CERT-In's 6-Hour Mandate: How Practical Is It?Experts Share Their Views on Implementing CERT-In's Mandate
The Indian Computer Emergency Response Team, CERT-In, has mandated that starting June 28, both government and private organizations in the country must inform the agency within six hours of discovering a cybersecurity incident. What do CISOs feel about this, and how are they planning to approach this new requirement? Pushkal Mishra, chief information security officer and head of privacy at Dr Lal PathLabs; Amit Dhawan, CISO and DPO at Quantiphi; and Sameer Anja, COO at Arrka Consulting; share their views.
"I am not sure if CERT-In is expecting enterprises to report all incidents or only the serious ones where actually a breach has happened at a large scale. They need to further refine and define what an incident is," Anja says.
"I use privacy as a guideline to determine seriousness of a breach," Dhawan says. "A breach which can cause a harm to somebody is something I would signify as material. If there is a ransomware attack on an isolated server and that server is down and not using any personal data, I will not call that a material harm."
"Organizations will have to go back to how they have defined an incident in that you add materiality, and this as well you need to define. Only then we can figure out what is worthy enough to be reported," Mishra says.
In a panel discussion with Information Security Media Group, the three also discuss:
- The practical challenges of reporting an incident in six hours;
- Why the definition of an incident needs more clarity;
- How to tackle the challenges of under-reporting and over-reporting.
Anja is the co-founder and COO of Arrka. He is the co-author of IAM guidance for security in the cloud, with the Cloud Security Alliance, and is currently working on security by design and privacy by design.
Mishra is CISO at Dr. Lal PathLabs, where he leads enterprisewide development and execution of information security and privacy programs, technologies and processes. He has previously worked with Microsoft, Akamai, GMR Group and HDFC ERGO.
Dhawan is CISO and DPO at Quantiphi. He has more than 20 years of experience in the IT, information security and privacy domains. He was previously the CISO and DPO at Birlasoft, and he retired from the Indian Navy as a commander in 2014.