
Call for Inputs: CERT-IN's Directions on Safe and Trusted Internet

May 11, 2022

On 28th April 2022, the Indian Computer Emergency Response Team (CERT-IN) issued a set of directions on information security practices and security incident reporting aimed at building "a safe and trusted internet". These directions are available here.

Overarching legal framework

These directions are issued by CERT-IN in pursuance of its powers under Section 70B of the Information Technology Act, 2000. Under Section 70B(6), the agency is empowered to call for information from, and give directions to, "the service providers, intermediaries, data centres, body corporate and any other person".

It is worth noting that the directions reference several terms that are defined in the IT Act as well as in a set of rules issued in 2013 on the manner in which CERT-IN is to perform its functions and duties. The 2013 rules are available here. The directions should be read together with these rules.

Objective of the directions

As per the directions, entities reporting security incidents often do not have readily available the information required to respond to, investigate or analyse such incidents. CERT-IN has issued these directions to address this gap. Based on a review of the document, we see two categories of directions: general directions applicable to all covered entities, and specific directions applicable to particular classes of service providers.

A. General directions: applicable to "all service providers, intermediaries, data centres, body corporate and Government organisations". A brief summary of the requirements applicable to these entities is given below.

  1. Time synchronisation: These entities must connect to the Network Time Protocol (NTP) servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or to NTP servers traceable to these servers, for synchronisation of all their ICT system clocks.
  2. Incident reporting: These entities must mandatorily report all cyber incidents listed in Annexure I to the directions to CERT-IN within 6 hours of noticing such incidents or of being brought to notice about them. The list includes over 20 items.
  3. Provision of information and assistance: CERT-IN may, "for the purposes of cyber incident response, protective and preventive actions related to cyber incidents", require these entities by order or direction to "take action or provide information or any such assistance, which may contribute towards cyber security mitigation actions and enhanced cyber security situational awareness."
  4. Point of contact: These entities must designate a point of contact (POC) to interface with CERT-IN. Information on the POC appointed must be shared with CERT-IN in accordance with Annexure II.
  5. Maintenance of logs: These entities must mandatorily enable logs of all their ICT systems and maintain them securely within India for a rolling period of 180 days. These logs are to be provided along with any incident report, or whenever CERT-IN orders or directs them to be provided.

B. Specific directions applicable to "data centres, virtual private server, cloud service provider and virtual private network service providers", whereby these entities are to register and store information on their subscribers for at least 5 years. The information to be maintained includes:

  1. Validated names of subscribers/customers hiring the services
  2. Period of hire including dates
  3. IPs allotted to / being used by the members
  4. Email address and IP address and time stamp used at the time of registration / on-boarding
  5. Purpose for hiring services
  6. Validated address and contact numbers
  7. Ownership pattern of the subscribers / customers hiring service

C. Specific directions applicable to "virtual asset service providers, virtual asset exchange providers and custodian wallet providers", whereby these entities are to keep and store all information obtained as part of Know Your Customer (KYC) checks, along with records of financial transactions, for a period of 5 years "so as to ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets." This requirement is to be read in conjunction with Annexure III.

The directions state that they shall come into force 60 days from the date of issue, that is, on 27th June 2022.

We are currently analysing these directions. In this regard, we request you to kindly share your detailed inputs, with suitable justifications, with us on or before May 16th, 2022. Please send your inputs to varun@nasscom.in and apurva@nasscom.in.

Varun Sen Bahl
Manager - Public Policy

Reach out to me for all things about data regulation, cybersecurity policy, and internet governance.