CERT-In Cybersecurity Guidelines, 2022: Complete Compliance Guide

Comprehensive overview of CERT-In's cybersecurity directions including incident reporting, data retention requirements, and compliance strategies for Indian organizations.

Data>Nuance Cybersecurity Team
January 20, 2025

Introduction

The Indian Computer Emergency Response Team (CERT-In) is the national agency for responding to cyber incidents, established under the Ministry of Electronics and Information Technology (MeitY). Its mission is to strengthen cybersecurity preparedness, coordinate the response to incidents, and reduce cyber threats to India's digital infrastructure.

On April 28, 2022, CERT-In issued a set of directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents, exercising its powers under Section 70B(6) of the Information Technology Act, 2000. The directions came into force 60 days later, on June 27, 2022.

Objectives of the Directions

The directions have a two-fold objective:

1. Information Flow Efficiency

Ensuring that, when a cyber incident occurs, the necessary information reaches the right people quickly. This allows the incident to be analysed, its cause investigated, and the response coordinated so that damage is minimised.

2. National Security Protection

Taking measures to protect India's sovereignty and integrity, defence, state security, friendly relations with other countries and public order, and to prevent the commission of cognisable offences using computer resources. The aim is that cyber incidents neither compromise national interests nor enable unlawful activity.

Highlights of the Guidelines

1. Incident Reporting Requirements

Organisations must report cyber incidents of the types listed in the annexure to the directions to CERT-In within 6 hours of noticing them or being brought to notice of them. The clock starts at detection or notification, not at the time the incident actually occurred. Reports can be sent by email to incident@cert-in.org.in in the format published by CERT-In.

2. Logging and Data Retention

All service providers, intermediaries, data centres, body corporates and government organisations must securely maintain the logs of all their ICT systems for a rolling period of 180 days, and the logs must be kept within Indian jurisdiction. They have to be provided to CERT-In along with any incident report, and otherwise whenever CERT-In asks for them. The directions also require system clocks to be synchronised with the NTP servers of NIC or NPL, or with a source traceable to them, so that log timestamps from different systems can be correlated.
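The two measurable requirements above, the 6-hour reporting clock and the rolling 180-day log window, are easy to get subtly wrong: "rolling" means every one of the last 180 days must be present, not merely that the oldest file is 180 days old, and a deadline computed from a naive local timestamp is ambiguous once more than one team or time zone is involved. The following Python is an added example, not code from Data>Nuance or from the directions, that audits a set of daily log files for coverage gaps and purgeable files and computes the reporting deadline from the time an incident was noticed. The "syslog-YYYY-MM-DD.gz" naming scheme, the reference date and the sample file list are constructed assumptions.

```python
"""Retention-window and reporting-deadline checks for the CERT-In directions.

Constructed example; not code from Data>Nuance or CERT-In. Assumes one
compressed log file per day named like 'syslog-YYYY-MM-DD.gz' (a hypothetical
naming scheme) and a single reference date for 'today'.
"""
import re
from datetime import date, datetime, timedelta, timezone

RETENTION_DAYS = 180                     # rolling period required by the directions
REPORTING_WINDOW = timedelta(hours=6)    # from first notice of the incident

_DATE_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")


def log_date(filename):
    """Extract the day a log file covers from its name; None if no date is present."""
    m = _DATE_RE.search(filename)
    if not m:
        return None
    return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))


def audit_retention(filenames, today):
    """Check daily log files against a rolling RETENTION_DAYS window ending today.

    Returns a dict with:
      window_start: earliest day that must still be present
      missing:      days inside the window with no log file (coverage gaps)
      purgeable:    file names older than the window (safe to delete, nothing more)
      unparsed:     file names whose day could not be determined
    """
    window_start = today - timedelta(days=RETENTION_DAYS - 1)
    present = {}
    unparsed = []
    for name in filenames:
        d = log_date(name)
        if d is None:
            unparsed.append(name)
        else:
            present[d] = name
    # Every single day of the window has to be there: a failed rotation job
    # or an ingestion outage shows up here as a gap, even if old files exist.
    missing = [window_start + timedelta(days=i) for i in range(RETENTION_DAYS)
               if window_start + timedelta(days=i) not in present]
    purgeable = sorted(name for d, name in present.items() if d < window_start)
    return {"window_start": window_start, "missing": missing,
            "purgeable": purgeable, "unparsed": unparsed}


def reporting_deadline(noticed_at):
    """Latest time a reportable incident may reach CERT-In.

    The clock starts when the incident is first noticed or brought to notice,
    not when it occurred. noticed_at must be timezone-aware so the deadline
    is unambiguous for everyone involved in the response.
    """
    if noticed_at.tzinfo is None:
        raise ValueError("noticed_at must be timezone-aware")
    return noticed_at + REPORTING_WINDOW


if __name__ == "__main__":
    # Constructed sample: 200 days of daily logs ending 2025-01-20, with three
    # days dropped by a (hypothetical) failed rotation job and one active file.
    today = date(2025, 1, 20)
    dropped = {date(2024, 12, 1), date(2024, 12, 2), date(2024, 12, 3)}
    files = [f"syslog-{(today - timedelta(days=i)).isoformat()}.gz"
             for i in range(200) if (today - timedelta(days=i)) not in dropped]
    files.append("syslog-current")   # no date in the name

    result = audit_retention(files, today)
    print("window starts:", result["window_start"])
    print("gaps:", [d.isoformat() for d in result["missing"]])
    print("purgeable:", len(result["purgeable"]), "files")
    print("unparsed:", result["unparsed"])

    ist = timezone(timedelta(hours=5, minutes=30))
    noticed = datetime(2025, 1, 20, 9, 15, tzinfo=ist)
    print("report by:", reporting_deadline(noticed).isoformat())
```

Run as a scheduled job, the audit's "missing" list is the signal worth alerting on: a non-empty list means the organisation could not produce a complete 180-day record if CERT-In asked for it today. The "purgeable" list is deliberately the only thing the script suggests deleting; it never removes anything itself, since a retention job that deletes on a wrong clock is exactly the failure the check exists to catch.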

3. User Data Collection and Retention

Data centres, virtual private server (VPS) providers, cloud service providers and VPN service providers must register validated information about their subscribers and customers and keep it for 5 years, or longer where another law requires it, after the registration is cancelled or withdrawn. The information to be held includes:

  • Validated names of the subscribers or customers hiring the service
  • Period of hire, including dates
  • IP addresses allotted to and used by the subscriber
  • Email address, IP address and timestamp used at the time of registration
  • Purpose for hiring the service
  • Validated address and contact numbers
  • Ownership pattern of the subscriber or customer

Virtual asset service providers, virtual asset exchange providers and custodian wallet providers must likewise keep all information obtained as part of KYC and records of all financial transactions for a period of 5 years.

Consequences in case of Non-Compliance

The directions carry significant legal consequences for non-compliance. Failure to furnish information or to comply with a direction is an offence under Section 70B(7) of the Information Technology Act, punishable with:

Imprisonment for up to 1 year, or a fine of up to INR 1,00,000 (one lakh), or both

Section 70B(7) names service providers, intermediaries, data centres, body corporates and persons. Government organisations, although covered by the directions themselves, are not listed there, so the penalty provision in practice falls on private entities.

Many organisations struggle to implement these requirements, which leaves them exposed both to regulatory scrutiny and to the cyber attacks the directions are meant to address. Data>Nuance helps organisations implement the directions in a phased manner using cost-effective compliance tooling, shortening what is otherwise a protracted effort to keep pace with evolving legislation.

How Data>Nuance helps adopt CERT-In guidelines

1. Incident Response Framework

We help you put in place automated incident detection and reporting tooling so that the 6-hour reporting window can actually be met, establish and train a dedicated response team, and implement 24/7 monitoring.

2. Comprehensive Logging Solutions

We help you implement robust log collection and storage infrastructure, with secure and compliant retention, so that the 180-day rolling log window required by the CERT-In directions is met and the logs are kept within India, alongside any related obligations under the DPDPA and its rules.

3. Data Governance and Retention

We implement best practices for the protection and governance of sensitive personal data, and set up an automated 5-year retention and management system for the subscriber and transaction records the directions require.

4. Compliance Support

We analyse the regulations applicable to your industry and develop a customised compliance roadmap, so that your organisation stays compliant as the rules evolve.

Conclusion

Organisations can navigate the implementation challenges of the CERT-In directions with the strategies Data>Nuance has developed; without them, they remain exposed to legal, financial and reputational risk.

Data>Nuance's expertise in privacy compliance, and in guiding organisations through a structured implementation process, helps manage growing data protection risk.

Get Started with Data>Nuance

Reach out to Data>Nuance to comply with the CERT-In directions. Make sure your practices meet the legal standard while protecting your business from regulatory penalties. Let's make compliance effortless, before regulators make it expensive.
