A few weeks back the Indian government released the third version of Guidelines for India Government Websites (GIGW 3.0), which as the name suggests, provides guidelines to officials on how to safely, and securely, develop, maintain, and manage not just government websites, but also portals and mobile applications.
A major chunk of the guidelines, developed by the National Informatics Centre (NIC), the Indian Computer Emergency Response Team (CERT-In), and Standardisation Testing and Quality Certification (STQC), concentrates on the cybersecurity of government websites.
This is important since Indian government websites have been victims of major hacktivist campaigns in which the websites were defaced, highlighting poor cybersecurity standards. As GIGW 3.0 states, these cyber attacks are not just data security risks but also risk "personal embarrassment".
Here is a quick look at what the NIC-developed guidelines say about how to maintain cybersecurity for government websites —
How do you ensure the security of the code behind websites, web applications, web portals and mobile apps?
"Every day, there are countless websites compromised due to outdated software. Potential hackers and bots are scanning sites to attack. Updates are vital to the health and security of the website. If the site’s software or applications are not up-to-date, the site is not secure. Take all software and plugin update requests seriously," the GIGW 3.0 said.
It recommended that developers encrypt passwords, connection strings, tokens, and keys, and that website cookies be set securely.
"If the web or mobile app is integrated with any 3rd party Applications or using any APIs for external communication, then ensure that all such communications are done through encrypted channels," it said.
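What those three recommendations (protected secrets, secure cookies, encrypted channels to third parties) look like in code, as an added example that is not from the GIGW 3.0 document or the article. It uses only the Python standard library; the iteration count, cookie and function names are the editor's assumptions. One caveat a practitioner would add: a stored login password should be hashed with a salted, slow key-derivation function rather than reversibly encrypted, so it cannot be recovered even by someone who obtains the key; the block does that with PBKDF2. It also shows the weak outbound TLS configuration beside the correct one, and a small check that flags a Set-Cookie header missing the Secure, HttpOnly or SameSite attributes.

```python
"""Added example (not GIGW 3.0 or NIC code): secrets, cookies and TLS channels."""
import hashlib
import hmac
import os
import ssl
from typing import Optional

# Assumption: iteration count chosen by the editor for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000

# --- 1. Stored passwords: hash with a salted, slow KDF (not reversible encryption)
def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt/iterations and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

# --- 2. Cookies: Secure + HttpOnly + SameSite, and a check for headers that lack them
REQUIRED_COOKIE_FLAGS = ("Secure", "HttpOnly", "SameSite")

def set_cookie_header(name: str, value: str, max_age: int = 3600,
                      same_site: str = "Strict") -> str:
    """Build a Set-Cookie header value with the attributes a session cookie needs."""
    return (f"{name}={value}; Max-Age={max_age}; Path=/; "
            f"Secure; HttpOnly; SameSite={same_site}")

def missing_cookie_flags(set_cookie: str) -> list:
    """Return the required attributes absent from a Set-Cookie header (review/scan check)."""
    # Everything after the first "name=value" pair is an attribute; compare case-insensitively.
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}
    return [flag for flag in REQUIRED_COOKIE_FLAGS if flag.lower() not in attrs]

# --- 3. Outbound calls to third-party APIs: verified TLS, nothing below TLS 1.2
def outbound_tls_context() -> ssl.SSLContext:
    """Context for urllib/http.client calls: CA verification and hostname check on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def unverified_tls_context() -> ssl.SSLContext:
    """The weak setting seen in many codebases: certificate checks switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def tls_context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """True only if peer certificates and hostnames are verified and TLS >= 1.2 is enforced."""
    return (ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("password verifies:", verify_password("correct horse battery staple", record))
    print("hardened cookie missing:", missing_cookie_flags(set_cookie_header("session", "abc123")))
    print("bare cookie missing:", missing_cookie_flags("session=abc123; Path=/"))   # constructed header
    print("default context verifying:", tls_context_is_verifying(outbound_tls_context()))
    print("unverified context verifying:", tls_context_is_verifying(unverified_tls_context()))
```

The `missing_cookie_flags` check is the kind of test a department can run against its own responses: a cookie with no `Secure` attribute will be sent over plain HTTP, and one without `HttpOnly` is readable by any script injected into the page. On the client side, `unverified_tls_context` is what "encrypted channel" silently becomes when a developer disables certificate checking to get past an error; the traffic is still encrypted, but to whoever answers on the wire.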
What does it say about securing databases?
For securing databases, GIGW 3.0 again recommended implementing strong encryption and key management; using secure credentials for database access; creating admin restrictions, such as controlling what each user can do in a database; and enabling audit trail logs on the database servers.
"One of the best methods to keep a site safe is to have a good backup solution. You should have more than one. Each is crucial to recovering a website after a major security incident occurs. There are several different solutions you can use to help recover damaged or lost files," it said.
What about ensuring security of the service provider where the website is to be hosted?
"Think of a website’s domain name as a street address. Now, think of the web host as the plot of “real estate” where the website exists online. As one would research a plot of land to build a house, it needs to examine potential web hosts to find the right one," it said.
The document urged the departments to ensure that hosting service providers have domain controller, business continuity plan, and disaster recovery facilities configured in their systems. "Ensure the HSP has implemented all security controls of the Data Center including physical security and appropriate access control mechanisms," it read.
The guidelines also suggested that the servers and network devices used to host the website be hardened and kept current with the latest security patches.
What do the guidelines say about avoiding mistakes on the employees' end?
"Initially, one may feel comfortable giving several high-level employees access to a website. Administrative privileges are given thinking those would be used carefully. Although this is the ideal situation, it is not always the case.
"Unfortunately, employees do not think about website security when logging into the Servers or the CMS. Instead, their thoughts are on the task at hand. If they make a mistake or overlook an issue, this can result in a significant security issue," it said, adding that it was vital to ensure employees have experience in handling back-end of websites before they gain access.
"Educate every CMS user about the importance of passwords and software updates... To keep track of who has access to CMS and their administrative settings, make a record and update it often. Employees come and go. One of the best ways to prevent security issues is to have a physical record of who does what with the website. Be sensible when it comes to user access," it added.
What about the security and privacy policies of websites?
The guidelines say government departments must clearly define and approve website-related policies such as a security policy, a privacy policy, and contingency management plans. "Citizen-facing policies like copyright policy, privacy policy, and terms and conditions must be published on the website," it added.