PTI“Provisions under the new mandate may adversely affect organisations”
“Provisions under the new mandate may adversely affect organisations”
The US-based technology industry organization ITI, which has global technology companies such as Google, Facebook, IBM and Cisco as members, has requested a revision of the Indian government’s cybersecurity breach notification policy.
ITI said provisions under the new mandate could adversely affect organizations and undermine cybersecurity in the country.
ITI country manager for India, Kumar Deep, in a May 5 letter to CERT-In chief Sanjay Bahl, has asked for broader stakeholder consultation with industry before finalizing the policy.
“The Directive has the potential to improve India’s cybersecurity posture if properly developed and implemented, however certain provisions of the bill, including counterproductive incident reporting requirements, may adversely affect Indian and global businesses and undermine cybersecurity,” said Mr. Deep.
The Indian Computer Emergency Response Team (CERT-In) issued a guideline on April 28, requiring all government and private agencies, including ISPs, social media platforms, and data centers, to report cybersecurity breach incidents within six hours to report becoming known.
The new circular of the CERT-In requires all service providers, intermediaries, data centers, enterprises and government organizations to mandatorily activate logs of all their ICT (Information and Communication Technology) systems and maintain them securely for a rolling period of 180 days and the same shall within of Indian jurisdiction.
ITI has raised concerns about the mandatory reporting of security breaches within six hours of discovery to allow logs of all ICT systems and keeping them within Indian jurisdiction for 180 days, the overly broad definition of reportable incidents and the requirement that Businesses need to connect to the servers of Indian government agencies.
Mr Deep said in the letter organizations must be given 72 hours to report an incident in accordance with global best practices, rather than just six hours.
ITI said the government’s mandate to activate logs of all information and communications technology systems of all affected companies, keep logs “securely for a rolling 180-day period” in India and make them available to the Indian government upon request is not a best practice method is.
“It would make such stores of logged information a target for global threat actors, in addition to requiring significant resources (both human and technical) to implement,” Mr. Deep said.
ITI also expressed concern about the requirement that “all service providers, intermediaries, data centers, corporate bodies and governmental organizations must connect to the NTP servers of Indian laboratories and other entities to synchronize the clocks of all their ICT systems”.
The global body said the regulations could negatively impact organizations’ security operations and the functionality of their systems, networks and applications.
ITI said the government’s current definition of reportable incidents, which includes activities such as probing and scanning, is far too broad because probing and scanning are everyday occurrences.
“It would not make sense for companies or CERT-In to spend time collecting, transmitting, receiving and storing such a large amount of insignificant information that is unlikely to be followed up,” Deep said.
ITI has asked the government to postpone the timeline for implementation of the new directive and to launch wider consultation with all stakeholders for its effective implementation.
ITI requested CERT-In to “revise the policy to reflect the relevant provisions related to the obligation to report incidents, including in relation to the reporting schedule, the scope of incidents covered and the requirements for localization of logging data” . PTI PRS HVA DRR
Our editorial code of values
