On 28th April 2022, Indian Computer Emergency Response Team (CERT-In)* issued the following directions relating to information security practices, procedures, prevention, response, and reporting of cyber incidents for safe & trusted internet:
On Reporting Cyber Incidents
CERT-In directed all service providers, intermediaries, data centres, body corporate, and government organisations to report cyber incidents to CERT-In within 6 hours of noticing such incidents or being brought to notice about such incidents. Cyber security incidents that need to be mandatorily reported to CERT-In include:
- Unauthorised access of IT systems/data
- Malicious code attacks such as spreading of virus/Trojan/Bots/ Spyware
- Fake mobile apps
- Unauthorised access to social media accounts
The incidents can be reported to CERT-In via email, phone, and fax.
On Maintaining ICT System Logs
CERT-In directed all service providers, intermediaries, data centres, body corporate, and government organizations to enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days within the Indian jurisdiction.
On Connecting to the Network Time Protocol (NTP) Server of National Informatics Centre (NIC)
CERT-In directed all service providers, intermediaries, data centres, body corporate, and government organizations to connect to the NTP Server of NIC or National Physical Laboratory or with NTP servers traceable to these NTP servers, for synchronisation of all their ICT systems clocks.
On Assisting CERT-In
When required by CERT-IN for cyber incident response, service providers, intermediaries, data centres, and body corporates must take action and provide assistance to CERT-In for cyber security mitigation actions and enhanced cyber security situational awareness. The organizations must also designate a Point of Contact to interface with CERT-In and send the information of the Point of Contact to CERT-In in the format prescribed in the directions.
On Registration of Data Centres, Cloud Service Providers and Virtual Private Network (VPN) Service Providers
Data centres, Virtual Private Server providers, cloud service providers, and VPN service providers shall register accurate information on their IP address, names of subscribers/ customers, period, and purpose of hiring the service, etc. and maintain it for a period of 5 years or longer after cancellation or withdrawal of their registration.
On Maintaining Information Obtained as part of Know Your Customer (KYC)
Virtual asset service providers, virtual asset exchange providers and custodian wallet providers shall maintain all information obtained as part of KYC and records of financial transactions for a period of 5 years.
Effective Date
The directions will be effective after 60 days from the date of issuance.
*As per Section 70B of the IT Act, 2000, CERT-In serves as the national agency for the collection, analysis, and dissemination of information on cyber incidents and undertaking emergency measures for handling cyber security incidents.