cyber security audits
Cyber Security

CERT-In issues advisory to improve the outcome of Cyber Security Audits

Rohit Ranjan Praveer 0 Comments , , , , ,

The Computer Emergency Response Team -India (CERT-In) has issued an advisory to improve the outcome of cyber security audits and reduce threat exposure to cyber-infrastructure. The advisory contains recommendations that CERT-In has mined from field data analysis of audits conducted across the country.

For the uninitiated, CERT-In has both proactive and reactive roles. In order to prevent cyber security incidents and generate awareness, the premier agency issues security guidelines and advisories. It also collaborates with various stakeholders and offers training programs, simulation exercises, etc.

CERT-In & Cyber Security Audit Program

CERT-In has created a panel of ‘IT security auditing organization’. Members of the panel audit or perform risk assessment/ penetration testing of computer systems & networks in both the government and private sectors.

Whenever an auditee organization requests, empanelled auditors will assess the information security risks. After a successful audit, the auditee organization gets a CERT-In certification.

You can read more about CERT-In here.

Different cybersecurity rules, such as RBI’s rules for banks, payment aggregators, and payment gateways, entities regulated by SEBI’s cybersecurity guidelines, etc., mandate such audits. Organizations can also volunteer for the audit to boost their cyber security credentials.

In case you are interested to know the entire cyber security law scenario of India, you can refer to this guide.

Recommendations to Implement Cyber Security Audit Program

Scope of the Audit: According to CERT-In, most cases of audit only include websites or web applications. However, the audit scope should include comprehensive audits of the entire cyber-infrastructure including system, applications, software, network infrastructure, SCADA/ ICS environment, etc.

Audit Intent: Organisations should not undertake audits just for the sake of compliance. Their intention should be to secure the cyber-infrastructure to protect the organization’s interests.

Timely action to patch vulnerabilities: Organizations should immediately patch the vulnerabilities that the audit reports highlight. After that, the auditor should perform follow-up audits to verify the closure of vulnerabilities.

Audit Methodology: As per CERT-In, audits should not be limited to lists like OWASP 10 or SANS Top 25. Rather, they should include the discovery of all known vulnerabilities based on comprehensive frameworks like ISO/ OWASP Web Security Testing Guide, Open Source Security Testing Methodology Manual, etc. Auditors can also refer to CERT-In advisories such as Cyber Security Audit Baseline requirements.

Audit Cycles: The top management should review & approve the audit program. This is also a requirement in many rules. e.g. RBI’s Master Direction on Digital Payment Security Controls.

Further, organizations should conduct audits after every change in infrastructure and application. Even if there is no change, audits should be performed at periodic intervals.

Prioritising Preventive Actions

CERT-In says organizations should prioritize preventive actions to avoid the most frequent vulnerabilities. This will reduce the threat of exposure to cyber-infrastructure. To do so, they should:

Maintain & monitor inventory of authorized assets: Organisations should maintain and monitor the inventory of all the authorized assets. They should also put in place proper patch management mechanism to patch vulnerable software, applications, and firmware.

Secure Configuration: Organisations should implement appropriate security configuration. It should block unused ports, secure and change default credentials, and remove unused pages during deployment of equipment and applications.

Implement the Principle of Least Privilege

Limit & Secure Remote Access: CERT-In is recommending multi-factor authentication for remote access to cyber-infrastructure. Further, such access should be limited, tunneled, encrypted, and logged.

Consider Security in all phases of application development by adopting Secure Software Development LIfe Cycle (SSDLC) or DeveSecOps.

Use Genuine Software and Secure Protocols

You can read the advisory on CERT-In’s website as well.

Do subscribe to our Telegram group for more resources and discussions on tech-law & policy. To receive weekly updates, don’t forget to subscribe to our Newsletter.

Rohit Ranjan Praveer

Rohit is a practicing advocate at Delhi. Beginning as a tech enthusiast, Rohit always had a keen interest in computer forensics and information security. Building upon these fundamentals, he has undertaken extensive research on various techno-legal topics and continues his pursuit pass on valuable information to the masses, with a zeal to build something that outlasts him.​

Share your thoughts!

This site uses Akismet to reduce spam. Learn how your comment data is processed.