The Indian Computer Emergency Response Team (CERT-In), the government's main agency for cybersecurity matters, recently released a renewed set of guidelines on Information Security Practices for Government bodies. Malicious actors often target the infrastructure of government bodies, making it crucial to establish a prioritised baseline for cybersecurity measures and controls within these organisations and their associated bodies.
CERT-In's prime objective with these guidelines is to assist security teams in implementing essential controls and procedures that protect their cyber infrastructure from prevalent threats. These new guidelines complement the cybersecurity guidelines issued by CERT-In in April 2022, which apply to all Government Sectors, both private and public. The previous guidelines covered various aspects, including the timeframe for reporting cybersecurity incidents, synchronisation of system clocks, maintenance of logs, as well as handling of customer information for crypto exchanges, VPNs, cloud service providers, and data centres.

What are the New Cybersecurity Guidelines for Government Bodies?

1. Appointment of Chief Information Security Officer (CISO):

   It is essential for all government bodies to appoint a CISO and share the relevant information about the executive with CERT-In. Alongside the CISO, a dedicated cybersecurity team should be formed. Additionally, the organisation needs to develop a cybersecurity policy and clearly define the roles and responsibilities of the CISO and the cybersecurity team.



2. Audits and Development of Cyber Resiliency Plans:

   Regular audits of the entire information and communication technology (ICT) infrastructure should be conducted within government organisations. Internal audits need to be performed every six months, while external audits should take place annually. These audits should include comprehensive vulnerability and threat assessments. Furthermore, the organisation should establish plans for cyber resiliency, such as a Business Continuity Plan (BCP) and a Disaster Recovery (DR) plan. These plans should cover various aspects, including preventing cybersecurity incidents, promptly identifying and assessing incidents in terms of severity, scope, and type, mitigating the impact of incidents, and facilitating recovery from incidents.



3. Enhancement of Cybersecurity Awareness:

   Updated CERT-In guidelines emphasise government bodies must prioritise cybersecurity awareness by conducting regular awareness programs. These programs should educate end users about common cyber threats, such as phishing campaigns and social engineering techniques, as well as inform them about their roles and responsibilities in maintaining cybersecurity. It is crucial to provide cybersecurity training to new employees as part of their induction, and all employees should receive such training every six months.



4. Social Media Security Measures:

   • Restrict access to official social media accounts to authorised individuals and systems.
   • Implement role-based accounts with appropriate privileges for social media management.
   • Use dedicated email accounts and separate credentials for social media and email accounts (avoid using personal email).
   • Enable multi-factor authentication for social media accounts.
   • Ensure content on social media is approved by authorised personnel.
   • Disable location access on official social media platforms.
   • Keep social media apps updated to the latest version.
   • Enable logs to monitor login attempts from untrusted devices or unusual geographical regions, and set up alerts for such attempts.
   • Exercise caution when using third-party apps for social media management.



5. Network Security Measures:

   • Define network architecture, including the perimeter, and limit traffic to essential business needs.
   • Utilise firewalls with default deny settings and whitelist authorised services.
   • Use Virtual Private Network (VPN) for remote network access.
   • Implement network intrusion detection/prevention systems.
   • Employ web and email filters to scan for malicious domains, sources, and attachments.
   • Set up internal DNS servers for all network segments.
   • Block communication with malicious IPs and domains identified by CERT-In and security agencies.
   • Classify networks and restrict data movement between different classifications.
   • Prohibit wireless equipment on computers handling sensitive information.
   • Enable logging on all devices.
   • Deploy DDoS mitigation devices and services.
   • Change all preset credentials and configurations during setting up.
   • Block access to all kinds of remote desktop applications such as Anydesk, Teamviewer, etc.
   • Restrict Bring Your Own Device (BYOD), no personal devices should be allowed without authorization by the Network Administrator.
   • Use Mobile Device Management (MDM) solutions for remotely managing devices.
   • Important and sensitive areas should be under surveillance through CCTV cameras.


6. User Access and Authentication Measures

   • Assign unique IDs to all employees and grant access privileges based on operational roles and requirements.
   • Implement multi-factor authentication (MFA) whenever possible.
   • Enforce strong passwords, with a minimum length of 8 characters, including a mix of uppercase letters, lowercase letters, numbers, and special characters. Passwords should be altered within 120 days.
   • Change default login credentials on devices (routers, firewalls, storage equipment) before deployment.
   • Terminate active user sessions after 15 minutes of inactivity.
   • Regularly review accounts for unauthorised access attempts, abuse of privileges, or suspicious activities.
   • Immediately deactivate user access upon employment termination, non-compliance, or suspicious behaviour.
   • Integrate single sign-in for government users with approved platforms (e-Pramaan, Parichay/Janparichay, DigiLocker).
   • Establish an Acceptable Usage Policy that users must adhere to.
   • Prohibit the use of open proxies, Tor, or free third-party VPN services for remote access.



7. Application Security Measures:

   • Safeguard citizen data privacy throughout the application life cycle.
   • Incorporate security measures at every stage of software development, deployment, and maintenance.
   • Enable "https" and use valid SSL/TLS Certificates for all websites and applications.
   • Conduct regular application security testing, vulnerability assessments, and penetration testing (at least annually).
   • Implement security measures for securing Application Program Interfaces (APIs).
   • Address the OWASP Mobile Top 10 vulnerabilities in mobile applications.
   • Encrypt secret keys used by mobile applications.
   • Avoid storing user data in unencrypted/plain-text form on mobile devices.
   • Request only necessary permissions from users for essential functions of mobile applications.



8. Data Security Measures:

   • Identify and encrypt sensitive or personal data both during transit and while at rest.
   • Install alerting and detection tools to prevent data breaches.
   • Implement regular data backups, ensuring business-critical data is backed up and stored separately from servers.



9. Third-Party Access and Outsourcing Policies:

   • Restrict third-party access and share information only after signing a Non-Disclosure Agreement.
   • Establish contracts for outsourced work that specify information security requirements and monitor compliance.
   • Ensure vendors protect collected and processed data and obtain explicit consent before sharing it.



10. Security Measures for Cloud Services:

    • The CERT-In Guidelines assess and implement appropriate security policies for testing, staging, and backup environments hosted on cloud services.
    • Prevent data leaks by ensuring proper configurations of cloud servers and storage.



11. Hardening Procedures:

    • Secure desktops by using genuine software, reputable antivirus, and Endpoint Detection and Response (EDR) software.
    • Configure printers connected to the network securely, disable default credentials and unused services and update firmware regularly.
    • Safeguard email services with dedicated servers, encrypted connections, and relevant security standards.
    • Protect database servers in secure environments, separate them from application or web servers, restrict user privileges, and encrypt sensitive information.

Alongside these CERT-In guidelines for government bodies, the National Informatics Centre has also released guidelines for cybersecurity measures, as part of the same document. These guidelines are directed to Chief Information Security Officers of Central Government ministries and departments and for the policies of other government employees.