Days after several websites were hacked by foreign “hacktivists” to protest comments made against Prophet Mohammad, a government body responsible for financial regulations has come out with a list of cybersecurity norms to guard against such attacks.
In an internal advisory, the Central Board of Indirect Taxes and Customs (CBIC) has asked the principal chief commissioner of customs, central tax and customs and others to host websites of all zones on National Informatics Centre’s Data Centre or on cloud infrastructure provided by Ministry of Electronics and Information Technology-empanelled service providers.
The advisory, dated June 13, also said websites should be designed in line with the Guidelines for Indian Government Websites (GIGW) drawn up by NIC.
“Website and data security is of paramount concern in the present times in view of increasing security threats. Hackers continuously attempt to explore security vulnerabilities available in the websites and deface government websites,” the advisory, reviewed by Moneycontrol, said.
“Therefore it is important that vendors developing and maintaining the website/applications must put preventive measures in place for website security and use of SSL certificate, which should remain valid at all times.”
The CBIC deals with formulation of policy concerning levy and collection of customs, central excise duties, Central Goods & Services Tax and IGST, prevention of smuggling and administration of matters relating to customs, central excise, Central Goods & Services Tax, IGST and narcotics to the.
On June 10, Indian government websites including those of the Indian Embassy in Israel, National Institute of Agricultural Extension Management and others were hacked following a call given by Malaysia-based hacktivist group DragonForceIO.
Corporate VPNs of a few companies were also breached. Hackers from other countries, too, joined in, a report by cybersecurity company CloudSEK said.
The advisory was issued by the Directorate General of Systems and Data Management (DGS) which is responsible for CBIC’s IT initiatives.
It said the IT infrastructure of CBIC was classified as Critical Information Infrastructure by the National Critical Information Infrastructure Protection Center (NCIIPC) under the Cabinet Secretariat.
The CBIC admitted that data exchange with multiple private stakeholders was inevitable due to the open architecture of the logistics and supply chain industry. “In view of the above it is necessary to lay down guidelines on procurement and use of IT-enabled services so as to ensure quality and data security,” it read.
A directorate or any wing of the CBIC can go for procurement of an IT service if it is not provided by the DGS. In such a situation, the Manual for Procurement of Consultancy Services, 2017, should be followed.
One of the guidelines says that the request for proposal (RFP) of a tender must specify that the vendor will be responsible for getting a security audit done by a vendor empanelled by the Indian Computer Emergency Response Team.
The DGS said the selected vendor must meet the ISO 9000/9001 certification required for denoting quality.
“It provides a set of generic requirements relating to the processes of development and production and how they will be managed, reviewed and improved in order to achieve customer satisfaction,” it said.
The vendor must also meet the ISO/IEC 27001 certification which specifies the requirement of a management system for ensuring information security.