CERT-In has issued an order that suggests that “Any Individual, Organization or Corporate entity” affected by cyber security incidents may report the incident to CERT-In. (Copy of the Order)
However, some types of incidents must be reported mandatorily. The incidents that need to be mandatorily reported are:
- Targeted scanning/probing of critical networks/systems
- Compromise of critical systems/information
- Unauthorized access to IT systems/data
- Defacement of a website or intrusion into a website and unauthorized changes such as inserting malicious code, links to external websites etc.
- Malicious code attacks such as spreading of virus/worms/Trojans/Botnets/Spyware
- Attacks on servers such as Database, Mail and DNS and network devices such as Routers
- Identity Theft, Spoofing and Phishing attacks
- Denial of Service (DOS) and Distributed Denial of Service (DDOS) attacks
- Attacks on Critical infrastructure, SCADA Systems and Wireless networks
- Attacks on Applications such as E-Governance, E-Commerce etc.
Since the order is being sent to industry associations with an instruction that it should be sent to all major organizations, it appears that this is also meant for private sector companies (though not specifically mentioned) besides Government departments, and it corroborates the advertisement that CERT-In had released recently.
While the intention behind the order is understandable and it was issued under the powers available under Section 70B, there is a need for more clarity to ensure that the circular is properly interpreted. Such reporting was already provided for under the Section 79 guidelines for intermediaries.
Firstly, the order needs to be interpreted as applicable to “Service Providers”, “Intermediaries”, “Data Centers” and “Body Corporates” and not to “Any Individual”.
Secondly, the word “attack” could mean both an “attempted attack” and a “successful attack”. Attacks are attempted constantly on every network, and hence it is not possible to report all attempted attacks. The key, therefore, is to define what an “Incident” is.
Companies may normally define an “Incident” with reference to an adverse event that has the potential to cause either a liability on the organization or disruption of its service.
It is necessary for CERT-In to provide its own definition, one that is appropriate to its objectives. Otherwise there will be confusion for compliance managers.
Hopefully the clarification will be issued in due course.
Naavi