The Indian Computer Emergency Response Team (CERT-In) is the national agency for performing various functions in the area of cyber security in the country as per provisions of section 70B of the Information Technology Act 2000. CERT-In is an arm of the Ministry of Electronics and Information Technology (MeitY) which deals with cyber security threats and is tasked with security-related defence of the Indian geography. CERT-In continuously analyses cyber threats and also handles cyber incidents reported to it by individuals and various organisations. CERT-In regularly issues advisories to organisations and users to enable them to protect their data/information and Information and Communication Technology (ICT) infrastructure.
According to the CERT-In, this is indeed a challenge because the essential data is not easily accessible with the relevant entities to conduct the analysis and investigation in accordance with the legal process.
Keeping in view the fact that there has been a tremendous increase in cyber attacks targeting key critical infrastructure in the country in recent times, and as per the need of the hour, CERT- In has rolled out significant policy framework to mitigate such threats and incidents. In order to coordinate response activities as well as emergency measures with respect to cyber security incidents, CERT-In calls for information from service providers, intermediaries, data centres and body corporate. The objective of introducing the Directions is to make it easier to track and monitor cyber security events, as well as take appropriate action.
MeitY issues directions vide Notification No. 20(3)/2022-CERT-In dated 28th April 2022 that will be effective from 27th June 2022 that is 60 days from the date of on which these directions are issued.
Salient Features and Key takeaways from the directions are as following –
A. Who is covered? *
- Data Centers
- Body Corporate
- Government Organisations
- Virtual Private Server (VPS) Providers
- Virtual Asset Service Providers
- Virtual Asset Exchange Providers
- Custodian Wallet Providers
- Cloud Service Providers
- Virtual Private Network Service (VPN) Providers
- All Intermediaries
*For each type of Service provider/entity listed above, the nature of activities, task and compliance to be performed shall vary as detailed in the directions issued.
B. Wider Coverage of the categories of cyber security incidents that must be reported
CERT – In had notified – The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules in 2013 to monitor cyber threats of the following nature –
- Targeted scanning/probing of critical networks/systems
- Compromise of critical systems/information
- Unauthorised access of IT systems/data
- Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious codes and links to external websites etc.
- Malicious code attacks such as spreading of virus/ Ransom ware/ Spyware/ Crypto miners/ worm/ Trojan/ Bots
- Attack on servers such as Database, Mail and DNS and network devices such as Routers
- Identity Theft, spoofing and phishing attacks
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
- Attacks on Critical infrastructure, SCADA and operational technology systems and Wireless networks
- Attacks on Application such as E-Governance, E-Commerce etc.
In addition to above list, the following incidents have been added via notification dated 28th April 2022 –
- Data Breach
- Data Leak
- Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers
- Attacks or incident affecting Digital Payment systems
- Attacks through Malicious mobile Apps
- Fake mobile Apps
- Unauthorised access to social media accounts
- Attacks or malicious/ suspicious activities affecting Cloud computing systems/ servers/ software/ applications
- Attacks or malicious/ suspicious activities affecting systems/ servers/ networks/ software/ applications related to Big Data, Block chain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones
- Attacks or malicious/ suspicious activities affecting systems/ servers/software/ applications related to Artificial Intelligence and Machine Learning
C. Mandatory Reporting of Cyber Incidents within 6 Hours
According to the Directions, relevant entities must report cyber security events to the CERT-In within 6 hours of becoming aware of them or being made aware of them. The incidents can be reported to CERT-In via
- Email – email@example.com
- Phone – 1800- 11-4949
- Fax – 1800-11-6969
- Refer website for details on format – www.cert-in.org.in
D. Synchronisation of System Clocks
Entities are required to connect with the following to synchronising their system clocks –
- Network Time Protocol (NTP) Server of National Informatics Centre (NIC) National Physical Laboratory (NPL)
- NTP servers traceable to these NTP servers
- Entities having ICT infrastructure spanning multiple geographies may also use accurate and standard time source other than NPL and NIC, however it is to be ensured that their time source shall not deviate from NPL and NIC
E. To Designate a Point of Contact (PoC)
- The service providers, intermediaries, data centres, body corporate and Government organisations shall designate a Point of Contact to interface with CERT-In.
- The Information relating to a Point of Contact shall be sent to CERT-In in the format specified at Annexure II and shall be updated from time to time.
- All communications from CERT-In seeking information and providing directions for compliance shall be sent to the designated Point of Contact.
F. Maintenance of Logs
All service providers, intermediaries, data centres, body corporate and Government organisations shall
- Mandatorily enable logs of all their ICT systems
- Maintain logs securely for a rolling period of 180 days
- Logs to be maintained within the Indian jurisdiction.
These should be provided to CERT-In along with reporting of any incident or when ordered / directed by CERT-In.
G. Reporting of the following Information to CERT-In
Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers, shall be required to register the following accurate information which must be maintained by them for a period of 5 years or longer duration as mandated by the law after any cancellation or withdrawal of the registration as the case may be:
- Validated names of subscribers/customers hiring the services
- Period of hire including dates
- IPs allotted to / being used by the members
- Email address and IP address and time stamp used at the time of registration / on-boarding
- Purpose for hiring services
- Validated address and contact numbers
- Ownership pattern of the subscribers / customers hiring services
H. Obtaining and Maintaining of information under Know Your Customer Guidelines for Five Years
- The virtual asset service providers, virtual asset exchange providers and custodian wallet providers shall mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of five years so as to ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets.
- For the purpose of KYC, the Reserve Bank of India (RBI) Directions 2016 / Securities and Exchange Board of India (SEBI) circular dated April 24, 2020 / Department of Telecom (DoT) notice September 21, 2021 mandated procedures as amended from time to time may be referred to as per Annexure III.
I. Requirements of Maintaining Transaction Records
With respect to transaction records, accurate information shall be maintained in such a way that individual transaction can be reconstructed along with the relevant elements comprising of, but not limited to, –
- Identification of the relevant parties
- IP addresses
- Timestamps and time zones of transaction
- Transaction ID
- Public keys (or equivalent identifiers)
- Addresses or accounts involved (or equivalent identifiers)
- Nature and date of the transaction
- Amount transferred
Key definitions are to be referred from The Information Technology (The Indian Computer Emergency Response Team and Manner of performing functions and duties) Rules, 2013
Any non compliance in furnishing the information, directions and details may invite punitive action under sub-section (7) of the section 70B of the IT Act, 2000.
- Original copy of Notification No. 20(3)/2022-CERT-In (including Annexure) – Click Here
- For references of Key definitions – The Information Technology (The Indian Computer Emergency Response Team and Manner of performing functions and duties) Rules, 2013 – Click Here
- For reference of penal provisions – IT Act, 2000 – Click Here
Disclaimer: This is an effort by Lexcomply.com to contribute towards improving compliance management regime. User is advised not to construe this service as legal opinion and is advisable to take a view of subject experts.