The Central Government in terms of the provisions of sub-section (1) of section 70B of the Information Technology Act, 2000 (“IT Act, 2000”) has appointed “Indian Computer Emergency Response Team (CERT-In)” on 27th October 2009 under the provisions of sub-section (4) of section 70B of IT Act, 2000 and notified the Information Technology (The Indian Computer Emergency Response Team and Manner of performing functions and duties) Rules, 2013 on 16.01.2014.
That recently, CERT-In has issued directions under sub-section (6) of section 70B of the Information Technology Act, 2000 relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet to augment and strengthen the cyber security in the country.
Service providers, intermediaries, data centres, body corporate, government organizations, Virtual Private Server (VPS) providers, Cloud Service providers, Virtual Private Network Service, virtual asset service providers, virtual asset exchange providers, and custodian wallet providers are all required to comply with the obligatory directions. Failure to adhere to these directives may result in penalties or other forms of punishment. The aim of these measures is to ensure information security and mitigate the risk of non-compliance.
The directions will become effective after 27th June 2022. The directions are as under:
Synchronization of the systems clocks
All service providers, intermediaries, data centres, body corporate and Government organisations shall connect to the Network Time Protocol (NTP) Server of National Informatics Centre (NIC) or National Physical Laboratory (NPL) or with NTP servers traceable to these NTP servers, for synchronization of all their ICT systems clocks.
Entities having ICT infrastructure spanning multiple geographies may also use accurate and standard time source other than NPL and NIC, however it is to be ensured that their time source shall not deviate from NPL and NIC
Reporting of cyber incidents within 6 hours
Any service provider, intermediary, data centre, body corporate and Government organisation shall mandatorily report cyber incidents the below mentioned following cyber incidents within 6 hours of noticing such incidents or being brought to notice about such incidents:
- Targeted scanning/probing of critical networks/systems
- Compromise of critical systems/information
- Unauthorised access of IT systems/data
- Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious code, links to external websites etc.
- Malicious code attacks such as spreading of virus/worm/Trojan/Bots/ Spyware/Ransomware/Cryptominers
- Attack on servers such as Database, Mail and DNS and network devices such as Routers
- Identity Theft, spoofing and phishing attacks
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
- Attacks on Critical infrastructure, SCADA and operational technology systems and Wireless networks
- Attacks on Application such as E-Governance, E-Commerce etc.
- Data Breach
- Data Leak
- Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers
- Attacks or incident affecting Digital Payment systems
- Attacks through Malicious mobile Apps
- Fake mobile Apps
- Unauthorised access to social media accounts
- Attacks or malicious/ suspicious activities affecting Cloud computing systems/servers/software/applications
- Attacks or malicious/suspicious activities affecting systems/ servers/ networks/ software/ applications related to Big Data, Block chain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones
Compliance of order or direction issued by CERT-IN
When required by order/direction of CERT-In, for the purposes of cyber incident response, protective and preventive actions related to cyber incidents, the service provider/intermediary/data centre/body corporate is mandated to take action or provide information or any such assistance to CERT-In, which may contribute towards cyber security mitigation actions and enhanced cyber security situational awareness.
Point of Contact
The service providers, intermediaries, data centres, body corporate and Government organisations shall designate a Point of Contact to interface with CERT-In.
The Information relating to a Point of Contact shall be sent to CERT-In in the format specified with the present directions and shall be updated from time to time.
All communications from CERT-In seeking information and providing directions for compliance shall be sent to the said Point of Contact.
Enabling of logs and preservation for 180 days
All service providers, intermediaries, data centres, body corporate and Government organisations shall mandatorily enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days and the same shall be maintained within the Indian jurisdiction.
These should be provided to CERT-In along with reporting of any incident or when ordered / directed by CERT-In.
Registration of information
Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers, shall be required to register the following accurate information which must be maintained by them for a period of 5 years or longer duration as mandated by the law after any cancellation or withdrawal of the registration as the case may be:
a. Validated names of subscribers/customers hiring the services
b. Period of hire including dates
c. IPs allotted to / being used by the members
d. Email address and IP address and time stamp used at the time of registration / on-boarding
e. Purpose for hiring services
f. Validated address and contact numbers
g. Ownership pattern of the subscribers / customers hiring services
Obligation on virtual asset service providers
The virtual asset service providers, virtual asset exchange providers and custodian wallet providers (as defined by Ministry of Finance from time to time) shall mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of five years so as to ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets.
With respect to transaction records, accurate information shall be maintained in such a way that individual transaction can be reconstructed along with the relevant elements comprising of, but not limited to, information relating to the identification of the relevant parties including IP addresses along with timestamps and time zones, transaction ID, the public keys (or equivalent identifiers), addresses or accounts involved (or equivalent identifiers), the nature and date of the transaction, and the amount transferred.
Penalty
Any non-compliance with the any of the above directions or failure to provide information shall be punishable with imprisonment for a term which may extend to one year or with fine which may extend to one lakh rupees or with both.
The notification can be accessed at below link:
https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf