The Indian Computer Emergency Response Team (CERT-In) on Friday issued “Guidelines on Information Security Practices” for government entities for a safe and trusted Internet.
These guidelines apply to all Ministries, Departments, Secretariats, and Offices specified in the First Schedule to the Government of India (Allocation of Business) Rules, 1961, along with their attached and subordinate offices, it said. They also include all government institutions, public sector enterprises, and other government agencies under their administrative purview.
“The government has taken several initiatives to ensure an open, safe and trusted and accountable digital space. We are expanding and accelerating on Cyber Security – with focus on capabilities, system, human resources and awareness,” Rajeev Chandrasekhar, Minister of State for Electronics & Information Technology & Skill Development and Entrepreneurship, said.
Recognising the significance of a secure and trustworthy digital environment, the government has formulated policies aimed at ensuring an open, safe and trusted and accountable Internet for its users. It remains fully aware of the growing cyber threats and attacks present in today’s digital world, he said.
These guidelines are a roadmap for government entities and industry to reduce cyber risk, protect citizen data, and continue to improve the cyber security ecosystem in the country. They will serve as a fundamental document for audit teams, including internal, external, and third-party auditors, to assess an organisation’s security posture against the specified cybersecurity requirements, CERT-In said.
The guidelines include various security domains such as network security, identity and access management, application security, data security, third-party outsourcing, hardening procedures, security monitoring, incident management, and security auditing.
For instance, for desktop, laptop and printer security in the office, the guidelines advise: “Use only Standard User (non-administrator) account for accessing the computer/ laptops for regular work. Admin access to be given to users with approval of CISO only”.
Similarly, they call for complex passwords with a “minimum length of 8 characters”, using a combination of capital letters, small letters, numbers and special characters. They also say never to store usernames and passwords in the Internet browser, and not to store any payment-related information in the Internet browser.
Apart from adhering to the best practices in the field, they also include guidelines prepared by the National Informatics Centre for Chief Information Security Officers (CISOs) and employees of Central government Ministries/Departments to enhance cyber security and cyber hygiene.