Cybersecurity experts have expressed concern over the standards recently announced by the Indian Computer Emergency Response Team.
On 28 April 2022, the Indian Computer Emergency Response Team (CERT-In) issued a directive that, among other things, requires companies to report cyber security incidents to the agency within six hours and maintain IT logs and communications for six months. The guidelines, effective June 27, 2022, apply to all service providers, intermediaries, data centers, corporate entities and government agencies.
Some Indian cybersecurity practitioners say the six-hour incident reporting window is unnecessarily short and does not compare to global standards. Jaspreet Singh, client and market leader at auditing firm Grant Thornton, notes that mature markets have 24-hour to 72-hour reporting guidelines.
The directive could further complicate matters as companies try to focus on the difficult task of understanding, responding to and repairing cyber security incidents, said several practitioners who spoke to CSO India.
Excessive false-positive reporting and significant work stress could increase
DSP Mutual Fund’s CISO Fal Ghancha says that most of the time – more than 70% – there are false-positive cyber security warnings in an incident. A six-hour reporting mandate can be overkill. Because the timeline is so tight, people will become more aggressive and paranoid; they will report the incident in a hurry and make the wrong decision, he says.
Ghancha noted that the CERT-In guidelines contain multiple granular requirements, which many organizations today do not follow at length. “The entire ecosystem needs to be integrated with a 24/7 monitoring system and efficient resources so that all reports are viewed, analyzed and reported in accordance with the new guidelines.”
Additional work for security operations centers could be significant, he said. “Let’s say today a company is only monitoring its crown jewels, which could be 20% of total assets. Tomorrow, the company will have to monitor additional assets, which will be 50% to 60% more than the current number.”
Venkateshwaran TR, deputy general manager, anti-money laundering, Punjab National Bank, said the problem with the mandate was that India did not have the skills or awareness to report any incident within six hours. “It takes a huge set of skills, time and awareness to find out exactly what an attack is and then mitigate it. It is not possible to report an incident within six hours as many people still do not understand the terminology of various aspects of incident reporting,” said Venkateshwaran, who previously worked as CISO at the bank.
Vagueness makes reporting and event assessment uncertain
To make matters worse, “not everyone points out what needs to be reported,” says Venkateshwaran, adding that the skills needed to make appropriate, consistent assessments are enhanced. “And at what level,” he said.
Grant Thornton’s Singh says he believes the new order is a good start in terms of having uniform reporting guidelines, but agrees that a clear definition of what an event is will help.
Venkateshwaran says big companies may be able to comply with the new rules, but smaller companies will see it as a bigger challenge. He suggested that the norm should include a general format for reporting an attack and that it should be reported at a later stage when the data is analyzed and the attack is contained.
Singh said the new mandate would force companies to go through a maturity model and that CISOs would have to establish a clear-cut incident management plan and reporting guidelines.
CERT-In’s new guidelines: a first step or a bad start?
Given the concerns about their timelines and ambiguity, the CERT-In guidelines can be seen either as a first step on a journey that will improve over time, or as a bad start that will take away resources and attention.
Singh is cautiously optimistic for the long term: “Today cyber attacks are a reality. Until now, there were no reporting guidelines. Although there were sectoral guidelines from the RBI, there was nothing at the country level. So, this is a very good start because it will bring uniformity. The more we share with CERT-In and other organizations, the better for the country as awareness grows,” he said.
Venkateshwaran is not so optimistic: “Not much will be achieved outside of the new mandate. We must first build skills and maturity in the community and find answers to questions such as: Do we know how to identify an event? Do we have the tools to help us with that?”
Copyright © 2022 IDG Communications, Inc.