MEITY notifies directions for implementing stringent information security practices to strengthen cyber security: applicable to service providers, intermediaries, data centres, body corporates; effective from 27th June, 2022

Considering the various cyber security incidents being reported from time to time, the Ministry of Electronics and Information Technology (“MEITY”) has notified directions (under *Section 70B (6) of the Information Technology Act, 2000) relating to information security practices, procedure, prevention, response and reporting of cyber incidents. These directions come into effect 60 days from the date on which they were issued, i.e. on 27th June, 2022.
The following directions have been issued to augment and strengthen the cyber security in the country:
1. All service providers, intermediaries, data centres, body corporates and Government organisations are required to connect to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or to NTP servers traceable to these NTP servers, for synchronisation of all their ICT system clocks. Entities having ICT infrastructure spanning multiple geographies may also use an accurate and standard time source other than NPL and NIC; however, they must ensure that their time source does not deviate from NPL and NIC.
2. Any service provider, intermediary, data centre, body corporate and Government organisation has to mandatorily report the cyber incidents mentioned in Annexure I to CERT-In within 6 hours of noticing such incidents or of being notified of them. Incidents can be reported to CERT-In via email (incident@cert-in.org.in), phone (180011-4949) and fax (1800-11-6969). The details regarding methods and formats for reporting cyber security incidents are also published on the website of CERT-In, www.cert-in.org.in, and will be updated from time to time.
3. When required by Order / direction of CERT-In, for the purposes of cyber incident response and of protective and preventive actions related to cyber incidents, the service provider / intermediary / data centre / body corporate is mandated to take action, provide information or render any such assistance to CERT-In as may contribute towards cyber security mitigation actions and enhanced cyber security situational awareness. The Order / direction may specify the format of the information required (up to and including near real-time) and the timeframe within which it is required; these must be adhered to and compliance reported to CERT-In, failing which it would be treated as non-compliance. Service providers, intermediaries, data centres, body corporates and Government organisations shall designate a Point of Contact to interface with CERT-In. The information relating to the Point of Contact shall be sent to CERT-In in the format specified at Annexure II and shall be updated from time to time. All communications from CERT-In seeking information and providing directions for compliance shall be sent to the said Point of Contact.
4. Service providers, intermediaries, data centres, body corporates and Government organisations are required to mandatorily enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days, and these logs must be maintained within Indian jurisdiction. They must be provided to CERT-In along with the reporting of any incident, or when ordered / directed by CERT-In.
Further, data centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers are required to register the following accurate information, which must be maintained by them for a period of 5 years (or such longer duration as mandated by law) after any cancellation or withdrawal of the registration, as the case may be:
• Validated names of subscribers/customers hiring the services
• Period of hire including dates
• IPs allotted to / being used by the members
• Email address and IP address and time stamp used at the time of registration / on-boarding
• Purpose for hiring services
• Validated address and contact numbers
• Ownership pattern of the subscribers / customers hiring services
The virtual asset service providers, virtual asset exchange providers and custodian wallet providers (as defined by Ministry of Finance from time to time) shall mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of five years so as to ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets.
For the purpose of KYC, the Reserve Bank of India (RBI) Directions 2016 / Securities and Exchange Board of India (SEBI) circular dated April 24, 2020 / Department of Telecom (DoT) notice September 21, 2021 mandated procedures as amended from time to time may be referred to as per Annexure III.
With respect to transaction records, accurate information shall be maintained in such a way that each individual transaction can be reconstructed along with its relevant elements, comprising, but not limited to, information relating to the identification of the relevant parties (including IP addresses along with timestamps and time zones), the transaction ID, the public keys (or equivalent identifiers), the addresses or accounts involved (or equivalent identifiers), the nature and date of the transaction, and the amount transferred.
Additionally, the notification also lists the types of cyber security incidents that service providers, intermediaries, data centres, body corporates and Government organisations are mandatorily required to report to CERT-In.
Please note: The attached documents have not yet been made available on the official website of MEITY. We have obtained these from private sources.
*Section 70B (6) of the Information Technology Act, 2000 deals with the Indian Computer Emergency Response Team serving as the national agency for incident response.
Source: Ministry of Electronics and Information Technology