CERT-In -- Guidelines on Information Security Practices for Government Entities

On June 30, 2023, the Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics & Information Technology, issued a document titled “Guidelines on Information Security Practices for Government Entities”.

These guidelines are applicable to government entities and cover various aspects of cybersecurity, such as policy measures, network and infrastructure security, identity and access management, application security, data security, third-party access and outsourcing, secure cloud services, and hardening procedures. The guidelines include data security measures such as encrypting sensitive/personal data, conducting third-party audits, and using multi-factor authentication. They also include separate guidelines for Chief Information Security Officers (CISOs) and government employees.

While they address cyber security concerns for public entities, there’s still a need to address them for the private sector, direction for which may be set through a cyber security strategy. We wrote to the National Cyber Security Coordinator on this.

It remains unknown whether CERT-In consulted with, or invited comments from, other domain experts such as the National Informatics Centre or the CDAC, or referenced internationally known organisations such as the Cybersecurity and Infrastructure Security Agency.

While we welcome this step by CERT-In to address the vulnerabilities in the public cyber security infrastructure, it needs to be given teeth by way of bringing in legal enforceability/a robust policy framework.