CERT-In Directive – A Step to Strengthen India’s Cybersecurity Posture

The Indian Computer Emergency Response Team (CERT-In) on April 28, 2022, issued Directions with an objective to augment and strengthen cyber security in the country. The Directions apply to service providers, virtual private server providers, virtual private network (VPNs) service providers, cloud service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers, intermediaries, data centres, bodies corporate and government organisations. The key norms and requirements listed out in the latest directive include the following:

• Maintaining logs for 180 days: The entities covered in scope are required to maintain logs in India for a rolling period of 180 days. This means the companies need to look at their log management policies, logging capabilities of devices and applications while ensuring secure log storage, and accessibility.
• Retention of data for >5 years: The Directions require virtual private server providers and VPN service providers, data centres and cloud service providers to collect certain information in relation to customer accounts and store it for at least five years after such accounts are closed. For entities which deal with virtual assets, including virtual asset service providers, virtual asset exchange providers and custodian wallet providers, the Directions create a mandatory KYC regime, requiring these entities to maintain KYC data for a period of five years.
• Reporting cyber incidents in six hours to CERT-In: Entities covered in scope are mandatorily required to report cyber security incidents to CERT-In within six hours of noticing such incidents or being brought to notice about such incidents. Reportable incidents under the Directions include unauthorised access to systems, data breaches, data leaks, malicious code attacks, identity thefts, spooling or phishing attacks, attacks affecting applications/software relating to big data, blockchain, virtual assets, custodian wallets and unauthorised access to social media accounts.
• Synchronization of time clocks: The Directions require entities to connect to Network Time Protocol (NTP) servers of National Informatics Centre (NIC) and synchronise all ‘ICT system’ clocks. Entities with infrastructure across several geographies can use other standard time sources, but such standard cannot deviate from NTP. For servers and infrastructure outside India, the time can be synced with the nearest server having atomic time.

So, has the directive gone too far in its intent to secure against cybersecurity breaches? Only time will tell. However, one key concern aside from the stringency of the directions is the potential conundrum that Indian organisations will face – of tools and cybersecurity expertise needed to comply with CERT-In’s requirements. With a shortfall of much needed talent in this space, complying with these regulations is likely to be an uphill battle in the months to come.

CERT-In however has extended the implementation deadline to Sep 25, 2022 from the originally stated June 27, 2022. The extension will enable organizations to prepare for the associated operational and technical requirements mandated by the new directive.

How can SISA help?

As it’s a new initiative and requires all the Indian entities to comply with it, there is a lack of understanding and awareness on how to meet these guidelines. Besides the four key requirements listed above, CERT-In is also identifying malicious communication/s being generated from the client network after which clients are required to share the data with CERT-In, conduct investigation and report back within five working days. The larger objective is to capture the Indicator of Compromise (IOCs) and Threat Vectors of each incident and create an Intel database that could be used for securing the country’s cyber space.

SISA, as a leading global PFI and an empaneled CERT-In auditor, can help organizations by consulting and guiding them on how to comply with the new guidelines. SISA’s expertise in digital forensics and incident response can aid organizations to minimize the compliance burden, reduce TCO for storing ICT logs and simplify reporting of incidents.

• SISA Forensic Readiness Audit can help evaluate level of preparedness to detect and contain a breach, capture relevant logs, and create a minimum set of Use Cases.
• SISA Forensic Retainer Service can help in reporting the incidents to CERT-In and in containing them.
• SISA MDR solution can help in incident identification and storage of ICT logs with minimal TCO using a common infrastructure.
• SISA Incident Response Service can help identify, investigate and respond to breaches faster using forensic-based intelligence.
• SISA Ransomware Prevention Services can help organizations prepare for and prevent ransomware attacks through continuous improvement and learning.