What CERT-In’s new cybersecurity audit guidelines mean for Indian PSUs and businesses


Prayukth KV

5 August 2025


The Indian Computer Emergency Response Team (CERT-In) on 25 July issued new mandatory guidelines on the conduct of cybersecurity audits, covering both private and public-sector organizations. For the first time, entities across the private and public sectors have been brought under the ambit of a CERT-In audit mandate. CERT-In has also laid out clear guidelines covering all aspects of risk assessments and audits, for both auditors and auditees.

What has changed as per the new mandate?

Here are some of the key directives mandated by CERT-In:

· Entities that own or manage digital systems must undergo a third-party cybersecurity audit at least once a year.

· Responsibility of the management: Top management should review and approve the audit programme, its scope and the remedial measures taken by the organization to plug the vulnerabilities highlighted in the audits, in a time-bound manner.

· Asset owner responsibility: Risk treatment decisions (retain, avoid, transfer or reduce) for any reported vulnerability or observation in an application or the infrastructure must be authorized and accepted by the head of the auditee organization. Further, any exception to a reported vulnerability or observation in an application must be authorized by the head of the organization that owns the application.

· The audits should be contextual and relevant to the entity in terms of its risks and operational domain. In other words, the audit must be conducted with the entity's business context, risk envelope and threat landscape in mind.

· Organisations should restrict remote access to their cyber infrastructure. Remote access traffic should be tunnelled, encrypted and logged to prevent misuse.

· Organizations should maintain and monitor an inventory of all authorized assets (both software and hardware). For all these assets, a proper patch management mechanism should be in place to patch the vulnerable software, applications and firmware used by the organization.

· Organizations need to implement the principle of least privilege across the organization's assets.

· The responsibility for maintaining an efficient and robust cybersecurity posture ultimately rests with the auditee organization.

· Regulators have the discretion to mandate more frequent audits in a year, if conditions so require.

· The auditing organization must verify the auditee's existing policies against industry standards and best practices and suggest the necessary improvements, if required. Auditee organizations must confirm that their applications have been designed and developed following secure practices before any assessment commences.

· The audits should include discovery of all known vulnerabilities based on comprehensive standards and frameworks such as ISO/IEC, the Cyber Security Audit Baseline Requirements, the CSA Cloud Controls Matrix (CCM) for cloud security, the Open Source Security Testing Methodology Manual (OSSTMM3), the OWASP Web Security Testing Guide for web application security testing, the OWASP Application Security Verification Standard (ASVS) for establishing and verifying application security controls, the OWASP Mobile Security Testing Guide (MSTG) for mobile app audits and the OWASP DevSecOps Maturity Model for assessing Continuous Integration / Continuous Deployment (CI/CD) pipeline security, along with the applicable regulatory framework and the directions and guidelines issued from time to time by agencies such as CERT-In, the Government and regulatory bodies.

· An audit should also be performed after every major change to infrastructure or applications, depending on the criticality involved.

What lies within the scope of the new mandate?

The scope of an audit should cover the entire cyber infrastructure, including systems, applications (both web and mobile), software, network infrastructure, the Operational Technology (OT) / Industrial Control Systems (ICS) environment, cloud architecture, Application Programming Interfaces (APIs), database and hosting infrastructure, code review, application security, data security and testing of the auditee's incident response capability.

As per CERT-In, the types of cybersecurity audits and assessments to be carried out at least once a year include, but are not limited to, the following:

· Compliance Audits

· Risk Assessments

· Vulnerability Assessments

· Penetration Testing

· Network infrastructure Audits

· Operational Audits

· IT security policy review and assessment against security best practices.

· Information Security Testing

· Source Code Review

· Process Security Testing

· Communications Security Testing

· Application security testing  

· Mobile Application Security Auditing  

· Wireless Security Testing

· Physical Security Testing

· Red Team Assessment

· Digital Forensic Readiness Assessment

· Cloud Security Testing

· Industrial Control Systems (ICS) / Operational Technology (OT) Security Testing: evaluating the cybersecurity posture of ICS and OT networks, specifically to identify vulnerabilities and potential threats that could disrupt critical industrial processes, impacting safety, production and overall system availability within a facility.

· Internet of Things (IoT) / Industrial Internet of Things (IIoT) Security Testing

· Log Management and Maintenance Audit

· Endpoint Security Assessment

· Artificial Intelligence (AI) System Audits

· Vendor Risk Management Audits

· Blockchain Security Audit

· SBOM (Software Bill of Materials), QBOM (Quantum Bill of Materials) and AIBOM (Artificial Intelligence Bill of Materials) Auditing

To learn more about these guidelines or to book a risk assessment consultation, speak to a Shieldworkz risk assessment expert. 

Learn more about IEC 62443-based risk assessment and Security Level augmentation methodologies.

Learn more about our comprehensive OT and IoT security services portfolio. 
