorded and sent to CERT-In in the prescribed manner. The organisation must also constitute a dedicated cyber security team reporting to the CISO.
2. Conducting audits and formulating cyber security plans
Clause 3.4 of the Guidelines mandates that Government organisations conduct an internal audit of their entire ICT infrastructure every six months and an external audit on a yearly basis. These audits must include vulnerability and threat assessments, and appropriate measures must be implemented based on their outcome. The organisation must also prepare security plans for building cyber resilience, such as a Business Continuity Plan (hereinafter referred to as “BCP”) and a Disaster Recovery (hereinafter referred to as “DR”) plan.
3. Network security measures to be strengthened
According to Clause 4 of the Guidelines, a Government organisation must define an appropriate network structure and boundary, restricting access to its internal networks and to authorised external connections such as service providers and partners. The Guidelines also stipulate the deployment of firewalls to establish a protective zone between the organisation’s networks and the Internet (and other untrusted networks). This approach reduces the exposure of systems to network-based attacks.
4. Identity and access management
According to Clause 5 of the Guidelines, every employee of the organisation must be assigned a unique identity for access, and access must be granted on a ‘need to know’ basis. To enhance security, active user sessions should be terminated automatically after 15 minutes of inactivity. User access must be promptly deactivated on termination of employment, non-compliance or suspicious activity.
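Two of the Clause 5 controls above, the 15-minute idle timeout and prompt deactivation of a user’s access, can be demonstrated in code. The following is an added example written for this article; it is not code from CERT-In or the Guidelines. The in-memory session store, the user identifiers and the timestamps are all constructed for illustration, and a sliding idle window (the timer resets on each valid request) is assumed:

```python
"""Idle-session expiry and user deactivation (added illustration, not from the Guidelines)."""
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 15 * 60  # the 15-minute inactivity limit from Clause 5


@dataclass
class Session:
    user_id: str
    last_activity: float  # epoch seconds of the last validated request
    revoked: bool = False


class SessionStore:
    """In-memory store for the example; a real deployment keeps sessions
    server-side in a shared store so revocation takes effect everywhere."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS):
        self.idle_timeout = idle_timeout
        self._sessions: dict[str, Session] = {}

    def create(self, user_id: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # unpredictable session identifier
        self._sessions[token] = Session(user_id, now)
        return token

    def validate(self, token: str, now: float):
        """Return the user id if the session is live, otherwise None.
        A live session's activity timestamp is refreshed (sliding window)."""
        session = self._sessions.get(token)
        if session is None or session.revoked:
            return None
        if now - session.last_activity > self.idle_timeout:
            # Idle too long: terminate the session rather than silently refresh it.
            del self._sessions[token]
            return None
        session.last_activity = now
        return session.user_id

    def deactivate_user(self, user_id: str) -> int:
        """Revoke every live session of a user (termination, suspicious activity).
        Returns the number of sessions revoked."""
        count = 0
        for session in self._sessions.values():
            if session.user_id == user_id and not session.revoked:
                session.revoked = True
                count += 1
        return count


def demo() -> dict:
    """Walk through the timeline with constructed timestamps (epoch seconds)."""
    store = SessionStore()
    t0 = 1_700_000_000.0  # constructed start time
    tok = store.create("emp-0042", t0)
    results = {
        # 10 minutes idle: still live, timer refreshed
        "active_at_10min": store.validate(tok, t0 + 10 * 60),
        # 14 minutes since the refresh: still live
        "active_at_24min": store.validate(tok, t0 + 24 * 60),
        # 16 minutes since the last refresh: terminated
        "expired_at_40min": store.validate(tok, t0 + 40 * 60),
    }
    tok2 = store.create("emp-0042", t0 + 41 * 60)
    results["revoked_count"] = store.deactivate_user("emp-0042")
    results["after_revoke"] = store.validate(tok2, t0 + 42 * 60)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check deliberately deletes an expired session instead of extending it, so a token that sat idle past the limit cannot be revived by a late request; revocation is a flag on the server-side record, so it takes effect on the very next request regardless of what the client still holds.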
5. Data security measures
Clause 7 of the Guidelines requires organisations to identify and classify personal and sensitive data so that encryption can be applied to it. Organisations must have a Data Loss Prevention (hereinafter referred to as “DLP”) process in place. A data backup policy must be implemented and all business-critical data must be backed up regularly to prevent data loss and to ensure faster recovery in case of an incident. Organisations must conduct third-party risk assessments and monitor for data breaches or leaks originating in their supply chains so that protective and remedial measures can be taken. Personal external storage devices must not be allowed to connect to official systems.
6. Policies for third-party access and outsourcing
According to Clause 8.1 of the Guidelines, third-party access to information must be restricted and information shared only after a Non-Disclosure Agreement has been signed. Any outsourced work must be governed by a contract that specifies the information security requirements, and compliance with those requirements must be monitored.
7. Cloud service security measures
Clause 9 of the Guidelines provides security measures for cloud services. Cloud services operate under a shared responsibility model for security and compliance, so a Government organisation that uses them must scrutinise the applicable model before implementation. The public accessibility of any cloud service must be thoroughly checked to ensure there is no possibility of a data leak.
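The public-accessibility check mentioned in Clause 9 is, in practice, a review of the resource policy attached to each storage bucket or service. The following is an added example written for this article, not code from CERT-In or any cloud provider: it inspects an AWS-style resource policy document for Allow statements granted to every principal. The policy format is assumed to be the standard IAM JSON policy grammar, the three sample policies are constructed for the example, and the check runs entirely offline on the policy text:

```python
"""Offline check of a resource policy for public grants (added illustration)."""
import json


def _principal_is_public(principal) -> bool:
    """True if the statement's Principal grants to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def public_statements(policy_json: str) -> list:
    """Return the Allow statements that grant to any principal.

    A statement without a Condition is reported as 'public'. A statement that
    does carry a Condition is reported as 'review': conditions such as a source
    VPC endpoint narrow the grant, but others (for example a Referer match) are
    trivially forged, so a human must judge them rather than the script."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written bare
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append({
            "Sid": stmt.get("Sid", "<no Sid>"),
            "Action": actions,
            "Resource": stmt.get("Resource"),
            "severity": "review" if stmt.get("Condition") else "public",
        })
    return findings


# Constructed sample policies (bucket names and account id are placeholders).
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::citizen-records-example",
                     "arn:aws:s3:::citizen-records-example/*"],
    }],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DeptOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/records-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::citizen-records-example/*",
    }],
})

VPCE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpceOnly",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::citizen-records-example/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})


if __name__ == "__main__":
    for name, doc in [("public", PUBLIC_READ_POLICY),
                      ("restricted", RESTRICTED_POLICY),
                      ("vpce", VPCE_POLICY)]:
        print(name, public_statements(doc))
```

A real audit also has to consider bucket ACLs and account-level public access block settings, which this policy-only check does not see; the point of the script is that a wildcard principal on an Allow statement is mechanically detectable and should never reach production unreviewed.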
The Guidelines issued by CERT-In, in light of the upcoming Data Protection Bill, 2022 and the Digital India Act, 2023, are a remarkable effort to regulate and protect the data of the general public in cyberspace.
CERT-In has issued these Guidelines keeping in mind the various data leaks that have occurred across the nation, especially through the offices of Government organisations, which are regarded by malicious actors as easy, high-reward prey.
Digitisation of data is the future, and protection of that data against cyber threats therefore cannot be ignored. The security measures set out in the Guidelines will form a baseline for cyber security in Government organisations. The Guidelines, though sufficient for now, should remain open to amendment or extension as future requirements demand.
– Team AMLEGALS, assisted by Ms. Kermina Patel (Intern)
For any query or feedback, please feel free to get in touch with firstname.lastname@example.org or email@example.com