Indian stock markets given ten day deadline to file infosec report, secure board signoff

Indian IT shops have been handed another extraordinarily short deadline within which to perform significant infosec work. This time the source of the edict is the Securities and Exchange Board of India, which on May 20 published a modified version of the "Cyber Security and Cyber Resilience framework" that applies to market …

  1. Paul Crawford Silver badge

    Can the Indian government respond in any meaningful way to its citizens in 10 days?

  2. Headley_Grange Silver badge

    Shirley...?

    Surely any organization that takes security seriously will already have done most of the donkey work, and the only rushed aspect will be to convene the board and put the relevant information in front of them for them to approve.

    Won't they??

    1. Pascal Monett Silver badge

      Re: Shirley...?

      There is a world of difference between securing a network and documenting it, and another world of difference between documenting it and writing a government-mandated report.

      I take it you haven't written any government reports. I have written a few (unfortunately), and it is not something I enjoy doing in the slightest.

      1. Headley_Grange Silver badge

        Re: Shirley...?

        If you don't document what you do then it might as well be considered not done. How many of us have ended up in a world of pain because stuff was being done, but not documented, so it either needed checking or, and often easier, doing again just to confirm that it had been done?

        I agree about government reporting (I've done it but in UK and US, not India), but if the article is correct then that's not what's needed.

        "All MIIs are directed to communicate the status of the implementation of the provisions of this circular to SEBI within 10 days from the date of this circular."

        If they've taken any of this seriously since 2015 (when the original requirements were published) then they only have to say that, in line with their current Cyber Security and Cyber Resilience Framework Policies and Procedures they are auditing their estate in light of the new requirements and will update the P&Ps and relevant audit/test/HR/reporting/risk/etc. plans to include the new requirements. Then they attach their plan and schedule to finish these updates and an outline/draft plan with assumptions (they haven't finished the audit yet) to meet the new framework requirements.

        For a large company this is still a fair bit of work but if they take cyber security and resilience seriously and make it part of their everyday work they ought to be able to produce something that will demonstrate they are on top of it. Of course, if they've done fuck all since 2015 then they can still report on this. The report will be a lot of management speak for "we've done fuck all" and the plan and schedule might be a bit vague and run out a few years, but they could still meet the letter of the "communicate the status....".

  3. Anonymous Coward

    Indian IT

    What could possibly go wrong.

  4. Pascal Monett Silver badge

    And if it doesn't happen in 10 days?

    What if the companies simply don't respond in the allotted time span?

    Is there any hint of a fine anywhere?

    On the other hand, they could respond with a basic report and mention "See Appendix . . ." for all precisions, the appendices being sent 30 days later.

    This whole attitude smacks of useless pressure from administrative busybodies who grant themselves a lot more importance than they have.

    Businesses don't want to be hacked. Most of them do want to be secure, and a fair proportion of them actually put money on the table for that. The thought behind this new rule may be commendable, but granting a 90-day delay (given that businesses are already on a 60-day delay for something else) wouldn't kill the donkey.

  5. Mike 137 Silver badge

    Criticality?

    "Among the modifications, equipment rated "critical" and therefore subject to regular security review and testing has been expanded to any internet-facing application, and any system that stores personally identifiable information. Anything that interacts with other critical systems for operations or maintenance is now also classified as critical."

    Was the business-wise relatively unimportant server on which some bod ('for convenience') at Equifax saved a clear text list of the access credentials for numerous other functionally important servers 'critical'?

    Making blanket rules based on lists is a sure-fire way to miss the elephants in the office, as such rules always either have insufficient coverage or they get so complicated and detailed that they can't be maintained (or indeed in some cases even implemented). Also, as is commonly the case for PCI DSS, such rules can result in everything not on the list being left wide open because attention is focused primarily on 'compliance' with the rules.

    What's really needed for adequate security is constant attention to and monitoring of the actualities of each individual organisation's infrastructure in the context of its purposes and risks. That requires knowledgeable, dedicated personnel - and that requires sufficient resourcing. As ISO/IEC 27001 states, top management are responsible for information security, at least insofar as they must provide the authority and finance for the job to be done properly.

    Leaving security to the IT department to manage out of its local budget is a sure path to failure, as is following the letter of externally generated rules at the expense of keeping in touch with what's actually happening.

  6. vtcodger Silver badge

    How fun

    I think maybe if you are an Indian IT worker, grabbing a begging bowl and setting off to wander the countryside is probably beginning to look like an attractive alternative future. Better perhaps than living in constant fear of what short-deadline task the government is going to impose on you next.



Biting the hand that feeds IT © 1998–2022