Thursday, May 26, 2005

CERT-IN proposes mandatory IT security audit

In February 2005, noted cyber law expert Sarbajit Roy, whose hacking complaint under section 66 of the Information Technology Act, 2000 is ongoing, charged during hearings that CIBIL (Credit Information Bureau India Limited) and several foreign banks such as Standard Chartered Bank had not bothered to get their secure financial computer networks audited by approved auditors, and that CERT-IN and the Controller's Office were fully aware of the numerous hacking incidents in India's banking and financial BPO sector. CERT-IN's swift response to Roy's allegations is reproduced below:

India raises the security bar to rein in e-crime

by SUDHA NAGARAJ (of the Economic Times New Delhi)

NEW DELHI: Are you the head of a government-run entity or the chief information officer at a public or private sector organisation in the “critical infrastructure” (power and telecom) arena?

If so, you had better secure your information technology systems and network. Not only would they be audited, but annual reports on compliance with security norms would have to be filed with the National Information Bureau under the National Security Adviser through the Computer Emergency Response Team-India (CERT-In).

In the face of increasing cyber crimes, the government plans to announce a National Security Compliance Assurance Framework that would require implementation of security controls and reporting of incidents that breach IT security. This was revealed by BJ Srinath, scientist, CERT-In, at a cyber security seminar organised by the department of information technology (DIT) under the auspices of the Indo-US Security Forum.

The development assumes greater significance in the light of the cyber drug racket that has just been unearthed and was traced back to Agra. All countries are forming their own CERTs to tackle cyber crimes which know no borders. And unless these CERTs provide norms for security compliance and ensure implementation, there would be “weak links” in the global effort, says Mr Srinath.

According to the security compliance guidelines that have been drafted by CERT-In under the DIT, all government and critical infrastructure organisations — both public and private — must have a security policy, implement it and be subject to annual security audits.

To conduct the audits, a team of 18 auditors has been finalised by the government, including Tata Consultancy Services, Sify, PricewaterhouseCoopers, Mahindra-British Telecom, Satyam Computer Services, Secure Synergy, Network Security Solutions, STQC Directorate, Ramco Systems, CyberQ Consulting, Haribhakti & Co, Paladion Networks, Information Systems Auditors & Consultants, Indusface Consulting, AUDITime Information Systems, Network Solutions, AAA Technologies and Sysman Computers.

KK Bajaj, director, CERT-In, told ET, “the list of to-be-empanelled auditors will be announced shortly for third-party audits.” Draft guidelines are ready, and IT self-assessment tools, security products and parameters would be in consonance with ISMS standards like ISO 15408, IS 15150 and BS 1799.

The security assurance initiative is very much on the lines of the Federal Information Security Management Act ’02 of the US. While this is a law and fixes ultimate responsibility for information security on the CIO or the agency head, India has opted to stipulate guidelines and may ask organisations to identify one person responsible for IT security.

As a source in the DIT put it, “The US has increased its cyber space so much that it has to take extreme security measures. In India, within organisations, some systems are identified for internet connectivity while some are protected from cyber space. So the risks are not as great and there is no need to raise the bar on security features.”

Accordingly, organisations would be categorised as low-risk (where awareness of security norms would suffice), medium-risk (where awareness and action are required) and high-risk (where awareness, action and assurance are mandated).
