Directions Relating To Information Security Practices, Procedure, Prevention, Response And Reporting Of Cyber Incidents For Safe & Trusted Internet In India



Article by Vijay Pal Dalmia, Advocate, Supreme
Court of India and Delhi High Court, Partner & Head of
Intellectual Property Laws Division, Vaish Associates Advocates,
India

The Indian Computer Emergency Response Team (CERT-In) serves as
the national agency for performing various functions in the area of
cyber security in the country as per provisions of section 70B
of the Information Technology Act, 2000
(https://www.cert-in.org.in/PDF/Notification_regarding_CERT-In.pdf)
and (https://www.cert-in.org.in/PDF/G.S.R_20(E).pdf).

CERT-In continuously analyses cyber threats and handles cyber
incidents tracked and reported to it. CERT-In regularly issues
advisories to organisations and users to enable them to protect
their data/information and ICT infrastructure.

In order to coordinate response activities as well as emergency
measures with respect to cyber security incidents, CERT-In calls
for information from service providers, intermediaries, data
centres and body corporate.

During the course of handling cyber incidents and interactions
with the constituency, CERT-In has identified certain gaps causing
hindrance in incident analysis. To address the identified gaps and
issues so as to facilitate incident response measures, CERT-In has
issued directions relating to information security practices,
procedure, prevention, response and reporting of cyber incidents
under the provisions of sub-section (6) of section 70B of the
Information Technology Act, 2000
(https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf).

The directions cover aspects relating to synchronization of ICT
system clocks; mandatory reporting of cyber incidents to CERT-In;
maintenance of logs of ICT systems; subscriber/customer
registration details by Data centers, Virtual Private Server (VPS)
providers, VPN Service providers, Cloud service providers; KYC
norms and practices by virtual asset service providers, virtual
asset exchange providers and custodian wallet providers. These
directions may be accessed from
https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf.

The Central Government in terms of the provisions of sub-section
(1) of section 70B of Information Technology (IT) Act, 2000 (IT
Act, 2000) has appointed “Indian Computer Emergency Response
Team (CERT-In)” vide notification dated 27th October 2009
published in the official Gazette and as per provisions of
sub-section (4) of section 70B of IT Act, 2000. The Indian Computer
Emergency Response Team serves as the national agency for
performing the following functions in the area of cyber
security:-

  • collection, analysis and dissemination of information on cyber
    incidents;

  • forecast and alerts of cyber security incidents;

  • emergency measures for handling cyber security incidents;

  • coordination of cyber incidents response activities;

  • issue guidelines, advisories, vulnerability notes and
    whitepapers relating to information security practices, procedures,
    prevention, response and reporting of cyber incidents;

  • such other functions relating to cyber security as may be
    prescribed.

As per provisions of sub-section (6) of section 70B of the IT
Act, 2000, CERT-In is empowered and competent to call for
information and give directions to the service providers,
intermediaries, data centres, body corporate and any other person
for carrying out the activities enshrined in sub-section (4) of
section 70B of the IT Act, 2000.

Various instances of cyber incidents and cyber security
incidents have been and continue to be reported from time to time.
In order to coordinate response activities as well as emergency
measures with respect to cyber security incidents, primary
information is essential to carry out the analysis, investigation
and coordination as per the process of law, yet the requisite
information is sometimes either not available or not readily
available with service providers/data centres/body corporate.

In the interest of

  • the sovereignty or integrity of India,

  • defence of India,

  • security of the state,

  • friendly relations with foreign states or

  • public order or

  • for preventing incitement to the commission of any cognizable
    offence using computer resource or

  • for handling of any cyber incident,

the following directions have been issued to augment and
strengthen the cyber security in the country:

  1. All

    • service providers,

    • intermediaries,

    • data centres,

    • body corporate and

    • Government organisations


    shall connect to the Network Time Protocol (NTP) Server of
    National Informatics Centre (NIC) or National Physical Laboratory
    (NPL) or with NTP servers traceable to these NTP servers, for
    synchronisation of all their ICT systems clocks.


    Entities having ICT infrastructure spanning multiple geographies
    may also use accurate and standard time source other than NPL and
    NIC, however it is to be ensured that their time source shall not
    deviate from NPL and NIC.


  2. Any service provider, intermediary, data centre, body
    corporate and Government organisation shall mandatorily report
    cyber incidents as mentioned in Annexure I to CERT-In within 6
    hours of noticing such incidents or being brought to notice about
    such incidents.

    The incidents can be reported to CERT-In via
    email at [email protected], or by
    phone at (1800-11-4949) or by
    fax (1800-11-6969).

    The format of reporting of cyber security incidents can be accessed
    from https://www.cert-in.org.in/PDF/certinirform.pdf.

    The method of reporting may be accessed from https://www.cert-in.org.in/SecurityIncident.jsp


  3. When required by order/direction of CERT-In, for the purposes
    of cyber incident response, protective and preventive actions
    related to cyber incidents, the service provider/intermediary/data
    centre/body corporate is mandated to take action or provide
    information or any such assistance to CERT-In, which may contribute
    towards cyber security mitigation actions and enhanced cyber
    security situational awareness.

    1. The order/direction may include the format of the information
      that is required (up to and including near real-time), and a
      specified timeframe in which it is required, which should be
      adhered to and compliance provided to CERT-In, else it would be
      treated as non-compliance of this direction.

    2. The service providers, intermediaries, data centres, body
      corporate and Government organisations shall designate a
      Point of Contact to interface with CERT-In.

    3. The information relating to a Point of Contact shall be sent to
      CERT-In in the format specified at Annexure II and shall be updated
      from time to time.

