CERT-In, India’s computer emergency response team, released new guidelines on Thursday requiring service providers, intermediaries, data centres, and government institutions to disclose cybersecurity incidents, including data breaches, within six hours.
“Any service provider, intermediary, data centre, body corporate, and Government organisation shall report cyber events […] to CERT-In within six hours of noticing or being brought to notice of such incidents,” the government said in a statement.
The types of incidents covered include compromise of critical systems, targeted scanning, unauthorised access to computers and social media accounts, website defacements, malware deployments, identity theft, DDoS attacks, data breaches and leaks, rogue mobile apps, and attacks against servers and network appliances such as routers and IoT devices.
The government said it was taking these steps to ensure that the required indicators of compromise (IoCs) for security events are readily available to “carry out the analysis, investigation, and coordination as per the legal process.”
According to the directives, the organisations concerned are also required to synchronise ICT system clocks with the Network Time Protocol (NTP) server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL) and to maintain ICT system logs for a rolling period of 180 days. VPN service providers are required to retain information such as names, addresses, phone numbers, emails, and IP addresses of subscribers for a minimum of five years.