Cert-In) on Friday issued a set of guidelines to be followed by government organisations and their departments to ensure cybersecurity and safety. “The guidelines shall assist security teams to implement baseline and essential controls and procedures to protect their cyberinfrastructure from prominent threats. These guidelines shall also act as a baseline document for administration and audit teams (internal, external/third-party auditors) to evaluate an organisation’s security posture against cyber security baseline requirements,” read the notification.
As part of the new guidelines, Cert-In has mandated that the senior management of government organisations nominate a chief information security officer (CISO) for information technology security and share that person's details with it. All government organisations must also formulate a cyber security policy, assign the roles and responsibilities of the CISO, and put in place a dedicated and functional cyber security team, Cert-In said.
“Organisations should conduct an internal and external audit of the entire ICT infrastructure and deploy appropriate security controls based on the audit outcome. Internal information security audit to be conducted at least once in 6 months. 3rd Party Security audits must be conducted at least once a year,” the new guidelines said.
The guidelines follow several attacks on the network and internet infrastructure of several government-run websites, including the All India Institute of Medical Sciences.
Read more on economictimes.indiatimes.com