Report breach within six hours: Govt frames cybersecurity norms
The ministry of electronics and information technology on Thursday underlined a first of its kind cybersecurity policy, asking service providers, intermediaries, data centres, body corporates and government organisations to mandatorily report any breaches or leaks within six hours of them being flagged.
“Any service provider, intermediary, data centre, body corporate and government organisation shall mandatorily report cyber incidents as mentioned in Annexure I to CERT-In within six hours of noticing such incidents or being brought to notice about such incidents,” the policy said. CERT-In is the government’s nodal agency for detecting and responding to cyber incidents.
The policy will come into effect within 60 days. It will have far-reaching ramifications as to how entities mentioned above collect and store data, the period for which it will be stored and the mandate to share it with the government in case of a breach.
Parallel to this, the government is also working on a new cybersecurity strategy, which has been in the works for over two years and proposes a multi stakeholder framework and legislative approach to check propaganda, deception, disinformation and “adversarial narratives” being peddled on websites of social media companies, people familiar with the matter said.
The policy has been pending with the government for over a year now and is being conceptualized by the National Security Council Secretariat of India headed by Lt General Rajesh Pant. Called National Cyber Security Strategy, 2021, the policy stresses on the need for a legislative framework to address the emerging challenges in the technology space.