    4. All communications from CERT-In seeking information and
      providing directions for compliance shall be sent to the said Point
      of Contact.


  4. All service providers, intermediaries, data centres, body
    corporate and Government organisations shall,

    1. mandatorily enable logs of all their ICT systems, and

    2. maintain them securely for a rolling period of 180 days,
      and

    3. the same shall be maintained within the Indian
      jurisdiction.


    These should be provided to CERT-In along with reporting of any
    incident or when ordered/directed by CERT-In.


  5. All

    • Data Centres,

    • Virtual Private Server (VPS) providers,

    • Cloud Service providers, and

    • Virtual Private Network Service (VPN Service) providers,


    shall be required to register the following accurate information,
    which must be maintained by them for a
    period of 5 years or longer duration as mandated by the law after
    any cancellation or withdrawal of the registration as the case may
    be:


    1. Validated names of subscribers/customers hiring the
      services

    2. Period of hire including dates

    3. IPs allotted to / being used by the members

    4. Email address and IP address and time stamp used at the time of
      registration / on-boarding

    5. Purpose for hiring services

    6. Validated address and contact numbers

    7. Ownership pattern of the subscribers / customers hiring
      services.


  6. The

    1. virtual asset service providers,

    2. virtual asset exchange providers and

    3. custodian wallet providers (as defined by Ministry of Finance
      from time to time)


    shall mandatorily maintain all information obtained

    1. as part of Know Your Customer (KYC) and

    2. records of financial transactions for a period of five
      years


    so as to ensure cyber security in the area of payments and
    financial markets for citizens while protecting their data,
    fundamental rights and economic freedom in view of the growth of
    virtual assets.


  7. For the purpose of KYC,

    1. the Reserve Bank of India (RBI) Directions 2016
      (https://www.rbi.org.in/CommonPerson/english/scripts/notification.aspx?id=2607),

    2. Securities and Exchange Board of India (SEBI) circular dated
      April 24, 2020
      (https://www.sebi.gov.in/legal/circulars/apr-2020/clarification-on-know-your-client-kyc-process-and-use-of-technology-for-kyc_46565.html),

    3. Department of Telecom (DoT) notice September 21, 2021 mandated
      procedures as amended from time to time may be referred to as per
      Annexure III
      (https://dot.gov.in/sites/default/files/eKYC%2021-09-2021.pdf?download=1).


  8. With respect to transaction records, accurate information shall
    be maintained in such a way that individual transactions can be
    reconstructed along with the relevant elements comprising, but
    not limited to, information relating to the identification of the
    relevant parties including IP addresses along with timestamps and
    time zones, transaction ID, the public keys (or equivalent
    identifiers), addresses or accounts involved (or equivalent
    identifiers), the nature and date of the transaction, and the
    amount transferred.

‘Cyber incident’ means any real or
suspected adverse event that is likely to cause or causes an
offence or contravention, harm to critical functions and services
across the public and private sectors by impairing the
confidentiality, integrity or availability of electronic
information, systems, services or networks resulting in
unauthorized access, denial of service or disruption, unauthorized
use of a computer resource, changes to data or information without
authorization; or threatens public safety, undermines public
confidence, have a negative effect on the national economy, or
diminishes the security posture of the nation. (Rule 2(g) of the
Information Technology (The Indian Computer Emergency Response
Team and Manner of performing functions and duties) Rules, 2013,
https://www.meity.gov.in/writereaddata/files/G_S_R%2020%20%28E%292_0.pdf)

‘Cyber security incident’ means any
real or suspected adverse event in relation to cyber security that
violates an explicitly or implicitly applicable security policy
resulting in unauthorized access, denial of service or disruption,
unauthorized use of a computer resource for processing or storage
of information or changes to data, information without
authorization. (Rule 2(h) of the Information Technology (The
Indian Computer Emergency Response Team and Manner of performing
functions and duties) Rules, 2013,
https://www.meity.gov.in/writereaddata/files/G_S_R%2020%20%28E%292_0.pdf)

‘Computer resource’ means computer,
computer system, computer network, data, computer data base or
software. (Section 2(k) of the IT Act, 2000,
https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf)

In case of any incident, the above-referred entities must
furnish the details as called for by CERT-In. The failure to
furnish the information or non-compliance with the ibid.
directions, may invite punitive action under sub-section (7) of
section 70B of the IT Act, 2000 and other laws as
applicable (see footnote 1).

By

Vijay Pal Dalmia, Advocate

Supreme Court of India & Delhi High
Court

[email protected]

Mobile No.: +91 9810081079

LinkedIn: https://www.linkedin.com/in/vpdalmia/

Facebook: https://www.facebook.com/vpdalmia

Twitter: @vpdalmia

Footnote

1 (7) Any service provider, intermediaries, data centres,
body corporate or person who fails to provide the information
called for or comply with the direction under sub-section (6),
shall be punishable with imprisonment for a term which may extend
to one year or with fine which may extend to one lakh rupees or
with both.

© 2020, Vaish Associates Advocates,

All rights reserved

Advocates, 1st & 11th Floors, Mohan Dev Building 13, Tolstoy
Marg New Delhi-110001 (India).

The content of this article is intended to provide a general
guide to the subject matter. Specialist professional advice should
be sought about your specific circumstances. The views expressed in
this article are solely of the authors of this article.

https://www.mondaq.com/india/it-and-internet/1190932/directions-relating-to-information-security-practices-procedure-prevention-response-and-reporting-of-cyber-incidents-for-safe-trusted-internet-in-india
