To bridge the technical and policy gaps in the

Solution

To bridge the technical and policy gaps in the cybersecurity of government organizations, the Indian Computer Emergency Response Team (CERT-In) has released guidelines on information security practices for all government entities.The guidelines require government organizations to mandatorily report cyber incidents to CERT-In within six hours of noticing them, like private entities do.They must do so even if third parties flag such incidents.The information shall be shared with stakeholders like sectoral CERTs and regulators.Government offices need to conduct an internal and external audit of their entire cyber infrastructure and deploy appropriate security controls based on the audit. Internal information security audits shall be conducted at least once in six months, while third-party security audits need to be conducted annually. Services of CERT-In impanelled auditors can be utilised for external audits, the guidelines say.Government organisations need to appoint a chief information security officer (CISO), who would be accompanied by a dedicated cybersecurity team, separate from the IT operations and infrastructure team.