As part of the new guidelines, Cert-In has mandated that the senior management of government organisations nominate a chief information security officer (CISO) for information technology security and share that person's details with it.
All government organisations must also formulate a cyber security policy, assign the roles and responsibilities of the CISO, and put in place a dedicated and functional cyber security team, Cert-In said.
“Organisations should conduct an internal and external audit of the entire ICT infrastructure and deploy appropriate security controls based on the audit outcome. Internal information security audit to be conducted at least once in 6 months. 3rd Party Security audits must be conducted at least once a year,” the new guidelines said.
The guidelines follow attacks on the network and internet infrastructure of several government-run websites, including the All India Institute of Medical Sciences.
In November last year, an attack on the state-run hospital’s infrastructure left most of its systems, including the online booking and registration of patients, out of service for nearly a month before access was restored.
Apart from AIIMS, there have been repeated cyberattacks, both successful and unsuccessful, on the websites and infrastructure of several other central and state-run government agencies.
The new guidelines, Cert-In said, would establish a prioritised baseline for cyber security measures and controls within government organisations and their associated organisations.
“The government has taken several initiatives to ensure an open, safe & trusted and accountable digital space. The guidelines are an important part of our larger cybersecurity framework,” the minister of state for electronics and information technology Rajeev Chandrasekhar said.