The Indian government has issued new guidelines requiring organizations to report cybersecurity incidents to CERT-IN within six hours, even if it is a port scan or vulnerability scan.
This guide, promoted by the Computer Emergency Response Team of India (CERT-In), identifies gaps that pose difficulties in analyzing and responding to security incidents, and the need to take more proactive steps to address them.
These measures and various other provisions will be published and become part of Indian law and will take effect in 60 days.
Immediate notification of incidents
Most notably, Internet service providers, intermediaries, data centers, and government agencies must now report these incidents to CERT-In within six hours of becoming aware of them.
This also applies to incidents reported to these agencies by third parties, so these service providers must ensure that information received is not lost or ignored and is processed and evaluated in a timely manner.
The types of cybersecurity incidents that must be reported to CERT-In are:
- Targeted scanning/probing of critical networks/systems
- Compromise of critical systems/information
- Unauthorized access to IT systems/data
- Defacement of or intrusion into a website, and unauthorized changes such as inserting malicious code or links to external websites, etc.
- Malicious code attacks such as the spreading of viruses/worms/trojans/bots/spyware/ransomware/cryptominers
- Attack on servers such as database, mail, and DNS and network devices such as Routers
- Identity Theft, spoofing, and phishing attacks
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
- Attacks on Critical infrastructure, SCADA and operational technology systems, and Wireless networks
- Attacks on applications such as E-Governance, E-Commerce, etc.
- Data Breach
- Data Leak
- Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers
- Attacks or incidents affecting Digital Payment systems
- Attacks through Malicious mobile Apps
- Fake mobile Apps
- Unauthorized access to social media accounts
- Attacks or malicious/suspicious activities affecting cloud computing systems/servers/software/applications
- Attacks or malicious/suspicious activities affecting systems/servers/networks/software/applications related to Big Data, Blockchain, virtual assets, virtual asset exchanges, custodian wallets, robotics, 3D and 4D Printing, additive manufacturing, and drones
To make incident timelines comparable across organizations, covered entities must synchronize their system clocks with an NTP server of the National Institute of Informatics (NIC) or the National Physical Laboratory (NPL).
All system logs of the aforementioned service providers must also be securely maintained for a rolling period of 180 days within Indian jurisdiction, and must be provided to CERT-In together with any security incident report or whenever the agency requests them.
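The clock-synchronization and 180-day log-retention requirements above are the two that a defender can check mechanically. The following added example (written for this page, not code from CERT-In or any cited provider) parses the key/value output of `chronyc tracking` to confirm the host is disciplined by an approved source with a small offset, and walks a rolling 180-day window of daily log archives to list the days that are missing. The NTP addresses, the offset tolerance and the archive dates are constructed placeholders; the directions themselves name no tolerance.

```python
"""Added example: self-checks for NTP synchronization and 180-day log retention.
The NTP server addresses below are placeholders (RFC 5737 documentation range);
replace them with the NIC/NPL servers your organization actually uses."""
import re
from datetime import date, datetime, timedelta

ALLOWED_NTP_SOURCES = {"203.0.113.10", "203.0.113.11"}  # constructed placeholders
RETENTION_DAYS = 180                      # rolling window required by the directions
REPORT_WINDOW = timedelta(hours=6)        # reporting deadline after becoming aware
MAX_OFFSET_SECONDS = 0.5                  # assumed local tolerance, not set by CERT-In

# Constructed sample of `chronyc tracking` output, in the real tool's format.
SAMPLE_TRACKING = """\
Reference ID    : CB00710A (203.0.113.10)
Stratum         : 2
Ref time (UTC)  : Mon Apr 25 10:00:00 2022
System time     : 0.000212345 seconds fast of NTP time
Last offset     : +0.000001234 seconds
RMS offset      : 0.000003456 seconds
Frequency       : 1.234 ppm slow
Residual freq   : +0.001 ppm
Skew            : 0.012 ppm
Root delay      : 0.001234567 seconds
Root dispersion : 0.000123456 seconds
Update interval : 64.2 seconds
Leap status     : Normal
"""


def parse_chronyc_tracking(text: str) -> dict:
    """Split each `Key : value` line of chronyc tracking output into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def clock_sync_status(tracking_text: str):
    """Return (ok, problems): ok is True only if the reference source is approved,
    the offset is within tolerance and chrony reports a normal leap status."""
    fields = parse_chronyc_tracking(tracking_text)
    problems = []
    src = re.search(r"\(([^)]+)\)", fields.get("Reference ID", ""))
    source = src.group(1) if src else ""
    if source not in ALLOWED_NTP_SOURCES:
        problems.append(f"reference source {source!r} is not an approved NIC/NPL server")
    off = re.match(r"([\d.]+) seconds (fast|slow)", fields.get("System time", ""))
    if not off:
        problems.append("could not read the system time offset")
    elif float(off.group(1)) > MAX_OFFSET_SECONDS:
        problems.append(f"clock is {off.group(1)} s {off.group(2)} of NTP time")
    if fields.get("Leap status") != "Normal":
        problems.append(f"leap status is {fields.get('Leap status')!r}")
    return (not problems, problems)


def retention_gaps(archived_days, today: date, days: int = RETENTION_DAYS) -> list:
    """Dates inside the rolling window [today - days + 1, today] with no archive,
    oldest first. Archives older than the window are ignored, not rewarded."""
    have = set(archived_days)
    window = [today - timedelta(days=i) for i in range(days - 1, -1, -1)]
    return [d for d in window if d not in have]


def reporting_deadline(aware_at: datetime) -> datetime:
    """Latest time at which CERT-In must have been notified."""
    return aware_at + REPORT_WINDOW


if __name__ == "__main__":
    ok, problems = clock_sync_status(SAMPLE_TRACKING)
    print("clock sync ok" if ok else "clock sync problems: " + "; ".join(problems))
    today = date(2022, 6, 28)  # constructed
    archives = {today - timedelta(days=i) for i in range(RETENTION_DAYS)}
    archives.discard(today - timedelta(days=100))  # simulate one lost archive
    print("missing archive days:", retention_gaps(archives, today))
    print("report by:", reporting_deadline(datetime(2022, 6, 28, 9, 30)))
```

Run it on a real host by feeding `subprocess.run(["chronyc", "tracking"], capture_output=True, text=True).stdout` into `clock_sync_status` and the set of dates present in your archive store into `retention_gaps`; a non-empty gap list means the 180-day obligation cannot currently be met for those days.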
User data retention
The new guidelines also include sections on VPS (Virtual Private Server) and VPN (Virtual Private Network) service providers, which will now be required to retain user records.
The retention period is 5 years from the cancellation or withdrawal of the user's registration, or longer if mandated by future regulations.
The records to be retained are:
- Validated name of the subscriber/customer using the service
- Period of hire, including dates
- IP addresses assigned to or used by the subscriber
- Email address, IP address and time stamp used at the time of registration/start of use
- Purpose for using the service
- Validated address and contact information
- Ownership pattern of the subscriber/customer using the service
Virtual asset (cryptocurrency) service providers, including exchanges and wallet management services, will likewise retain customer information for at least five years going forward.