Everything you need to know about India’s new Cyber Incident Reporting Guidelines from CERT-In | need to know Ankura
On April 28, 2022, the Indian Computer Emergency Response Team (CERT-In), a functional organization of the Department of Electronics and Information Technology (MeitY) of the Government of India issued instructions under subsection (6) of Section 70B of the Information Technology Act, 2000 in Related to information security practices, procedures, prevention, response and reporting of cyber incidents for Safe & Trusted Internet. 
The instructions are issued to increase and strengthen cybersecurity in the country. The instructions apply from June 27, 2022 (60 days from the date of issue).
- Synchronization of time clocks to NTP servers from NIC – This applies to all service providers, intermediaries, data centers, corporations and government organizations. For the servers and infrastructure hosted in India, the time can be synchronized as follows:
- National Informatics Center (NIC):
- National Physics Laboratory (NPL):
- National Informatics Center (NIC):
- For servers and infrastructure outside of India, time can be synchronized with the nearest atomic time server. You can use https://pool.ntp.org/.
- When saving the logs of devices, applications, databases, etc., ensure that local time as well as UTC time are recorded in separate columns whenever possible along with time zone details next to the timestamp.
- Reporting cyber incidents to CERT in 6 hours-In the – While many other developed countries expect incidents to be reported within 48 to 72 hours, CERT-In has specified a very aggressive 6 hour timeframe for incident reporting. This means companies must have a monitoring mechanism in place to identify cyber security incidents and have a well-resourced incident response team and incident response plan in place. The relevant stakeholders should be informed immediately in the event of a suspected security breach and they must be able to triage and avoid false positives. A readiness assessment can help verify that the schedule can be met.
- POC to interact with CERT-In – Companies must designate a point of contact that CERT-In can communicate with for information. CERT-In has also provided a format in which such information must be provided to them.
- Retention of logs for 180 days – All companies are required to keep logs in India for a rolling 180 day period. This means organizations need to review their log management policies, device and application logging capabilities, secure log storage, and accessibility. An assessment to validate these points is important for all organizations to ensure compliance. Businesses may have data related to India hosted in overseas data centers. In this case, the logs need to be replicated in India.
- It is also important to pass on such obligations to providers and customers who process/store data so that they can comply with the guidelines in the event of a breach.
- Additional Obligations for Data Centers, Virtual Private Server (VPS) Providers, Cloud Service Providers and Virtual Private Network Service (VPN Service) Providers:
- Aside from the requirements listed above, CERT-In has provided a list of data points that data centers and server providers are required to maintain for a period of 5 years or more.
- Virtual asset service providers, virtual asset exchange providers and custodian bank providers are required to retain KYC details for 5 years.
CERT-in has also provided a list of cyber security incidents and details like email id, phone and fax number where to report incidents.
Given time constraints, it is important for organizations to rethink and validate their IT infrastructure and logging capabilities to ensure they are compliant.