The Ministry of Electronics and Information Technology (MeitY) recently updated its cybersecurity guidelines for government employees, which were first released in June of this year. The new guidelines include provisions for securing the local area networks (LAN) of ministries and departments, and logging requirements, among others.
The latest version of the guidelines, which was reviewed by Moneycontrol, explains what Chief Information Security Officers (CISO) of government ministries and departments should do to ensure that LANs of office networks are not vulnerable to cyber attacks.
The National Informatics Centre (NIC), a body under MeitY, released the latest version on September 5. The NIC meets all kinds of information and communications technology (ICT) needs at all levels of government, designs and develops IT systems for the government, etc.
In the guidelines, the government first said that all government applications, websites, and services should be hosted at data centres or cloud service providers that MeitY has approved.
It stated that such applications should not be hosted on the LAN segment of ministries or departments.
"All ICT devices should be connected via the internet gateway of NIC's network (i.e. NICNET) and any other direct internet connection i.e. broadband, 3G/4G/5G should be withdrawn with immediate effect," the guideline read.
The NICNET is a satellite-based nationwide computer network developed by the NIC.
The guidelines also asked CISOs to ensure that all ministries and departments have a Cyber Crisis Management Plan (CCMP) that is prepared and implemented.
Earlier in July, Moneycontrol reported that only about half of the Indian government's departments and ministries have CCMPs.
The "CCMP for Countering Cyber Attacks and Cyber Terrorism" was launched in 2019 to create a framework for ministries/departments/bodies to deal with cyber attacks.
In addition, the government has implemented stringent access control measures for all connected systems and IT devices in departments and ministries.
"Configure the host firewall on all systems to restrict lateral movement within the same network, reads one of the guidelines.
The government has also included logging requirements in the recent version of the guidelines.
"Ensure that logging is enabled on all ICT systems -- which includes but not limited to websites/applications, databases, operating systems ICT devices," the guideline stated, adding that logs must be kept for at least one year.
It is important to note that the government, through the Indian Computer Emergency Response Team, has implemented cybersecurity directions that include similar logging requirements for all types of corporate bodies.
While the majority of the new updates were intended for CISOs, the government also made some changes to its employee guidelines.
For instance, it stated that if one is participating in a sensitive discussion, one should "switch off the mobile phone or leave the mobile in a secure area outside the discussion room."
It also advised employeesto take note of the disparity between permissions that an app may request and its functionalities.
In terms of social media usage, the government has asked employees to "limit and control the use/exposure of personal information while accessing social media and networking sites," according to the guidelines.
Moneycontrol has reached out to MeitY and NIC with queries in this regard, and the post will be updated when a response is received.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
