Indian government issues confidential infosec guidance to staff – who leak it

India's government last week issued confidential information security guidelines that call on the 30 million plus workers it employs to adopt better work practices – and as if to prove a point, the document quickly leaked on a government website. The document, and the measures it contains, suggest infosec could be somewhat …

  1. stiine Silver badge
    Facepalm

    bans the use of 3rd party ntp servers

    How else are they going to propel the country into the past.

    1. G2

      Re: bans the use of 3rd party ntp servers

      not to mention DNS servers... not even root-servers.org /.net are allowed to be used as the root servers are considered a "3rd party"... and also that national DNS server is mandatory because it allows easier man-in-the-middle redirection and/or interception.

  2. Mike 137 Silver badge

    "check the popularity of the app and read the user reviews [...]"

    This, in common with many of the other listed requirements, is a mere exhortation that ignores whether it's likely to be effective (and it probably isn't, as 'popularity' is no warranty of safety and user reviews come from unverifiable sources). Unless they're backed by technical measures and informative training, exhortatory 'policy statements' of this kind are incapable of protecting the enterprise. But India is far from alone. In over two decades of consulting I've never seen a corporate 'user policy' that could actually contribute to security. The common failings are:

    [1] vagueness of objectives

    [2] lack of explanation

    [3] negligible provision for and verification of training

    [4] fundamental resort to penalties as opposed to effective enforcement

    If policy is going to actually work, there's at least as much need to address the human angle as to deal with the technical. In his classic "Industrial Relations" (1987) Michael Salamon points out what almost every organisation seems to have missed (although it's objectively rather obvious), that policies are only effective if they are arrived at by negotiation and supported by training so that people actually understand both the policies and the need for them. They're also ineffective if their sole (or even primary) objective is punishment of 'offenders' rather than resolution of problems and prevention of their recurrence. The almost universal 'enforcement' clause along the lines of "breaching this policy can lead to dismissal" is actually worse than useless, as it:

    [a] causes people aware of it to conceal their mistakes

    [b] introduces an adversarial relationship between management and those managed when an incident is investigated, preventing objective investigation

    [c] does nothing to prevent recurrence of an event as it gets primarily ascribed to 'stupidity'

    [d] absolves management in their own mind from taking precautions that could minimise opportunities for incidents to happen (e.g. better technical provisioning)

    As a result almost all corporate security policy is pure shelfware. To operate securely, you need to be working within a culture of secure practice - not just attempt to follow a list of externally imposed apparently arbitrary obligations that haven't been put into proper context in your own terms.

    1. cyberdemon Silver badge
      Linux

      Re: "check the popularity of the app and read the user reviews [...]"

      A better approach might be to set up a repository of open source apps for their employees to use, and disable the Google/Apple app stores.

      Unfortunately this approach is not very feasible because Google and Apple have done their very best to kill off any open source development on their platforms, and they have largely succeeded.

      There are some holding out against this tyranny though, such as /e/os, but thanks to Android's horrendously complicated SDK, it is almost impossible for an end-user to build even /e/os from source.

    2. sitta_europea Silver badge

      Re: "check the popularity of the app and read the user reviews [...]"

      "... almost all corporate security policy is pure shelfware. "

      Never seen the term "shelfware" before. Love it.

  3. Pascal Monett Silver badge

    Whoa there

    "patch promptly, run anti-virus software, log off when away from one's desk, and encrypt data before transmission"

    We're talking about government. That means that there's an IT department that calls the shots on patching.

    As for encrypting, that would be difficult if IT has not installed and configured the tools to do so. The user is not supposed to be able to do that on his own, now is he ?

    And if you think I'm logging off to go take a piss, I have news for you : I'm pressing Windows-L to lock my session and not lose my work.

    I appreciate the intent, but there's a lot here that doesn't really depend on just the user.

    1. unimaginative

      Re: Whoa there

      It's probably intended for IT departments too.

      It's a set of national government guidelines, so probably applies to departments that run their own IT.

      It's an improvement on our own government in the UK which used Zoom for meetings that must have included discussions of at least some top secret information.

      1. Yet Another Anonymous coward Silver badge

        Re: Whoa there

        If politicians know about it - it's no longer secret.

    2. Suragai

      Re: Whoa there

      Also, best not to assume different govt agencies have the same levels of IT support - in my experience (16 years so far) the larger Ministries or Departments have the largest budgets, and the biggest (though not necessarily best) IT teams, while smaller agencies may have very little support internally, instead out-sourcing IT to commercial providers.

  4. Lars Silver badge
    Coat

    No sensitive information was lost

    To be honest, even if:

    "Whoever posted it there probably needs to re-read the document. One of the instructions it includes is "Don't share any sensitive information with any unauthorized or unknown person over telephone or through any other medium."".

    1. Yet Another Anonymous coward Silver badge

      Re: No sensitive information was lost

      If you share something with 30 million employees it's hardly secret.

      And exactly what's national security about this? It's introductory IT good practice

  5. nijam Silver badge

    ...confidential information security guidelines...

    How on earth is any of the advice in this document confidential? It seems to be mostly well-known and widely-used good practice.

    OTOH, mustn't give the proles advice about security, they might use it to secure themselves against the govt., I suppose.

  6. bertkaye

    dubious customer support

    After I saw that the list of security recommendations included "Have you unplugged and replugged your system" and "Try rebooting", and "Try cleaning your mouseball", I felt the advice could be improved but the chaat was delicious.
