Clearing the air over the new CERT-In rules

Authorities that lay down compliance regulations often update them in order to keep them relevant. However, for organizations that fall under the purview of these regulations, it can be a challenge to keep up with the updates and ensure that they stay compliant.

The Indian Computer Response Team (CERT-In), a division within the Ministry of Electronics and Information Technology of the Government of India, released certain directions under sub-section 6 of section 70B of the Information Technology Act, 2000 relating to information security practices and procedures for, prevention of, response to, and reporting of cyber incidents.

Industry stakeholders were baffled by the requirements and demanded an amendment, however, the agency clarified that the requirements were applicable only to VPN providers who offer services similar to the internet proxy to internet subscribers and not to corporate VPN service providers.

Be aware of the requirements, so you know whether your organization falls under the purview of this law. Let’s now dive deep into the requirements and understand what it takes to stay compliant.

Key excerpts from the CERT-In guidelines

Here are some of the key excerpts from the CERT-In guidelines. You can check out the complete list here.

1. Any service provider, intermediary, data centre, body corporate, and Government organisation shall mandatorily report cyber incidents to CERT-In falling under the purview of Annexure-I within six hours of noticing such incidents or being brought to notice about such incidents. This can be done via email, phone, or fax.

2. A point of contact must be appointed to provide assistance, take action, or provide required information on the incident to CERT-In to facilitate an incident response that includes both protective and preventive actions for the incident.

3. Logs must be maintained for a rolling period of 180 days and must be provided along with the report of the incident or when directed by CERT-In.

4. Valid subscriber and customer information including names, email ID, and addresses should be stored for a period of five years after any cancellation or withdrawal of the registration.

5. All information collected for know your customer processes must be maintained for a period of five years.

Challenges in staying compliant with the new rules 

One of the major reasons cited by organizations for retaliating against the new rules was that maintaining user data for five years can increase operational costs by a great extent. Further, small and medium-sized enterprises often find it difficult to store and verify user details.

Further, service providers wanted clarifications on who was required to follow these new rules. Some service providers may not be able to reveal sensitive information even under orders, whether it’s because they lack the capability to retrieve this information, because revealing sensitive information goes against the company’s ethics, or because they offer masking services to customers and simply don’t have this data available.

Storing huge amounts of data for a period of five years would require organizations to invest in more storage and to expand their infrastructures. While authorities clarified that the new rules have been established for security rather than surveillance, organizations are still skeptical about the repercussions of the new rules in the coming years.

Further, for those organizations that have privacy agreements with their clients, shutting down business in India would be the only option if proper amendments are not made to the new rules.

Best practices to stay compliant with the new CERT-In requirements

Though it is difficult to stay compliant with the new rules, it’s not impossible. Here are a few best practices that can help you stay compliant.

1. Have an incident monitoring procedure in place: In order to report an incident within six hours of it happening, it’s essential to have an incident monitoring process in place. However, it’s recommended to automate the process since doing it manually can be time consuming.

2. Conduct network audits regularly: It’s essential to conduct internal audits regularly to check the network’s health by collecting and analyzing network data. This will help identify and categorize sensitive information, so you can establish additional security.

3. Practice access control techniques: Reviewing and revoking privileged access can help reduce security incidents. Further, it’ll help identify users with admin privileges and monitor them continuously to avoid account compromises.

4. Implement policies to secure archived logs: One of the core objectives of the new rule is to retain logs for future analysis. Archiving logs can help achieve this. However, it is important to secure archived log files and ensure that they don’t get tampered with.

5. Deploy a SIEM solution: Deploying a SIEM solution can help you stay secure. The solution should also have tightly integrated data loss prevention and cloud capabilities to help organizations understand their networks completely.

Though the CERT-In rules look challenging to comply with, by taking the right measures, organizations can stay compliant with the latest regulations and secure their networks as well.