Government Entities Told to Hire CISOs Under New Guidelines
Mandatory Guidelines Apply to All Indian Ministries, Departments, Affiliates
The Indian government issued fresh guidelines on cybersecurity measures and controls for the government and associated organizations to secure their networks.
Noting that government entities are preferred targets for malicious actors, the government's Ministry of Electronics and Information Technology said the new guidelines set out baseline and essential controls and procedures that government entities are required to implement to protect their infrastructure from threats. The guidelines also will serve as a baseline document for administration and audit teams to evaluate government organizations' cybersecurity posture.
The fresh set of guidelines will apply to all government ministries, their subordinate offices, secretariats, public sector enterprises, government agencies under administrative purview and their associated organizations.
The new guidelines say these organizations must appoint chief information security officers and set up dedicated cybersecurity functional teams to monitor network security, conduct incident response, review and enforce IT security policies, conduct cybersecurity awareness drills, and liaise with India's computer emergency response team and industry cybersecurity organizations.
Government entities also must have business continuity and disaster preparedness plans, maintain inventories of hardware systems and software solutions installed on-premises, prepare cybersecurity awareness programs, and conduct internal information security audits at least once every six months and third-party security audits once a year.
The government also told these organizations to define and appropriately segment their network architecture, use firewalls to create buffer zones, deploy network intrusion detection systems and web and email filters, and use any of the three national single sign-on systems - e-Pramaan, Parichay and DigiLocker - for login purposes.
The ministry on Friday issued mandatory cybersecurity guidelines for government employees and contractual workers who work for government ministries and departments.
The Indian government's cybersecurity chief, Lt. Gen. Rajesh Pant, in June said the government is putting the finishing touches on the country's first-of-its-kind National Cybersecurity Reference Framework (see: India to Launch Critical Infrastructure Security Framework).
He said the framework will be the first to be launched by the government to guide organizations operating in critical infrastructure sectors on how to assess and improve their cybersecurity. The framework also will help organizations that do not fall within the definition of critical infrastructure to shore up their cyber defenses and prioritize areas of concern.
Prime Minister Narendra Modi plans to introduce a revised version of the first-of-its-kind personal data protection bill in August.
The government said in an explanatory note that the revised data protection bill contains lessons learned from consultations with stakeholders during the drafting of the 2019 bill. The bill borrows from existing data protection legislation in Singapore, Australia and the EU and prospective federal legislation in the U.S., and it features global best practices for user data privacy and restrictions on excessive data collection and processing.